Finding out your site’s been hacked is alarming, but panicking leads to mistakes. Work through this in order and you’ll clean it properly rather than removing symptoms while leaving the back door open.
1. Take the site offline and scan
If the site is serving malware or spam to visitors, put it into maintenance mode first to limit damage. Then run a malware scan — a security plugin or a server-side scan will identify infected files. On our servers we can run a deep scan that finds injected code and webshells that plugins sometimes miss.
2. Change every password
Assume all credentials are compromised. Reset your WordPress admin passwords, your cPanel password, your database password (update wp-config.php to match) and any FTP accounts. Do this early, or the attacker simply walks back in through the credentials they already have.
3. Back up the hacked site before cleaning
Counterintuitive, but useful: keep a copy of the compromised site. It preserves evidence of how they got in and gives you a fallback if a clean-up step goes wrong.
4. Replace core, themes and plugins with clean copies
The reliable way to remove infected core files is to delete WordPress core and reinstall a fresh copy — your content lives in the database and wp-content/uploads, so it’s safe. Reinstall themes and plugins from trusted sources too. Delete anything you don’t recognise; attackers often leave rogue plugins as a way back in.
5. Hunt down injected code and backdoors
Check wp-config.php, .htaccess and the uploads folder for suspicious PHP files (uploads should never contain .php files). Look for recently modified files with obfuscated code. This is the step where a server-side scan really earns its keep.
6. Clean up and resubmit
Once clean, remove any spam pages the attacker created, update everything, and check whether search engines flagged your site — if so, request a review so warnings clear.
7. Harden so it doesn’t recur
A hacked site usually means an unpatched plugin or a weak password. Close that gap: update everything, enforce strong logins, add a firewall.
Hacks can hide deep. If you’re not fully confident the site is clean, don’t guess — open a ticket and we’ll run a thorough server-side clean-up for you.