It is a nightmare for every website owner: your WordPress website has been hacked. Maybe you see strange redirects, spam links in your content, or Google has marked your site as unsafe. In this article, we explain which steps you need to take to restore your website and prevent future hacks.

Step 1: Stay calm and document

It is understandable that you panic, but hasty actions can make the situation worse. Take a moment to document what you see:

  • What strange behavior is your website showing exactly?
  • When did you first notice it?
  • Did you recently change anything (plugins, theme, passwords)?
  • Take screenshots of the problems for later analysis.

Step 2: Take your website temporarily offline

To prevent further damage and protect your visitors, it is wise to temporarily take your site offline. You can do this in several ways:

Via DirectAdmin

Log into DirectAdmin and temporarily disable your website via Domain Setup. You can also show a maintenance page instead of the hacked content.

Via .htaccess

Add these lines to your .htaccess file to block all visitors except your own IP address (replace YOUR.IP.ADDRESS with it). With order deny,allow, the deny rule is applied first and the allow rule for your address overrides it:

order deny,allow
deny from all
allow from YOUR.IP.ADDRESS

Step 3: Make a backup of the current state

Before you start cleaning, make a complete backup of your website in its current (hacked) state. This seems contradictory, but this backup can be valuable for later analysis of how the hack happened.

Use the backup function in DirectAdmin or a tool like UpdraftPlus to make a complete backup of files and database.

Step 4: Scan for malware

There are various tools to scan your website for malware and infected files:

Wordfence Security

This is the most complete security plugin for WordPress. Install Wordfence and run a full scan. The plugin identifies modified WordPress core files, suspicious code in themes and plugins, and known malware patterns. Check our guide for Wordfence installation and configuration.

Sucuri SiteCheck

Sucuri offers a free online scanner at sitecheck.sucuri.net. It scans your website from outside for known malware, blacklist status, and suspicious code.

Theory7 Patchman

As a Theory7 customer, you benefit from Patchman, our automatic malware scanner that detects and repairs known vulnerabilities. Read more about Patchman and how it protects you.

Step 5: Clean infected files

After the scan, you know which files are infected. Now the cleanup work begins:

Replace WordPress core files

Download a fresh copy of WordPress from wordpress.org and completely replace the wp-admin and wp-includes folders. Do not touch the wp-content folder yet.

Check plugins and themes

Remove all plugins and themes you are not actively using. For the plugins and themes you do use:

  • Remove them completely from wp-content
  • Download fresh versions from wordpress.org or the original source
  • Reinstall them

Search the uploads folder

Hackers often place PHP files in the uploads folder. This folder should only contain images and documents. Search for .php files:

find wp-content/uploads -name "*.php"

Remove any PHP file you find.
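As an added example (not part of the original article), the following POSIX shell script goes a step further than the find command above: it also catches the other extensions a web server would run as PHP, flags files that carry an image extension but contain PHP code, and then writes an .htaccess into the uploads folder so Apache refuses to serve PHP from there at all. The fixture directory it builds with --demo is constructed; its file names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Run from the WordPress root.
# Assumes POSIX sh plus find, grep, mktemp and printf.

# List files under $1 that a web server could run as PHP: the usual
# extensions, plus any other file whose content contains a PHP open tag
# (PHP hidden behind a .jpg name is a common way to survive a quick scan).
find_php_in_uploads() {
    dir="$1"
    # Obvious cases by extension.
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.php[0-9]' -o -name '*.phar' \)
    # Disguised cases: anything else that contains "<?php". grep -l prints
    # only the file name; -a treats binary files (images) as text.
    find "$dir" -type f ! -name '*.php' ! -name '*.phtml' \
        ! -name '*.php[0-9]' ! -name '*.phar' \
        -exec grep -la '<?php' {} + 2>/dev/null
    return 0
}

# Number of files the scan reports for $1.
count_php_in_uploads() {
    find_php_in_uploads "$1" | sort -u | wc -l | tr -d ' '
}

# Drop an .htaccess into the uploads folder so Apache does not execute PHP
# from it, whatever file names end up there later. Uses the Apache 2.4
# Require syntax and falls back to the 2.2 Order/Deny syntax.
deny_php_execution() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Constructed fixture: a clean JPEG, a plain PHP file, a PHP file with an
# alternative extension, and PHP code saved under a .jpg name.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/01" "$d/cache"
    printf '\377\330\377\340JFIF' > "$d/2024/01/photo.jpg"
    printf '<?php /* constructed sample */ ?>\n' > "$d/cache/sample.php"
    printf '<?php /* constructed sample */ ?>\n' > "$d/cache/sample.phtml"
    printf '\377\330\377\340<?php /* constructed sample */ ?>\n' > "$d/2024/01/logo.jpg"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "Suspicious files under $d:"
    find_php_in_uploads "$d"
    deny_php_execution "$d"
    echo "Wrote $d/.htaccess"
    rm -rf "$d"
fi
```

Run it with --demo to see the scan on the constructed fixture, or call find_php_in_uploads wp-content/uploads on a real site. A hit on a .jpg is a lead, not proof (some editors leave a PHP tag in image metadata), so review each file before deleting it; the .htaccess is the safety net for anything the scan misses.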

Check database

Some hacks add malicious code to your database, especially in posts and options. Check the wp_options table for suspicious entries and search posts for spam links or strange scripts.
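The shell functions below, added here and not part of the article, run this database check against the SQL backup you made in Step 3 instead of the live database, so nothing changes while you look. They assume a plain mysqldump-style dump with the default wp_ table prefix; the sample dump they build is constructed, and the example domains in it are placeholders.

```sh
#!/bin/sh
# Added example, not from the original article. Works on a plain SQL dump
# (mysqldump / UpdraftPlus) of a site using the default "wp_" table prefix.
# Assumes POSIX sh with grep -E/-o, which GNU and BSD grep both provide.

# Print the siteurl and home rows from wp_options. Redirect hacks commonly
# rewrite these two values, so they should still point at your own domain.
show_site_urls() {
    grep -oE "'(siteurl|home)','[^']*'" "$1"
    return 0
}

# Count occurrences of one indicator (extended regex, case-insensitive) in
# the dump. Matches are counted rather than lines because mysqldump writes
# hundreds of rows on a single INSERT line.
count_pattern() {
    grep -oiE "$2" "$1" | wc -l | tr -d ' '
}

# Indicators worth reviewing in wp_posts and wp_options: scripts loaded from
# another host, obfuscated PHP stored in an option value, iframes, and
# hidden spam links. A hit is a lead, not proof; review every match.
INDICATORS='<script[^>]*src=
eval\(
base64_decode
<iframe
display: ?none'

scan_dump_for_injections() {
    dump="$1"
    printf '%s\n' "$INDICATORS" | while read -r pat; do
        printf '%-22s %s\n' "$pat" "$(count_pattern "$dump" "$pat")"
    done
}

# Show each match with up to 60 characters of row text on either side,
# usually enough to tell a legitimate embed from an injection.
show_matches() {
    grep -oiE ".{0,60}$2.{0,60}" "$1"
    return 0
}

# Constructed sample dump: two clean rows and two injected rows. The base64
# payload decodes to the word CONSTRUCTED.
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'home','https://example.com','yes');
INSERT INTO `wp_options` VALUES (999,'_transient_widget_cache','<?php eval(base64_decode(\'Q09OU1RSVUNURUQ=\')); ?>','yes');
INSERT INTO `wp_posts` VALUES (1,1,'2024-01-01 10:00:00','<p>Welcome to my blog.</p>','Hello world','publish');
INSERT INTO `wp_posts` VALUES (2,1,'2024-01-02 10:00:00','<p>Post body</p><script src="https://malicious.example/x.js"></script><div style="display:none"><a href="https://spam.example">spam link</a></div>','Second post','publish');
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_dump)
    echo "Site URLs:"; show_site_urls "$f"
    echo "Indicator counts:"; scan_dump_for_injections "$f"
    echo "Script matches:"; show_matches "$f" '<script[^>]*src='
    rm -f "$f"
fi
```

Point the functions at your real dump (scan_dump_for_injections backup.sql, then show_matches backup.sql '<iframe' for any indicator with a non-zero count). If siteurl or home no longer show your own domain, correct them in the live database as part of the cleanup.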

Step 6: Change passwords

Change all passwords related to your website:

  • WordPress admin accounts (all users!)
  • FTP password via DirectAdmin
  • Database password (do not forget to update wp-config.php)
  • DirectAdmin password
  • MyTheory7 password

Use strong, unique passwords of at least 16 characters with uppercase, lowercase, numbers, and special characters.

Step 7: Take security measures

Now that your website is cleaned up, prevent a new hack with these measures:

Update everything

Update WordPress, all plugins, and your theme to the latest versions. Outdated software is the main cause of hacks.

Install security plugin

Install Wordfence and configure the firewall. Enable brute force protection and set up two-factor authentication for all admin accounts.

Renew security keys

Generate new WordPress security keys via the WordPress API and replace them in wp-config.php. This logs out all current sessions.
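An added example, not the article's own procedure: instead of fetching the keys from the WordPress API, this shell function generates eight random 256-bit values locally from /dev/urandom and rewrites the define() lines in wp-config.php through a temporary file, so it does not depend on the GNU or BSD flavour of sed -i. The wp-config.php it builds with --demo is a constructed fixture.

```sh
#!/bin/sh
# Added example, not from the original article. Regenerates the eight
# WordPress security keys and salts with local randomness instead of the
# API at https://api.wordpress.org/secret-key/1.1/salt/ and writes them
# into wp-config.php. Assumes POSIX sh, /dev/urandom, od, sed and mktemp.

KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 32 random bytes as 64 hex characters: 256 bits of entropy, and safe to
# place inside a single-quoted PHP string without escaping.
random_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Replace the value of every define('NAME', ...) line in $1 with a fresh key.
# Every current login session becomes invalid because the auth cookies are
# signed with these values.
rotate_salts() {
    cfg="$1"
    for name in $KEY_NAMES; do
        val=$(random_key)
        tmp=$(mktemp)
        # Matches both "define( 'AUTH_KEY'," and "define('AUTH_KEY'," spacing.
        sed "s|^define( *'$name',.*|define( '$name', '$val' );|" "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    done
}

# Number of the eight keys whose value is a 64-character hex string, so a
# caller can confirm that all of them were rewritten.
count_rotated_keys() {
    n=0
    for name in $KEY_NAMES; do
        if grep -qE "^define\( *'$name', *'[0-9a-f]{64}' *\);" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed fixture with the placeholder values a fresh wp-config.php carries.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_config)
    rotate_salts "$f"
    echo "Rotated keys: $(count_rotated_keys "$f") of 8"
    grep "^define( '" "$f"
    rm -f "$f"
fi
```

On a real site run rotate_salts wp-config.php once, then count_rotated_keys wp-config.php should print 8. Since mv replaces the file, re-check its permissions afterwards (600, as the next section describes).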

Check file permissions

Make sure your file permissions are correctly set:

  • Folders: 755
  • Files: 644
  • wp-config.php: 600
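As an added example (not from the article), these shell functions apply the permission scheme listed above to a WordPress root and report every file or folder that deviates from it, so the check can be repeated after cleanup or after an update. They assume POSIX sh and a find that supports -perm and -maxdepth (GNU and BSD both do); the directory built with --demo is a constructed fixture.

```sh
#!/bin/sh
# Added example, not from the original article. Applies and verifies the
# scheme from the article: folders 755, files 644, wp-config.php 600.
# Assumes POSIX sh and a find that supports -perm and -maxdepth.

# Print every path under $1 whose mode differs from the scheme.
list_bad_permissions() {
    root="$1"
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 600
    return 0
}

# Number of deviating paths, for scripting and for the check below.
count_bad_permissions() {
    list_bad_permissions "$1" | wc -l | tr -d ' '
}

# Apply the scheme. "-exec ... +" batches the chmod calls; wp-config.php is
# handled last so the 644 pass does not loosen it again.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Constructed fixture: a tiny WordPress-like tree with three wrong modes.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '<?php /* constructed */\n' > "$d/wp-admin/index.php"
    printf '<?php /* constructed */\n' > "$d/wp-config.php"
    printf '<?php /* constructed */\n' > "$d/index.php"
    chmod 755 "$d" "$d/wp-admin" "$d/wp-content"
    chmod 644 "$d/index.php"
    chmod 777 "$d/wp-content/uploads"      # wrong: world-writable folder
    chmod 777 "$d/wp-admin/index.php"      # wrong: world-writable script
    chmod 644 "$d/wp-config.php"           # wrong: readable by other accounts
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "Before fix ($(count_bad_permissions "$d") problems):"
    list_bad_permissions "$d"
    fix_permissions "$d"
    echo "After fix: $(count_bad_permissions "$d") problems"
    rm -rf "$d"
fi
```

On a real installation run fix_permissions /path/to/wordpress once, then list_bad_permissions on the same path should print nothing. World-writable folders (777) are worth a second look even after fixing them, because they are the usual place for a dropped file to appear.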

Step 8: Check Google Search Console

If Google has marked your site as hacked, you must request a review via Google Search Console after cleanup. Log in, go to Security Issues, and click "Request Review" after you have resolved all issues.

Prevention for the future

Prevention is better than cure. Take these measures to prevent future hacks:

  • Make regular backups with UpdraftPlus or Solid Backups
  • Keep WordPress, plugins, and themes always up to date
  • Use strong passwords and two-factor authentication
  • Remove unused plugins and themes
  • Only install plugins and themes from trusted sources
  • Limit the number of admin accounts

At Theory7, we take security seriously. Our servers run automatic malware scans with Patchman, and our support team is ready to help you with security incidents. Feel free to contact us if you need help restoring your hacked website.