How to Recover Hacked WordPress Website? (9-Step Guide)

Getting your WordPress website hacked is the worst thing that you can ever face. With hacking, you will lose your search engine ranking, site data, and reputation. But thankfully, I got your back. Learn how to recover hacked WordPress website and fix it.

Hacking is unavoidable today—no matter which CMS you use – WordPress, Joomla, or Drupal. According to a report, over 30,000 websites receive hackers’ wrath every day. And 64% of companies face a cyberattack at least once.

So, if you have a WordPress website today, let’s learn how to recover it from a cyberattack.

Things to Consider Before Recovering Hacked WordPress Website

Before learning how to recover from WordPress hacks, you must learn how to avoid them. Here are a few things that you can consider to avoid cyberattacks on your website:

Use The Secure Web Hosting Provider

Your web hosting provider plays a significant role in protecting your website from hacking. If you are using a free or shared hosting service, it is better to get secure and paid web hosting. A secure web hosting provider can dodge many cyber hacks on your site without even your knowledge. You can check out our exclusive guide and learn how to choose best WordPress hosting.

While shopping for a web hosting provider for your WordPress website, you must look for the following security features:

  • Ensure that your web hosting company provides secure software with frequent updates.
  • Make sure the company offers Secure Sockets Layer (SSL) to encrypt the connection between the web server and browser. Find out how to get free SSL certificate for your WordPress website.
  • Most reputed web hosting providers offer backup and restoration options to their customers.
  • Distributed Denial of Service (DDoS) attacks mitigation feature is required to handle overwhelming server requests.
  • Always use the web hosting server with built-in malware support.
  • Firewall protection is also important to prevent your website from cyberattacks.

Many powerful web hosting platforms are available today. But I will recommend our readers to use WP Engine. Simply because it offers all the security features to protect your website. In addition, we have special WP Engine coupon codes for our users.

Install The Best Backup Plugin

The best web hosting providers will offer backup and restoration options for sure. But, it is always better to install a backup plugin on your website to recover it from WordPress hacks.

BackupBuddy is the best backup plugin for WordPress users. This plugin can handle all the WordPress issues such as hacks, malware, user errors, etc. You can get this BackupBuddy for a basic price of $499 per year.

You can also try manual database backup. Find out from our guide how to take WordPress database backup manually.

How to Recover Hacked WordPress Website?

When a WordPress hack ruins your website performance or delete data, you should take these instant steps to recover your site:

Recognize The Hack

When you go to a doctor, they will first ask for symptoms and then suggest treatment. In the same way, you need to first note down the problem with your site before recovering it.

There are plenty of different hacks that your WordPress site can encounter, such as:

  1. Brute Force Attack: This attack involves several try-and-error approaches to crack the right username or password. Since WordPress has no default option to block users from trying to log in several times. Therefore, this attack can put your website in a frenzy when thousands of login attempts are made per second.
  2. SQL Injection: It is the oldest trick in the hackers’ book. By injecting SQL queries to your WordPress website, a hacker can destroy your entire database.
  3. Malware: Hackers can inject malware codes into your website via infected themes, plugins, or scripts. If the origin of the hack is from your WordPress plugin, you need to delete the theme. We have created a detailed guide on how to Uninstall And Delete WordPress Theme. Feel free to check it out!
  4. Cross-site Scripting: In this hack, attackers load malicious Java code to your site. When this is loaded on a client-side, it will start collecting data and redirecting to other malicious sites.

So, to identify the type of WordPress hack impacting your site, look out for these things:

  • Can you log in to your website’s admin panel?
  • Is your WordPress site taking users to another site?
  • Does your website have any malicious or illegitimate links?
  • Is Google marking your website as insecure or adult?

Write down all the problems with your site so you can talk to your hosting company or fix yourself.

Put Your Website in Construction Mode

Before recovering your site from WordPress hacks, put it into construction mode or staging mode. This will tell users and search engine crawlers that you are working on your site.

To do so, go to your WordPress admin panel > More Tools > Select Construction Mode.

Change Your Password

It is a good practice to change your WordPress website on a regular basis. But after the WordPress hack, it is vital to change your website password.

To change your site password, log in to the WordPress admin panel > Users > All Users. Click on your username to access your profile. Scroll down to the Account Management section and click Set New Password.

WordPress can set a password for you, or you can do it yourself. Just don’t forget to hit the Update Profile button after setting a new password.

Here are a few tips to remember while setting a new WordPress website password:

  • Don’t use the same password for multiple accounts
  • Aim for a complicated password using alphabets, special characters, and numbers

Contact Your Hosting

Before making any efforts to recover your site from the WordPress hack, you should contact your web hosting company. Sometimes the problem is with the hosting provider, especially if you are using shared hosting.

If you are using reputable hosting services like HostGator and Siteground, they can better help you in such situations. Many hosting keeps your site’s backup that can help you recover from the WordPress hack.

Moreover, hosting companies have technical staff that can fix your site and provides solutions to improve security. So, give a call to your web hosting company before doing anything else. Here are the best WordPress hosting providers that are ace in customer support.

Restore From Backup

If you have already backed up your website, the first thing you should do is restore it. The restoration process depends upon the plugin that you are using to back up your data. So, check your plugin manual to know how to restore the website data.

You can also follow our step-by-step guide to learn how to restore the WordPress site with the database backup.

Malware Scanning & Removing

Once you restore your website, you need to find the reason behind the WordPress hack. For this, you have to run a complete malware scan on your theme, plugins, and users for malicious codes.

You should first look for a hacker’s backdoor. A backdoor is a method that bypasses normal authentication to access the server while remaining undetected. Most hackers first install it on websites to regain access even after the infected plugin is eliminated.

Once you block a backdoor entry for hackers, move to scan your website. For this, I suggest using free tools like Sucuri WordPress Auditing and Theme Authenticity Checker (TAC).

Once you download both tools, the Sucuri scanner will tell the integrity status of all your WordPress core files. It will show you where hackers are hiding.

The most common hacker’s hideouts are – plugin directories, wp-config.php, wp-includes directory, etc. But, Sucuri will pinpoint the exact location.

After that, use Theme Authenticity Checker to find malicious codes in your theme. If you find malicious activities on the theme, it will provide you with full detail to understand the depth of infection.

Once you find the problematic theme or plugin, delete it and reinstall the fresh copy to clean your website.

Check User Permissions

Have a look at the user section on your website to make sure that only your trusted people have admin access to your site. If you find any suspicious user, remove it right away.

Also, make sure that you have limited login attempts for your WordPress website so that not everyone can have access to your website. WordPress by default enables users to record passwords an infinite number of times. This makes it possible for hackers to quickly access your WordPress admin panel and test various password combinations. Overall, it hurts your company’s reputation and the information on your website. Check out our step-by-step guide on how to limit login attempts on WordPress.

you can never know who can hack your website, it can be an outsider or a user to that you have given permission to your WordPress website. It’s better to be safe than sorry.

That said, in WordPress you can create temporary login that will help you restrict access to a user after a certain period of time which means he/she cannot access your WordPress website anymore as the link will be expired. We have created a guide on how to create temporary login for your WordPress, feel free to check it out!

Change Your Secret Keys

If a hacker is still logged into your website, they can access your site despite you changing the password. This happens because WordPress generates security keys that encrypt your passwords.

So, you have to disable cookies to create new secret keys. After generating a new security key, add it to your wp-config.php file.

Contact Professional

If you are a novice to WordPress or facing a harsh WordPress hack, it is better to consult a professional. You can contact your website developer to recover from WordPress hacks.


It is quite hard to avoid cyberattacks these days. Even on a powerful platform like WordPress, hackers find ways to attack your website.

Thus, it is always good to have a backup plan in order. You should use a backup plugin like BackupBuddy so you can recover from WordPress hacks effortlessly.

In addition, keep your website security always top-notch to block hackers. For example, use strong passwords, reputable plugins, themes, and hosting companies.

All in all, it is easy to recover your site from WordPress hacks. But it doesn’t mean you go lenient on security. Always ensure that your website has tight shielding against all hacks.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.