Your WordPress website has been humming along nicely for years. Then, unexpectedly, it starts behaving weirdly. It displays text that doesn’t belong, redirects to spammy websites, or slows down considerably. Your website may have been hacked. Don’t panic. Learn how to clean an infected WordPress website.

There are several great companies available that will clean a hacked site. Sucuri and Wordfence are highly recommended. They have plenty of experience cleaning hacked WordPress websites. If you have some technical skills, you can clean the website yourself.

Back up immediately

First, do a full system backup. Ensure that the backup includes all website files and the database. Download the backup to your local computer. Compare the WordPress core files in the backup with the core files in a downloaded good version of WordPress (from

Examine the backup files for any recently modified files (look at the timestamp). If you have access to SSH, run this command to supply a list of all files changed in the last 15 days.

$ find ./ -type f -mtime -15

The next step to clean an infected WordPress website is to inspect all suspicious files. Replace changed files with clean files from the version downloaded from

Examine your .htaccess file for redirection code. The .htaccess file is a hidden file so ensure you set your file access program to display hidden files. Also check your wp-config.php file for invalid entries.
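
The core-file comparison described above can be scripted. This is an added example, not code from the original article: it assumes the backup and a clean download of the same WordPress version are unpacked side by side, and the function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Directory layout and the
# sample files are constructed for illustration.

# compare_core BACKUP_DIR CLEAN_DIR
# Prints one finding per line for files outside wp-content/:
#   MODIFIED <path>  present in both trees, contents differ
#   EXTRA <path>     not part of the clean WordPress download
#   REVIEW <path>    site-specific file to inspect by hand
compare_core() {
    (cd "$1" && find . -type f ! -path './wp-content/*') | LC_ALL=C sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ -f "$2/$rel" ]; then
            cmp -s "$1/$rel" "$2/$rel" || echo "MODIFIED $rel"
        else
            case $rel in
                wp-config.php|.htaccess) echo "REVIEW $rel" ;;
                *) echo "EXTRA $rel" ;;
            esac
        fi
    done
}

# make_sample DIR: build a tiny constructed clean/ and backup/ pair under DIR.
make_sample() {
    mkdir -p "$1/clean/wp-includes" "$1/clean/wp-admin" "$1/backup/wp-content/uploads"
    printf '<?php // core loader\n' > "$1/clean/wp-includes/load.php"
    printf '<?php // admin index\n' > "$1/clean/wp-admin/index.php"
    cp -R "$1/clean/." "$1/backup/"
    printf '<?php // core loader\n// changed line\n' > "$1/backup/wp-includes/load.php"
    printf '<?php // unexpected file\n' > "$1/backup/wp-includes/cache.php"
    printf '<?php // site config\n' > "$1/backup/wp-config.php"
    printf 'image bytes' > "$1/backup/wp-content/uploads/photo.png"
}

demo=$(mktemp -d)
make_sample "$demo"
compare_core "$demo/backup" "$demo/clean"
rm -rf "$demo"
```

Files under wp-content/ are skipped because themes, plugins and uploads are not part of the core download; check those separately against fresh copies from their own sources.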

Remove suspicious users

Remove any suspicious user accounts. If you don’t recognize a user, delete them immediately. Change the administrator password. Verify that all users have the proper role set (give each user only the role they need).

Check the themes and plugins files. Keep all your themes and plugins up to date. Hackers attack websites through known vulnerabilities in old themes and plugins. Remove all unnecessary themes and plugins.

Secure the cleaned website

With a cleaned website, ensure that it is secure. Make another full backup. Add security to the website by installing a firewall and locking down the website. Sucuri and Wordfence are both great additions to any WordPress website. Set up a regular backup system so that you always have a recent copy of your website. Store your backups off-site (use a third-party option such as Dropbox or Google Drive).

Having an infected WordPress website is not the end of the world. The challenge for DIY administrators is knowing where and what to look for. Getting your website back online is crucial for continued credibility. If all else fails, hire a company that understands WordPress and knows how to clean an infected website.
