Help for a hacked WordPress website
Find malicious code & remove malware
...or have it reliably removed.
Around 43% of all websites on the internet run on WordPress. Among content management systems, that equals an impressive market share of 61% (as of 2026).
The massive spread and popularity of WordPress make the system an attractive target for hackers. In the vast majority of cases, attacks are fully automated. The targets are not individual companies or people, but known vulnerabilities in the core and in plugins. The main cause of hacked websites is therefore missed security updates. The same applies to Joomla! as well as all other CMS and e-commerce systems.
In case your WordPress has been hacked, you will find a summary of the most important recovery steps here, along with a few tips.
Step 1: Take the website offline - download backups
To prevent further damage, the website should first be taken offline.
Two proven options:
- .htaccess password protection (example.org/xssen.php)
- Rename/redirect the base directory (set up a maintenance page)
Then download backups of all relevant data. In addition to the file system and the database, this includes the server's log files, which are essential for analyzing the attack. These are located either in the /logs directory on the web space or can be retrieved via the web host's control panel.
Step 2: Analyze the breach - find the security vulnerability
For malware analysis, it is important that the timestamps of the downloaded files are preserved (option in the FTP program). To prevent a virus alert from interrupting the transfer, temporarily disable the local antivirus protection.
You can identify potential malicious files as follows:
- Inspect recently modified files
- Review the hoster's malware logs
- Run a local scan of the data with good antivirus software
- Check the WordPress root directory
- Watch out for file names != .htaccess, index.php, wp-*.php, xmlrpc.php (by default, there are 15 PHP files in the WP root directory)
Note the timestamp (file modification time) for each malicious code finding.
Attention! The timestamp may also have been forged to match the other files in the respective directory so that the malicious file does not stand out. The timestamps of the directories should also be taken into account.
Based on that:
- Analyze the web server access logs
- Suspicious POST entries
- Typical attack patterns
A helpful tool for picking out POST requests and more evaluation tips can be found here.
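The following shell helpers are an added illustration for this article (not a tool from the original page) that apply the Step 2 checks to a downloaded copy of the site and its access log: PHP files in the WP root outside the stock set, PHP scripts under wp-content/uploads/, recently modified files, and POST requests to PHP scripts other than the stock endpoints. The stock root file list is assumed from a standard WordPress package plus the generated wp-config.php; the log is assumed to be in Apache combined format.

```shell
#!/bin/sh
# Triage helpers for a downloaded copy of a hacked WordPress site (Step 2).
# Constructed example for this article; WP_ROOT_PHP is the stock WordPress
# root file set plus the generated wp-config.php (assumed, not from the page).
WP_ROOT_PHP="index.php wp-activate.php wp-blog-header.php wp-comments-post.php \
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php \
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# PHP files directly in the WordPress root $1 that are not stock core files.
unexpected_root_php() {
  for f in "$1"/*.php; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    case " $WP_ROOT_PHP " in
      *" $name "*) ;;                 # known core file, nothing to report
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# PHP scripts under wp-content/uploads/ of site root $1; a clean site has none.
uploads_php() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Files under $1 modified within the last $2 days (needs preserved mtimes).
recent_files() {
  find "$1" -type f -mtime "-$2" 2>/dev/null
}

# POST requests in a combined-format access log $1 whose target is a PHP
# script other than the stock root endpoints or the wp-admin backend.
suspicious_posts() {
  grep '"POST ' "$1" | while IFS= read -r line; do
    req=$(printf '%s\n' "$line" | cut -d'"' -f2)   # e.g. POST /x.php?a=1 HTTP/1.1
    path=${req#POST }; path=${path%% *}; path=${path%%\?*}
    case "$path" in *.php) ;; *) continue ;; esac  # only script targets matter here
    case "$path" in /wp-admin/*) continue ;; esac  # backend handles its own POSTs
    case " $WP_ROOT_PHP " in *" ${path#/} "*) continue ;; esac
    printf '%s\n' "$line"
  done
}
```

Run the four functions against the unpacked backup and the downloaded access log; each hit is a candidate for the timestamp correlation described above.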
Step 3a: Restore backup
If the time of compromise can be determined beyond doubt from the log files and a backup is available, restoring it and then updating and securing it is a good option.
Step 3b: Clean up the file system (reinstall WP + plugins)
To rule out that malware is still present in the core and wp-content directories, the WordPress core and all plugins must be reinstalled.
- Replace all WordPress system files; to do this, completely delete wp-admin/ and wp-includes/.
- Replace all plugins with clean versions; to do this, delete all folders in wp-content/plugins/, and the same applies to the theme.
- Find/delete all PHP files in wp-content/uploads/.
Even paid premium plugins must be reinstalled with a fresh installation package directly from the source - do not simply use the version from the backup here. Even a single overlooked malicious file is enough for the WordPress installation to be hacked again through it.
Step 4: Change passwords
Changing all passwords goes without saying - FTP, MySQL (database), WordPress accounts, etc.
You should use strong passwords with uppercase/lowercase letters, numbers, and for maximum security, additional special characters.
To prevent your WordPress from being hacked again and again, regular updates must be carried out. Only this way can the highest possible level of security be maintained.
You can find additional security measures in our Securing WordPress blog article.