Help with a hacked WordPress site
Find malicious code & remove malware
...or have it reliably removed.
Around 43% of all websites on the web run on WordPress. Among content management systems, that corresponds to a market share of a full 61% (as of 2026).
WordPress's widespread use and popularity make the system an attractive target for hackers. In most cases, attacks are fully automated. The target is not individual companies or people, but known vulnerabilities in the core and in plugins. The main cause of hacked websites is therefore missed security updates. The same also applies to Joomla! as well as all other CMS and shop systems.
If your WordPress site has been hacked, here is a summary of the most important repair steps along with a few tips.
Step 1: Disable the website - download backups
To avoid further damage, the website should be taken offline first and foremost.
Two proven options:
- .htaccess password protection (example.org/xssen.php)
- Rename/redirect the root directory (set up a maintenance page)
After that, download backups of all relevant data. In addition to the file system and the database, this also includes the server log files, which are essential for analyzing the hacking attack. These are either located in the /logs directory on the webspace or can be accessed via the web host's control panel.
Step 2: Analyze the breach - find the security vulnerability
For malware analysis, it is important that the timestamps of the downloaded files are preserved (option in the FTP program). To prevent any virus alert from interfering with the transfer, temporarily disable your local antivirus protection.
You can find potential malicious files as follows:
- Inspect recently modified files
- Go through the host's malware logs
- Local scan of the data with good antivirus software
- Check the WordPress root directory
  - Look out for file names other than .htaccess, index.php, wp-*.php, xmlrpc.php (by default, there are 15 PHP files in the WP root directory)
Note the timestamp (file modification time) of each piece of malicious code found.
Attention! The timestamp can also be falsified - it may have been set to discreetly match the timestamps of the other files in the respective directory. The timestamps of the directories should also be taken into account.
Based on that:
- Analyze the web server access logs
  - Suspicious POST entries
  - Typical attack patterns
You can find a helpful tool for identifying POST requests and further tips for analysis here.
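As an added example (not part of the original page and not the tool linked above), the following Python code applies Step 2 to a downloaded backup: it lists PHP files in the WordPress root that do not match the expected names and any PHP file under wp-content/uploads/, then pulls the POST requests logged around each file's modification time. The function names, the combined log format, the 10-minute window and the sample data are assumptions made for this example.

```python
import os, re, tempfile
from datetime import datetime, timedelta, timezone
# File names the page lists as expected in the WordPress root.
ROOT_OK = re.compile(r"^(index\.php|xmlrpc\.php|wp-[\w.-]+\.php)$")
# Combined log format (assumed): ip, [time], "METHOD path ...", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def suspicious_php(site_root):
    """Map relative path -> mtime for PHP files in places they do not belong."""
    hits = {}
    for name in os.listdir(site_root):  # unexpected PHP names in the root
        if name.endswith(".php") and not ROOT_OK.match(name):
            hits[name] = os.path.getmtime(os.path.join(site_root, name))
    uploads = os.path.join(site_root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(uploads):  # any PHP under uploads/
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                hits[os.path.relpath(full, site_root)] = os.path.getmtime(full)
    return hits

def posts_near(log_lines, mtime, minutes=10):
    """POST requests logged within +/- `minutes` of a file's mtime."""
    centre = datetime.fromtimestamp(mtime, timezone.utc)
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST":
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            if abs(when - centre) <= timedelta(minutes=minutes):
                found.append((m.group(1), m.group(4), m.group(5)))
    return found

# Constructed sample log and backup tree (documentation addresses, not real data).
SAMPLE_LOG = [
    '198.51.100.4 - - [03/Mar/2025:09:58:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2101',
    '203.0.113.7 - - [03/Mar/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48',
    '203.0.113.7 - - [03/Mar/2025:14:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
]

def demo():
    stamp = datetime(2025, 3, 3, 10, 2, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads", "2025"))
        for rel in ("index.php", "wp-load.php", "cache.php", "wp-content/uploads/2025/img.php"):
            path = os.path.join(root, *rel.split("/"))
            open(path, "w").close()
            os.utime(path, (stamp, stamp))  # simulate a preserved file timestamp
        return {rel: posts_near(SAMPLE_LOG, mt) for rel, mt in suspicious_php(root).items()}
```

A file named like wp-something.php passes the root filter, so the root should also be compared against a fresh WordPress download. Because the modification time can be falsified, an empty result for a file does not clear it.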
Step 3a: Restore backup
If the time of compromise can be clearly determined from the log files and a backup is available, the best course of action is to restore that backup and then update and secure the site.
Step 3b: Clean the file system (reinstall WP + plugins)
To ensure that no malware remains in the core and wp-content directories, it is necessary to reinstall the WordPress core and all plugins.
- Replace all WordPress system files, deleting wp-admin/ and wp-includes/ completely.
- Replace all plugins with clean versions by deleting all folders in wp-content/plugins/; the same applies to the theme.
- Search for/delete all PHP files in wp-content/uploads/.
Paid premium plugins must also be reinstalled using a fresh installation package directly from the source - do not simply use the version from the backup here. Even a single overlooked malicious file is enough for the WordPress installation to be hacked again through it.
Step 4: Change passwords
Changing all passwords goes without saying - FTP, MySQL (database), WordPress accounts, etc.
You should use strong passwords with uppercase/lowercase letters, numbers, and, for maximum security, special characters as well.
To prevent your WordPress site from being hacked again and again, you must carry out regular updates. Only then can you maintain the highest possible level of security.
You can find additional security measures in our blog article Secure WordPress.

