It was 3:32 AM when an automated alert landed in our inbox. It was from the Netcraft Takedown Service, and the subject line was stark: “Malicious web shell being hosted on your network.” This is the kind of notification that sets alarm bells ringing for any hosting provider.

For those unfamiliar, Netcraft is not just any company; it’s a world leader in cybercrime detection, disruption, and takedown services. They are trusted by some of the largest global brands, including Microsoft and Meta.

The report identified a malicious web shell on a client’s website, greececruiseexcursions.com. It went on to explain that once a web shell is in place, an attacker can upload files, execute commands on the server, and even use the server to send spam.

This client was not using our Shielded WordPress service (a secure WordPress hosting plan), meaning their WordPress installation was directly exposed to the internet, making it a target for automated hack attempts. We immediately took action and contacted our client.

While the situation was critical, the good news is that a hacked WordPress website can be cleaned and restored. If you’re wondering how to recover a hacked website, read on.

Step-by-Step Guide to Learn How to Recover Hacked Websites

If you discover your website has been hacked, follow these steps methodically to regain control and secure your site.

Step 1: Isolate Your Website

Immediately take your site offline. This prevents attackers from causing more damage, stops malware from spreading to your visitors, and protects your brand’s reputation. You can do this by using a maintenance mode plugin or by replacing your index.php file with a temporary, static index.html page. This is the first step in learning how to recover hacked websites.

Step 2: Backup Your Hacked Site

This might sound counterintuitive, but you must create a full backup of the current, compromised website (both files and the database). This backup is a critical piece of evidence. It will allow you to analyze the hack without touching the live server and ensure you don’t accidentally delete important data during the cleanup process.

Step 3: Scan WordPress For Vulnerabilities

With your site offline, scan WordPress thoroughly for vulnerabilities and to identify infected files and scripts. Use a combination of tools:

  • Server-Side Scanners: Ask your host if they have tools like ClamAV.
  • External Scanners: Use services like Sucuri SiteCheck or Wordfence to scan your site from the outside.
  • Plugins: Install a security plugin on your backed-up copy to perform a deep scan of files and the database.

These scans will generate a list of suspicious files, malicious code injections, and known vulnerabilities.

Step 4: Remove Malware from Your WordPress Website and Clean Your Files

This is the most hands-on part of the process.

Replace Core Files: Download a fresh copy of WordPress from WordPress.org.

  • First, delete your site’s old wp-admin and wp-includes directories. You should also delete all other core WordPress files from your root directory (like wp-login.php, wp-mail.php, etc.). Do not delete your wp-content folder and wp-config.php file.
  • Next, upload the new wp-admin and wp-includes directories and all other files from the fresh WordPress download into your site’s root directory.
  • Handle wp-config.php with care: This file contains your database information but can also be infected. To be safe, do not reuse your old file directly. Instead, find the wp-config-sample.php file from the new download. Open it, and carefully copy your database details (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, and table prefix) from your old wp-config.php file into it. Save this new file as wp-config.php.
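The wp-config.php step above can be scripted so that nothing but the five named values leaves the old file. This is an added example, not code from the original post; the function names and both embedded file contents are constructed for illustration.

```python
import re

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# A define() at the start of a line; group 2 is the raw quoted PHP literal.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*"""
    r"""((['"]).*?\3)\s*\)\s*;""", re.M)
PREFIX_RE = re.compile(r"""^[ \t]*\$table_prefix\s*=\s*['"]([A-Za-z0-9_]+)['"]\s*;""", re.M)

# Constructed stand-ins for the old (possibly infected) file and the fresh sample.
OLD_CONFIG = r"""<?php
define('DB_NAME', 'shop_db');
define('DB_USER', 'shop_user');
define('DB_PASSWORD', 'p@ss\'word');
define('DB_HOST', 'localhost');
$table_prefix = 'wp7_';
@include 'wp-content/uploads/.cache.php'; // constructed stand-in for an injected line
"""
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

def extract_settings(old_config):
    """Read the old file as text; only the five named values are taken from it."""
    found = {}
    for m in DEFINE_RE.finditer(old_config):
        found.setdefault(m.group(1), m.group(2))  # PHP keeps the first define()
    prefix = PREFIX_RE.search(old_config)
    missing = [k for k in DB_KEYS if k not in found]
    if missing or not prefix:
        raise ValueError(f"could not read {missing or 'the table prefix'}")
    found["table_prefix"] = prefix.group(1)
    return found

def build_clean_config(sample, settings):
    """Write the carried-over values into the text of wp-config-sample.php."""
    out, n = DEFINE_RE.subn(
        lambda m: f"define( '{m.group(1)}', {settings[m.group(1)]} );", sample)
    out, p = PREFIX_RE.subn(
        lambda m: f"$table_prefix = '{settings['table_prefix']}';", out)
    if n != len(DB_KEYS) or p != 1:
        raise ValueError("unexpected wp-config-sample.php layout")
    return out

if __name__ == "__main__":
    print(build_clean_config(SAMPLE, extract_settings(OLD_CONFIG)))
```

The security keys and salts are deliberately not carried over; Step 6 replaces them with fresh ones.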

Inspect wp-content: Go through your wp-content folder file by file. This is where most hacks hide. Delete any suspicious-looking plugins or themes.

Reinstall Plugins and Themes: Delete all of your plugins and themes. Reinstall them from their official sources (the WordPress repository or the developer’s official website). Never use a version from an unknown source.

Check .htaccess: Since you have already created a clean wp-config.php, now focus on your .htaccess file. Carefully inspect it for any malicious code or strange redirect rules. Compare it with a default WordPress .htaccess file for reference.
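One way to do the .htaccess comparison, as an added example that is not part of the original post: it lists every directive that sits outside the `# BEGIN WordPress` / `# END WordPress` markers or is not part of the default block. It assumes a single site installed in the web root with permalinks enabled; the function name and the sample file are constructed.

```python
# Default rewrite block WordPress writes between its BEGIN/END markers
# (single site in the web root; older releases omit the HTTP_AUTHORIZATION line).
DEFAULT_BLOCK = [
    "<IfModule mod_rewrite.c>",
    "RewriteEngine On",
    "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
    "</IfModule>",
]

# Constructed .htaccess with extra redirect rules, for illustration only.
SAMPLE = r"""RewriteEngine On
RewriteRule ^(.*)$ http://example.invalid/$1 [R=302,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Redirect 302 /shop http://example.invalid/
</IfModule>
# END WordPress
"""

def review_htaccess(text):
    """Return (line number, directive, reason) for every line to review by hand."""
    findings, inside, allowed = [], False, set(DEFAULT_BLOCK)
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line == "# BEGIN WordPress":
            inside = True
        elif line == "# END WordPress":
            inside = False
        elif not line or line.startswith("#"):
            continue
        elif not inside:
            findings.append((n, line, "outside the WordPress block"))
        elif line not in allowed:
            findings.append((n, line, "not in the default block"))
    return findings

if __name__ == "__main__":
    for n, line, reason in review_htaccess(SAMPLE):
        print(f"line {n}: {line}  <- {reason}")
```

A flagged line is a prompt for review rather than proof of infection, since caching or HTTPS rules added by the site owner are reported too.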

Step 5: Clean Your Database

Hackers can also inject malicious content and spammy links into your database. Use a tool like Search-Replace-DB or a security plugin’s database scanner to look for suspicious content (like script tags or spam keywords) within your posts, pages, and comments. Remove any malicious entries you find. This complements your website security check and reinforces your recovery.

Step 6: Change All Your Passwords and Secrets

Assume that the attacker has stolen every password. You must change everything:

  • All WordPress user passwords (especially for admin accounts).
  • Database password.
  • Hosting control panel (cPanel/Plesk) password.
  • FTP/SFTP passwords.
  • Go to the official WordPress salt generator and replace the old keys in your wp-config.php file. This will log out all users and invalidate existing cookies.

Step 7: Bring Your Site Back Online

Once you have uploaded the clean files and the sanitized database, remove the maintenance page to bring your site back online. Clear all server-side and browser caches. Confirm that your website security check passes before going live again. You’re now close to completing the recovery process.

Step 8: Monitor Closely

Keep a close watch on your site for a few days. Check your logs and use a file integrity monitor to ensure the attacker doesn’t return using a backdoor you might have missed.

The Proactive Solution: Prevention Over Cure

Cleaning a hacked site is a reactive, time-consuming, and stressful process. The client in our story was able to recover, but they experienced downtime and a major security scare. What if you could prevent this from ever happening in the first place?

This is where our hosting philosophy makes a difference. All our plans are built on Speedfirst WordPress Hosting, which provides a fast, stable, and inherently more secure foundation than standard hosting. It dramatically lowers the risk of intrusion, so you won’t have to constantly scan WordPress for vulnerabilities, run emergency website security checks, or figure out how to recover hacked website content under pressure.

But for businesses that cannot afford any risk, we take security a step further. To solve the exact problem our client faced, we developed the Shielded WordPress service as an additional layer of protection.

Imagine a fortress around your website. That’s what Shielded WordPress offers. It fundamentally changes how your site is exposed to the internet, reducing attack surfaces and preventing unauthorized access. You don’t just react and remove malware from WordPress website infrastructure — you block those threats entirely.

We convert your WordPress site into a static-like infrastructure. Your visitors interact with an ultra-fast, read-only version of your site, making it impossible for attackers to exploit common WordPress vulnerabilities. The actual WordPress core, with its admin dashboard and database, is completely locked down and firewalled, accessible only to you when you need to make updates.

Here are the benefits:

  • Complete Prevention of Hacking Attempts: It is designed to completely prevent hacking attempts like the web shell incident mentioned earlier. Nobody can access your WordPress core if you don’t want them to — meaning there’s no need to constantly scan WordPress for vulnerabilities or figure out how to recover hacked website content later.
  • No More Update Anxiety: Forget about your site breaking on WordPress updates. Since the public-facing site is separate, updates can be tested in a safe environment without affecting your visitors.
  • Eliminate Risky Security Plugins: Security plugins can be complex and, ironically, can sometimes introduce vulnerabilities themselves. Our service removes this dependency entirely — offering you secure WordPress hosting that works by design, not patchwork.
  • Automated Defense: Our system automatically blocks hacking attempts and malicious bots before they can even reach your WordPress installation. With continuous monitoring and built-in protection, you dramatically reduce the chances of needing to remove malware from WordPress website files or troubleshoot how to recover hacked website data.

Understanding how to recover a hacked website is crucial, but preventing the issue matters even more. If you’re already dealing with a compromise, follow the guide above to remove malware from your WordPress website, run a full website security check, and scan WordPress for vulnerabilities using multiple methods.

Next time, don’t wait for a disaster to land in your inbox. Move to a platform that provides true secure WordPress hosting. With our Shielded WordPress service, you can lock down your site at the infrastructure level and never need to worry about how to recover a hacked website again.
