How to tell if your WordPress was hacked
A hacked WordPress site doesn’t always show obvious signs. Sometimes the only clue is that Google marks your site as “not secure,” or that your visitors are being redirected to suspicious pages while everything looks normal to you as the admin. This is deliberate — many attacks are designed to stay hidden from the site owner for as long as possible.
These are the most common warning signs to watch for:
- Redirects to other sites: When you visit your website, the browser takes you to a completely different page — casino sites, fake pharmacy stores, or content farms
- Pages in Japanese or Chinese: You find pages indexed in Google with Asian characters that you never created — this is a classic “Japanese keyword hack” used to rank spam content under your domain
- Google shows “This site may be dangerous”: A red warning in Chrome or a Safe Browsing alert before users can reach your site — one of the most damaging outcomes for both traffic and reputation
- Extreme slowness: The site loads much slower than usual for no apparent reason — often caused by malware running processes on the server in the background
- Unknown administrator accounts: You find admin accounts in your WordPress user list that you never created — a sign an attacker has already established persistent access
- Modified files: Core WordPress files, your theme files, or plugin files have been altered — detectable by comparing file checksums against the official distribution
- Spam email complaints: Your hosting provider or email reputation monitors flag your domain for sending spam — meaning the malware is already using your server as a relay
If you recognize any of these signs, don’t wait. The window between discovery and action directly determines how much damage the attack causes.
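The "modified files" sign above rests on comparing each core file's hash with the one WordPress publishes for that release. The script below is an added example, not code from the article: WordPress serves per-version MD5 manifests at https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US as a JSON object of the form {"checksums": {"relative/path": "md5", ...}}, and the function `verify_core` takes such a mapping plus the install root. So that it runs offline, `build_demo_site` constructs a tiny fake install and its matching manifest in a temporary directory, then tampers with one file, plants one, and deletes one. The sample file contents and names are constructed.

```python
"""Compare on-disk WordPress core files against a checksum manifest.

Added example (not the article's code). Only the manifest format mirrors the
real WordPress checksums API; the demo site and its hashes are constructed.
"""
import hashlib
import os
import tempfile


def md5_of(path: str) -> str:
    """Stream a file through MD5 so large files don't need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root: str, checksums: dict) -> dict:
    """Return {'modified': [...], 'missing': [...], 'unexpected': [...]}.

    'unexpected' lists PHP files under wp-admin/ or wp-includes/ that the
    manifest does not know about; a planted file with a plausible name in a
    core directory is a common way to hide a backdoor among legitimate files.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in checksums.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_of(full) != expected:
            report["modified"].append(rel)
    for core_dir in ("wp-admin", "wp-includes"):
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if name.endswith(".php") and rel not in checksums:
                    report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_demo_site():
    """Construct a fake install: clean core files, then tamper, plant and delete."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    clean = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.5';\n",
        "wp-admin/admin.php": b"<?php\nrequire_once __DIR__ . '/../wp-load.php';\n",
        "wp-includes/functions.php": b"<?php\nfunction wp_demo() {}\n",
    }
    checksums = {}
    for rel, content in clean.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        checksums[rel] = hashlib.md5(content).hexdigest()  # the "official" hash
    # Tampering: a line appended to a core file (constructed, inert).
    with open(os.path.join(root, "wp-includes/functions.php"), "ab") as fh:
        fh.write(b"// injected line\n")
    # A planted file with a core-looking name (constructed, inert).
    with open(os.path.join(root, "wp-includes/class.api.php"), "wb") as fh:
        fh.write(b"<?php // not a core file\n")
    # A core file that was deleted.
    os.remove(os.path.join(root, "wp-admin/admin.php"))
    return root, checksums


if __name__ == "__main__":
    site, manifest = build_demo_site()
    for kind, paths in verify_core(site, manifest).items():
        print(f"{kind}: {paths}")
```

Against a real install, fetch the manifest for the version shown in wp-includes/version.php and pass its "checksums" object to `verify_core`; anything in "modified" or "unexpected" is what to look at first, and a clean manifest match for wp-admin and wp-includes is the quickest way to confirm those two folders can simply be replaced wholesale.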
What to do immediately
1. Don’t panic, but act fast
Every minute that passes, the malware may be sending spam from your server, infecting visitors’ devices, building additional backdoors, or accumulating SEO damage under your domain. Act calmly but without delay. A structured response is always more effective than a rushed one.
2. Change all passwords
Before cleaning anything, change every credential associated with the site. If an attacker has your passwords, any cleanup you perform will be undone the moment they log back in.
Change:
- WordPress passwords (all admin users — not just your account)
- Your hosting account password (cPanel, Plesk, or whatever control panel you use)
- Database password
- FTP/SFTP credentials
- Security keys in wp-config.php (SALT keys) — WordPress provides a generator to regenerate these instantly
Do this before anything else. It’s the step most people skip because they want to start cleaning right away, and it’s the reason many cleanups fail when the attacker simply logs back in.
3. Make a backup of the current state
Yes, even of the infected site. This backup lets you analyze what happened: which files were modified, what code was injected, and how the attacker likely got in. This information is critical for preventing the same thing from happening again. Don’t use this backup to restore the site — only keep it for investigation purposes.
4. Identify the type of hack
Understanding what kind of attack you’re dealing with determines the cleanup approach. The most common WordPress hack types are:
- PHP file malware injection: Malicious code inserted directly into theme files, plugin files, or core WordPress files — often obfuscated with base64 encoding so it’s not immediately readable
- Backdoors: Hidden files or code snippets that give the attacker persistent access even after you change passwords — these are the most dangerous to miss, because they allow the attacker to re-infect the site days after you think it’s clean
- SEO spam (Japanese keyword hack): Ghost pages created entirely to rank spam content in Google under your domain, damaging your site’s authority and exposing your visitors to malicious destinations
- Pharma hack: Your site shows pharmaceutical or adult content to search engines and external visitors but looks normal to logged-in users — making it particularly hard to detect without external tools
- Malicious redirect via .htaccess or database: Code injected into the server configuration file or directly into the WordPress database that redirects mobile users, users coming from search engines, or all visitors to external sites
Knowing the type of attack helps you prioritize where to look during cleanup and tells you whether the infection is file-level only, database-level, or both.
5. Clean the infected files
This is the most technical step. You have two options:
Option A: Manual cleanup (if you have technical experience)
- Download a clean copy of WordPress from wordpress.org
- Fully replace the wp-admin and wp-includes folders with the clean versions — these shouldn’t contain any custom files, so a full replacement is safe
- Check wp-config.php line by line for any suspicious code that shouldn’t be there
- Review every file in wp-content/themes/ and wp-content/plugins/ — compare file modification dates to identify recently changed files
- Look for PHP files that shouldn’t exist — random-looking names like wp-tmp.php, class.api.php, config.bak.php, or files in directories where PHP shouldn’t be (like the uploads folder)
- Check the .htaccess file in the root directory and any subdirectories for redirect rules you didn’t add
- Scan the database for malicious JavaScript, spam links, or base64-encoded strings injected into post content or widget settings
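The manual checks in Option A (recently modified files, PHP where it shouldn't be, suspicious filenames, obfuscated code, .htaccess redirect rules, and base64 or script injections in post content) can be turned into one repeatable sweep. The script below is an added example and not the article's or any security plugin's code. The filename list, the obfuscation markers, the .htaccess patterns, the "recent" window of 7 days and the post-content markers are assumptions chosen for illustration; a real sweep should be driven by a current signature set and every hit still needs a human look. The demo tree it scans, including the inert "injected" snippet and the .htaccess rules, is constructed in a temporary directory; example.com is a reserved name.

```python
"""Heuristic sweep of a WordPress tree for the artefacts step 5 describes.

Added example, not from the article. All patterns are assumed triage
heuristics; the demo tree is constructed.
"""
import os
import re
import tempfile
import time

# Decode/execute chains legitimate theme or plugin code rarely uses, plus
# runs of hex escapes (assumed marker list).
OBFUSCATION = re.compile(
    r"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|(?:\\x[0-9a-f]{2}){4,}",
    re.IGNORECASE,
)
# Names the article lists, plus "random-looking": 8+ alphanumerics containing a digit.
SUSPICIOUS_NAME = re.compile(r"^(wp-tmp|class\.api|config\.bak)\.php$|^(?=.*\d)[a-z0-9]{8,}\.php$")
# .htaccess rules that send visitors off-site or branch on user agent / referer.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(RewriteRule\s+\S+\s+https?://|RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\})",
    re.IGNORECASE,
)
# Post-content markers: external script tags, decode calls, or long base64 runs.
# Triage only; legitimate third-party embeds will show up here too.
DB_MARKERS = re.compile(r"""<script[^>]*src=["']https?://|eval\s*\(|base64_decode|(?:[A-Za-z0-9+/]{4}){40,}={0,2}""")


def scan_tree(root: str, recent_days: int = 7, now: float = 0.0) -> dict:
    """Walk a WordPress install and bucket findings by heuristic."""
    now = now or time.time()
    findings = {"php_in_uploads": [], "suspicious_name": [], "obfuscation": [],
                "htaccess_redirect": [], "recently_modified": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            is_php = name.endswith(".php")
            if is_php and "/uploads/" in "/" + rel:
                findings["php_in_uploads"].append(rel)
            if SUSPICIOUS_NAME.match(name):
                findings["suspicious_name"].append(rel)
            if now - os.path.getmtime(full) < recent_days * 86400:
                findings["recently_modified"].append(rel)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            if is_php and OBFUSCATION.search(text):
                findings["obfuscation"].append(rel)
            if name == ".htaccess":
                for lineno, line in enumerate(text.splitlines(), 1):
                    if HTACCESS_REDIRECT.match(line):
                        findings["htaccess_redirect"].append(f"{rel}:{lineno}")
    for key in findings:
        findings[key].sort()
    return findings


def scan_post_content(rows) -> list:
    """rows: (post_id, post_content) pairs, e.g. from SELECT ID, post_content FROM wp_posts."""
    return [post_id for post_id, content in rows if DB_MARKERS.search(content)]


def build_demo_tree() -> str:
    """Construct a small install with one clean theme file, one tampered one,
    one planted file in uploads, and an .htaccess with a mobile redirect."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    old = time.time() - 60 * 86400  # pretend these were last touched two months ago
    files = {
        "wp-content/themes/demo/functions.php": ("<?php\nfunction demo_setup() {}\n", old),
        "wp-content/themes/demo/header.php":
            ("<?php\n// constructed fixture, not real malware\n$x = base64_decode('QUJD'); eval($x);\n", None),
        "wp-content/uploads/2024/01/wp-tmp.php": ("<?php // constructed planted file\n", None),
        ".htaccess": ("# BEGIN WordPress\nRewriteEngine On\n"
                      "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
                      "RewriteRule ^(.*)$ http://example.com/landing [R=302,L]\n"
                      "RewriteRule . /index.php [L]\n# END WordPress\n", old),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for kind, hits in scan_tree(build_demo_tree()).items():
        print(f"{kind}: {hits}")
```

Point `scan_tree` at the real document root and feed `scan_post_content` the rows of a `SELECT ID, post_content FROM wp_posts` export (and the option_value column of wp_options for widget settings); the "recently_modified" bucket is the one to cross-check against your own deploy history, since a file you did not touch that changed last week is exactly what the article's modification-date check is looking for.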
Option B: Hire a professional
If you don’t have technical experience with PHP, server file management, and database queries — or if you simply don’t have the time — the safest option is to hire someone who specializes in WordPress security. A professional can clean the site in hours, run a thorough backdoor scan, and make sure nothing is left behind. For sites that generate revenue, the cost of a professional cleanup is almost always less than the cost of the downtime and reputational damage from a prolonged compromise.
6. Update everything
After the cleanup is complete:
- Update WordPress to the latest version
- Update all plugins — especially any that have known vulnerabilities or were recently patched
- Update your theme and any child theme
- Delete plugins and themes you don’t actively use — inactive code is still a potential attack surface
7. Harden your security
To prevent the same attack from succeeding again:
- Install a security plugin (Wordfence, Sucuri, or Solid Security) and configure it — don’t just install and forget it
- Enable two-factor authentication on all administrator accounts
- Limit login attempts to block brute-force attacks
- Change the database table prefix if you’re using the default (wp_) — this reduces the effectiveness of automated SQL injection attacks
- Disable the file editor from within the WordPress dashboard (add define('DISALLOW_FILE_EDIT', true); to wp-config.php) — this prevents an attacker with admin access from modifying theme and plugin files through the browser
- Set up automatic backups to an external destination — at least weekly, daily if you have active e-commerce or content
- Always keep WordPress, plugins, and themes updated going forward
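Three of the items in steps 2 and 7 live in wp-config.php: regenerated security keys, a non-default table prefix, and DISALLOW_FILE_EDIT. The audit below is an added example, not the article's or WordPress's own code: it reads the file as text with regular expressions (it does not execute PHP) and reports which of those settings are missing or weak. The eight constant names and the "put your unique phrase here" placeholder are WordPress's own defaults, and fresh values come from the generator at https://api.wordpress.org/secret-key/1.1/salt/; the minimum salt length of 32 is an assumed threshold, and both sample configs are constructed.

```python
"""Audit a wp-config.php for the settings steps 2 and 7 call for.

Added example, not from the article. Regex-based, so unusual formatting
(values built from expressions, multi-line defines) will need adjusting.
"""
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # WordPress's shipped default
MIN_SALT_LEN = 32  # assumed threshold; the generator emits 64-character values
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]([A-Z_]+)['"]\s*,\s*(true|false|['"](?:[^'"\\]|\\.)*['"])\s*\)""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_config(text: str) -> dict:
    """Collect define('NAME', value) constants and the $table_prefix assignment."""
    defines = {}
    for key, raw in DEFINE_RE.findall(text):
        if raw.lower() in ("true", "false"):
            defines[key.upper()] = raw.lower() == "true"
        else:
            defines[key.upper()] = raw[1:-1]  # strip the surrounding quotes
    m = PREFIX_RE.search(text)
    return {"defines": defines, "table_prefix": m.group(1) if m else None}


def audit_config(text: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    cfg = parse_config(text)
    d = cfg["defines"]
    issues = []
    if d.get("DISALLOW_FILE_EDIT") is not True:
        issues.append("DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin editor is enabled")
    if cfg["table_prefix"] in (None, "wp_"):
        issues.append("table prefix is the default wp_")
    for key in SALT_KEYS:
        val = d.get(key)
        if val is None:
            issues.append(f"{key} is not defined; regenerate all keys")
        elif val == PLACEHOLDER or len(val) < MIN_SALT_LEN:
            issues.append(f"{key} is the placeholder or too short; regenerate all keys")
    return issues


# Constructed sample: a config that was never hardened.
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n$table_prefix = 'wp_';\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in SALT_KEYS
)


def sample_hardened_config() -> str:
    """Constructed sample of a config that passes; real salts come from the generator."""
    salts = "\n".join(
        f"define('{k}', 'constructed-sample-value-{k.lower()}-0123456789abcdef0123456789abcdef');"
        for k in SALT_KEYS
    )
    return f"<?php\n$table_prefix = 'k7x_';\ndefine('DISALLOW_FILE_EDIT', true);\n{salts}\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", sample_hardened_config())):
        print(label, audit_config(cfg) or "OK")
```

Run it against a copy of the real wp-config.php after the password step; if any salt is reported, replace all eight constants at once with the generator's output, since WordPress only invalidates existing sessions when the keys it signs cookies with actually change.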
How long does it take to recover a hacked WordPress
Recovery time depends entirely on the severity of the infection and whether any database content was affected:
- Simple hack (malware in one plugin file, no backdoors): 2–4 hours
- Moderate hack (backdoors embedded in multiple files, modified .htaccess): 4–8 hours
- Severe hack (database compromised, SEO spam pages created, multiple backdoors, Google flagged): 1–3 days
The timeline also depends on whether you can restore from a clean pre-hack backup (much faster) or have to clean file by file from a compromised state. This is why current, external backups are non-negotiable.
How much does it cost to clean a hacked WordPress
Prices vary by provider and the severity of the infection. As a general reference:
- Basic cleanup (single malware type, no database involvement): from USD 100–200
- Full cleanup + hardening (multiple vectors, backdoors, database, post-cleanup security configuration): from USD 200–500
- Emergency response surcharge: many providers charge a 25–50% premium for same-day or after-hours response — having a maintenance relationship in place beforehand usually eliminates this
- Monthly maintenance plan (prevents incidents rather than reacting to them): from USD 40–80/month
The math here is straightforward: a USD 80/month maintenance plan prevents the USD 200–500 cleanup cost plus the days of downtime, plus the weeks of SEO recovery. The preventive investment is almost always smaller than the reactive one.
To understand what a professional maintenance plan covers and whether it makes sense for your business, read our complete WordPress maintenance guide for businesses.