Clean up a hacked WordPress site

There is nothing more frustrating than a hacked WordPress site and not knowing where to turn.

Here at AljaCloud we are trying to help our customers who are facing this unfortunate situation as much as possible so that they can get back to business as usual as quickly as possible.

Preventive maintenance
Obviously, it is much better to prevent a hack.

If you were lucky enough to not have your WordPress hacked, you probably did the following:

Use strong cPanel, FTP, email, and WordPress passwords (such as passwords containing letters, numbers, and special characters)
Keep WordPress core files up to date along with plugins and themes
Maintain backups regularly
Use a good security WordPress plugin

Nightly malware scans
Here at AljaCloud, we try to help you be proactive by automatically scanning accounts every night for malware.

When infected files are detected, they are automatically removed, preventing most attacks from spreading (i.e. infecting your entire cPanel account).

However, it is important to remember that the account is still infected with malware, which means that there is a security hole in your website that needs to be patched.

You can follow these steps to secure your installation.

Before starting the next steps, it is important that you have a full backup of your account. You can create this by going to cPanel -> Backups -> Download a full backup.

Replace WordPress Core files 
The first thing you want to do when your WordPress site gets injected with malicious content is to replace your WordPress core files with clean ones.

You can easily download them from wordpress.org and use your favorite FTP program (such as FileZilla) to upload them.

If you are not running the latest version of WordPress, it is important to download the correct version and then upgrade as soon as you are able.
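A way to check the result of this step, as an added example (not AljaCloud's own tooling): the script compares the live installation against an unpacked clean copy of the same WordPress version and lists core files that are modified, missing, or not part of the release. The two directory arguments and all function names are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# Paths that legitimately differ from a clean release: site content and config.
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = {"wp-config.php"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root: Path) -> dict:
    """Map each relative path under root to its SHA-256, minus skipped paths."""
    files = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in SKIP_FILES and not rel.startswith(SKIP_PREFIXES):
            files[rel] = sha256_of(path)
    return files


def compare_core(clean_root, live_root) -> dict:
    """Compare a live install against a clean copy of the same WordPress version."""
    clean = list_files(Path(clean_root))
    live = list_files(Path(live_root))
    return {
        # Core files whose content differs from the clean release.
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        # Core files deleted from the live site.
        "missing": sorted(p for p in clean if p not in live),
        # Files outside wp-content that the release does not ship. An FTP upload
        # overwrites core files but leaves these in place, so review them by hand.
        "extra": sorted(p for p in live if p not in clean),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_core.py CLEAN_DIR LIVE_DIR")
    for kind, paths in compare_core(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind}\t{rel}")
```

The wp-content directory and wp-config.php are excluded because they legitimately differ from a release, so they still need the theme and plugin replacement and a manual review.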

Update themes and plugins
Once you have secured your core WordPress files, and upgraded to the latest version, you will need to replace all themes and plugins with new versions as well.

Most plugins can easily be upgraded within your wp-admin under the plugins menu. Many of the default themes can be upgraded here too, but if you have a custom theme you may need to go to the theme developer's website to download the latest files.

Scanning with Wordfence
Wordfence is a security plugin that has a free version that includes a malware scan. Once you’ve updated things, it’s important to run a scan to see whether it detects anything else.

Wordfence will also ask for your email so it can alert you when a plugin/theme/core file needs to be updated. It also has a strong firewall that helps prevent some hacking attempts.

Change all passwords
If your WordPress site has been hacked, you need to assume that all your passwords have been compromised.

You need to change everything:

cPanel master password
All email account passwords
All FTP account passwords
All MySQL user passwords (make sure you update the wp-config.php file)
WordPress admin password and users

When changing passwords, be sure to use a strong password generator rather than a string you pick yourself, which might be vulnerable to dictionary-based attacks.

If you have more than one WordPress installation in cPanel, you must complete the above for all of them.

Completely re-create your cPanel account
If you complete everything but are still experiencing malware injections, spam, or other malicious activity, it’s possible that your entire cPanel account has been compromised and needs to be rebuilt.

This is the worst-case scenario, but we’ve seen it happen.

You will first need to take a full backup of the account (cPanel -> Backups -> Download a full website backup) and then contact us to have our team completely delete the account.