How to Recover a Hacked WordPress Site Without Losing Data

The moment you realize your website has been hacked is terrifying. Your first thought might be of broken pages or strange content appearing on your homepage. But the biggest fear runs much deeper—it’s the potential loss of all your hard work, your customer data, and your online reputation.

A hacked site isn’t just an inconvenience; it’s a critical business emergency. The breach can corrupt your database, inject malicious software that harms your visitors, steal sensitive user information, or even get your site blacklisted by Google, making you invisible to the world.

The good news is that a hack doesn’t have to mean a total loss. With a calm and methodical approach, you can reclaim your site, secure it against future attacks, and—most importantly—do it all without losing your valuable content and data. This guide provides a safe, step-by-step workflow to do just that.

Don’t Panic—Assess the Situation

When you discover a hack, your adrenaline spikes and your first instinct might be to start deleting files randomly. Don’t. Acting hastily can make a bad situation much worse, potentially deleting crucial data or making the infection harder to trace.

The very first step is to take a deep breath. A calm, logical approach is your best weapon. Start by assessing the damage. Look for common symptoms:

  • Strange Redirects: Your website URL suddenly sends visitors to a spammy or malicious site.
  • Site Loading Errors: Your site shows a blank white screen, a database connection error, or a 500 internal server error.
  • Suspicious Content: You see new, unfamiliar pages, posts filled with spam links, or strange ads appearing on your site.
  • New Admin Users: You find new user accounts in your WordPress dashboard that you didn’t create.
  • Google Warnings: Your site is flagged in search results with a message like “This site may be hacked” or “This site may harm your computer.”
  • Emails from Your Host: Your hosting provider may have detected malware and sent you a warning or suspended your account.

Try to determine the scope of the hack. Can you still log into your WordPress admin dashboard? Is the malicious content only appearing on the front end of your site, or has your database been filled with spam links and users? Knowing what’s affected will help you plan your recovery.

Secure Your Environment to Stop the Bleeding

Before you start cleaning, you need to contain the threat and prevent further damage to your site and its visitors.

  1. Activate Maintenance Mode: If you can still access your admin dashboard, use a plugin like WP Maintenance Mode or SeedProd to put your site into maintenance mode. This shows a friendly message to your visitors while preventing them from interacting with potentially harmful content.
  2. Change Critical Passwords Immediately: The hacker may have stolen your credentials. Change them now, in this order of priority:
    • Hosting account password.
    • SFTP/FTP and SSH passwords.
    • All WordPress admin user passwords.
    • Your database password (this can usually be changed via your hosting control panel).
  3. Contact Your Hosting Provider: Open a support ticket with your host immediately. Inform them that you’ve been hacked. They can often provide valuable information from server logs, help identify the point of entry, and use server-side tools to scan for and stop malware from spreading further.

Backup Everything Before You Touch Anything

This may sound counterintuitive. Why back up an infected site? Think of it as taking a “crime scene photo.” This infected backup is your ultimate safety net. If a fix goes wrong and you accidentally delete something important, you can use this backup to restore the site to its hacked state and try a different approach.

  • Use your hosting provider’s backup tool (often found in cPanel or Plesk).
  • If you have command-line access, use WP-CLI to export the database and zip the files.
  • Use a trusted backup plugin like UpdraftPlus or All-in-One WP Migration to create a full backup.

Crucially, store this backup in an offsite location, like Google Drive, Dropbox, or your local computer. Do not leave it on the same server, as the entire server could be compromised.
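The WP-CLI route described above, as an added example (not part of the original article): it exports the database, archives the whole tree as found, and writes a hash manifest so the offsite copy can be verified later. It assumes WP-CLI, tar and sha256sum are installed; the function names and the site and output paths are placeholders you supply.

```shell
#!/bin/sh
# Added example: evidence snapshot of a compromised WordPress site.
# Assumes WP-CLI (wp), tar and sha256sum are available. SITE and OUT are
# paths you supply; OUT must sit outside the web root.

snapshot_site() (
    site="$1"; out="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    umask 077    # the dump holds password hashes and wp-config.php secrets
    mkdir -p "$out" || exit 1

    # Database first: "wp db export" reads credentials from wp-config.php.
    wp --path="$site" db export "$out/db-$stamp.sql" >&2 || exit 1

    # Whole tree, infected files included, exactly as found.
    tar -czf "$out/files-$stamp.tar.gz" -C "$site" . || exit 1

    # Hash manifest so the copy can be checked after it is moved offsite.
    cd "$out" || exit 1
    sha256sum "db-$stamp.sql" "files-$stamp.tar.gz" > "SHA256SUMS-$stamp" || exit 1
    echo "$out/SHA256SUMS-$stamp"
)

# Returns 0 only if every file still matches the manifest.
verify_snapshot() (
    cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" >/dev/null 2>&1
)

# Stand-alone use: sh snapshot.sh /path/to/site /path/outside/webroot
if [ "$#" -eq 2 ]; then snapshot_site "$1" "$2"; fi
```

Run verify_snapshot against the manifest again after copying the files offsite, and treat the archive as hostile content: never unpack it inside a web-served directory.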

Scan and Identify the Malware

Now it’s time to play detective. You need to find all the malicious code, spam injections, and backdoors the hackers left behind.

  • Use a Security Scanner Plugin: This is the easiest and most effective first step. Install a reputable scanner like Wordfence, Sucuri Security, or MalCare. Run a deep scan, which will compare your core files, themes, and plugins against known malware signatures and report any suspicious files or database entries.
  • Manual Checks: While scanners are powerful, sometimes you need to look manually. Check for recently modified files (you can sort by date via FTP), look for unfamiliar PHP files in your core directories (like wp-includes or wp-admin), and check for suspicious cron jobs that might be re-infecting your site automatically.
  • Check the Database: Scan your database for trouble. Look for injected spam keywords in your posts and pages, and check the wp_users table for any unauthorized admin accounts.
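The manual file checks above, as an added example (not part of the original article): read-only helpers that list script files inside uploads, recently changed files, and core files that are missing from or differ from a fresh WordPress copy of the same version. The function names and both paths are assumptions you supply.

```shell
#!/bin/sh
# Added example: read-only manual checks on a WordPress tree.
# SITE is the live install; FRESH is an unpacked copy of the same WordPress
# version from WordPress.org. Both paths are supplied by you.

# Script files inside uploads, where only media should live.
php_in_uploads() (
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
)

# Files changed in the last N days (default 7). Modification times can be
# forged, so treat this as a hint and rely on core_diff for core files.
recently_modified() (
    find "$1" -type f -mtime "-${2:-7}" | sort
)

# Core files that are absent from, or differ from, the fresh copy.
core_diff() (
    live="$1"; fresh="$2"
    for dir in wp-admin wp-includes; do
        [ -d "$live/$dir" ] || continue
        (cd "$live" && find "$dir" -type f | sort) | while IFS= read -r rel; do
            if [ ! -f "$fresh/$rel" ]; then
                echo "UNKNOWN $rel"      # not shipped with WordPress
            elif ! cmp -s "$live/$rel" "$fresh/$rel"; then
                echo "MODIFIED $rel"     # shipped file with altered content
            fi
        done
    done
)

# Stand-alone use: sh triage.sh /path/to/site /path/to/fresh-wordpress
if [ "$#" -eq 2 ]; then
    php_in_uploads "$1"; core_diff "$1" "$2"; recently_modified "$1" 7
fi
```

Where WP-CLI is installed, `wp core verify-checksums` performs the core comparison against the checksums published by WordPress.org, `wp user list --role=administrator` lists the admin accounts to review, and `wp cron event list` shows scheduled WordPress cron events.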

Clean the Infection Safely

Once you’ve identified the malicious files and code, it’s time for surgery.

  1. Replace WordPress Core Files: Hackers love to hide malware in core WordPress files. The safest way to clean them is to replace them entirely. Download a fresh copy of WordPress from WordPress.org, unzip it, and then delete the wp-admin and wp-includes directories on your server. Upload the fresh ones to replace them. Do not delete your wp-config.php file or your wp-content folder.
  2. Reinstall Your Themes and Plugins: Delete all of your theme and plugin folders from wp-content/themes and wp-content/plugins. Then, reinstall fresh, clean copies from the official WordPress repository or the original developer. This is also a great time to delete any plugins and themes you are no longer using, as they are a common security risk.
  3. Protect Your Uploads: Do not blindly delete your wp-content/uploads folder! This is where all your images and media files live. While you should scan it for any suspicious .php files, the media files themselves (.jpg, .png, .pdf) are generally safe.
  4. Clean the Database: This is the most delicate step. If the scan found spam links or malicious scripts injected into your posts or options table, they must be removed. A plugin like Wordfence or a tool like Search-Replace-DB can help, but if you’re not confident, this is the best time to call a professional.

Harden Your Site After Recovery

You’ve cleaned the infection, but the lock on your front door is still broken. Hardening your site is about adding new locks and an alarm system to prevent hackers from getting back in.

  • Update Everything: Ensure WordPress core, all your plugins, and all your themes are updated to their latest versions.
  • Enforce Strong Passwords: Use a tool to force all users to reset their passwords and enforce the use of strong, unique passwords.
  • Limit Login Attempts: Install a plugin that locks users out after a few failed login attempts to prevent brute-force attacks.
  • Install a Security Plugin with a Firewall: If you haven’t already, install a comprehensive security plugin like Wordfence or Sucuri and enable its Web Application Firewall (WAF). The firewall acts as a shield, blocking malicious traffic before it can even reach your site.

Reset All Credentials

The hackers might have stolen more than just your WordPress password. You need to assume every credential associated with your site is compromised.

  • Force Password Resets for All Users: Ensure every single user on your site, from subscribers to admins, resets their password.
  • Regenerate API Keys: Generate new, secret API keys for all integrated services, such as your payment gateways (Stripe, PayPal), email marketing service (Mailchimp), and Google Maps.
  • Review and Revoke Users: Go through your user list and delete any suspicious accounts or users who no longer need access.

Test Thoroughly Before Going Live

You’re almost there. Before you disable maintenance mode and announce you’re back online, you need to do a final, thorough check.

  1. Run One Final Scan: Use your security scanner again to confirm the site is 100% clean.
  2. Test Key Functions: Make sure everything works as expected. Can you log in and out? Can users register? If you run an e-commerce store, can you complete a test checkout? Do your contact forms submit correctly?
  3. Check the Front End: Browse your site as a visitor would. Ensure there are no broken images, missing content, or lingering spam links.

A Methodical Recovery is a Safe Recovery

Discovering your site has been hacked is a stressful experience, but losing your data doesn’t have to be part of it. By following a careful workflow of Backup → Scan → Clean → Harden → Reset, you can methodically remove the infection, secure your website against future attacks, and preserve all of your valuable content and customer information.

If your WordPress site has been compromised and you feel overwhelmed by the recovery process, don’t wait until the damage spreads further. Contact us, and we’ll restore your site professionally, ensuring your data remains completely intact.
