Yep, it is true: a mask-faced, fast-finger-typing nerd of a hacker thousands of miles from you has got into your website. So what do you do? In this article, I will show you how to fix a hacked WordPress site, so you can get your business up and running fast.

When you have done something long enough, it almost becomes natural to drift to the easiest, fastest, and laziest solutions that get the job done.

I could say that applies to fixing a hacked website.

As a practice, we make an effort to keep backups for all client websites. In the unfortunate yet likely event of a hack, we default to restoring the site from a backup, then patch up the holes that let the hacker in.

Sorry, I am getting ahead of myself; that’s not where I would start.

When you visit your website and find it has been defaced, there are a couple of steps to take.

Step by Step: How to Fix A Hacked WordPress Site?

1. Go offline

The first thing you need to do is go offline. If you see something strange, so does every one of your customers and visitors.

Taking the website or the affected pages down will provide you the room to investigate and correct the issues.

When you go offline, leave a notice on the website informing visitors that the site will be offline temporarily.

2. Figure out what hack you are dealing with

Secondly, figure out what hack you are dealing with.

Have the files been deleted? Do you see links to malicious or unknown sites on your website? Could it be that your database is compromised? Are browsers warning of malware infections when people visit your website?

Knowing how your website was compromised is essential, as it tells you what to do to fix the hack and, most importantly, how to prevent future hacks.

3. Fix the website

If your website is totally wiped out, I mean files deleted from the server, the only way to get back from this is to restore your site. If you do not have a backup, then you will have to rebuild your website. It sucks, I know.

If your website has been injected with malware, you may have to hire a security person (not the guy with a gun) to fix the files.

However, you could first try to replace your files: the core WordPress files, themes, and plugins. Delete all of them and upload new files. Remember to back up your data before you do this.

If you do not have access to a clean copy of the theme and plugin files, you will need to know what files have been compromised, then manually edit them, removing the extra lines of code added to the files.

The same applies to the database.

As you can see, the average Joe website owner is not knowledgeable enough for this.
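One way to work out which files have changed, as an added example (not code from this article or from WordPress): hash every file in the live install and compare it with a clean copy you downloaded yourself. The function names, the `php_in_uploads` heuristic, and the two sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_clean(live_root, clean_root):
    """Classify files of the live install against a clean reference copy."""
    live, clean = hash_tree(live_root), hash_tree(clean_root)
    report = {"modified": [], "unexpected": [], "missing": [], "php_in_uploads": []}
    for rel in sorted(live):
        if rel in clean:
            if live[rel] != clean[rel]:
                report["modified"].append(rel)      # same path, different content
        elif rel.startswith("wp-content/uploads/") and rel.lower().endswith(".php"):
            report["php_in_uploads"].append(rel)    # uploads should hold media, not code
        elif rel != "wp-config.php" and not rel.startswith("wp-content/"):
            report["unexpected"].append(rel)        # not shipped in the clean copy
    report["missing"] = sorted(set(clean) - set(live))
    return report

def write_tree(root, files):
    """Create the given {relative path: content} files under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

def demo():
    """Run the comparison on two small constructed trees (not real WordPress files)."""
    clean = {"index.php": "<?php // core", "wp-includes/load.php": "<?php // load",
             "wp-login.php": "<?php // login"}
    live = {"index.php": "<?php // core", "wp-includes/load.php": "<?php // load + extra line",
            "wp-config.php": "<?php // site settings", "wp-includes/cache-x.php": "<?php // ?",
            "wp-content/uploads/2020/img.php": "<?php // ?",
            "wp-content/uploads/2020/photo.jpg": "jpeg bytes"}
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        write_tree(clean_dir, clean)
        write_tree(live_dir, live)
        return compare_to_clean(live_dir, clean_dir)
```

Files under `wp-content/` and `wp-config.php` are treated as site-specific, so they are only reported when the clean copy contains the same path or when a PHP file sits in the uploads folder.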

4. Prevent future hacks

Once your website is back, treat the hack as a wake-up call to secure your website.

There are some simple things you can do:

  • Host your website with a proven, security-conscious web host.
  • Use trusted themes and plugins. Stay away from pirated plugins like the plague. If you are hiring someone to build your website, demand proof of authenticity of licenses. That means, only work with individuals who know what they are doing.
  • Use updated software: core WordPress files, themes, and plugins.
  • Enforce strict security policies, such as strong passwords, locking out users, and/or banning individual IP addresses whose activities seem suspicious.
  • All machines/devices that manage your website must use genuine and updated software.

For most of the security measures above, you can use security plugins. There are a number of these in the WordPress plugin repository. This will place you one step ahead of the hackers.

If you are running a mission-critical website, proactive preventative measures need to take center stage of all your efforts to keep your site running.


No website is safe from hackers. No matter how many security measures you put in place, as long as there is motivation, any website or system can be broken into.

However, that does not mean you should be lax and sloppy about your website.

That’s why among many measures you can put in place, maintaining a backup schedule religiously should be on top of your list.

I may be a little biased here, but we have probably the best WordPress backup plugin. With WPvivid, you can remotely back up your websites to cloud storage platforms like Dropbox, Google Drive, Amazon S3, Microsoft OneDrive, DigitalOcean Spaces, FTP, and SFTP.

In the unfortunate event that the mask-faced, fast-finger-typing nerd of a hacker thousands of miles away beats your security, restoring from a backup may be the easiest thing you can do, after, of course, figuring out how they got in.

If you do not have a backup, and if you are not a nerd or at least knowledgeable about the technology running your website, you are better off hiring someone knowledgeable to fix the issue. It is better for you. It is better for your clients.

I hope you found this read helpful. You may also want to see our ultimate guide to secure a WordPress site.