Emergency guide: WordPress site hacked? Don’t panic, here is how to fix it!

In 10 years of web development, especially with WordPress, and general maintenance of dozens of sites, I have seen & fixed my fair share of horribly hacked websites.
If you are here I sense that something went horribly wrong with YOUR website!
But don’t panic, it’s nothing that can’t be fixed and if you don’t feel like doing it yourself, you can always contact a WordPress expert, you guessed it, me!

The Database

First things first.
I hope that you have a database backup system in place, if not, it might not be the end of the world, but please install one as soon as possible.
There are plenty free & automated backup plugins for WordPress, just pick the one that you like better.

Your newly backed-up database might be compromised, so let’s hold on to it just for the time being, but not as a future reference backup for your site’s data.

FTP

You need FTP access for this next step, so if you don’t have it, or don’t know what FTP is, I’m afraid your best option is, again to contact a WordPress professional.
Without direct access to the files, through FTP, we will not be able to verify how the hackers got through and manually fix the malicious code they injected in your files.
If your hosting provider doesn’t give you FTP access (change hosting ASAP), but you have a File Manager in your hosting panel, then you may use that too, but the process might be slower.

You can use FileZilla to connect to your server through FTP, it’s free!

One last thing about servers: do not underestimate the importance of a good server.
Some come for cheap but there is always a catch, except you might not now what it is until something unpleasant happens, or in case you want to customize your website, past the usual pre-made templates and common functionalities.
But most importantly, not all hosting providers have server-level security measures in place, or they might be too mild and not tweakable to your needs.
If you just got hacked, you really might want to consider a new hosting provider, because part of the responsibility is also the lack of appropriate security measures.

WordPress Plugins

In most cases, it’s not an actual person that hacked your site, but a bot: an automated script that targets hundreds of websites at once, in search for a security flaw to breach.
Security flaws are discovered on a daily basis, unfortunately, so what is considered safe today, might not be in 3 months, hence it will be exploited as soon as it’s discovered.
So as you may have guessed, it is of the utmost importance that you perform regular and frequent maintenance, updating your WordPress core, your plugins and your theme.
Provided that updates sometimes cause issues (of different nature, related to different plugins conflicting with each other, usually), it’s easier to temporarily de-activate a plugin than fixing an outdated site that’s been hacked.

Also, while free plugins are great and usually work perfectly fine, sometimes it’s worth investing in pro (paid) ones, simply because they might be more carefully maintained and kept up to date. Here is a few must-have plugins for WordPress that you might find useful.

Make sure to always fully delete, from your WP backend or FTP, any unused plugins. Even if deactivated, they can still be used as a way to enter your site.
Same thing with themes. You should always have at max 2 themes, never more, where one is the “child” theme and the other, its “parent”.
If the themes are unrelated, then go ahead and delete the unused one.

Analyze

Since I’m guessing you are not too familiar with the WordPress files and folders structure, download the latest copy of WordPress, extract it and have it on the side for reference.

Now go ahead and save a backup copy of ALL your files, everything you see in your site root (you should see a wp-content folder, a wp-admin one etc. that’s the root).

You might now want to look at these 2 files, while having an original copy next to it:
wp-config.php (in the new copy you downloaded, it’s called wp-config-sample.php)
.htaccess (WordPress doesn’t ship with one, because it gets generated when you save your Permalinks from your dashboard, but you can look at what it should look like here)

Notice any significant difference?
If yes, go ahead and replace the ones in your server, with fresh ones (make sure you edit the new one with all the DB info from your site’s wp-config).
Remember to remove the -sample bit, from the wp-config file.

Now, usually WP core files don’t get hacked, but let’s go ahead and delete completely the whole of wp-admin and wp-includes folders, from your FTP.
It doesn’t hurt to stay on the safe side, this way, if anything was compromised, it will be gone and you will simply upload them again, from the fresh copy.
Don’t delete the wp-content folder! That’s where the important stuff about your website is: plugins, themes and uploads.

Now for the more time consuming part: check the Last Modified date, from your FTP client, of folders and files, inside the wp-content folder, and then again, inside your plugins and themes folder.
If you have recently updated a plugin, then obviously its date will make sense to you, but if you are certain you didn’t update anything, make a note of anything that looks like it’s been updated very recently OR in case you don’t recognize its name: those are probably the culprits.
Don’t just stop at the folders dates, do look inside at files too.
Do the same for themes and make note of anything that seems strange.

FIGHT BACK

If you found date discrepancies within plugins, go ahead and delete them completely, from FTP.
Usually saved options from deleted plugins, stay in the db, but in some cases you might have to re-setup those plugins, once we get back to the site backend with a working website.
You may now upload a fresh copy of the plugin, directly from FTP.

Now to the theme(s): things might get a little trickier here, depending if you were using a single theme or a child-parent combo, and if you ever edited any of the files in them.
Your safest option, in case you noticed weird dates, strange file names or extra files, is to delete everything, however, if the theme(s) was manually edited, the edits will also go… so hopefully you have an original copy saved on your hard disk, of the edits you made, and you may now re-upload that version.
If you never edited the theme(s) files, then go ahead and delete it, get a fresh copy of the theme and re-upload it.

Back in business

You may now log into your WP dashboard again.
If you did everything correctly, and the hack was limited to files but didn’t compromise the database, then everything should be working fine as before.

In case you see error messages or are still experiencing problems, please do contact a WordPress developer, because your case requires further in-depth analysis, which is beyond the scope of a “beginners'” emergency guide.

Browse your frontend and make sure everything is in place, some things might need to be adjusted or re-setup.
One last check to make is inside your posts and other content, as well as the users list: everything that you don’t recognize, must be deleted at once.

Don’t forget to keep your WordPress up to date (or have someone do it for you!) and happy WordPressing!