Updated: 31/08/2023

Published: 09/08/2020

By Peter K

TOP TIPS

How to Fix a hacked WordPress website

A quality start guide to repairing & restoring a WordPress website

Duration: 2+ hours

Last Updated 2022-12-10

Find the current version of your hacked WordPress

There are different ways to get the current version of your hacked WordPress.

Here is a great article on how to find out the current version of WordPress.

Download the database

Get a copy of the database. 

Here is a good example of how to back up the MySQL database using cPanel.

 

Note: If the database has malware in it, you will need to clean the malware manually via phpMyAdmin.

Some Guides: Cleaning a WordPress MySQL database after a malware / hacking attack.

Make a copy of wp-config.php

The wp-config.php file is usually located in the root folder of your website, alongside folders like /wp-content/. Using File Manager, download a copy to your computer. You will need this file later.

Make a zip backup of the current WordPress directory

Some hosts will suspend your website until the malware is removed, which makes it harder to remove the malware.

A workaround is to make a zip archive of the infected directory, thus bypassing the malware scan.

It is also good to have a backup, because you can never have enough backups!

Here is a good example of how to use cPanel File Manager to compress files & directories.

 

Rename the current WordPress Directory

Rename the directory of the current hacked WordPress website so it is not active.

E.g., I would rename public_html to public_html_hacked.

Make a new folder to match the renamed folder.

As in the previous example, create a new folder public_html.

Install a Fresh Copy of WordPress.

The fresh copy should be the same version as the hacked website.

Some examples of how to install WordPress:

  1. Manual installation
  2. Install by using Softaculous

Upload wp-config.php

Replace the wp-config.php of the fresh copy with the wp-config.php from the hacked website.

You can upload it from your computer, or you can copy it from the hacked directory in File Manager.

Install fresh copy of your theme

You will now be able to log into your WordPress and install a fresh copy of your theme.

Copy images from uploads directory

The specific folder where the image files are stored in WordPress is called the uploads folder located inside the /wp-content/ folder. Inside the uploads folder, your media files are stored by year and month folders. Additionally, you’ll also see folders created by your WordPress plugins to save other uploads.

Copy the uploads folder from your hacked website to your new fresh installation to transfer the images across.

Note: It is important to look inside the uploads folder for files that should not be there, such as:

  • .php files
  • .js files

Do not copy those files or folders across as they may contain remains of the virus.
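
One way to apply the uploads check above from a shell (SSH or the host's terminal) instead of File Manager, as an added example that is not part of the original guide. It goes beyond the two extensions the guide lists by also treating .phtml and .phar as suspicious; the function names and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Directory names are assumptions.

# scan DIR MODE [find-action...]
#   MODE "bad": files that should not be in uploads. The guide names .php and
#   .js; .phtml and .phar are added because many hosts execute them as PHP.
#   MODE "ok": every other regular file. Matching is case-insensitive.
scan() {
    dir=$1; neg=
    if [ "$2" = ok ]; then neg='!'; fi
    shift 2
    find "$dir" -type f $neg \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.js' \) "$@"
}

# copy_clean_uploads SRC DST: copy SRC into DST, keeping the year/month
# layout, but leave every "bad" file behind and report it on stderr.
copy_clean_uploads() {
    src=$1
    mkdir -p "$2" && dst=$(cd "$2" && pwd) || return 1
    scan "$src" bad | sed 's/^/SKIPPED: /' >&2
    ( cd "$src" && scan . ok -exec sh -c '
        dst=$1; shift
        for f in "$@"; do
            mkdir -p "$dst/$(dirname "$f")" && cp -p "$f" "$dst/$f"
        done' sh "$dst" {} + )
}

# Constructed demo tree standing in for public_html_hacked/wp-content/uploads.
demo_tree() {
    t=$(mktemp -d) && mkdir -p "$t/old/2023/08" "$t/old/cache plugin"
    : > "$t/old/2023/08/photo.jpg"
    : > "$t/old/2023/08/Shell.PHP"
    : > "$t/old/cache plugin/data.json"
    : > "$t/old/cache plugin/inject.js"
    echo "$t"
}

work=$(demo_tree)
copy_clean_uploads "$work/old" "$work/new"
find "$work/new" -type f | sort
```

On a real site, SRC would be public_html_hacked/wp-content/uploads and DST public_html/wp-content/uploads. Review the SKIPPED list before deleting the old directory.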

Install Fresh Copies of your plugins

All WordPress plugins you download and install on your site are stored in /wp-content/plugins/ folder.

Look through your hacked website's directory to see which plugins were installed.

Install fresh copies of these plugins from reputable sources.

Note: It is important that you do not copy plugins from your hacked directory.

Install NinjaFirewall

To prevent your website from being hacked again, I would also install the NinjaFirewall plugin and activate Full WAF mode.

Check everything works

Your WordPress website is now virus free! 

Check that it all works. You may need to re-activate settings that were disabled by missing plugins.

You can compare the appearance of your website with the Wayback Machine to make sure you are not missing anything.