My WordPress site got hacked. How do I clean it up?
I logged into my WordPress site today and every page had been replaced with some gambling spam. My hosting provider suspended my site. I have no idea how this happened. I use a strong password. What do I do to get my site back and make sure it doesn't happen again?
1 Answer(s)
Take a deep breath—this is fixable. Here's your emergency recovery plan:
Step 1: Clean the infection
Install Wordfence (free plugin). Run a full scan. It will find and remove malicious files. Also check your wp-content/uploads folder for files you didn't upload.
Step 2: Change EVERYTHING
- Change your WordPress admin password (use 16+ characters)
- Change your hosting password
- Change your database password
- If you use the same password anywhere else, change it there too
Step 3: Update everything
Update WordPress core, all themes, and all plugins. Hacks usually exploit outdated software.
Step 4: Install security plugins
- Wordfence (firewall + malware scanner)
- Sucuri (additional security monitoring)
- Limit login attempts
Step 5: Enable 2FA on your admin account
Step 6: Set up backups
Get a backup plugin like UpdraftPlus and set up daily backups. You should never be in this position again.
Most hacks come from outdated plugins, not weak passwords.
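To go with Step 1 of the answer above, here is an added example (my own, not the answerer's, and not the logic of any plugin) of the manual wp-content/uploads check done in shell: it flags files with a PHP-style extension, image-named files whose bytes carry a PHP open tag, and the obvious loader obfuscation primitives; it lists files changed since a reference file such as your last known-good backup archive; and it writes an Apache .htaccess that stops anything in uploads from executing as PHP. The directory layout, the three sample files and the `last-good-backup.marker` reference are constructed for the demo, and the `.htaccess` rule assumes Apache 2.4 with overrides enabled (nginx hosts need the equivalent `location` block instead).

```shell
#!/bin/sh
# Added example, not part of the original Q&A: scan a WordPress wp-content/uploads
# tree for the usual signs of a dropped webshell, list what changed since a reference
# file, and block PHP execution in uploads. All sample data below is constructed.

# Print one finding per line, "<reason> <path>", for every file under the given dir.
scan_uploads() {
  find "$1" -type f | while IFS= read -r f; do
    case "$f" in
      # Uploads should hold media only; a PHP-style extension is a finding by itself.
      *.php|*.phtml|*.phar|*.phps|*.php[0-9]) echo "php-extension $f" ;;
      *)
        # An image whose bytes contain a PHP open tag is a polyglot or a renamed shell.
        if grep -qaE '<\?php|<\?=' "$f"; then
          echo "php-tag-in-non-php $f"
        fi ;;
    esac
    # Classic loader/obfuscation primitives, checked regardless of extension.
    if grep -qaE 'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(' "$f"; then
      echo "obfuscation $f"
    fi
  done
}

# List files modified after a reference file (for example the archive of your last
# known-good backup); this is where dropped or edited files usually show up.
changed_since() {
  find "$1" -type f -newer "$2"
}

# Apache 2.4 only (assumption): refuse to serve PHP from uploads, so a file the scanner
# missed still cannot run. Requires .htaccess overrides to be enabled on the host.
harden_uploads() {
  cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|phps|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# Build a throwaway uploads tree (constructed sample data, not a real site) so the
# functions above can be exercised offline. Prints the directory it created.
make_sample_uploads() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/uploads/2024/01" "$tmp/uploads/2024/02"
  # Reference timestamp standing in for the last known-good backup (1 Jan 2020).
  touch -t 202001010000 "$tmp/last-good-backup.marker"
  # A legitimate image: JPEG magic bytes and nothing suspicious.
  printf '\377\330\377\340JFIF' > "$tmp/uploads/2024/01/photo.jpg"
  # A dropped webshell with the usual eval(base64_decode(...)) loader.
  printf '<?php eval(base64_decode($_POST["x"])); ?>\n' > "$tmp/uploads/2024/01/shell.php"
  # A PNG-named polyglot: image header followed by appended PHP.
  printf '\211PNG\r\n\032\n<?php system($_GET["c"]); ?>\n' > "$tmp/uploads/2024/02/logo.png"
  echo "$tmp"
}

# Stand-alone run: `sh uploads-check.sh demo` shows findings, then locks the dir down.
if [ "${1:-}" = "demo" ]; then
  d=$(make_sample_uploads)
  echo "== findings"
  scan_uploads "$d/uploads"
  echo "== changed since last good backup"
  changed_since "$d/uploads" "$d/last-good-backup.marker"
  harden_uploads "$d/uploads"
  echo "== wrote $d/uploads/.htaccess"
  rm -rf "$d"
fi
```

On a real host, point `scan_uploads` and `changed_since` at wp-content/uploads and at the backup archive you trust. A clean uploads scan is not a clean site: code injected into theme or plugin PHP, a rogue administrator account, and malicious scheduled tasks are outside what this script looks at, so still run the full scan the answer recommends and review the user list and cron entries by hand.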