
WordPress Hacked? Do These 7 Things in the Next 60 Minutes

Your WordPress site has been hacked. Every minute counts. This is the exact recovery sequence — from external scan to re-hardening — that works in 2026.

Rajan Gupta
May 26, 2026

The First Thing You Should Know

You are not alone. Around 13,000 WordPress sites are compromised every single day. Most site owners only discover the hack days or weeks after it happened — usually because Google flagged the site, a visitor complained about a redirect, or the hosting company sent an abuse notice. The worst thing you can do right now is panic and start clicking randomly in your dashboard. The second worst thing? Restore a backup immediately without understanding what happened. Here's the exact sequence that works.

---

Step 1 — Run an External Scan First (Before You Touch Anything)

Before doing anything else, you need to understand what an attacker or Google actually sees when they visit your site. This is not the same as what you see logged into WordPress. Run a free external scan at wp-scan.org/malware-check and enter your site URL. It will check:
  • Malware signatures and PHP backdoors
  • Spam injection (SEO pharma/casino links)
  • Dangerous files (webshells like c99.php, r57.php, alfa.php)
  • Exposed .env and wp-config.php files
  • Suspicious redirects to external domains
  • Security header gaps
  • WordPress version and plugin CVE exposure
This gives you the full picture before you start cleaning. Save the report — you'll need it.

---

Step 2 — Prevent New Damage While You Work

```php
// Option A: Enable WordPress maintenance mode
// Add to wp-config.php temporarily:
define('WP_MAINTENANCE', true);

// Option B: Password-protect wp-admin via .htaccess
// Ask your host — many have a one-click option in cPanel
```

Don't take your site offline entirely — you need it accessible to run scans. But reducing traffic during the cleanup prevents the attacker from running their code while you're fixing things.

Also: immediately change all passwords:
  • WordPress admin account(s)
  • Database password (update wp-config.php after)
  • Hosting cPanel / FTP passwords
  • Email account your WordPress notification goes to
---

Step 3 — Find and Remove the Infection

Using the scan report from Step 1 as your guide, look for:
  • Backdoor files — files with names like wp-xmlrpc-helper.php, class-wp-updates.php, or single-character named files (a.php, i.php) in unexpected locations like /wp-content/uploads/.
  • Injected code in legitimate files — eval(base64_decode(...)) or gzinflate(str_rot13(...)) inside wp-config.php, functions.php, or index.php. These look like one very long line of garbled text.
  • Hidden admin users — check your Users list in WordPress admin. Delete any accounts you don't recognise.
  • Modified core files — compare against official WordPress files. A clean copy of any WP version is at wordpress.org/download/releases/
📖 WordPress's official Hardening WordPress guide has a section on cleaning hacked sites and resetting file permissions.
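To make the file-level part of Step 3 systematic, here is an added example (my own code, not part of the original article or of wp-scan.org) that walks a site tree and flags the indicator classes listed above: known webshell filenames, PHP files under uploads, eval/base64 and gzinflate/str_rot13 injections, and core files whose SHA-256 differs from a clean release copy. The sample tree it builds and the manifest covering only index.php are constructed for the demo; on a real site you would compute the manifest from a fresh download of the same WordPress version.

```python
import hashlib
import os
import re
import tempfile

# Indicators from Steps 1 and 3 of the article; the regex itself is mine.
INJECTION_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(|gzinflate\s*\(\s*str_rot13\s*\(")
WEBSHELL_NAMES = {"c99.php", "r57.php", "alfa.php"}

def triage(site_root, core_manifest):
    """Return sorted [(relative_path, reason)]; core_manifest maps core path -> SHA-256 of clean file."""
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            if name in WEBSHELL_NAMES:
                findings.append((rel, "known webshell filename"))
            if rel.startswith("wp-content/uploads/") and name.endswith(".php"):
                # PHP should never live under uploads; one-letter names like a.php are a classic drop
                findings.append((rel, "php file in uploads"))
            if name.endswith(".php") and INJECTION_RE.search(data.decode("utf-8", "ignore")):
                findings.append((rel, "obfuscated eval/gzinflate injection"))
            if rel in core_manifest and hashlib.sha256(data).hexdigest() != core_manifest[rel]:
                findings.append((rel, "core file differs from clean release copy"))
    return sorted(findings)

def write_sample_site(root):
    """Constructed demo tree (not a real site); returns the clean-copy manifest for index.php."""
    clean_index = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    files = {
        "index.php": clean_index + b"<?php eval(base64_decode('...')); ?>\n",  # appended injection
        "wp-content/themes/demo/functions.php": b"<?php\neval(gzinflate(str_rot13('...')));\n",
        "wp-content/uploads/2026/05/a.php": b"<?php\n// constructed placeholder for a dropped file\n",
        "wp-content/plugins/demo/demo.php": b"<?php\n// clean plugin stub\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return {"index.php": hashlib.sha256(clean_index).hexdigest()}

def demo():
    """Build the sample tree in a temp dir and triage it."""
    root = tempfile.mkdtemp()
    return triage(root, write_sample_site(root))
```

Treat each finding as a lead to inspect by hand, not as proof; the hash check only works when the manifest was built from the exact same WordPress version.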
---

Step 4 — Regenerate Security Keys and Salts

Even after cleaning, the attacker may have an active session cookie. Regenerating salts invalidates all active sessions — including any that belong to the attacker.
```php
// 1. Go to: https://api.wordpress.org/secret-key/1.1/salt/
// 2. Copy all 8 lines
// 3. Replace the existing define('AUTH_KEY'...) lines in wp-config.php
// Your wp-config.php should have something like:
define('AUTH_KEY',         'your new random string here');
define('SECURE_AUTH_KEY',  'your new random string here');
define('LOGGED_IN_KEY',    'your new random string here');
// ... etc
```

This forces every logged-in user (including any attacker sessions) to log in again.

---
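As an added example (my own code, not the article's), this rewrites all eight keys in wp-config.php without the copy-paste step. It generates the values locally with Python's secrets module instead of fetching them from api.wordpress.org, and it also handles a config that is missing some of the eight keys by inserting them above the "stop editing" marker that wp-config-sample.php ships with.

```python
import re
import secrets

# The eight keys WordPress reads from wp-config.php (the "8 lines" in Step 4).
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Marker from wp-config-sample.php; new defines go above it so they load before wp-settings.php.
STOP_MARKER = "/* That's all, stop editing!"

def new_salt():
    # 48 random bytes -> 64 URL-safe characters with no quotes, so safe inside a single-quoted PHP string.
    return secrets.token_urlsafe(48)

def rotate_salts(config_text):
    """Return (rewritten wp-config.php text, {key: value}) with every salt define() replaced.
    Keys the file never had are added, so a config missing some of the 8 still ends up complete."""
    values = {key: new_salt() for key in SALT_KEYS}
    missing = []
    for key in SALT_KEYS:
        # Matches define('KEY', '...'); or define("KEY", "..."); with any spacing
        pattern = re.compile(r"define\(\s*['\"]%s['\"]\s*,\s*(['\"]).*?\1\s*\)\s*;" % key)
        line = "define('%s', '%s');" % (key, values[key])
        config_text, n = pattern.subn(line, config_text, count=1)
        if n == 0:
            missing.append(line)
    if missing:
        block = "\n".join(missing) + "\n"
        idx = config_text.find(STOP_MARKER)
        if idx == -1:
            config_text = config_text.rstrip("\n") + "\n" + block
        else:
            config_text = config_text[:idx] + block + config_text[idx:]
    return config_text, values

def salts_in(config_text):
    """Map key -> currently defined value (single-quoted form), used to verify the rewrite."""
    found = {}
    for key in SALT_KEYS:
        m = re.search(r"define\(\s*'%s'\s*,\s*'([^']*)'\s*\)" % key, config_text)
        if m:
            found[key] = m.group(1)
    return found
```

Write the result back only after confirming salts_in() reports all eight keys; a config with a missing key falls back to a weak default and sessions will not be invalidated as intended.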

Step 5 — Update Everything

  • WordPress Core → Update to latest version immediately
  • All Plugins → Update every single one
  • All Themes → Update active theme and delete unused themes
  • PHP Version → Check with your host — PHP 8.1+ recommended

The exploitation window after a patch is published is 5 hours on average. If you're running an outdated plugin, you're in that window right now. Delete plugins you don't use — even deactivated plugins exist as files and can be exploited.

---

Step 6 — Scan Again to Confirm It's Clean

After cleaning, run the external scan again: wp-scan.org/malware-check. Compare your grade before and after. If you've gone from F → A or B, you've successfully cleaned the infection. If you still see issues — particularly webshell paths or suspicious files — there may be additional infection points the first cleanup missed. The full scan report includes the exact file paths and what was found.

---

Step 7 — Harden to Prevent Re-Infection

The most common reason hacked sites get hacked again: the vulnerability that allowed the initial breach was never fixed. Quick hardening checklist:
```apache
# In the site root .htaccess: block access to xmlrpc.php (brute force amplification)
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

# In wp-content/uploads/.htaccess: block PHP execution in the uploads folder
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
# On Apache 2.4 without mod_access_compat, use "Require all denied" in place of the Order/Deny pair.
```

```php
// Disable file editing in WordPress admin
define('DISALLOW_FILE_EDIT', true);
// Disable plugin/theme installation (optional, high-security environments)
define('DISALLOW_FILE_MODS', true);
```

Also:
  • Enable 2FA on all WordPress admin accounts
  • Limit login attempts (plugin or server-level)
  • Remove readme.html from your server root
  • Set correct file permissions: 644 for files, 755 for directories, 440 for wp-config.php
---

The Re-Infection Trap

40% of WordPress sites that are cleaned get re-hacked within 30 days. Almost always because:
  1. The entry point was never identified (usually an outdated plugin)
  2. A backup containing a backdoor was restored
  3. The cleanup was incomplete — a second backdoor was missed
The external scan at wp-scan.org gives you a clear before/after picture. Run it before cleanup, during, and after. It's free. It takes 60 seconds.

---

If You Can't Do This Yourself

If the infection is severe and you're not comfortable digging through PHP files, a professional cleanup typically costs $200–$500. That's still significantly less than the average $14,500 total cost of a hack that includes downtime, SEO damage, and customer trust loss. The scan report from wp-scan.org gives any developer the exact roadmap of what to fix — so even if you hire someone, you're going in informed.

---

Summary: 60-Minute Recovery Checklist

| Step | Action | Time |
|------|--------|------|
| 1 | Run external scan → wp-scan.org/malware-check | 2 min |
| 2 | Change all passwords + enable maintenance mode | 5 min |
| 3 | Remove backdoors, injected code, hidden users | 20 min |
| 4 | Regenerate WordPress secret keys and salts | 5 min |
| 5 | Update core, all plugins, all themes | 10 min |
| 6 | Scan again to confirm clean | 2 min |
| 7 | Harden: xmlrpc, file edit, permissions | 15 min |

Total: ~60 minutes. Cost: $0 with the free scan.

→ Start with a free scan at wp-scan.org/malware-check
WordPress Security & Full-Stack Developer · 9+ years experience

Builder of wp-scan.org — a free external WordPress malware scanner trusted by thousands of site owners. With 9+ years building and securing WordPress products, Rajan writes practical security guides based on real attack patterns he's encountered. You can find more of his work at rajangupta.com.
