How to Clean a Hacked WordPress Website in 7 Easy Steps
This FAQ shows you how to quickly clean your WordPress website after it has been hacked. Follow our 7 easy steps to clean your infected WordPress website:
- Reinstall WordPress via the UPDATES page in admin.
- Update all the plugins and themes via the UPDATES page in admin*.
- Change your website database password and update the config.php file with the new password.
- Change all WordPress administrator level passwords.
- Replaced the .htaccess files with a clean .htaccess file (copy from installation files for WordPress).
- Repeat for all websites on the same hosting account. This is very important.
- Install the Sucuri Security plugin for WordPress and which is very good. It tells you what’s wrong with your website after running a scan via the plugin ‘Malware Scan’ page.
Use this site check to see if your website has been infected: sitecheck.sucuri.net and then check it again after you’ve followed the steps above.
*Please note that some plugins will not show that they need an update via the Updates section in your WordPress administrator section. For example the popular ‘WPBakery Visual Composer’ plugin has multiple XSS security vulnerabilities prior to version 4.7.4. and because it’s a commercial plugin it doesn’t show in the Updates section. You’ll need to either manually check for updates and/or get on your plugin’s mailing lists so that you will be alerted of important updates.
Keeping your WordPress software, plugins and themes up to date is essential if you want to keep your website free from viruses, malware and other nasties! We hope that this FAQ has helped you to quickly clean your hacked WordPress website. Please post any questions below.