GUIDE
My WordPress was hacked — how to clean it safely
A hacked WordPress site is stressful, but panicking and deleting files by hand usually makes things worse. Here's a safe, order-of-operations way to handle it.
1. Confirm it's actually compromised
Signs of a hack include: unexpected admin accounts, spam pages appearing on your site, your host or Google Search Console flagging malware, visitors getting redirected elsewhere, or your site suddenly sending spam email. Start with a free scan to check for outdated, vulnerable software and exposed files — the entry points attackers use most often.
2. Don't delete files by hand first
It's tempting to start deleting anything that looks suspicious. The problem: without a backup taken first, you can't undo a mistake, and malware often hides copies of itself in more than one place — including outside the WordPress folder entirely, in other directories on the same hosting account, where a manual cleanup won't think to look. Miss one copy and the site gets reinfected within days.
3. Back up before touching anything
Whatever cleanup method you use, take a full backup first — of files and database — before making any change. That backup is your undo button if a fix breaks something or misses part of the infection.
4. How WP Clinic's AI repair works
Once the free plugin is installed and connected, a deep scan checks your entire hosting account (not just the WordPress install) for malware signatures, webshells, PHP files planted in your uploads folder, injected content and suspicious admin accounts. If it finds something, the repair flow is:
- Off-site backup taken first, before any file is touched.
- The AI analyzes the malicious code and produces a targeted patch — it doesn't run on your server or get shell access; the patch is generated and applied through audited code.
- The patch is applied, then a health check confirms the site still loads and works.
- If the health check fails, the site is automatically rolled back to the pre-repair backup — no manual intervention needed.
Large infections are cleaned in batches against a repair budget, so a heavily compromised site can be repaired in more than one pass rather than timing out.
5. Change your passwords
After a confirmed compromise, rotate your WordPress admin password, hosting/FTP password and any API keys or application passwords that could have been exposed. If the malware had file-level access, assume anything readable on disk (including wp-config.php) may have been read.
6. Prevent the next one
Most WordPress infections come in through an outdated plugin or theme with a known vulnerability, a weak admin password, or a nulled (pirated) plugin with a backdoor built in. Keep everything updated, use unique strong passwords, avoid nulled plugins entirely, and turn on ongoing monitoring so new vulnerabilities are caught before they're exploited — see the security checklist for the full list.
Scan your WordPress site free
No signup, no credit card — enter your URL and get a security report in seconds.