A hacked WordPress site is rarely fixed by deleting one suspicious file. Modern attacks often leave several layers behind: visible malware, hidden backdoors, malicious redirects, fake admin users, poisoned database records, and reinfection triggers that wait for the next page load.
If your site redirects visitors, shows browser warnings, sends spam, or keeps getting reinfected after a “cleanup,” you need a full WordPress hack cleanup process. The goal is not only to remove what you can see, but to close every path the attacker used to come back.
I’m Ryohei Yokoyama, founder of SiteFixNow. I’ve worked as an IT engineer for over 20 years and have handled many WordPress malware removal, hacked site repair, redirect hack cleanup, and security recovery cases. In this guide, I’ll explain the practical cleanup order I use to reduce data loss and reinfection risk.
- How to start a WordPress hack cleanup without destroying evidence or backups.
- Where malware, backdoors, and redirect scripts usually hide.
- Which files, folders, database tables, and users to check first.
- How to reduce the chance of the same hack coming back after cleanup.
WordPress Hack Cleanup Starts With Containment
The first step is containment. Before deleting files, installing plugins, or restoring random backups, stop the damage from spreading and preserve enough evidence to understand what happened.
This matters because many site owners accidentally make the situation worse. They delete a plugin folder, clear cache, and then lose the only clue that showed where the attacker entered. Others restore an old backup, but the backup already contains the backdoor.
- Make a full backup of files and database, even if the site is infected.
- Download server access logs and error logs if your host provides them.
- Disable public access temporarily if visitors are being redirected or warned.
- Record the first date you noticed the problem and any recent updates or uploads.
- Do not overwrite the live site with an unknown backup yet.
A practical cleanup starts with a separate copy of the site whenever possible. Work on a staging copy or local copy first, then apply the verified fix to production. If you must work directly on the live site, keep a dated backup before every major change.
For a broader recovery overview, you can also compare this process with the SiteFixNow guide on cleaning an infected WordPress site safely.
WordPress Hack Cleanup Must Check Files, Users, and the Database
A serious WordPress hack cleanup should cover three areas: files, administrator access, and the database. If you only scan files, you may miss malicious JavaScript stored inside posts or options. If you only reset passwords, you may leave executable PHP in uploads.
Start with the most commonly abused locations. In WordPress, attackers often hide code in places that look normal at a glance: plugin folders, theme files, mu-plugins, uploads, cache folders, and configuration files.
wp-content/uploads/– should not normally contain executable PHP.wp-content/plugins/– check unknown plugin folders and modified plugin files.wp-content/themes/– checkfunctions.php, header/footer files, and old unused themes.wp-content/mu-plugins/– loads automatically and is easy to overlook..htaccessandwp-config.php– common places for redirect rules and hidden includes.- Database tables such as
wp_options,wp_posts, andwp_users.
If you have SSH access, compare file modification dates against the estimated infection date. A cluster of changed files in unrelated folders is often more useful than one obvious suspicious file.
find public_html -type f -mtime -14 -print
find public_html/wp-content/uploads -type f -name "*.php" -print
find public_html/wp-content -type f \( -name "*.php" -o -name "*.js" \) -mtime -14 -printThese commands do not clean the site by themselves. They help you identify where to inspect. If the output is large, sort the files by date and prioritize files that should not have changed recently.
WordPress Backdoor Cleanup Requires More Than Deleting Malware
A backdoor is a hidden way for the attacker to regain access after the visible malware is removed. This is why a site can look clean for one day and then become infected again.
Backdoors often use small PHP snippets that look meaningless to non-developers. They may call functions such as eval, base64_decode, gzinflate, str_rot13, assert, preg_replace with executable patterns, or remote include functions.
grep -R "base64_decode" public_html/wp-content --include="*.php"
grep -R "gzinflate" public_html/wp-content --include="*.php"
grep -R "eval(" public_html/wp-content --include="*.php"
grep -R "shell_exec" public_html/wp-content --include="*.php"Be careful with these results. Some legitimate plugins may use encoding or system functions. The point is not to delete every match automatically. The point is to inspect the file path, modification date, surrounding code, and whether the file belongs to a real plugin or theme.
One common backdoor pattern is a fake file placed inside uploads or cache folders. Another is a tiny include added to a legitimate file so that the real malicious code loads from somewhere else.
// Suspicious examples to investigate
@include_once('/tmp/.cache/file.php');
require_once ABSPATH . 'wp-content/uploads/2026/07/system.php';
if (isset($_REQUEST['key'])) { eval($_REQUEST['key']); }If you find code like this, do not only remove the line. Check the referenced file, the user accounts, the login history, and the plugin or theme vulnerability that allowed the change. A backdoor is usually a symptom of a deeper access problem.
For a focused guide on hidden backdoors, see how to scan WordPress for malware and hidden backdoors.
WordPress Redirect Hack Cleanup Needs .htaccess and Database Checks
Redirect hacks are especially frustrating because the site may look normal to you while visitors from Google, mobile devices, or specific countries are sent to spam pages. That behavior often means the redirect is conditional.
Check the obvious redirect locations first: .htaccess, theme header files, plugin JavaScript files, injected scripts in posts, and the siteurl or home values in the database.
# Normal WordPress rules usually look like this
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPressIf you see unfamiliar domains, long encoded strings, mobile user-agent conditions, or rules that redirect only search-engine visitors, investigate them carefully. A malicious .htaccess file may be placed not only in the document root, but also in subdirectories.
wp option get siteurl
wp option get home
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' LIMIT 20;"
wp db query "SELECT option_name FROM wp_options WHERE option_value LIKE '%base64%' LIMIT 20;"These WP-CLI examples assume the table prefix is wp_. If your site uses a custom prefix, replace wp_posts and wp_options with the correct table names.
If your main problem is visitor redirection, also review the SiteFixNow article on WordPress redirect virus cleanup.
WordPress Malware Removal Should Use Clean Sources for Core, Plugins, and Themes
The safest way to clean WordPress core is to replace it with a fresh copy from wordpress.org, while preserving wp-content and wp-config.php. For plugins and themes, reinstall clean copies from trusted sources instead of trying to edit every suspicious line manually.
This approach reduces the risk of missing small changes inside large files. It also helps you separate “known clean” code from site-specific uploads, custom themes, and database content that still need inspection.
- Back up the current infected site and database.
- Replace WordPress core files from a clean official package.
- Reinstall plugins from the official repository or vendor account.
- Reinstall the active theme from a clean source, then reapply verified custom changes.
- Inspect uploads, mu-plugins, custom code, and the database manually.
Do not reinstall nulled themes, abandoned plugins, or ZIP files from unknown sources. If the original infection came from a vulnerable or pirated extension, restoring the same extension puts the site back in danger.
When replacing plugins, first rename the current plugin folder instead of deleting it immediately. This gives you a rollback path and preserves evidence for later review.
cd public_html/wp-content
mv plugins plugins-infected-backup
mkdir plugins
# Then reinstall only necessary plugins from trusted sources.After reinstalling clean plugins, test the site carefully. If the site breaks, re-enable only the essential plugin you need for diagnosis. Avoid activating everything at once because that makes it harder to identify the risky component.
WordPress Hack Cleanup Is Not Complete Until Access Is Secured
A cleanup is incomplete if the attacker can still log in, upload files, or run code. After removing malware and backdoors, secure every access path that could bring the infection back.
Start with administrator users. Remove unknown accounts, reset all admin passwords, check email addresses, and confirm that no attacker-controlled email is used for password resets.
- Reset WordPress administrator passwords.
- Reset hosting control panel, FTP/SFTP, database, and email passwords.
- Remove unknown WordPress admin users and unused FTP accounts.
- Update WordPress core, plugins, and themes after cleanup.
- Disable PHP execution in uploads where your hosting environment allows it.
- Set up reliable off-site backups before reopening the site fully.
If the hosting environment supports Apache .htaccess, you can restrict PHP execution inside uploads. Test this carefully because server behavior differs by host.
<FilesMatch "\.php$">
Require all denied
</FilesMatch>Security hardening should happen after the site is clean, not instead of cleanup. A security plugin can help reduce future risk, but it does not automatically prove that every backdoor has already been removed.
For post-cleanup hardening, read how to secure WordPress after malware removal.
WordPress Hack Cleanup Verification Before Reopening the Site
Before you consider the cleanup finished, verify the site from several angles. Check the home page, important landing pages, search-result entry points, mobile access, and direct URLs that were previously redirecting.
Also clear every cache layer after cleanup: WordPress cache plugins, server cache, CDN cache, and browser cache. A site may appear infected simply because an old cached page is still being served.
- No unexpected redirects from desktop, mobile, and search-result entry points.
- No new suspicious files appear after several page loads.
- WordPress admin users are known and necessary.
- Core, plugins, and themes are updated from trusted sources.
- Google Search Console and browser warnings are reviewed after cleanup.
- Fresh backups are running and stored outside the infected hosting account.
If malware warnings were shown in Google or browsers, cleanup alone may not remove the warning immediately. You may need to request a review through the relevant platform after confirming that the site is clean.
- WordPress Malware Removal: 9 Warning Signs Your Site Is Infected
- WordPress Malware Cleanup Checklist for Site Owners
- WordPress File Infection Cleanup: What to Check in wp-content and wp-config.php
- How to Fix a Hacked WordPress Site and Stop Reinfection
- WordPress Redirect Hack Fix: Why Your Site Sends Visitors to Strange Pages
- Website Malware Removal Service: When DIY Cleanup Is Not Enough
WordPress Hack Cleanup FAQ
WordPress Hack Cleanup Summary
WordPress hack cleanup is not just malware deletion. A reliable cleanup contains the site, backs up evidence, checks files and database records, removes backdoors, cleans redirects, replaces compromised code from trusted sources, secures access, and verifies the result before reopening the site fully.
If the site keeps getting reinfected, assume that something is still open: a backdoor, weak credential, vulnerable extension, malicious database entry, or server-level problem. In that situation, slow down and investigate the full chain instead of repeating the same partial cleanup.
If You Can’t Secure or Recover Your WordPress Site Yourself

If your website shows malware warnings, redirects to strange pages, or you are not sure whether it is secure,
SiteFixNow can help clean, repair, and recover your WordPress site.
- Your WordPress site may be infected with malware.
- Security warnings appear in Google or browser results.
- You found unknown admin users or suspicious files.
- The site redirects to spam or unknown websites.
- You need urgent WordPress hacked site repair.
- Reduce visitor risk and SEO damage.
- Find hidden malware and backdoors, not only visible symptoms.
- Recover the site safely without unnecessary data loss.
