Cleaning up a hack

Last Revised: October 2, 2021

You may have been infected, hacked, attacked… any of these is possible if your site has a security hole, whether from missing updates or from a poorly developed template or plugin that is installed, activated or not.

Before you start, I recommend going through the Security Support Forums, where you will find problems and solutions from other members of the community, as well as an interesting document on cleaning up a WordPress site.

First of all

Make a backup.

Getting Started

When you suffer an attack or a hack, or just suspect that something weird may be going on, one of the first steps is to block access for everyone. You can “close the web” (put it in maintenance mode) if you consider that it can be harmful to your visitors, or simply close the internal part, preventing other users from logging in.

Once you have closed the access, the next thing is to change the main passwords of the site. Change the passwords of all WordPress administrators and of the hosting/FTP, and even the database. If there has been a data leak, someone will no doubt try to use those credentials, and the main thing is that when they try, they cannot get in.

Once we have done this, the next thing is to reinstall WordPress. We could consider using the reinstall button that the platform itself includes, but in this case it is much better to do the upload directly by FTP: download WordPress and upload it little by little.

Update everything

The second step is key. You have already updated the WordPress core, but have you updated the rest of the elements? The first thing is to enter the administration panel and update everything that is there. Delete all plugins that you do not use (and are disabled). Even if you have updated everything, you should go plugin by plugin and template by template, looking up the website of each one (in the official repository or not) and verifying that the version you have installed is the one indicated as the latest. In the official repository it is simple, but if you have plugins from sites like Codecanyon or Themeforest you should look for their latest version and download it. If you bought them a long time ago and don’t have the latest version, get it.

Run an antivirus scan

Here we can work with several options. One of them, quite complicated, is to run the antivirus on the server or through a plugin or system. The other option is usually simpler: use the antivirus on your computer. The first thing is to verify that you have an antivirus and check that it is updated to its latest version.

Once you have verified this, connect by FTP and download your entire website. As the site is downloaded, the antivirus will scan it, so if there is any known virus or malware, it will detect it and you will be able to eliminate it from the server as well.

NOTE: Viruses that run on websites, in general, are not viruses that affect your computer, so if you are careful nothing unwanted should happen.

After downloading the website, you should also download a copy of the database. As a general rule, your hosting will have a phpMyAdmin panel with which you can make an Export of the entire site.

One more time

Make a backup. Do not overwrite the previous one; save it next to it.

WordPress Review

The next step is to take a “walk” through WordPress in search of settings or strange things that should not be there. Review the posts and categories to check that there is no article that should not be there; do the same with the pages. In the media library, check the gallery at a glance for images, ZIP files or similar that you do not recognize.

In templates and plugins, once again, remove those you don’t use, and confirm that the ones you use are up to date.

Check all users of the site. In case of doubt, force users to log in with a two-step verification system. You can even force a password change and change the Security Keys in wp-config. Take the opportunity to check that the wp-config file contains nothing that you think should not be there.

Confirm that the general texts and settings are correct. Regenerate the permalinks.
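
One way to change the Security Keys mentioned above, as an added example (not code from the original document or from WordPress): it rewrites the key and salt lines of a wp-config.php text with fresh random values and reports any that are missing. SAMPLE_CONFIG and the function names are constructed for illustration.

```python
import re
import secrets
import string

# The eight Security Keys and salts that WordPress reads from wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable characters that need no escaping in a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")
# A whole define( 'NAME', ... ); line, whatever quoting or spacing it uses.
DEFINE_LINE = re.compile(r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,[^\r\n]*""", re.M)

# Constructed sample, not a real configuration; NONCE_SALT is missing on purpose.
SAMPLE_CONFIG = """<?php
define( 'DB_PASSWORD', 'constructed-db-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define('SECURE_AUTH_KEY', "old-constructed-value");
define( 'LOGGED_IN_KEY',    'old-constructed-value' );
define( 'NONCE_KEY',        'old-constructed-value' );
define( 'AUTH_SALT',        'old-constructed-value' );
define( 'SECURE_AUTH_SALT', 'old-constructed-value' );
define( 'LOGGED_IN_SALT',   'old-constructed-value' );
"""


def new_secret(length=64):
    """Random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Replace every Security Key line; return (new text, rotated, missing)."""
    rotated = []

    def replace(match):
        name = match.group(1)
        if name not in KEY_NAMES:
            return match.group(0)  # database settings and other defines stay
        rotated.append(name)
        return "define( '%s', '%s' );" % (name, new_secret())

    new_text = DEFINE_LINE.sub(replace, config_text)
    return new_text, rotated, [n for n in KEY_NAMES if n not in rotated]


if __name__ == "__main__":
    text, done, missing = rotate_keys(SAMPLE_CONFIG)
    print(text, "rotated:", done, "missing:", missing)
```

Changing these values invalidates the existing login cookies, so every user has to log in again.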

Server Review

It is possible that, having checked your WordPress, you have not found anything strange; that is because one of the frequent points of attack is the server itself, so you should take a look. If you do not have system administration knowledge, you can look for someone who does, or ask your hosting provider to review some elements.

To begin with, check the versions of the operating system, PHP, web server… in the same way that you have to update WordPress, you also have to update the operating system (as with your computer). If you do not already have one, activate a TLS certificate to browse over HTTPS, so that the connection between your visitors and the server is secure.

Now that we have the server up to date, let’s review the relationship between the server and WordPress. The first thing is to review the access permissions of the files. No matter how often you are told that you have to use 777, or that the last of the three digits should not be zero, do not pay attention. If you want to protect the system correctly, the owner (you) must have complete control over them (7xx in folders, 6xx in files), the web server must have partial permissions (x5x in folders, x4x in files) and the rest of the users of the system must not have access (xx0 in folders, xx0 in files). If your hosting provider doesn’t allow this, think it over, because maybe you’re not in the right place.

In the same way that we do not give permissions to those who do not need them, remember that the folder where we upload media files is for exactly that: files. Normally we upload images, some PDFs, documents, a ZIP… but what we are not going to upload there is executable code (EXE, PHP…). That is why we will block any type of code from being executed in those folders. If you have other folders where files are uploaded (for example through a plugin), apply the same security measures.

Finally, the mail. Many hacks take advantage of the fact that the web server also sends mail. Do you really have to send mail from the same place where you host your website? Maybe you should consider outsourcing the website’s mailing service.
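
The permission rule above as a check, added here as an example (not part of the original document): it walks a site folder and lists every folder that grants more than 750 and every file that grants more than 640. It assumes the web server account reaches the files through the group (middle) digit; the function names are hypothetical.

```python
import os
import stat
import sys

# Ceilings from the text: owner full control, web server (group) read-only,
# other system users nothing. Assumes the web server reads via the group bits.
DIR_MODE = 0o750
FILE_MODE = 0o640


def audit_permissions(root):
    """List (relative path, current mode, target mode) for every entry
    whose mode grants anything beyond the ceiling for its type."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = dirnames + filenames
        if dirpath == root:
            entries.append(".")  # check the top folder itself as well
        for name in entries:
            path = os.path.normpath(os.path.join(dirpath, name))
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode is not meaningful
            target = DIR_MODE if stat.S_ISDIR(info.st_mode) else FILE_MODE
            mode = stat.S_IMODE(info.st_mode)
            if mode & ~target:  # extra bits: world access, group write, setuid
                findings.append((os.path.relpath(path, root), mode, target))
    return sorted(findings)


def fix_permissions(root):
    """Reset every finding to its target mode; return how many were changed."""
    findings = audit_permissions(root)
    for rel, _mode, target in findings:
        os.chmod(os.path.join(root, rel), target)
    return len(findings)


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode, target in audit_permissions(site):
        print("%-50s %04o -> %04o" % (rel, mode, target))
```

Run the audit first and read the list before calling fix_permissions, since it changes modes on the server in place.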
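
To find code that is already sitting in an upload folder, an added example (not part of the original document): it lists files whose name carries a code extension or whose content contains a PHP opening tag. The extension list and the function name are assumptions; a match inside ZIP or PDF content is a candidate to review, not proof.

```python
import os
import sys

# Extensions a web server or operating system may run as code. Assumed list;
# extend it to match what this server is configured to execute.
CODE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7",
                   ".exe", ".cgi", ".pl", ".py", ".sh"}
PHP_OPEN_TAG = b"<?php"


def scan_uploads(folder):
    """Return sorted (relative path, reason) for files that look like code."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(folder):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # only regular files are inspected
            rel = os.path.relpath(path, folder)
            parts = name.lower().split(".")
            extensions = ["." + part for part in parts[1:]]
            if extensions and extensions[-1] in CODE_EXTENSIONS:
                findings.append((rel, "code extension"))
            elif CODE_EXTENSIONS.intersection(extensions):
                # A name like photo.php.jpg can still be handled as PHP
                # on some server setups, so it is reported too.
                findings.append((rel, "code extension inside the name"))
            else:
                with open(path, "rb") as handle:
                    content = handle.read().lower()
                if PHP_OPEN_TAG in content:
                    findings.append((rel, "PHP tag in content"))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for rel, reason in scan_uploads(target):
        print("%-60s %s" % (rel, reason))
```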

Are we done yet?

The answer is: it depends. From the technical point of view, in most cases with these steps you should already have your website back up and running, but in case it is not, the most reasonable thing is to contact an expert in cleaning up attacks and hacks to review it. Sometimes attacks are more aggressive and go beyond your website.


Even if you have cleaned up a hack, it is possible that some of your day-to-day habits work against the security of your site. Remember to update WordPress, plugins and templates frequently (if you are not going to do it, you can hire maintenance services that do) and do not install plugins and templates from unknown sites… if in doubt, it is better not to.

Remember to use strong passwords (a minimum of 12 characters and 24 recommended, with letters, numbers and symbols); also, try not to use the same password on two websites (let alone the administrator website). Back up with some frequency… if you update your site a lot, make a daily copy, and if you do not update it so much, one a week. No less than that.


About this document

This document is licensed under the EUPL v1.2, published in WP SysAdmin and created by Javier Casares. Please, if you use this content on your website, in a presentation or in any material you distribute, remember to mention this site or its author, and to put the material you create under the EUPL license.