Methods of restoring a hacked WordPress site

How to restore hacked WordPress website?

restore hacked WordPress site

This question comes from a user whose site recently got attacked with malware. Before reading the answer, please do read How to remove malware from a hacked WordPress site.

Depending on what needs restoration, this question can have multiple answers:

However considering that you have removed all your WordPress installation files, you’ll need to restore the files from a known-good backup.

Database is Intact; WordPress Files are Infected

In an ideal situation this means that your database remains intact. This includes your settings, posts, pages etc.

Instead of reinstalling WordPress you’ll need to extract the files from the WordPress core package.

  1. Make sure that wp-config.php in the root of your installation has the correct settings.
  2. Download the core files from (replace the version with the correct one). Extract and overwrite the files on your WordPress install.
  3. Point your browser to <yourwebsiteurl>/wp-admin/upgrade.php. This will make sure that a database upgrade runs.
  4. Log into the website admin area.
  5. Purge the cache.
  6. Verify that you have the required theme and plugins active.
  7. Visit the permalinks settings once. This will create a .htaccess file or verify and update it if one already exists.
  8. Visit the front-end of the website and verify that all is well.
  9. Log into Google Search Console and head over to URL Inspection Tool.
  10. Enter the URL of the homepage or select any URL of your website.
  11. Click on “Test Live URL”.
  12. Click on “View Tested Page”.
  13. Very the site in “Screenshot” and “More Info” tabs.

If you have access to WP CLI, you can also reinstall WordPress with some very easy to follow steps. This is quicker than manual extraction and uploading.

Step-by-Step guide to efficiently reinstalling infected WordPress Core using WP CLI

Database is Infected; WordPress Files are Intact

Fixing an infected database is slightly more involved and you’ll certainly need access to WP CLI.

  1. Run a malware scan with Malcure Malware Scanner.
  2. The scan will outline the infected database records.
  3. Use PHPMyAdmin to inspect the infected records and identify the malware / malicious code.
  4. Find and replace: The WordPress database contains serialized data so bare-hand find and replace will break the data integrity. Use the WP CLI to do a search and replace.
  5. Execute the following command via WP CLI replacing the malicious code with the one that you detected on your WordPress install. In case of several types of malicious code you’ll need to run it multiple times. wp search-replace 'malicious code' '' --all-tables --dry-run --report-changed-only --precise --regex --regex-delimiter='/'

If there is a large database dump, here is what you will need to do:

Removing Malware from Large Database Dumps

Different Use Cases and Scenarios for Malware Cleanup

There are different types of malware attacks, here are some of the different use cases of malware attacks with respective steps to cleaning the infection and restoring the site:

Run Another Malware Scan to Ensure Clean Site

Whatever the case, be it database infection, files infection or database and file infections both, after cleaning the infection it’s time to run another malware scan to ensure there are no remaining traces of the malicious code / malware. It is important to clear the cache before running the second scan to avoid cached versions of infected files.

Ensure that SERPS are clean

There are use cases of SEO spam and website redirects specifically via search engine results. That is why it is important to search for your site in search-engines. If you see weird results then it’s time to ask the search-engines to re-index your website or specific URLs. Also check your Google Search Console account for any malware warnings, etc.

That’s pretty much it! If you need help with this part of the process checkout our Malware Removal Service.

See Also:

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, he transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.