User Question: What are your preferred methods of restoring a hacked WordPress site?

How to restore hacked WordPress website?

restore hacked WordPress site

This question comes from a user whose site recently got attacked with malware. Before reading the answer, please do read How to remove malware from a hacked WordPress site.

Depending on what needs restoration, this question can have multiple answers:

However considering that you have removed all your WordPress installation files, you’ll need to restore the files from a known-good backup.

Database is Intact; WordPress Files are Infected

In an ideal situation this means that your database remains intact. This includes your settings, posts, pages etc.

Instead of reinstalling WordPress you’ll need to extract the files from the WordPress core package.

  1. Make sure that wp-config.php in the root of your installation has the correct settings.
  2. Download the core files from https://downloads.wordpress.org/release/wordpress-5.8.3-no-content.zip (replace the version with the correct one). Extract and overwrite the files on your WordPress install.
  3. Point your browser to <yourwebsiteurl>/wp-admin/upgrade.php. This will make sure that a database upgrade runs.
  4. Log into the website admin area.
  5. Purge the cache.
  6. Verify that you have the required theme and plugins active.
  7. Visit the permalinks settings once. This will create a .htaccess file or verify and update it if one already exists.
  8. Visit the front-end of the website and verify that all is well.
  9. Log into Google Search Console and head over to URL Inspection Tool.
  10. Enter the URL of the homepage or select any URL of your website.
  11. Click on “Test Live URL”.
  12. Click on “View Tested Page”.
  13. Very the site in “Screenshot” and “More Info” tabs.

If you have access to WP CLI, you can also reinstall WordPress with some very easy to follow steps. This is quicker than manual extraction and uploading.

Step-by-Step guide to efficiently reinstalling infected WordPress Core using WP CLI

Database is Infected; WordPress Files are Intact

Fixing an infected database is slightly more involved and you’ll certainly need access to WP CLI.

  1. Run a malware scan with Malcure Malware Scanner.
  2. The scan will outline the infected database records.
  3. Use PHPMyAdmin to inspect the infected records and identify the malware / malicious code.
  4. Find and replace: The WordPress database contains serialized data so bare-hand find and replace will break the data integrity. Use the WP CLI to do a search and replace.
  5. Execute the following command via WP CLI replacing the malicious code with the one that you detected on your WordPress install. In case of several types of malicious code you’ll need to run it multiple times. wp search-replace 'malicious code' '' --all-tables --dry-run --report-changed-only --precise --regex --regex-delimiter='/'

Run Another Malware Scan to Ensure Clean Site

It’s time to run another malware scan to ensure there are no remaining traces of the malware.

Ensure that SERPS are clean

Search for your site in search-engines. If you see weird results then it’s time to ask the search-engines to reindex your website.

That’s pretty much it! If you need help with this part of the process checkout our Malware Removal Service.