<aside> ⚠️ If you want an editable version of this page, please click “Duplicate”.

</aside>

If your WordPress website has been hacked, it is important to act quickly to remove any malicious code and restore the site's security.

Here is a checklist of steps to follow to clean a hacked WordPress site:

Scan the site for malware.

Use a malware scanner to scan the site thoroughly for any malicious code or files. Depending on the situation you can either use

Online scanner

• [ ] Scan your WordPress site using wpsec.com

Installing a scanner plugin in the WordPress backend

I’m suggesting below that you use Wordfence as your scanner, but you’re free to use any kind of plugin of your choice, like for example Sucuri. It really does not matter, as long as your site gets scanned.

• [ ] Install Wordfence (the free version from WordPress.org suffices)
• [ ] Scan your site using the Wordfence scanner

This should give you a listing of all infections that were found and need to be tackled.

<aside> 💡 Keep the results somewhere you can access them easily. We’ll need them later on.

</aside>

• [ ] I’ve saved the scan results locally.

Identify the source of the hack.

Before we proceed with cleaning the site, we’ll first need to determine how the hack occurred, whether it was due to a vulnerability in a plugin or theme, weak passwords, or other security issues. This can help you to prevent similar attacks from occurring in the future.