How can you recover your WordPress website if it is hacked?

How can you recover your WordPress website if it is hacked?

Imagine finding out that your WordPress website has been hacked. Imagine considering it as a nightmare, but then realizing that your worst nightmare has turned into a reality. Hundreds of pessimistic thoughts run through your mind. Your years of hard work, investment, and prevention all went down the drain!

But, is it actually that bad?

No one can deny the fact that your business website getting hacked is a terrible experience! It is akin to any other asset of your business getting stolen. The anguish, pain, and anger are similar to when you get physically robbed off.

However, apart from feeling bad about your WordPress website getting hacked, what else could you possibly do?

Let us tell you that!

Table of Contents

What should you do when you get to know that your WordPress website has been hacked?

Stay Calm

This might sound cliche, but it is absolutely important. Most people panic in such situations. Resultantly, they are not able to tackle the situation rationally and efficiently. Hence, if you get to know that your website has been hacked, take a deep breath, and stay calm. You can counter the problem a lot more easily by staying calm than by panicking.

Back-up the remaining stuff

What is gone is gone. Now, you need to save the remaining stuff. A hacked website has some other important stuff, too, apart from the corrupted files. You should try to back-up those remaining files. There are numerous back-up solutions available for WordPress.

You should particularly try to back-up images and videos. The reason being that media files are harder to recreate. Hence, by backing those up, you can use them later on when you rebuild your site.

Scan your local machine

It is very likely that the hacker who has hacked your website first hacked your computer. If that is the case, then all the websites that you have been logging on to are in danger.
Therefore, you should instantly install and run a virus scan on your computer. You should also ensure that your OS is updated. This process will help you in ensuring that your computer is safe from hackers, and there is no chance of your system being infected again after you have cleaned up the virus.

Need help with this?

Call us and get a chance to discuss this with our experts!

Seek help from a professional

Let us admit: WordPress website security is not something that every Tom, Dick, and Harry can deal with. It might not seem so, but it is actually a very, very tough job to manage a website’s security. Hence, it is in your website’s best interest to hire a professional for this purpose.

Hackers are becoming smarter day by day. They often tend to hide things in places where no one else except for a web expert can reach. This leads to your website becoming infected again after you have cleaned up the mess.

Imagine the horror!

Do you wish to avoid it? Call us today and get a chance to avail our website security services!

ecommerce website on WordPress

How can a hacked WordPress website be recovered if you have access to the back-up?

Change your password

As soon as you get to know that your WordPress website has been hacked, you should change the password. This will prevent the hackers who have obtained your login details from logging into your website again. Not only this, but you should also encourage all other users and admins to change their passwords as well. You can even change their passwords yourself manually.

Scan for virus

The next thing to do is to find where the hackers have hidden infected files. You should ideally start-off by deleting inactive themes and plugins because this is exactly where most of the hackers hide infected files. After that, download and run a malware scanner to disinfect your website.

Replace infected files with original

If you find any malicious file on your website, delete it instantly. You can do so for WordPress core files as well as themes and plugins.

Check user permissions

In WordPress, each user can be given a specific role. You can decide what each user can and cannot do after logging in. You should give admin rights only to people whom you trust blindly.

Change SALTs

Likely, someone who stole your password to login to your website might still be logged in through the secret keys. These secret keys have important information inside the cookies. You can change them by generating new SALTs and replacing the older ones with them.

Change your password once again

We do remember that you started by changing your password, but it is extremely important to change it again along with other things such as hosting admin backend credentials, FTP login, MySQL database password, and admin email address. It is only after changing all these things that you can be sure of making your website secure again.

Make your security more stringent

It is high time for you to figure out the security loopholes of your website and then try to fix them up. You should do anything and everything possible to make your website safe and secure.

Rebuild your site

After you have got rid of the infected files and recovered your website, you still might need to take care of certain things. Blog posts, theme customizations, and other similar things might get lost in the process of recovering the website. Hence, you got to work on them all over again!

WordPress security

How can a hacked WordPress website be recovered if you do not have access to the back-up?

Reset the administrator password with phpMyAdmin

Are you facing issues while trying to login to your website? If yes, that is probably because the hacker has changed your admin password. You can reset or recover WordPress admin password with phpMyAdmin inside the database. Or, you can try to change your email address and then reset your password.

Find affected files

As previously has been described, you need to start by finding the infected files and deleting them. You can do so by running an external scanner on your site. There are numerous scanners available online. You can download and use whichever you like. Another thing that you could do is, get in touch with your host and ask it to help you with the task.

Re-run security checks

Ideally, when you are done with everything, you should re-run the security checks. Just to be sure that everything has been fixed and there are no security loopholes left.

Finish up

Once all the mess has been cleaned up, you need to take the same measures mentioned above. Check user permissions, change passwords, replace secret keys, and rebuild websites. Are you done with all this? You are good to go!

10 Reasons Why WordPress Sites Get Hacked

Reason 1: Not choosing a secure web hosting service provider

If you are planning to launch your WordPress website, you need to opt for a web hosting service provider. In most cases, people end up choosing a web hosting service provider that does not have a properly secured hosting platform. This makes their business website vulnerable to hacking attempts.

Preventing your website from getting hacked is an achievable task. You can simply make your website less vulnerable to such attacks by choosing a safe and secure web hosting service provider. In case you have no idea about which one to choose, you can have a look at this guide on best WordPress hosting.

When it comes to web hosting, you have two options; you can either choose shared WordPress hosting or opt for managed WordPress hosting. We highly recommend our clients to go for managed WordPress hosting. It is surely more expensive than shared WordPress hosting, but it is more safe and secure!

WordPress websites

Reason 2: Having weak passwords

Passwords are to your website what keys are to the locks. No one can access your website until or unless they have your passwords. Just like no one can open the lock without the key. You should have a unique as well as different password for all your accounts including:

  • WordPress admin account
  • Web hosting control panel account
  • FTP accounts
  • MySQL database
  • Email accounts associated with WordPress admin

All the above-mentioned accounts are protected by passwords. If you use weak passwords, it becomes easier for hackers to figure them out using various hacking techniques. Therefore, we highly recommend you to have strong and unique passwords for all your accounts. This way you can keep the hackers at an arm’s length from your website.

You can have a look at the guide for managing passwords. If after going through the guide, you feel that it is too much for you to digest, do not worry.

You can hand over your WordPress website’s security to us and will take great care of it!

Reason 3: Unprotected access to WordPress admin

The WordPress admin area is an extremely significant place on your WordPress dashboard. A person who has access to this area can do a number of different things to your WordPress website. It is, therefore, also the most frequently attacked area of your WordPress website.

Leaving this area unprotected can have severe repercussions for your website’s safety and security. Hackers get a free hand to try various techniques to mess up your website. However, you can easily deter the hackers by adding various forms of authentication to your WordPress admin directory.

Your first layer of authentication should include protecting your WordPress admin area with a password. This will further secure your website as anyone who would try to access your admin area would have to provide an additional password. Until or unless that extra password is provided, no one can access the admin area.

If your website has more than one user or admin, you can ensure its security by having strong passwords for all the users. You can even make use of two-factor authentication to make it more troublesome for hackers to access your admin area.

Reason 4: Incorrect file permission

File permissions simply refer to rules that are used by your web server. These rules govern access to the files on your website. If your website has incorrect file permission, hackers can easily invade the files. They can then edit, change as well as delete these files at their own discretion.

You should check your file permission and see if they have the desired number or not. All WordPress files’ permission should be set to the value of 644. On the other hand, file permission of your WordPress website should be set to 755.

If you think all this information is mind-boggling, COMMENT BELOW and we will come to your rescue. Our experts have been fixing WordPress problems for quite some time. Hence, you won’t be disappointed.

That is a promise!

Reason 5: Not keeping your WordPress website updated

People often think that developing a WordPress website is a one time process. You just need to get a WordPress website designed once and then you can relax for years to come. This perception is totally deceptive.

Developing a WordPress website is not a one-time-job. It requires constant upgrading. You need to keep updating your WordPress website from time to time in order to keep it alive.

Each and every WordPress update improves your website’s security and safety. If you are sceptical about an update, create your website’s backup before updating your website. This way you can play around safely!

Our client’s do not need to worry about such petty things. We do such tasks on our clients’ behalf so that they can focus on their core business practices. If you wish to have the same leverage, grab your phone and give us a call NOW!

Wordpress design sydney

Reason 6: Not keeping plugins updated

Just keeping your WordPress software updated is not enough. Way more efforts are required to keep the website running smoothly. You also need to update your plugins. In case you are using outdated plugins, your website will become vulnerable to hacking attacks.

The reason is that WordPress plugins are not without any flaws. At times developers later realise the loopholes left in the plugin. Once the plugin has been rolled out, the only way to fix up these loopholes is through regular updates.

Hence, do not make the silly mistake of ignoring WordPress plugin updates.

Note that down!

Reason 7: Choosing FTP instead of SFTP/SSH

It is through FTP accounts that files are uploaded using an FTP client. Almost all hosting providers support FTP connections through the usage of different protocols. Therefore, FTP, SFTP, and SSH can also be used.

However, you need to understand the hidden technicalities. If you are using plain FTP to connect to your website, there lies a great danger. Your password that is sent to the server is unencrypted. This means it can easily be stolen and misused. Therefore, it is highly recommended that you avoid using FTP. Instead, you should prefer to use SFTP or SSH.

In order to implement this change, you are not required to change your FTP client. Your existing FTP client can switch your website to SFTP or SSH, whichever option you find to be more desirable!

Reason 8: Using ‘admin’ as your WordPress username

By default, WordPress username is set to ‘admin’. However, if you continue to use the same username, then you are making a serious mistake. You should change your username as soon as possible.

Websites that have ‘admin’ as their username are vulnerable to hacking attacks. They can be attacked at any time by hackers. Hence, your username should be decided by you yourself so that your website can remain safe and secure.

ecommerce website on WordPress

Reason 9: Testing random themes and plugins

In a competitive corporate environment where businesses are already trying hard to make their ends meet, there is nothing more tempting than free themes and plugins. The internet is filled with such free stuff but, as they say, “there is no free lunch in business”. These free themes and plugins are harmful to your website. Therefore, you should avoid enjoying such free stuff!

We always recommend our clients to opt for customised business websites. They are unique, aesthetic, and secure. Our team has mastered the art of customising websites according to the client’s requirements.

If you want a custom-designed website, you can BOOK AN APPOINTMENT and get a chance to discuss your website idea with our experts!

Reason 10: Not changing the WordPress table prefix

WordPress, by default, uses the prefix wp_ for the tables that are created in your website’s database. Experts in the field recommend that this default prefix should immediately be changed. Sticking with this prefix can prove to be hazardous for your website’s security.

You should ideally use a prefix that is a bit complicated. Doing so will make it difficult for hackers to guess the name of your tables.


Being in the field for years has made us realize that it is easier to pen the process down than to implement it. We know businesses do not have that much time or expertise to recover a hacked website. Hence, we facilitate such businesses by doing so on their behalf.

Do you wish to avail our services too?

Head on to our website now and fill the given form to avail our services!

Updated on: 22 May 2020 |

Nirmal Gyanwali, Director of WP Creative

Nirmal Gyanwali

With over 16 years of experience in the web industry, Nirmal has built websites for a wide variety of businesses; from mom n’ pop shops to some of Australia’s leading brands. Nirmal brings his wealth of experience in managing teams to WP Creative along with his wife, Saba.