There are many ways to accomplish the same outcome.  There can even be many debates on what is best practice for doing this.  However, getting hacked is an emergency, and there really isn’t much time for debate when that happens.

You want the quickest and best way to salvage the situation.

This is a technical article but those who want to get an idea of what effort is entailed in recovery are welcome to browse it.

The first thing you should think of:  Where are the backups?

  • Where is the backup of the Theme.  The more recent version in a compressed file, the better.  You want a clean version.
  • Where is the backup of the Database?
  • Where is the backup of the File System?
  • Are there any premium plugins?  If yes, where are the original compressed file versions?

If you are unable to locate even one of these items, get prepared for a longer recovery time period.

The first thing you should do:  Put Up a Maintenance Splash Page

While you are busy formulating a recovery strategy, put up a Maintenance Splash Page.

If the website is not getting flagged by search engines (only the attack websites get blocked), you will want to prevent anyone else from getting to the website.  You can use Wp-Maintenance Mode or anything similar.

The next thing you should do:  Run Backups of the current system

  • Get a SQL Dump of the database
  • Copy the whole thing that is in PUBLIC_HTML to a compressed file.  cPanel should let you do this pretty handily.
  • Get a separate backup of the Theme folder.

Google recovery actually wants you to get make two backups.  You can read the Google article on hacking.  It’s rather long but it’s good information.

Caveat:  The backups will contain files that can be harmful to your computer.  But in the case where there are no other backups (two out of two times, this was actually true for me) – sometimes it is all you’ve got.  You are not really going to use these backups unless you accidentally delete a file that you end up needing.

Onward to Recovery.

There isn’t a straight-forward formula for recovery.  Mainly because the actions you need to take will depend on the severity of the hacking.  The article Anatomy of a Hack shows you what pieces of the WordPress site can actually get hacked.

Here’s an idealized situation:

CAVEAT:  Every hacking situation has variations so your situation may not be a 100% fit for this script.  However, I hope it helps, even if a little.

  1. Clean up the PUBLIC_HTML folder in your administration account.  Delete all files that you know can be deleted.
  2. Re-install WordPress.  This effectively gets rid of any malware code embedded in the WordPress core.
  3. Upload a clean copy of the Theme.
  4. Grab the CSS and Functions.PHP files from the backup and upload them.
  5. Examine the SQL Dump – it’s a .SQL file.  You can open it with a text editor like Notepad++.  Look for spam content in any of the columns.  Those will be obvious when you see a bunch of URLs in any of the content.
    • Edit the file directly – but you have to make sure you don’t mess up the markups.
    • Alternatively, load it into a work database and edit using the PHPMyAdmin interface.
    • Load the database when you feel you’ve made the best effort
  6. Now examine the Files on the backup.  Be careful not to double-click on anything.
    1. Plugins – skip over all the non-premium plugins.  Load clean versions from the WordPress Repository.  Upload premium plugins and activate.  The settings from the database should still hold out.
    2. Examine the UPLOADS folder.  Check for sub-folders.  Also check for any PHP files here.  Delete those.  No reason for PHP files in here.
    3. Overall just check all the folders to see if anything looks suspicious.  Delete those.  You have a backups you can use in case you need them back.
  7. Install the WordFence plugin.  Everything needs to be scanned.  Methodically address each reported issue that you find until your scans are clean.  This could take some time but it’s what I call “due diligence”.
  8. Every FILE in your system MUST be cleaned from all traces of malware or you will be permanently “cursed” with their vile code.

Here’s the rule of thumb you can use:  Look for code first, look at the data next, and then look for images that are actually code disguised as a .PNG or .JPG file.


I am currently updating this content to explain how to use WordFence properly. This plugin really saved the day for me so I am working on some videos and more posts that will explain how to use it.

Sign Up Now to my List and I will add you to my new Membership Site that I am starting in 2018.