1. Check for Suspicious Admin Users

One of the most common signs of a hacked WordPress site is unauthorized admin users.

  • Go to WordPress Admin → Users
  • Look for unknown admin accounts
  • Delete any suspicious users immediately

Attackers often leave hidden users for persistent access.

2. Inspect the Database (wp_users Table)

Hackers may insert users directly into the database.

  • Open phpMyAdmin
  • Locate your database
  • Check the wp_users table
  • Remove unknown entries

Also check wp_usermeta for hidden admin privileges.
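The two database checks above, written out as SQL that can be run from the phpMyAdmin SQL tab. This is an added example, not part of the original article; it assumes the default wp_ table prefix (the capabilities meta_key follows the prefix, so a site using a different prefix must change both the table names and the meta_key).

```sql
-- Query 1: every account that holds the administrator role.
-- Roles are stored as a serialized PHP array in wp_usermeta under the
-- meta_key 'wp_capabilities', e.g. a:1:{s:13:"administrator";b:1;}.
-- Reading it here catches admin accounts that malware hides from the
-- dashboard user list. Assumes the default "wp_" prefix.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- Query 2: accounts in wp_users with no capabilities row at all.
-- WordPress always writes this row when it creates a user, so a user
-- without one was most likely inserted straight into the database.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.umeta_id IS NULL;
```

Compare the logins returned by Query 1 against the administrators you know about, and treat any account you cannot account for in either result as suspicious.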

3. Scan Your Website with Wordfence

Use Wordfence to detect malware, backdoors, and modified files.

  • Install and activate the plugin
  • Go to Wordfence → Scan
  • Run a full scan

Important:

  • Go to Wordfence → All Options
  • Enable "Scan files outside your WordPress installation"
  • Ensure themes and plugins are included in scans

This is critical, as many recent attacks hide malware outside standard WordPress directories.

4. Remove Dangerous File Manager Plugins

File manager plugins are a major attack vector.

  • Remove WP File Manager
  • Remove File Organizer
  • Remove Filester
  • Delete any unknown plugins

These plugins are commonly exploited to upload malware and gain server access.

5. Scan and Clean Website Files

  • Check wp-config.php for injected code
  • Look for unfamiliar PHP files
  • Scan themes and plugins manually
  • Replace core files with a clean WordPress download

Compare files against a clean version if unsure.

6. Enable ModSecurity Protection

  • Enable ModSecurity in your hosting panel
  • Ensure rules are active and updated
  • Block malicious requests and bots

ModSecurity helps prevent future attacks at the server level.

7. What We Learned from Recent WordPress Hacks

  • File manager plugins are frequently exploited
  • Attackers create hidden admin users
  • Malware is often placed outside standard directories
  • Database manipulation is common

A proper cleanup must include both file system and database checks.

8. Final Cleanup Checklist

  • Remove unknown users (dashboard + database)
  • Run full Wordfence scan (including outside files)
  • Delete dangerous plugins
  • Clean infected files
  • Update WordPress, themes, plugins
  • Enable ModSecurity
  • Change all passwords

Following all these steps ensures your website is fully cleaned and secured.