HelpWithWebGet Help Now
← Back to Blog
WordPress Security7 min read

Hacked WordPress Site? The Cleanup Playbook — Clear, Update, De-Obfuscate, Harden

Your WordPress site got infected with malware. Before you nuke the whole thing, there's a 4-step recovery playbook that fixes most infections: clear the active malware, update plugins + core, hunt obfuscated code, and harden against reinfection.

ByDino Bartolome
Laptop and notebook on a desk in a soft creative workspace
Photo by Deng Xiang on Unsplash

You log in to your WordPress dashboard and see something off — redirected pages, weird admin users you didn't create, Google flagging your site as deceptive, or your hosting provider sending you a "malware detected" email. Now you're in cleanup mode.

The instinct is to either panic-restore from a backup (and lose recent work) or call someone to "fix the whole site" (which usually means an expensive rebuild). Most malware infections don't need either. There's a 4-step recovery playbook that resolves the majority of WordPress malware cases — and a hardening pass at the end that makes reinfection much less likely.

Here's the workflow I run on every infected site.

Step 1 — Clear the Active Malware

The first priority is stopping the damage. Active malware is doing one of three things: redirecting visitors to spam sites, injecting ads into your pages, or creating backdoor admin accounts so the attacker can come back.

What that looks like in practice:

  • Scan with a real malware scanner — Wordfence or Sucuri are the two I trust most. Both have free tiers that scan core files and known plugin/theme files against their official checksums. Anything modified gets flagged.
  • Inspect every flagged file by hand — don't just trust the scanner's "remove" button. I've seen scanners flag legitimate plugin modifications as malware. Read each flagged file. If it has obfuscated code (base64-encoded strings, eval'd content, hex-encoded payloads), it's almost always malicious. If it's an unexpected modification to a core file (like wp-config.php having extra includes), that's a backdoor.
  • Check the database — malware often injects content into the wp_options table, modifies wp_users to add admin accounts, or stuffs malicious code into post meta. Look for users you didn't create. Look for new options keys you don't recognize. Search the posts table for <script> tags, iframe injections, or base64 strings.
  • Delete the malware — once you've identified what's infected vs. what's modified-but-clean, delete the infected files. Don't worry about breaking things in this step. We'll restore from clean sources next.

Don't skip the database. Most clients focus on file-level malware and miss the database injections, which are the things that survive a code update.

Step 2 — Update Plugins (Most Common Attack Vector)

Once the active malware is cleared, the next step is patching the hole it came through. Outdated plugins are the #1 cause of WordPress compromises — usually by an order of magnitude.

What I do:

  • Get a list of every plugin, including version installed and latest available — Wordfence shows this; so does the WordPress admin Plugins page.
  • Update every plugin to the latest version — don't skip "minor" updates. Many security patches go out as point releases.
  • For abandoned plugins (no update in 12+ months), replace or remove — abandoned plugins are the worst risk because vulnerabilities never get patched. Find a maintained alternative or delete it.
  • Watch for compatibility issues — after each batch of updates, click through the site as both admin and a logged-out visitor. Make sure key pages still render, forms still submit, checkout still works.

A plugin you used to need but haven't touched in two years is rarely worth keeping. Delete it. Less surface area means fewer vulnerabilities.

Step 3 — Update WordPress Core

After plugins, update WordPress itself. Core updates fix vulnerabilities in WP itself, and a lot of malware specifically exploits known core CVEs from outdated WP versions.

What that looks like:

  • Take a fresh backup before the core update — even though we're in cleanup mode. A core update can collide with custom code in unexpected ways.
  • Run the WordPress core update from Dashboard → Updates — it'll update WP itself and re-update the database schema if needed.
  • Test the major flows again — login, posting, plugin compatibility, theme rendering.
  • If your theme is outdated or modified, update it too — modified themes are a common malware hiding spot, because theme files don't get checked by core's update system.

If your site uses a paid premium theme that hasn't been updated in 2 years, that's a problem worth raising with the client. Premium themes with no support contract become the same liability as abandoned plugins.

Step 4 — Hunt for Obfuscated Code (The Backdoor)

This is the step most cleanup jobs skip — and it's why "we cleaned the malware" sites get reinfected within days.

Malware almost always leaves a backdoor: a piece of obfuscated code, usually hidden in a theme file, plugin folder, or uploads directory, that lets the attacker re-execute their payload after you've cleaned everything else. If you miss the backdoor, the attacker walks back in and reinfects within hours of you finishing the cleanup.

How to hunt it:

  • Search every PHP file for known obfuscation markers:
  • - eval( — evaluating arbitrary code at runtime is almost always malicious in modern WP code
  • - base64_decode( — decoding base64 strings to execute as code, classic backdoor pattern
  • - gzinflate(, str_rot13(, gzuncompress( — used to obfuscate the actual payload
  • - \x[0-9a-f]{2} hex strings being concatenated into function names
  • - Long single-line PHP files where every variable is named $O0O0O or similar — code obfuscators generate these
  • - assert( with dynamic content — assert evaluates code in old PHP versions
  • Check the uploads directory for PHP files — wp-content/uploads should contain only images, PDFs, and other media files. ANY .php file in there is suspicious. Most malware drops a small backdoor into uploads because most owners don't realize PHP can execute from there.
  • Check the root directory for unknown files — anything in your WordPress root that isn't a default WP file (wp-config.php, .htaccess, index.php, wp-admin/, wp-includes/, wp-content/) should be inspected.
  • Compare against a fresh WordPress download — pull a clean copy of the WordPress version you're running and diff your install against it. Anything different is either a customization (legitimate) or a backdoor (not).
  • Disable, don't delete, on the first pass — when you find suspicious code, rename the file or comment out the suspicious section first, then test the site. If something breaks, you might've caught legitimate (if poorly written) code. If nothing breaks, delete it.

The disable-first approach saves you from breaking legitimate-but-ugly customizations that look malware-shaped at first glance.

After Cleanup — Harden So It Doesn't Happen Again

Cleanup without hardening is whack-a-mole. After the 4 steps above, do these to make reinfection much less likely:

  • Change every password — admin users, hosting account, FTP, database, and any service account integrated with the site. The attacker probably has them all.
  • Enable 2FA on all admin users — Wordfence or Google Authenticator. Free, takes 5 minutes per user.
  • Restrict admin access by IP if possible — at the .htaccess or hosting firewall level, lock wp-admin to specific IPs.
  • Install a security plugin and configure it — Wordfence's free tier blocks most automated attacks. Set up file-change monitoring so you'll get an email the next time anything modifies a WordPress file.
  • Block PHP execution in the uploads directory — add this to your .htaccess in wp-content/uploads:
  • ```
  • <Files *.php>
  • Order Deny,Allow
  • Deny from all
  • </Files>
  • ```
  • This single change prevents the most common malware re-entry path.
  • Schedule automatic plugin updates — for non-critical plugins, just enable auto-updates. The risk of a bad update is lower than the risk of running a known-vulnerable plugin.
  • Set up daily off-site backups — UpdraftPlus or BlogVault to a separate cloud storage, not your hosting server. If reinfection happens, you can restore from a clean point.
  • Initialize a git repo on the site root — even if you'll never push to GitHub. cd to your WordPress install, run git init, git add ., git commit -m "post-cleanup baseline". From that moment on, git status instantly shows every file change since baseline. The next time malware drops a payload, you'll see exactly which files changed — usually before any visitor reports anything. Set up a cron job that emails you the output of git status if it's not empty: 0 */6 * * * cd /var/www/html && git status --porcelain | grep . && git status | mail -s "WP file change detected" you@example.com. Fifteen minutes of setup catches infections that scanners miss for days.

When to Rebuild Instead of Clean

There are a few cases where rebuilding is faster and cheaper than cleaning:

  • The site is on PHP 5.x or WP 4.x — the surface area is too large; the old PHP version has unpatchable issues
  • You can't identify the original developer and the code is a mess of un-attributed customizations
  • You've cleaned twice and it keeps coming back — there's a backdoor you're missing and rebuilding is more reliable than continued hunting
  • The site uses 30+ plugins of unknown origin — the time to vet each one exceeds the time to rebuild lean

For most cases, the 4-step cleanup + hardening pass takes a day or two of focused work and saves the client weeks of rebuild time.

What I Do Differently

When I take on a WordPress malware cleanup, I always do three things:

  1. Run the full 4-step playbook — not just "delete the bad files." Most cleanup services skip Step 4 (obfuscated code hunt), which is why their cleanups don't hold.
  2. Document what I found and where — so the client knows what was actually wrong, not just "we fixed it."
  3. Apply the hardening pass — so the site is genuinely less vulnerable than it was before the infection.

That way the engagement is a complete unit: clean site, documented findings, hardened against the most common re-entry paths.

---

Got a hacked WordPress site that needs cleanup? I take on these engagements at all sizes. A standard cleanup + hardening pass is typically a $1,500 Quick Win — clear the malware, update everything, hunt the backdoor, harden against reinfection, all delivered in about a week with a written report of what was found. For sites where you're not sure what's going on yet, a $500 Discovery buys an audit + cleanup roadmap you keep regardless. Send me the URL and what you're seeing and I'll tell you what's realistic.

Need Help With Your Website?

I fix these problems every day. Send me a message and I'll take a look.

Get Help Now