WordPress Hack Recovery Checklist


Recovering From a Hack

If your WordPress site has ever been hacked, you might need a checklist to cover everything. Here is a quick one that we have used to help a few site owners in need:

  1. Download a fresh copy of WP and upload it to a new directory on the server. This starts you with a clean slate.
  2. Check to see if you have local copies of the theme folder. Use those old, uncorrupted files for the new installation.
  3. If you do not have local copies of the theme files, then you need to transfer over only the potentially hacked theme files and the upload files.
    1. First, download and check all theme files for the hack. Usually the hack is code added to the headers and footers of common files.
    2. Search for any JavaScript or base64-encoded code, as that is the hack of choice lately.
    3. Remove any unnecessary files whose purpose you are unsure of.
  4. Move the theme files over to the new install once they are cleaned.
  5. Check your WP users for any unauthorized accounts and delete them.
  6. Change all WP user passwords.
  7. Check your database for any odd/new data.
  8. Reset FTP passwords for all users.
  9. Remove any shell access in the control panel if it is not needed.
  10. Reset the hosting control panel password.
  11. Reset the database password for WP.
  12. Update the new wp-config.php file with your new settings.
  13. Salt the wp-config.php file.
  14. Swap the installs by moving the old WP to a sub-directory and the new installation to the old location. This makes the new site live.
  15. Test the site to make sure the theme works, the hack is gone, that plugins work and all uploads work.
  16. Delete the old WP installation once you pass all tests.
  17. Reset CHMOD permissions on all transferred files. The new WP install should have all the correct permissions, but any transferred files might be corrupted and have 777 access or other odd access permissions.
  18. Install security plugins such as WP Lockdown or WP Security Admin Tools.
  19. Change the default user from admin to something else.
  20. Change the WP database table names, if possible.
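
A scanner for checklist steps 3.1, 3.2 and 17, added here as an example and not code from the original post: it walks a downloaded theme folder and lists files that contain base64-decoding calls, long encoded strings, or world-writable permissions. The pattern list, the function names and the sample theme are assumptions constructed for the illustration.

```python
import os
import re
import stat
import tempfile

# Assumed starter patterns for injected code; extend them for your own site.
SUSPICIOUS = {
    "php-decode-exec": re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    "php-base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "js-atob-or-unescape": re.compile(rb"\b(atob|unescape)\s*\(", re.I),
    "long-base64-blob": re.compile(rb"[A-Za-z0-9+/]{200,}"),
}
SCAN_EXT = (".php", ".js", ".html", ".htm")

def scan_theme(root):
    """Return {relative_path: [findings]} for files that need a manual review."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = []
            # Checklist step 17: transferred files may carry 777-style permissions.
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append("world-writable")
            if name.lower().endswith(SCAN_EXT):
                with open(path, "rb") as fh:
                    data = fh.read()
                findings += [label for label, rx in SUSPICIOUS.items() if rx.search(data)]
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample_theme():
    """Constructed sample: clean header.php, footer.php with an appended encoded blob."""
    root = tempfile.mkdtemp(prefix="theme-")
    blob = "QUJD" * 60  # harmless filler standing in for an injected payload
    samples = {
        "header.php": ("<?php wp_head(); ?>\n", 0o644),
        "footer.php": ("<?php wp_footer(); ?>\n<?php eval(base64_decode('%s')); ?>\n" % blob, 0o666),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for path, findings in sorted(scan_theme(build_sample_theme()).items()):
        print(path, "->", ", ".join(findings))
```

A hit is a reason to open the file and read it, not proof of compromise; legitimate themes and plugins sometimes call base64_decode.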

If you have any other tips, feel free to let us know.
