If you are not comfortable with using FTP or your web host’s File Manager (like cPanel), then using free plugins to fix your hacked WordPress is the easiest method.
Keep in mind though that using this method may not remove more complicated hacks or malware injections. In such cases, you will have to do things manually and access your WordPress files directly. But this is the simplest way and a good method to attempt first.
This tutorial assumes you still have access to your WordPress dashboard. If you do not, then you will need to jump straight to fixing your hacked WordPress manually.
Step 1: Install the Sucuri Security plugin
Log in to your WordPress dashboard and click on Plugins > Add New. Search for sucuri, then install and activate the Sucuri Security plugin.
Step 2: Scan your WordPress core files
Click on the newly installed Sucuri plugin's Dashboard. Wait up to a minute for it to automatically scan your WordPress core files. The plugin compares the files on disk against the list of files that ship with your WordPress version and shows you any files that are not part of WordPress. These files can be deleted from within the plugin.
Word of caution: Be very careful that the flagged files are not ones you need. If you previously uploaded files without using WordPress (e.g. via FTP), they may show up in random locations (depending on where you uploaded them). Make sure you don't actually need those files before you delete them.
Files and images uploaded from within WordPress won’t be affected. These are stored within the wp-content folder which is not scanned here.
Step 3: Update secret keys
Changing the secret keys in WordPress invalidates every existing login cookie, so anyone who is currently signed in, including an attacker holding a stolen session, is locked out. For example, if your WordPress admin logins were compromised, you would want to change the secret keys as well as changing your password (we'll do this straight after).
Go to Sucuri Security > Settings and select the Post-Hack tab.
Select the checkbox, then click the Generate New Security Keys button.
You will be immediately logged out of WordPress. Just log back in and continue to the next step.
Step 4: Change your Administrator passwords
After you log back in, go to Users > All Users.
Edit the main Administrator user. If you have other Admin users (that you recognise), then edit them too. If there are other Admin users that you did not create, delete them.
At the bottom of the Edit page, generate a new password (store it somewhere safe, such as a password manager) and then click Update Profile.
Step 5: Re-install all plugins
Now that you have removed the non-core suspicious files, you should re-install all your plugins. Re-installing replaces each plugin's files with a fresh copy, which removes any malicious code that was injected into the plugin files themselves.
You can do this manually by going to your Plugins page and deleting each plugin and installing them again one at a time.
Alternatively, you can use the Sucuri plugin to automatically do this.
On some web hosts this automatic process will not work properly. Premium plugins are also not re-installed. So you may need to do this manually anyway for some (or all) plugins.
Also, take this opportunity to go through your installed plugins and remove the ones you aren't actively using. Fewer plugins means fewer potential entry points for hackers.
To do the automatic method, go back to Sucuri Security > Settings. Select the Post-Hack tab.
Select all plugins except for the Sucuri plugin. No need to re-install this plugin as you only just installed it in Step 1.
Step 6: Harden your WordPress installation
The final step is to harden your WordPress installation. This helps prevent re-infection with malware and reduces the chance of being hacked again.
Go to Sucuri Security > Settings and select the Hardening tab.
Apply Hardening to block PHP files in your Uploads, wp-content, and wp-includes directories. This blocks direct web requests to PHP files in those folders (WordPress itself still loads them normally), so a script an attacker drops there cannot be run by visiting its URL. A few plugins or themes rely on direct requests to their own PHP files; if something breaks after hardening, revert that single item rather than skipping hardening altogether.
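To show what the core-file scan in Step 2 is doing under the hood, here is an added example (my own code, not part of this tutorial or the Sucuri plugin). It assumes a manifest of expected core-file hashes, such as the per-release checksum list WordPress publishes; the manifest, file contents and temporary install below are all constructed so the script runs offline.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a release manifest: relative path -> MD5 of the
# clean file. Real checks use the checksum list published for each release.
CLEAN_CORE = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-settings.php": b"<?php // core settings (constructed)\n",
    "wp-admin/admin.php": b"<?php // core admin (constructed)\n",
}

def audit_install(root: str, manifest: dict, skip=("wp-content",)) -> dict:
    """Report core files that are modified, non-core files that are unknown,
    and expected core files that are missing. Directories in `skip` are not
    scanned, mirroring the plugin's exclusion of wp-content (user uploads)."""
    seen = set()
    modified, unknown = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir.split(os.sep)[0] in skip:
            dirnames[:] = []  # prune the excluded tree entirely
            continue
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            with open(os.path.join(dirpath, name), "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            seen.add(rel)
            if rel not in manifest:
                unknown.append(rel)        # not shipped with WordPress
            elif manifest[rel] != digest:
                modified.append(rel)       # core file whose content changed
    missing = sorted(set(manifest) - seen)
    return {"modified": sorted(modified), "unknown": sorted(unknown), "missing": missing}

def demo() -> dict:
    """Build a throwaway install with constructed tampering, then audit it."""
    manifest = {p: hashlib.md5(b).hexdigest() for p, b in CLEAN_CORE.items()}
    root = tempfile.mkdtemp()
    files = dict(CLEAN_CORE)
    files["wp-settings.php"] += b"// appended line (constructed tampering)\n"
    files["wp-includes/injected-example.php"] = b"<?php // not a core file\n"
    files["wp-content/uploads/photo.jpg"] = b"\xff\xd8 constructed upload"
    del files["wp-admin/admin.php"]  # simulate a deleted core file
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return audit_install(root, manifest)
```

Run `demo()` to see the three categories; the legitimate upload under wp-content is never reported, which is why files uploaded through WordPress are unaffected by this scan.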
Hopefully this has fixed your hacked WordPress site or removed your WordPress malware issues.
If, after following this tutorial, you are still experiencing hack-related symptoms or malware warnings, then you may need to dig a little deeper and fix your hacked WordPress manually.