Support Start > Web Hosting Technical Information > Recommended Software and Scripts > WordPress > Cleaning Infected Sites

When a website (including a WordPress site) gets “hacked”, we can usually restore a backup from before the infection. In some cases, though, an investigation will reveal that the site has been infected for a long time and all of the backups are also infected. This makes it impossible to fix a site by restoring an old copy. A related situation is when a customer transfers infected files to our servers.

In these cases, there’s no easy way to ensure that all infections have been removed. Security experts agree that in these situations, the only safe course is to start over with a new set of script files.

We recognize that “replace all the files” sounds overwhelming, but it isn’t nearly as bad as it sounds. For WordPress, you would:

1. Delete all the PHP files you’ve put on our servers (including all WordPress plugin and theme files), but not the database or any non-PHP files in “/wp-content/uploads”;
2. Reinstall a fresh copy of the WordPress files using our WordPress installer;
3. Connect the new files to the old database, by changing the database username and password in the new wp-config.php file to be the old database values;
4. Use the WordPress dashboard to install fresh versions of any plugins and themes you want to keep (use only newly obtained files, not ones copied from the site with the infection);
5. Change your WordPress passwords and make sure the hackers didn’t add any new users.

We can do steps 1-3 for you if you have trouble. We can also do step 4 for you if the site uses only free plugins and themes (you’ll need to reinstall any paid plugins or themes yourself). Step 5 you can do yourself within the WordPress dashboard.

After this is done, you may also need to “tweak” your site to account for new versions of WordPress or your plugins or themes, but that’s the same thing you would have needed to do if you updated them normally over time.

Doing this (and keeping your themes and plugins updated in the future) will permanently fix almost all “hacked” WordPress sites. It should take an hour or two for an average site — and importantly, it takes far less time, expense and effort than dealing with your site later being de-listed by Google and other services, which is likely to happen if you don’t fix it.