WordPress hacked? How to fix for free

An intermediate guide

A guide to securing and cleaning up a hacked site using only free plugins. This solved the ‘Disapproved Landing Pages’ and ‘Malicious’ Site violations on a Google Ads account. **This will only work if you have access to your WP dashboard.

Step #1: Virus Scan

The first step is to use a trusted malware-scanner plugin to look through your site’s code to find vulnerabilities and suspicious changes to your data.

Let’s download the free plugin, Wordfence.


Search for Wordfence in the plugin store, then install Wordfence Security

Follow instructions to get your license! It will involve Wordfence sending a license key to your email, which you will then use to activate the free software.

Once you have the key, go back to the Wordfence plugin, click the button to activate your license, then enter your key & email. 

And the, when your key is activated, go to the left side of the WP dashboard, hover over Wordfence > Scan > click ‘Start New Scan’

Step #2: After the scan

When the scan is complete, it will tell you all of the vulnerabilities and issues it finds on your wordpress site by using Wordfence’s database of known attacks/hacking methods. Possible results will include:

  • Critical problems found – If wordfence finds suspicious code in your PHP files, you will need to delete the suspicious code from your theme files.
  • Plugin updates – Make sure to update out-dated plugins which may allow hackers to exploit your site
  • Back up – Make sure to back up your site before editing any of this code. Updraft Plus recommended.

* Note: This guide follows a specific case where the scan found suspicious code in the PHP file. After deleting the code, the problem was fixed.

Before editing code

Again, before editing the code, you really should backup. With all due respect, if you don’t feel comfortable backing up, then you probably shouldn’t be editing your code at all.

I’d recommend reaching out to a programmer friend or family member or contact me for help.

If you’re dedicated to doing it yourself, I recommend commenting out the malicious code instead of deleting it, so you can easily revert changes.

Consider other scanners!

Since Wordfence does not pay me, I will admit that other malware scanners may work just as well. Just search the WordPress plugin store & pick a couple with good ratings, and follow instructions.

Step #3: Fix disapproved landing pages

Even after your site is cleaned from malware, you still may be unable to get your landing page approved by Google Ads or others due to its previous code.

Ask the support team what malware links they are finding on the site, and make sure that they are permanently gone & that your site’s cache is cleared.

As long as the malware is gone from your site, you can easily fix landing page disapprovals by just duplicating the original landing page & submitting it with a new URL.

Yep. That’s it.

If you’re not familiar with how to redirect:

  • Duplicate the disapproved landing page & give it a new URL
  • Delete/unpublish the original landing page
  • Download the Redirection Plugin
  • Redirect the original (now unpublished) URL to the new (duplicated landing page) URL 

If you’re not familiar with caching:

  • Download the plugin W3 Total Cache
  • Purge all caches

If you’d like me to talk more about caching, leave a comment or email me! 

**Note: Again, only do this if you’re sure the hack is fixed. Otherwise, you might be violating Google or another advertiser’s Circumventing Systems policy.

Step #4: Delete pages, posts, and comments from hacker

Now, it’s time to delete the content created by the hack. If this didn’t happen to you, congrats.

While you could manually delete all of the posts, categories, pages, and comments caused by the hack, I recommend downloading a magical & trusty ‘Bulk Delete’ plugin.

It will allow you to mass delete content, saving potentially hours of time of deleting page by page.

Step #5: Prevention

To prevent future hacks, I recommend downloading the following or similar plugins:

  1. Limit Login Attempts – It does what it says & helps to stop Brute Force attacks to your site.
  2. WP All in One Security (AIOS) – This plugin is incredible, and gives you tons of control over your security. I got a paid plan myself & recommend it!
  3. Google reCAPTCHA – These are the ‘Prove your Human’ tests which help prevent bots. Make sure this app is up-to-date! AI and ML is growing so fast, it’s important that your always using the cutting-edge reCAPTCHA.


AOIS – maximize security!

When setting up AIOS, make sure to hover over the WP Dashboard icon (on the left sidebar) in order to use all of the available features:

By using the “User Login” setting to change the wordpress login from “/wp-admin” to something secret, i stopped login attempts to my site!

General – Consider deleting your email or phone number on your site.

I know that this seems crazy for a marketer to say, but for my site, this is the best option.

I got so tired of mass marketing spam emails to my personal email and phone that I removed my email address from my site. And guess what—it stopped the spam.

If someone needs to contact me, they can do it through my contact-us page. Oh well.

Theory: I think certain people in certain countries with low energy costs create massive email/phone address scraping bots which go through the google search results, scraping the addresses from website.

General – Backup, Update, and scan regularly.

Like I said, out-dated plugins & themes can cause vulnerabilities.

Also, regularly backup your site (especially before updates) with Updraft Plus or through your hosting provider.

Lastly, don’t be afraid to run an anti-virus scan even if nothing is wrong! You never know what you’ll find

It’s simple, but makes a big difference.

General – Don’t display your theme name on your site.

AIOS allows you to rename/hide theme files so it’s more difficult for hackers to figure out what theme you’re using.

Often, themes will display their name in the footer of your website by default, which should be deleted if possible! This gives hackers the blueprint to your website. Don’t do that.

In conclusion

I hope this guide was helpful in fixing existing hacks and/or preventing future ones!

With this knowledge, it should be easier to get back to marketing, advertising, and existing online.

Thanks for reading!

Appaloosa horse runing on the meadow in summer time






Leave a Reply

Your email address will not be published. Required fields are marked *