Getting hacked is one of the worst things that can happen to a WordPress site owner. But with a methodical approach, you can recover fully without losing your data.
I've cleaned dozens of WordPress malware infections over 14+ years. Here's the process:
1. Back up everything immediately — even the infected files. Download public_html via FTP and export your database from phpMyAdmin.
2. Scan for malware — Wordfence (free plugin) is the most reliable for server-side scanning. Sucuri SiteCheck handles external scanning. MalCare gives you file-level diff comparison.
3. Remove malicious code — Key locations to check: wp-config.php (base64 eval strings), active theme's functions.php, .htaccess (injected redirect rules), and wp-content/uploads/ (no PHP should ever be here).
Replace wp-admin/ and wp-includes/ with a fresh WordPress copy of the same version.
4. Change every credential — WordPress admin, database password, FTP, hosting account. Regenerate secret keys at wordpress.org/secret-key.
5. Update everything — WordPress core, all plugins, all themes. Delete unused themes and nulled plugins permanently.
6. Clean the database — Run SQL queries in phpMyAdmin looking for eval(, base64_decode, and injected scripts in wp_posts and wp_options.
7. Harden security — Block PHP execution in uploads/ via .htaccess, limit login attempts, enable 2FA, set correct file permissions.
8. Request Google review — If your site was blacklisted, go to Search Console → Security Issues → Request Review after cleanup.
The most common root cause is always outdated plugins or nulled themes. Never skip updates and never use pirated software.
Full guide with SQL queries and hardening code: https://amanurrahman.com/blog-post/wordpress-site-hacked-recovery