What this problem is
Your WordPress site was compromised (malware, redirects, spam content, unknown admins).
Why it happens
- Outdated components
- Weak or reused passwords
- Insecure file permissions or exposed admin endpoints
Prerequisites
- Known-clean backup (preferred)
- FTP/File Manager and database access
Diagnosis
List indicators of compromise: redirects, malware flags, modified files, unknown users, spam pages.
Detailed steps
Step 1) Contain
- Put the site in maintenance mode or restrict access if it is actively harming users
- Take a snapshot/backup of current state for reference
Step 2) Replace code with clean sources
- Reinstall WordPress core
- Delete and reinstall plugins/themes from trusted sources
Step 3) Clean database and users
- Remove unknown admin accounts
- Search and remove injected scripts/links in options/posts/widgets
Step 4) Rotate secrets
- Change hosting, FTP/SFTP, DB, and WP passwords
- Regenerate SALT keys
Step 5) Harden and monitor
- Enable WAF, 2FA, and least privilege
- Disable file editing and review file permissions
- Monitor logs for reinfection attempts
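Added example (not part of the original guide): a Python script that compares the live WordPress directory with a freshly downloaded copy of the same release and lists modified, unexpected, missing and world-writable files, which supports the "modified files" item under Diagnosis and the permission review in Step 5. The function names and the sample trees are constructed for illustration; site-specific files that a clean download does not contain (wp-config.php, uploads) will be listed as unexpected and need manual review.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def manifest(root):
    """Map each regular file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def audit(site_root, clean_root):
    """Compare the live tree with a clean reference copy of the same release."""
    site, clean = manifest(site_root), manifest(clean_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "unexpected": sorted(f for f in site if f not in clean),
        "missing": sorted(f for f in clean if f not in site),
        "world_writable": sorted(
            f for f in site if (Path(site_root) / f).stat().st_mode & stat.S_IWOTH
        ),
    }

def build_sample(base):
    """Constructed sample: a tiny 'clean' tree and a tampered copy of it."""
    files = {"index.php": "<?php // loader", "wp-includes/version.php": "<?php // version"}
    for tree in ("clean", "site"):
        for rel, body in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
            os.chmod(path, 0o644)
    site = Path(base, "site")
    (site / "index.php").write_text("<?php // loader\n// appended line")  # changed file
    (site / "wp-includes" / "extra.php").write_text("<?php // not in release")  # added file
    os.chmod(site / "wp-includes" / "extra.php", 0o666)  # writable by everyone
    (site / "wp-includes" / "version.php").unlink()  # removed file
    return site, Path(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in audit(*build_sample(tmp)).items():
            print(f"{kind}: {paths}")
```

Run it against the snapshot taken in Step 1 to record what changed, and again after Step 2 to confirm the reinstalled code matches the clean source.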
Expected results
- Clean site, no reinfection, stable performance
What to do if it fails
- Restore from a clean backup and consider a full rebuild if reinfection persists
Best practices
- Regular updates, backups, and security monitoring