Emergency WordPress Security: The Definitive Step-by-Step Guide to Recovering a Hijacked Website
This guide provides a detailed, step-by-step framework for IT professionals, site administrators, and agencies to perform a deep-dive cleanup and recover a hijacked WordPress website. We focus on crucial file-level access and security best practices to ensure a complete removal of malicious code and hackers' backdoors.
A website hijack can be catastrophic, leading to data breaches, loss of SEO ranking, and reputational damage. When your WordPress site is compromised and both the front-end and WP Admin are inaccessible, time is critical.
Phase 1: Gaining Access and Initial Assessment
When a hacker has locked you out, you must bypass the standard WordPress login to perform forensic investigation and recovery.
1. Secure Access to Website Files
You cannot rely on the WP Admin interface, so file-level access is mandatory.
Option A (Recommended): cPanel/Hosting Control Panel: Log in directly to your hosting provider’s cPanel, Plesk, or similar dashboard. Locate the File Manager. This is often the simplest route.
Option B (Alternative): FTP/SFTP: If you do not have control panel access, use an FTP/SFTP client (like FileZilla) and your saved credentials to log in and access your website's files. The root directory is typically named public_html or the domain name.
2. Identify and Delete Malicious Root Files
Hackers frequently place malicious files in the root directory (public_html) to maintain access and serve junk content. WordPress core files are easily identifiable; anything that looks unfamiliar or oddly named must be investigated.
Examine Unfamiliar Files: Look for files that are not standard WordPress files (e.g., unusual names, files with recent modification dates that you didn't touch).
Common Hacker Files: Files with names that imitate admin tooling (like admin_ax.php), names containing strange characters, or files hiding behind legitimate-looking names.
Forensic Check (Viewing Code): Before deleting, view the file's code. If you see obfuscated code, calls to PHP functions such as base64_decode or eval, or blocks of strange text, the file is very likely malicious.
Action: Immediately delete these files, ensuring you select the permanent deletion option.
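A file-level triage pass over the red flags this step lists (unfamiliar or recently modified files, and obfuscation or dynamic-execution calls such as base64_decode and eval), written as an added example that is not part of the original guide. It runs against a constructed sample tree; point scan_tree at a downloaded copy of your public_html instead. The PHP-in-uploads check and the auto_prepend_file pattern for .htaccess are additions here, not from the guide.

```python
import os
import re
import tempfile
import time

# Constructs the "Forensic Check" tells you to look for; legitimate code uses some too, so every hit is a lead to read, not a verdict.
SUSPICIOUS = re.compile(rb"(base64_decode|gzinflate|gzuncompress|str_rot13|"
                        rb"create_function|auto_prepend_file|\beval\s*\(|\bassert\s*\()", re.I)

def scan_tree(root, recent_days=7):
    """Walk a WordPress install; return sorted (relative_path, reason) leads."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            is_php = name.lower().endswith((".php", ".phtml", ".php5", ".phar"))
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php file in uploads"))  # never legitimate
            if os.path.getmtime(full) > cutoff:  # changed recently, and not by you?
                findings.append((rel, "modified in last %d days" % recent_days))
            if is_php or name == ".htaccess":
                with open(full, "rb") as fh:
                    data = fh.read()
                hit = SUSPICIOUS.search(data)
                if hit:
                    findings.append((rel, "suspicious construct: " + hit.group(1).decode(errors="replace")))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample install (not real malware): a backdated clean index.php, an eval/base64 loader, a PHP file in uploads."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "admin_ax.php": b"<?php @eval(base64_decode('ZWNobyAxOw=='));\n",
        "wp-content/uploads/2024/01/image.php": b"<?php echo 'sample';\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    old = time.time() - 30 * 86400  # backdate the clean file
    os.utime(os.path.join(root, "index.php"), (old, old))
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print("%-40s %s" % (rel, reason))
```

Expect false positives from legitimate plugin and core code that uses these functions; the output is a reading list for the manual check above, and core hits disappear once wp-admin and wp-includes are replaced.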
Phase 2: Replacing the WordPress Core
Hackers often target the core WordPress directories to inject backdoors. The safest and most efficient way to clean these folders is by replacing them entirely with fresh copies from a clean WordPress download.
3. Deleting and Replacing Core Directories
The most critical directories to check and replace are those that contain WordPress's core functions: the site cannot run without them, and they are frequently targeted:
Target Directories for Deletion:
wp-admin/
wp-includes/
Action: In your File Manager (or FTP client), select and permanently delete the wp-admin and wp-includes folders.
4. Uploading Clean Core Files
To restore the site's functionality, you must upload clean versions of the deleted directories.
Download Clean WordPress: Go to wordpress.org and download the latest version of WordPress as a .zip file.
Extraction: Extract the downloaded file locally on your computer.
Create Clean Core Archive: Select the clean wp-admin and wp-includes folders from the extracted download and compress them into a new archive (e.g., backup.zip or clean_core.zip).
Upload: Upload this new, clean ZIP file to your website's root directory (public_html) via the File Manager.
Extract and Overwrite: Use the hosting panel's "Extract" function to unpack the clean folders. This restores the core functional files of WordPress.
5. Confirming Site Recovery
Refresh Site: After extraction, refresh your website's front-end and attempt to access the WP Admin dashboard. If the core files were the main issue, the site should now load, although malicious content may still reside in the database or other directories.
Cleanup: Immediately delete the uploaded ZIP archive (backup.zip) from your server to ensure no unnecessary files remain.
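To confirm that the replaced wp-admin and wp-includes now match what WordPress shipped, and to catch files dropped into those directories that the download never contained, the check below compares an install against a path-to-md5 manifest. This is an added example, not part of the original guide: the manifest shape follows the "checksums" object of the wordpress.org core checksums API (https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US, with your installed version), and the manifest and install used here are constructed.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin/", "wp-includes/")  # these hold only files WordPress ships

def verify_core(root, manifest):
    """Compare an install with {relative_path: md5} (the shape of the checksums API's
    "checksums" object) and report modified, missing and unexpected core files."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        with open(path, "rb") as fh:
            if hashlib.md5(fh.read()).hexdigest() != expected:
                report["modified"].append(rel)
    # A file inside wp-admin/ or wp-includes/ that the manifest does not list was
    # dropped there after installation and should be read, then removed.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel.startswith(CORE_DIRS) and rel not in manifest:
                report["unexpected"].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}

def build_sample():
    """Constructed fixture: a three-file manifest and an install with one pristine file, one modified, one missing, one dropped."""
    pristine = {
        "wp-includes/version.php": b"<?php\n$wp_version = '0.0.0-sample';\n",
        "wp-admin/index.php": b"<?php\nrequire_once __DIR__ . '/admin.php';\n",
        "wp-includes/functions.php": b"<?php\n// sample\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in pristine.items()}
    on_disk = dict(pristine)
    on_disk["wp-admin/index.php"] += b"// injected line (constructed)\n"
    del on_disk["wp-includes/functions.php"]
    on_disk["wp-includes/class-wp-sample-drop.php"] = b"<?php // not shipped by WordPress\n"
    root = tempfile.mkdtemp(prefix="wp-core-")
    for rel, data in on_disk.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root, manifest

if __name__ == "__main__":
    print(verify_core(*build_sample()))
```

Run it before the replacement to see what the attacker changed, and again afterwards: a clean result is empty lists for all three keys.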
Phase 3: Deep Cleaning and Security Audit
Site functionality is restored, but the system is not yet clean. You must now systematically check themes, plugins, and the database for residual malicious code or backdoors.
6. Audit and Delete Malicious Themes
Hackers often install a fake, empty, or malicious theme folder to hide their code.
Check Themes Directory: Navigate to wp-content/themes in your File Manager.
Look for Red Flags: Identify any theme folders that are unknown, suspicious, or missing required files (e.g., a theme folder named "theme-name" whose stylesheet, style.css, is absent).
Verification: Open and read the files within suspicious theme folders. If you see non-standard code, delete the entire folder immediately.
7. Audit and Remove Suspicious Plugins
Malicious plugins are a primary vector for reinfection and backdoor access.
WP Admin Plugin Review: Go to WP Admin > Plugins > Installed Plugins.
Deactivate/Delete: Deactivate and delete any plugin that is unknown, unused, or not installed by you. Even if a plugin is familiar, check for duplicates or versions that may have been tampered with.
8. File-Level Review of Remaining WordPress Core
Replacing the core directories does not cover the root files and the wp-content folder, which must still be reviewed.
Target Files: Check index.php, wp-config.php, and .htaccess in the root directory for injected code.
WP-Content Cleanup: Navigate to wp-content. While you cannot delete the entire folder, you can clean out non-essential, old directories:
Delete Old Backup Folders: Remove any old, unnecessary backup folders (e.g., from old backup plugins).
Delete Old Plugin/Theme Assets: Remove any old or unused plugin or theme folders that are no longer active. Always take a backup before deleting any file or folder.
Phase 4: Final Security Scan and Database Repair
The final phase involves a comprehensive scan to catch residual code and verify user accounts.
9. Deploying a Professional Security Scanner (Wordfence)
Manual cleanup is effective, but a robust security plugin is necessary for a full-system audit.
Install Scanner: Go to Plugins > Add New and search for "security." Install and activate a trusted plugin like Wordfence or Sucuri.
Full Scan: Run a full scan of the entire website.
Actioning Scan Results: The scanner will highlight all affected files as "Critical" or "Major."
Core File Modification: If a core file (like index.php) is modified, use the scanner's "View Difference" feature to see the malicious code and the "Repair File" option to restore the file to its original state.
Malicious Files: For entirely malicious files created outside of WordPress, the safest action is to delete the file.
10. User and Database Integrity Check
Hackers often create new administrator accounts for backdoor access.
Review All Users: Go to WP Admin > Users > All Users.
Delete Unknown Admins: Scrutinize the list. Immediately delete any unknown user, especially those with Administrator privileges.
By following this four-phase process, you systematically remove the hacker's files, close backdoors, and verify that your system is running on a clean, trusted foundation. A compromised website must always undergo a deep scan to ensure complete security restoration.