WordPress Hacked?

Do not wait. A hacked WordPress site can often be recovered with CLI access, clean core files, plugin review, user checks and proper hardening.

Act before backups rotate: if the hacked site remains online for days, your hosting backup may be overwritten with the same compromised data. If no clean backup remains, recovery may require rebuilding pages manually or recreating content from web archive copies.
WordPress hacked recovery using CLI

Common signs your WordPress site is hacked

Unexpected redirects

Visitors are redirected to unknown sites, ads, casino pages or fake warning pages.

Unknown admin users

New administrator accounts appear, or your admin password suddenly stops working.

Search result warnings

Google or browser warnings show unsafe site, spam title, Japanese keywords or strange indexed pages.

Modified core files

WordPress files show unexpected changes, unknown PHP files or suspicious code in uploads.

Plugin or theme issue

Old plugins, abandoned themes, nulled plugins and weak passwords are common entry points.

Email and hosting alerts

Your host suspends the site, CPU spikes, outgoing mail is abused, or malware scanners alert you.

How AXON recovers with CLI

CLI recovery is useful because it works even when wp-admin is broken. It also helps verify core files and repair safely without clicking through infected admin pages.

wp core verify-checksums
wp core download --force --skip-content
wp plugin list
wp theme list
wp user list --role=administrator
wp option get siteurl
wp rewrite flush --hard

These commands are examples of the recovery approach. Real cleanup depends on your hosting, WordPress version, database, plugins and available backups.

WordPress backup rotation warning

Recommended recovery workflow

1. Preserve a copy first

Take a full account backup or snapshot before cleaning. This keeps evidence and allows rollback if a file is needed later.

2. Put the site into safe mode

Temporarily block public access or use a maintenance page while recovery is happening. Avoid visitors triggering infected pages.

3. Check WordPress core

Use WP CLI checksums. Restore clean WordPress core files. Do not overwrite wp-content blindly because it contains themes, plugins and uploads.

4. Replace plugins and themes

Remove abandoned, nulled or unknown plugins. Reinstall clean copies from trusted sources and update everything.

5. Review users and passwords

Remove unknown admin users. Reset admin, FTP, database, hosting and email passwords. Rotate WordPress salts.

6. Scan uploads and database

Check uploads, cron, wp_options, injected scripts, strange redirects and suspicious PHP files inside writable folders.

7. Harden after cleanup

Disable file editing, correct file permissions, add firewall rules, update PHP version and set backup monitoring.

8. Request review

If Google or browser warnings appear, request review after the site is clean and stable.

Important: Cleaning the visible issue is not enough. The entry point must be closed, or the site can be reinfected.

When recovery may not be possible from backup

If the site was hacked for a long time, all hosting backups may already contain compromised files. In that case, AXON may need to rebuild the website, recover content from database exports, use old theme files, web archive copies, screenshots or manual page recreation.