How to Fix & Protect Your Hacked WordPress Website

If you have a website, the chances of it being hacked is possible especially if it’s a web-based content management system like WordPress. Websites get hacked all the time unfortunately but the symptoms a website experiences differs from case to case.

With this in mind, we have created the ultimate step by step guide to help you put together a plan of action should you find your website suddenly redirects to another site altogether or is flagged as malicious by Google. So whether your website has been hacked or you are looking for ways to prevent this from happening to you, read on to discover the critical steps you need to take.

How do I know if I’ve been hacked?

There are a number of ways to tell if your website has been hacked but one of the most common ways is if you are redirected to another site or you simply see a 403 Forbidden error when you try to access your website. The signs will differ from website to website but if the appearance of your website has changed or you are unable to access it, it would appear your site has been compromised. If your site has been hacked, you may receive a message in Google Search Console (formally Google Webmaster Tools) or have a “site may be hacked” tag underneath your website listing in Google search.

What to do next

If this is the case, stay calm. Firstly, you’ll need access to your website on your computer. To do this, you will need your computer’s IP address (unique number that your computer identifies on the internet with). You can find your device’s IP simply by visiting Once you have this information, you can access your website from your computer. The underlined number in the image below is an example of your IP. Write down your unique IP as you’ll need to reference it later on.

What Is My IP

Allowing your IP access

To allow your IP to access your website you will need to make a small change to your .htaccess file. Locate your ‘File Manager’ ‘in your web hosting control panel, open your public_html’ folder (the folder may be renamed as something else as it differs from hosting providers) and then open your ‘.htaccess’ file. Once it is opened, you should see a text file just like the one in the image below:

Allowing IP

The ‘deny from all’ line, is what is blocking users from visiting your website. To grant yourself access, below ‘deny from all’ add ‘allow from *enter your IP*’.

Deny From All Code for Hacked WordPress Website

Once saved, you and only you will be able to access your WordPress admin panel from this single device. Now that you have access to your admin panel, you can take steps to identifying and removing malicious content form your website. To do this, we recommend that you download and install the Wordfence plugin which is one of the best anti-malware plugins that scans your website for issues.

Identifying Malicious Content Using WordFence Plugin

Additional measures: secondary scan

In case Wordfence doesn’t find any malware, you can run your website through a second scan using Sucuri, an excellent third-party company that specialises in malware detection. This will hopefully flag up any suspicious elements on your site.

Restore a backup of a clean website

You could also restore your website from a backup generated when it has been cleaned.

Reactivating your website

Once you have removed the malicious content, you can reactivate your website so that it is once again accessible by anyone. Go back in to the admin panel, and remove the ‘deny from all’ line from the .htacess file in your public_html folder.

Reactivating Your Site Using Code

Protect your website from future hacking attempts

Once you have reactivated your website, it is time to make your site more secure. The first step is to update WordPress to the latest version, update all of your current plugins and even your WordPress theme and if you haven’t already, download the Wordfence plugin that will make scanning your site for potential security threats in the future easy.

When installing new plugins, always do your research to ensure they don’t make your site vulnerable to hackers. Forgetting to update your plugins to the latest versions or using plugins that aren’t compatible can increase your chances of being hacked.

So, there you have it, three easy steps to getting your site back online. Getting hacked isn’t a fun part of owning a website but with these helpful tips, your website will be protected from future security issues.


Does your WordPress site suffer from annoying lag when loading? What does Google Speed Insight have to say about your loading times? Don’t worry, we have put an article together for you on the 5 Best WordPress Plugins To Speed Up Your Website.