A malware infection on a WordPress site can be a devastating experience, often resulting in “Blacklisted” warnings from Google or the sudden appearance of unauthorized admin users like “wertuslash.” When your site is compromised, the primary goal is to reclaim control and harden the environment without losing years of data. To fix a hacked site effectively, you must move beyond simple plugin scans and perform a deep surgical cleaning of the core files, database, and hosting environment. Solving this within the first 24 hours is critical to maintaining your search engine rankings and user trust.
Identifying Unauthorized Users and Malicious Payloads
The first sign of a sophisticated hack is often the creation of a hidden administrator account. Hackers use these to maintain a “backdoor” even after you change your main password. Check your WordPress “Users” list and the wp_users table in phpMyAdmin for any names you didn’t create. At the same time, inspect your index.php, .htaccess, and wp-config.php files. Malicious code is often disguised as long strings of Base64-encoded text. If you see code that looks like gibberish at the top of these files, your site’s entry points have been compromised and the injected code must be removed manually right away.
Manual File Replacement and Database Sanitization
Using a security plugin like Wordfence is a good start, but for a “deep clean,” you should manually replace the /wp-admin/ and /wp-includes/ folders with fresh copies from a clean WordPress download. This ensures that any core files modified by the hacker are overwritten. Next, scan your /wp-content/uploads/ directory for any .php files; there should only be images and media in this folder. Finally, check your database’s wp_options table for the row whose option_name is siteurl. If its value has been changed to a different domain, your traffic is being redirected to a malicious site.
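The two file checks described above (long Base64 runs in the entry-point files, and PHP files under /wp-content/uploads/) can be automated. The following Python script is an added example, not part of the original article; the 120-character threshold, the extension list, and the function names scan_site and build_sample_site are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Entry-point files the article says to inspect by hand.
ENTRY_POINTS = ("index.php", ".htaccess", "wp-config.php")
# Assumption: an unbroken run of 120+ Base64 characters deserves a manual look.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# Assumption: extensions a web server may be configured to execute as PHP.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_site(root):
    """Return sorted (finding, relative_path) tuples for a WordPress root."""
    root = Path(root)
    findings = []
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        for path in uploads.rglob("*"):
            # Lower-casing the suffix also catches names like cache.PHP.
            if path.is_file() and path.suffix.lower() in PHP_EXTS:
                findings.append(("php-in-uploads", path.relative_to(root).as_posix()))
    for name in ENTRY_POINTS:
        path = root / name
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            if BASE64_RUN.search(text):
                findings.append(("base64-blob", name))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: clean files plus two planted indicators."""
    root = Path(root)
    up = root / "wp-content" / "uploads" / "2024" / "01"
    up.mkdir(parents=True)
    (up / "logo.png").write_bytes(b"\x89PNG\r\n")
    (up / "cache.PHP").write_text("<?php /* constructed placeholder */ ?>")
    (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
    blob = "QUJD" * 40  # constructed 160-character run; decodes to "ABC" repeated
    (root / "index.php").write_text("<?php $x = '" + blob + "';\nrequire 'wp-blog-header.php';\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, rel in scan_site(build_sample_site(tmp)):
            print(kind, rel)
```

A hit is a prompt for manual review, not proof of infection; compare flagged entry-point files against a clean WordPress download before deleting anything.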
Hardening the Hosting Environment for the Future
Once the site is clean, you must prevent a reinfection. Change all passwords, including FTP, cPanel, and MySQL database credentials. Move your wp-config.php file one level above the site’s root directory to hide it from public access. Additionally, implement a Web Application Firewall (WAF) such as Cloudflare to block bot-driven “Brute Force” attacks before they even reach your server. Regularly updating your PHP version to 8.2+ and keeping plugins to a bare minimum are the two most effective ways to reduce your “attack surface” and keep your digital assets secure.