Hacked WordPress Site? How to Decide Between a Cleanup and a Full Rebuild
The Core Insight: When a WordPress site gets hit with malware, the first move is always to find a clean backup and restore from it. A full rebuild is the last resort, not the first one — but sometimes it’s the only option left.
We got a call from a guy after their WordPress site had been completely taken over by malware. Not “a few infected files” malware. We’re talking full system compromise. Virtually every file on the server had been touched, and the majority of their traffic was being silently redirected to third-party landing pages. Most of their visitors were never even seeing their site.
This kind of situation is stressful for a client, and the instinct is to want to just burn it down and start over. But that’s not actually where we start.
The First Thing We Check Is Backups
Before we talk about rebuilding anything, we want to know what backups exist. If there’s a clean backup from before the infection, restoring from that is almost always the fastest and safest path back online. No guessing what got infected, no manually recreating content. You just roll back to a known-good state and get the site secured before bringing it back up.
The catch is that backups aren’t always usable. Sometimes there are no backups at all (more common than you’d think). Sometimes the oldest available backup is already infected because the malware had been sitting in the site for weeks before anyone noticed. And sometimes a clean backup exists, but restoring from it would mean losing months of orders, form submissions, or other data that can’t just be recreated. In those cases, restoring from backup isn’t actually a solution.
That’s exactly where this client landed. A usable backup wasn’t on the table, so we had to find another way.
Starting From Scratch (When You Have To)
When a backup isn’t viable and the file system is this far gone, trying to clean it file by file is a losing battle. You patch one thing and miss three others. We’ve seen sites get “cleaned” and reinfected within days because something got overlooked. So in cases like this, we skip the cleanup entirely and rebuild.
What we did instead was go straight to the database. WordPress stores all of your actual content (pages, posts, settings, users) in MySQL, and in most cases that data is clean even when the file system is a mess. We exported it, went through it carefully to make sure nothing malicious had been injected into the content itself, and then spun up a fresh WordPress install on a new host. Clean slate. No contaminated files, no leftover back doors, nothing.
The site was back online in a few days.
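One way to do a first pass over the exported database before importing it into the fresh install, as described above. This is an added example, not the tooling used on this job: the signature list, the `scan_dump` and `same_site` helpers, the `shop.example` host and the sample rows are all assumptions made for illustration, and anything it flags still needs a manual look.

```python
import re
from urllib.parse import urlparse

# Heuristic signatures (an assumed, illustrative set; not an exhaustive malware list).
SIGNATURES = {
    "external_script": re.compile(
        r"<script[^>]+src=[\\'\"]*(?:https?:)?//([^/\\'\"\s>]+)", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(?:display:\s*none|width=[\\'\"]*0)", re.I),
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|atob|unescape)", re.I),
}
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)`")
URL_OPTION_RE = re.compile(r"'(siteurl|home)','([^']*)'")


def same_site(host, site_host):
    host = (host or "").lower()
    return host == site_host or host.endswith("." + site_host)


def scan_dump(lines, site_host):
    """Return (line_no, table, rule, detail) for each suspicious hit in a dump."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = INSERT_RE.match(line)
        if not m:
            continue
        table = m.group(1)
        for rule, rx in SIGNATURES.items():
            for hit in rx.finditer(line):
                # Scripts served from the site's own host are expected.
                if rule == "external_script" and same_site(hit.group(1), site_host):
                    continue
                findings.append((no, table, rule, hit.group(0)[:80]))
        if table.endswith("options"):
            # siteurl/home pointing at another host sends every visitor off-site.
            for name, url in URL_OPTION_RE.findall(line):
                if not same_site(urlparse(url).hostname, site_host):
                    findings.append((no, table, name + "_mismatch", url))
    return findings


# Constructed sample dump lines (not taken from the incident described above).
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://shop.example','yes'),(2,'home','https://cdn-redirect.invalid','yes');
INSERT INTO `wp_posts` VALUES (10,1,'Hello','<p>Welcome</p><script src=\"https://shop.example/a.js\"></script>');
INSERT INTO `wp_posts` VALUES (11,1,'Sale','<p>Deals</p><script src=\"//stats.invalid/t.js\"></script>');
INSERT INTO `wp_posts` VALUES (12,1,'About','<iframe src=\"https://x.invalid\" style=\"display:none\"></iframe>');
""".strip().splitlines()

for finding in scan_dump(SAMPLE_DUMP, "shop.example"):
    print(finding)
```

To run it against a real export, pass the open dump file as `lines` and your own domain as `site_host`. A clean result only means none of these patterns matched, so user accounts and settings still need to be reviewed by hand.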
How This Happens in the First Place
When we dug into the history of the site, the story was familiar. The previous developer had essentially left it on autopilot. No regular plugin updates, no monitoring, no one checking in to make sure things were running the way they should. WordPress plugins are the most common attack surface for sites like this. A vulnerability gets discovered, a patch gets released, and if you’re not applying that patch promptly, your site becomes a target. It’s not a matter of if. It’s when.
Attackers aren’t doing anything sophisticated here. They run automated scans looking for known vulnerabilities in popular plugins, and when they find an unpatched one, they get in. From there it spreads fast, which is also why a backup that predates the infection by long enough is so valuable. By the time most people notice something is wrong, the malware has already been in there for a while.
Don’t Let Your Site Get Forgotten
The frustrating part about this situation is that it was completely preventable. Not through anything complicated. Just regular plugin updates, good backups, and someone paying attention.
If your site is sitting on a server somewhere and nobody’s actively looking after it, it’s only a matter of time before something like this happens to you. And when it does, the difference between a two-hour restore and a multi-day rebuild often comes down to whether someone was keeping clean backups in the first place.
We offer a white glove maintenance service that covers exactly this. Regular plugin updates, monitored backups, and someone keeping an eye on things so small problems don’t turn into full-blown emergencies. If you want to make sure your site is being looked after, get in touch with us. We’d love to help.