
A hacked WordPress website: what I did and how to prevent it

What happened?

A client sent me an email:

My website stopped working for no reason, even though I have paid for my domain and hosting. When I type the address, a completely different, unrelated page comes up.

[Image: a worm on a keyboard next to the letter "w"]

Last changed: 9. 2. 2026

In WordPress, this can mean a few things: a problem with hosting, with the .htaccess file, with some other redirect, or a plugin that does not work well with others. But the worst reason is a hacked website. In this case, sadly, that was it.

The "other page" was from the hosting company: the server had redirected her site there because something was using too many resources. When I pointed it back to her site, I got a blank white page. There was no way to get into WordPress at that point.

First steps: changing passwords

First, I changed the passwords for FTP and the database, and downloaded the whole site to my computer.

I then uploaded clean copies of the wp-admin and wp-includes folders to the server, using WordPress version 6.6.1, which was the client's current version. I did not use the newest version, to avoid compatibility problems. The first goal was to clean the site and get it running again. Updates could come later.

Note: putting new copies of wp-admin and wp-includes does not touch any of the site's content — text and settings are in the database, and images and plugins are in the wp-content folder.

After putting in the clean files, it was possible to log in again. I changed the passwords for all users in WordPress and took away their admin rights — setting them to visitors (because they could still ask for a new password by email). If the client did not know who they were, the plan was to delete them. Which is what happened next.

I made a new account for the client and deleted the old admin account with the username admin right away — but only after moving all posts to the new account first.

Looking for clues: wp-config.php

I connected via FTP and started where I always start — in wp-config.php. Right away, I found a line that did not belong:

define('WP_TEMP_DIR',dirname(__FILE__).'/wp-content/uploads');

Why is this strange? WordPress has its own system for temporary files. When someone changes the path to point to uploads, it often means they want to hide something there.

I searched through uploads and deleted one PHP script I found there. PHP scripts have no place in uploads. Never. The uploads folder is for images, PDFs, and so on — not for code that can be run.
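The two checks from this section as a small read-only script. This is an added example, not part of the original cleanup; the function names and the sample site it builds are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: read-only checks for a WordPress tree. Nothing is deleted.

# Print (with line number) any active line in wp-config.php that defines WP_TEMP_DIR.
temp_dir_override() {
    local root=$1
    grep -nE "^[[:space:]]*define\([[:space:]]*['\"]WP_TEMP_DIR['\"]" "$root/wp-config.php" || true
}

# List files under wp-content/uploads with an extension that PHP handlers
# commonly execute. Uploads should hold media and documents only.
scripts_in_uploads() {
    local root=$1
    find "$root/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        | sort
}

# Constructed sample site (assumption: layout of a default WordPress install).
make_sample_site() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2025/09"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example');
define('WP_TEMP_DIR',dirname(__FILE__).'/wp-content/uploads');
EOF
    : > "$root/wp-content/uploads/2025/09/photo.jpg"
    : > "$root/wp-content/uploads/2025/09/cache.php"
    echo "$root"
}

# Demo run against the constructed sample.
site=$(make_sample_site)
temp_dir_override "$site"
scripts_in_uploads "$site"
rm -rf "$site"
```

On a real site, pass the WordPress root (the folder that contains wp-config.php) to both functions and review every hit by hand before deleting anything.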

I checked .htaccess

Above the main WordPress folder, there were extra .htaccess files that had been put there — more proof that the attackers had access to FTP.

Plugins, themes, and strange PHP scripts

Next I looked at plugins — and found more problems.

In wp-content/plugins/ I found two plugins that had no reason to be there:

  • wp-content/plugins/klqchah/
  • wp-content/plugins/cqdpztr/

Both folders were made on 12 September 2025 — most likely the day the attack happened.

In wp-content/themes/, there was more to find:

  • theme lwkybtx
  • theme bsjzgee
  • a file called cong.php — a PHP script sitting right in the themes folder? That does not belong there.

I deleted all of it.
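A way to get the same overview from a shell: list what changed in plugins and themes since a given day, and what sits loose in the themes folder. This is an added example, not part of the original cleanup; the function names are made up, and the sample tree is constructed (it reuses a few of the names above next to stock entries).

```bash
#!/usr/bin/env bash
# Added example: read-only inventory of wp-content/plugins and wp-content/themes.

# Top-level entries in plugins/ and themes/ modified after midnight (local time)
# on DATE, given as YYYY-MM-DD. Uses modification time, not creation time.
entries_changed_since() {
    local root=$1 since=$2 ref
    ref=$(mktemp)
    touch -t "$(printf '%s' "$since" | tr -d '-')0000" "$ref"
    find "$root/wp-content/plugins" "$root/wp-content/themes" \
        -mindepth 1 -maxdepth 1 -newer "$ref" | sort
    rm -f "$ref"
}

# Regular files directly in wp-content/themes. A stock install has only index.php there.
stray_theme_files() {
    local root=$1
    find "$root/wp-content/themes" -mindepth 1 -maxdepth 1 -type f ! -name 'index.php' | sort
}

# Constructed sample tree: two old, legitimate entries and three recent ones.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/akismet" "$root/wp-content/plugins/klqchah" \
             "$root/wp-content/themes/twentytwentyfour" "$root/wp-content/themes/lwkybtx"
    : > "$root/wp-content/themes/index.php"
    : > "$root/wp-content/themes/cong.php"
    touch -t 202401150900 "$root/wp-content/plugins/akismet" \
        "$root/wp-content/themes/twentytwentyfour" "$root/wp-content/themes/index.php"
    touch -t 202509121000 "$root/wp-content/plugins/klqchah" \
        "$root/wp-content/themes/lwkybtx" "$root/wp-content/themes/cong.php"
    echo "$root"
}

# Demo run against the constructed sample.
tree=$(make_sample_tree)
entries_changed_since "$tree" 2025-09-12
stray_theme_files "$tree"
rm -rf "$tree"
```

A legitimate plugin or theme update also changes the modification time, so treat the output as a list to review, not a list to delete.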

Wordfence

I put in Wordfence and ran a full check. It found one more bad file:

  • wp-advanced-suite — a plugin that looked like a normal one, but Wordfence said it had bad code inside.

I updated WordPress and all plugins

The site had not been updated for a long time. After cleaning it, I updated everything to the newest versions.

The result

After 4 hours of work:

  • ✅ The site works again
  • ✅ Bad code removed
  • ✅ Passwords changed
  • ✅ WordPress and plugins updated
  • ✅ Wordfence check is clean

And now the most important part: how to stop this from happening again?

This story has one big lesson: a website that is not kept up to date is an open door for attackers. And this is not the only story like this — I wrote about a similar one before, and I have cleaned several more.

If you do not want to be in this situation, you have two options (the third option is what this article is about — it is not a question of if, but when):

1. Take care of the site yourself

  • Keep plugins, themes, WordPress itself, and PHP on your server up to date.
  • Do not have more users on the site than you need. Not everyone needs admin access. If more users are needed, think about two-step login or moving the login page to a different address.
  • Use a good security plugin. Wordfence is one — I wrote about how to set it up here.
  • Make backups. And keep more than one, from different points in time.

2. Let someone who does this for a living take care of it

That is exactly why I offer website management. I take care of:

  • 🔄 Regular updates of WordPress, plugins, and themes.
  • 🔒 Security monitoring.
  • 💾 Automatic backups.
  • 🚨 When something goes wrong, I act before it becomes a big problem.

When someone looks after a site regularly, the chance of it being attacked goes very close to zero. And if something does happen, I take care of it — not after the site has "stopped working for no reason."

I hear the question: "But if cleaning the site took four hours of work... didn't she pay much less for that than she would for years of management?" Yes and no. Add to that the cost of lost business: even if just one person could not reach her because the site was down... And it does not even need to be a fully broken site — a contact form that does not work is enough. That can mean losing thousands.

Interested in website management? Write to me and we will find a way that makes sense for your site and your budget.
