Sometimes a Wordfence scan shows up thousands of infected files and its hard to know what action to take. Hopefully this short guide will be useful next time you have a hacked site.

Pre-requisites:

1. Clean copy of WordPress
2. FTP Access details to the website
3. Download a backup of your site using All in One WP Migration
4. Clean .zip copy of the Wordfence plugin
   (not installed from the Plugin repository – as this can be intercepted)

Clean your site:

1. Check for any hidden administrator accounts and delete/demote them
2. Change cPanel, FTP, WordPress admin login details
3. Connect to your site via FTP
4. Delete all folders in the root directory except ‘wp-content’:

5. Now upload the ‘wp-includes’ and ‘wp-admin’ directories to your site:

6. Delete all files except wp-config.php in the root directory:

7. Upload all files from the clean version of wordpress (there will be no wp-config.php)

8. Create a new file in the root directory called .htaccess

9. Edit the file and paste in the following, then save:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

This will ensure all of your pretty links and slugs work.

10. Now navigate to your site and delete (not just deactivate) any themes or plugins which you do not 100% require for everyday site running. Update any themes or plugins which require an update also.

11. Upload and activate the downloaded version of Wordfence, then run a scan.

12. (Advanced) manually check wp-config.php and all theme files for irregularities. Wordfence can scan plugins against changes from the WP repository, but it isnt great at detecting malicious code within themes.