Cleaning a Hacked WordPress Website

At WP Engine we take security very seriously. We continue to build security measures to ensure our customers are protected against a variety of attack vectors. However, security is a hand-in-hand partnership with our customers. One large aspect is ensuring our platform, servers, and WordPress® versions are up to date and secure.1 Since we leave plugin and theme updates to your discretion, the security of these aspects remains in our customers’ hands.


Security at WP Engine

WP Engine has tools and custom processes for vulnerability scanning, both externally and internally. We also partner with well-regarded security firms for auditing and remediation. Reports are processed internally and remedied as fast as possible with assistance from these firms. Any security announcements are reported on our public status blog, but only after we’ve made the necessary changes to reduce any chance of exposure.

For more information about WP Engine’s security environment, see our guide.


Update Plugins and Themes

Outdated software is number one cause of malware infections on sites. Most often, if a vulnerability is discovered within a plugin or theme, the developer patches it and releases an update fairly quickly. If the update is never performed, your site will remain at-risk to these vulnerabilities.

As such, it’s very important to keep your site’s plugins and themes up to date to ensure they are secure. If a widely-used plugin is discovered to contain vulnerabilities, we will notify our customers via email containing the known affected plugin(s), version(s) and which version(s) contain the security update.

If you aren’t able to manage future plugin and theme updates on your own, WP Engine offers an automated update service. This service includes automatic rollbacks if updates cause issues. Learn more about Smart Plugin Manager here.


Scan and Clean

If your site becomes infected with malware while on the WP Engine platform, you can contact Support through your User Portal. We will then follow our internal security procedures to do a deep level scan, malware cleaning of your site, and report back to you with our results. Keep in mind that a security scan and cleaning can take up to 24 hours to complete and may require changes to your website. Our processes include creating a backup checkpoint prior to cleaning should anything break.

When reaching out for assistance triaging a potential security issue please include any screenshots, logs or areas where the issue can be replicated. Replicating in these ways helps us resolve the issue far more quickly.


Scope of Support

We understand there are many concerns that come up if one of your sites becomes infected by malware – however, if you have no specific indication that a site has been infected by malware, we will not be able to submit it for a deep level scan and cleaning.

Some examples of free security scan services:

There are also a variety of security plugins that include malware scanning functionality:

If a site is migrated to our platform and you are already aware that it has been infected, since this isn’t an infection that happened on our platform, we would not be able to submit the site for a deep level scan or clean. Instead you can install security plugins to help detect and clean malware, or engage a third party service to help scan and clean the site instead. Sucuri, a web leader in security, has a free website check tool, and they also provide deep level scans and cleaning through their other services.


NEXT STEP: Learn how to fix mixed content and get a fully secured website

Automatically update plugins

WP Engine's Smart Plugin Manager keeps your site secure by updating plugins for you. It also uses visual regression to automatically revert to a backup if an update causes issues.