WordPress Hacked? How I Restored a Client’s Site After Everything Was Deleted

Recently, we faced one of the most challenging hacked WordPress recovery cases. A client’s blog site hosted on an old Bluehost VPS had been completely hacked. The WordPress version was outdated (around v4.x), and the hacker had wiped out almost everything—themes, plugins, and the uploads folder containing all images. To make matters worse, there were no backups available.

This case study walks through how we approached the problem, what worked, and what lessons we learned from the WordPress malware removal process.

---

The Challenge

When we first accessed the VPS, the situation was grim:

• All custom themes and plugins were deleted.

• The uploads folder, containing all images, was gone.

• Only the database remained intact.

• The client’s site was a blog, so losing images meant a significant content gap.

Without backups, the typical WordPress recovery route was not possible. Everything had to be rebuilt from scratch using whatever clues we could find in the database.

---

What We Still Had

Despite the destruction, the database still contained valuable information:

• Posts & Pages: All textual content was intact.

• Theme & Plugin References: Stored in wp_options and sometimes in serialized data.

• Image Paths: Stored in wp_posts as attachment entries, though the actual files were missing.

The challenge was to reconstruct the site using only the database and any recoverable files from external sources.

---

Recovery Process

Here’s the step-by-step approach we took to restore WordPress:

1. Fresh WordPress Install

   • Set up a new WordPress instance on an updated VPS.

   • Updated PHP version to meet modern WordPress requirements.

2. Database Import

   • Imported the client’s database to restore posts, pages, and settings.

   • Ensured the site could read the database without breaking links to non-existent files.

3. Theme & Plugins Restoration

   • Extracted active theme and plugin names from the database.

     

   • Reinstalled fresh copies of the themes and plugins.

   • Adjusted settings as needed to match the original configuration.

4. Recovering Images

   • This was the most challenging part of the restore WordPress site after hack process.

   • Used Wayback Machine (archive.org) to recover most images.

     

   • Cross-checked with Google cache to recover additional assets.

   • For images that could not be recovered, assigned placeholders to maintain post layout.

---

Outcome

• The blog site was restored and fully functional after the hacked WordPress incident.

• All posts and pages were recovered.

• Approximately 40–50% of images were restored.

• The client avoided total data loss, and the site was secure and updated.

---

Key Takeaways

1. Always maintain regular backups

   • Offsite backups (cloud storage, managed WordPress backup solutions) are essential to recover from hacks.

2. Use a CDN or external image host

   • Services like Cloudinary, Bunny CDN, or Amazon S3 can prevent total image loss after a hack.

3. Keep software updated

   • Outdated WordPress, plugins, or themes are an easy target for hackers.

4. Harden security

   • Firewalls, malware scanners, strong passwords, and PHP updates reduce the risk of hacks.

---

Conclusion

This recovery case demonstrates the critical role of a WordPress database in disaster recovery. Even when almost everything else is gone, the database can help rebuild the site after a hack.

However, the case also highlights the limitations of relying solely on local storage for images. Moving forward, regular backups, external image hosting, and proactive security measures are essential to prevent similar disasters.