What To Do When Your WordPress Site is Hacked

Discovering your WordPress site has been hacked is a gut-punch moment. Your traffic drops, Google starts showing warnings, your host suspends your account, or customers are seeing pharma spam where your homepage used to be. Whatever tipped you off, the clock is ticking.

The good news? Most WordPress hacks are recoverable. The key is acting fast, staying calm, and following the right steps in the right order. This guide walks you through exactly what to do, from confirming the hack to hardening your site so it does not happen again.

How to Tell If Your WordPress Site Has Been Hacked

Sometimes it is obvious. Other times, hackers hide for weeks. Here are the most common signs:

  • Google Search shows warnings: “This site may be hacked” or “Deceptive site ahead” appear in search results or the browser
  • Your hosting provider suspended your account: Most hosts actively scan for malware and will suspend on detection
  • Unexpected admin users appeared: You did not create them, but they are in your Users list
  • You are redirected to a different website: Especially to spam, pharma, or adult sites
  • Strange files or code in your theme or plugin files: Base64-encoded strings, eval() calls, or foreign-language content injected into pages
  • Google Search Console sent a manual action or security notice
  • Your site loads slowly or crashes: Malware scripts consume server resources
  • Visitors are complaining about pop-ups or weird content: Sometimes malware is only shown to visitors, not to logged-in admins

If you are seeing any of these, assume the worst and start the recovery process immediately.

Step 1: Do Not Panic, But Act Immediately

The instinct to delete everything or restore a backup right away can make things harder. Before you touch anything, take a breath and gather information. You need to understand what was compromised so you can close the actual vulnerability, not just the symptom.

Step 2: Put Your Site in Maintenance Mode

If visitors are currently landing on a hacked or defaced page, the first thing to do is limit the damage. Either:

  • Contact your host and ask them to temporarily take the site offline or place it behind a maintenance splash
  • Use a maintenance mode plugin if you still have admin access

Hiding the hacked state from visitors protects your brand reputation while you work on the fix.

Step 3: Change All Passwords Immediately

Before you do anything else in your WordPress environment, lock down access:

  • WordPress admin passwords: Change all admin-level users, not just yours
  • Hosting control panel password (cPanel, Plesk, etc.)
  • FTP/SFTP credentials
  • Database password: Update wp-config.php to match
  • Email account passwords tied to your domain

Use strong, unique passwords for each. A password manager makes this manageable. If you need guidance on safe sharing practices, check out our guide on how to safely share passwords.

Step 4: Check for Unauthorized Admin Users

Log into your WordPress dashboard and go to Users > All Users. Sort by Role and look for any Administrator accounts you do not recognize. Delete them immediately.

Also check for:

  • Users with roles that seem elevated for no reason, such as an Editor promoted to Admin
  • Usernames that look like random strings or email addresses you do not recognize

Step 5: Scan Your Site for Malware

You need a reliable malware scanner. Do not rely on a visual inspection alone. Malicious code is often obfuscated and hidden deep in plugin or core files.

  • Wordfence Security (free and paid): Scans files against the WordPress core repository and flags changes
  • Sucuri SiteCheck: Free online scanner at sitecheck.sucuri.net; checks for denylisting, malware, and injected code
  • MalCare: Heuristic-based scanner that catches zero-day malware effectively
  • Your host’s malware scanner: Many managed WordPress hosts such as Kinsta, WP Engine, and SiteGround have built-in tools

Run at least two scanners. They do not all catch the same things.

Step 6: Remove the Malware

Once you have identified infected files, you have a few options depending on severity.

Option A: Use a Malware Removal Plugin

Wordfence, MalCare, and Sucuri all offer one-click or guided malware removal. This is the fastest path if you are not comfortable editing files manually.

Option B: Manual Removal

If you need to go hands-on:

  1. Reinstall WordPress core files: Download a fresh copy from WordPress.org and overwrite wp-admin/ and wp-includes/. Do not touch wp-content/ yet.
  2. Reinstall all plugins: Delete and reinstall from the official WordPress repository. Do not reactivate a plugin until it has been reinstalled clean.
  3. Reinstall your theme: Same principle. If you have custom child theme code, inspect it carefully before reactivating.
  4. Check wp-config.php: Look for injected code at the top or bottom of the file.
  5. Check .htaccess: A common target for redirect hacks. Compare against a clean default and remove anything foreign.
  6. Inspect wp-content/uploads/: Hackers sometimes plant PHP files here. There should be no .php files in your uploads directory.
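As an added example (not the article's own code), the POSIX shell helpers below automate the checks in steps 4 to 6 of the manual removal: PHP files under uploads, obfuscation calls in wp-config.php, and foreign .htaccess content. The document-root argument and the sample tree are constructed for the demonstration.

```shell
# Added triage helpers for Option B steps 4-6 (not the article's own code).
# Argument is the WordPress document root; the sample tree below is constructed.

# Step 6: PHP files under wp-content/uploads (a clean site has none).
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Step 4: wp-config.php lines that use the obfuscation calls the article mentions.
suspicious_config_lines() {
    grep -nE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1/wp-config.php" 2>/dev/null || :
}

# Step 5: .htaccess content outside the WordPress-managed block, plus
# directives typical of redirect hacks wherever they appear in the file.
htaccess_findings() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 0
    sed '/^# BEGIN WordPress/,/^# END WordPress/d' "$f" | grep -vE '^[[:space:]]*(#|$)' || :
    grep -nE 'auto_prepend_file|AddHandler|RewriteRule .*https?://' "$f" || :
}

# Run every check against one root; prints findings and returns 1 if any exist.
triage() {
    found=0
    for check in php_in_uploads suspicious_config_lines htaccess_findings; do
        out=$("$check" "$1")
        if [ -n "$out" ]; then
            printf '== %s ==\n%s\n' "$check" "$out"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: a minimal tree with a planted uploads file, a foreign
# .htaccess redirect line, and a clean wp-config.php.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024/05"
    printf '<?php echo "planted";\n' > "$d/wp-content/uploads/2024/05/wp-cache.php"
    printf '<?php\ndefine("DB_NAME", "wp");\n' > "$d/wp-config.php"
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\nRewriteRule ^ https://example.invalid/ [R,L]\n' > "$d/.htaccess"
    echo "$d"
}

site=$(make_sample_site)
triage "$site" || echo "findings above need manual review before reinstalling"
```

If WP-CLI is available on the host, `wp core verify-checksums` gives step 1 the same kind of evidence for the core files.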

Option C: Restore from a Clean Backup

If you have a clean, recent backup from before the hack occurred, this is often the cleanest option. This part is critical: do not restore and call it done. The vulnerability that let the attacker in is still there. You must also identify and fix what was exploited, otherwise you will be hacked again within hours.

Step 7: Update Everything

Once the malware is removed, update immediately:

  • WordPress core: Go to Dashboard > Updates
  • All plugins: Outdated plugins are the number one vector for WordPress hacks
  • Your theme: Including parent themes
  • PHP version: Ask your host to upgrade if you are on PHP 7.x or older. PHP 8.1 and above is significantly more secure

For more on keeping your site secure long-term, see our comprehensive guide on how to perform WordPress website maintenance.

Step 8: Request a Google Review If You Were Denylisted

If Google flagged your site, you need to formally request a review once the site is clean. Here is how:

  1. Log into Google Search Console
  2. Go to Security and Manual Actions > Security Issues
  3. Confirm the issues are resolved
  4. Click Request a Review

Google typically processes these within a few days to a week. Do not skip this step. Your organic traffic will not recover until the warning is lifted.

Step 9: Contact Your Hosting Provider

Let your host know what happened, even if you have already cleaned the site. They can:

  • Confirm from their end that the site is clean
  • Check server-level logs to identify the entry point
  • Reinstate a suspended account once you have cleared the malware
  • Advise whether neighboring sites on shared hosting were affected

Step 10: Harden Your WordPress Site Going Forward

Cleaning up a hack is reactive. Preventing the next one is where you win.

Core Hardening Steps

  • Enable two-factor authentication (2FA) for all admin accounts
  • Limit login attempts with a plugin like Limit Login Attempts Reloaded
  • Change the default /wp-admin/ login URL using WPS Hide Login or a similar plugin
  • Disable XML-RPC if you do not use it, as it is a common brute force target
  • Set proper file permissions: directories at 755, files at 644, wp-config.php at 440 or 400
  • Use a Web Application Firewall (WAF): Cloudflare’s free plan or Wordfence’s firewall both work well
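As an added example (not the article's code), the shell functions below audit a document root against the permission policy in the list above and then apply it. The root path and the sample tree with loose modes are constructed for the demonstration.

```shell
# Added example (not the article's code): audit and apply the permission policy
# from the hardening list. Argument is the WordPress document root; run as the owner.

# Print every path that deviates from 755 for directories, 644 for files and
# 440 or 400 for wp-config.php. Prints nothing when the policy is already met.
audit_permissions() {
    root=$1
    find "$root" -type d ! -perm 755 | sed 's/^/dir not 755: /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file not 644: /'
    [ -f "$root/wp-config.php" ] && find "$root/wp-config.php" ! -perm 440 ! -perm 400 | sed 's/^/config not 440 or 400: /'
    return 0
}

# Apply the policy. 440 keeps wp-config.php readable by the web server's group;
# 400 only works where PHP runs as the file owner.
apply_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# Constructed sample tree with deliberately loose modes on a plugin and the config.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/demo"
    printf '<?php\n' > "$d/wp-content/plugins/demo/demo.php"
    printf '<?php\n' > "$d/wp-config.php"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/plugins"
    chmod 777 "$d/wp-content/plugins/demo"
    chmod 666 "$d/wp-content/plugins/demo/demo.php"
    chmod 644 "$d/wp-config.php"
    echo "$d"
}

site=$(make_sample_tree)
echo "before:"; audit_permissions "$site"
apply_permissions "$site"
echo "after:"; audit_permissions "$site"
```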

Ongoing Monitoring

  • Set up uptime monitoring so you are alerted the moment something goes wrong
  • Enable email alerts in Wordfence or your security plugin for failed logins, file changes, and plugin updates
  • Run monthly security audits. See our guide on how to run a security audit in WordPress

Backup Best Practices

  • Maintain off-site backups on at least a weekly schedule, and daily for ecommerce sites
  • Test your backups. A backup you have never restored is an untested backup
  • Use a dedicated backup solution like UpdraftPlus, BlogVault, or your host’s backup service

For a deeper look at locking down a WordPress store, read how to secure your WordPress ecommerce website.

Why WordPress Sites Get Hacked

Understanding the attack vectors helps you close them permanently.

Each entry gives the attack type, how it works, and how to prevent it:

  • Outdated plugins/themes: Known vulnerabilities are public, and bots auto-exploit them. Prevention: update immediately and enable auto-updates for minor releases
  • Brute force login: Bots guess username/password combos at scale. Prevention: 2FA plus login rate limiting
  • Nulled plugins/themes: Pirated software often comes pre-loaded with malware. Prevention: only use licensed, official sources
  • Weak passwords: Credential stuffing from data breaches. Prevention: strong unique passwords plus a password manager
  • Compromised hosting: Shared hosting cross-site contamination. Prevention: managed hosting or isolated environments
  • SQL injection / XSS: Exploits in poorly coded plugins. Prevention: WAF plus regular audits

For more context on the broader security landscape, see what is the difference between cybersecurity and website security and how secure is WordPress.

When to Call in a Professional

Some situations call for expert help:

  • The hack keeps coming back after multiple cleanup attempts
  • You do not have technical access to the server or files
  • The site contains sensitive customer data and you need documented remediation
  • You have lost all admin access and cannot get back in
  • Your host has suspended the account and you cannot navigate the process alone

A professional malware remediation service such as Sucuri or Wordfence Care typically runs $200 to $500 for a one-time clean, and includes a post-cleanup hardening pass.

Final Thoughts

Getting hacked is stressful, but it is survivable. The businesses that come out of it stronger are the ones who treat it as a wake-up call. They clean up, lock down, and put ongoing maintenance in place so it does not happen again. If you want help keeping your WordPress site secure on an ongoing basis, explore our WordPress website maintenance services or learn more about what a Chief Web Officer can do for your business’s web security posture.

Have questions about recovering a hacked site or want a professional security audit? Contact the WebProGeeks team. We are here to help.
