WordPress Website Hacked? Here's Exactly What To Do (Step by Step)
Quick Answer
If your WordPress site is hacked, act in this order: isolate access, take forensic backups, remove malicious code, reset all credentials, and patch the vulnerability before going live again. The biggest mistake is restoring without fixing the entry point, because reinfection is common. A structured incident workflow protects both revenue and reputation.
If your WordPress site is hacked, the first goal is containment, not redesign. Lock down access, preserve a backup for investigation, remove malware safely, and close the original vulnerability before relaunch. Acting in the wrong order can destroy evidence, extend downtime, or lead to reinfection.
This guide gives a practical incident sequence that site owners and operators can use under pressure.
Step 1: Confirm and contain the incident
Not every alert means full compromise, but unusual redirects, unknown admin users, modified files, spam pages, and host abuse notices are strong indicators.
Containment actions:
- Put the site in maintenance mode if possible.
- Restrict wp-admin and hosting panel access to trusted IPs.
- Disable new plugin/theme installs temporarily.
- Notify internal stakeholders that incident response is active.
Do not begin random file deletion at this stage. Containment first prevents more damage while preserving forensic context.
Step 2: Take forensic snapshots before cleanup
Before you clean anything, capture current state:
- Full file backup
- Full database export
- Web server and access logs
- List of active users and roles
This evidence helps identify the initial entry point. Without it, teams often clean visible malware but miss the backdoor mechanism.
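One way to capture that evidence from the shell, as an added example that is not part of the original article: the script below snapshots a webroot into a timestamped evidence directory with a tarball, a per-file SHA-256 manifest, a permissions listing, and (when the tools and credentials are present) a database dump, the user list, and the web server access log. The `WP_DB_*` variable names, the log paths, and the sample site it builds for a stand-alone run are assumptions of this example, not anything the article specifies.

```shell
#!/bin/sh
# Added example (not from the original article): forensic snapshot of a
# WordPress webroot before any cleanup. Assumed inputs: WEBROOT and OUTDIR
# paths, optional WP_DB_NAME/WP_DB_USER/WP_DB_PASS environment variables,
# and the common Apache/nginx log paths. Requires GNU coreutils/findutils.
set -e

# snapshot_site WEBROOT OUTDIR
# Writes OUTDIR/<UTC timestamp>/ containing files.tar.gz, files.sha256,
# listing.txt and, when the tools are present, db.sql, users.csv and the
# web server access log. Prints the snapshot directory path.
snapshot_site() {
    webroot=$1
    outdir=$2
    dest="$outdir/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest"

    # 1. Archive the whole tree; tar preserves modes, owners and mtimes.
    tar -czf "$dest/files.tar.gz" -C "$webroot" .

    # 2. Hash every file (NUL-separated to survive odd filenames) so the
    #    post-cleanup tree can be diffed against this exact state.
    (cd "$webroot" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum) \
        > "$dest/files.sha256"

    # 3. Human-readable listing: owners, modes and mtimes are evidence too.
    ls -laR "$webroot" > "$dest/listing.txt"

    # 4. Database export, only if a client is available and credentials were
    #    supplied (the variable names are an assumption of this example).
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${WP_DB_NAME:-}" ]; then
        mysqldump --single-transaction -u "${WP_DB_USER:-root}" -p"${WP_DB_PASS:-}" \
            "$WP_DB_NAME" > "$dest/db.sql"
    fi

    # 5. Current users and roles via WP-CLI, if installed; unknown admins
    #    and role changes are among the strongest compromise indicators.
    if command -v wp >/dev/null 2>&1; then
        wp --path="$webroot" user list \
            --fields=ID,user_login,user_email,user_registered,roles \
            --format=csv > "$dest/users.csv" || true
    fi

    # 6. Web server access logs (locations vary by host; these are assumptions).
    for log in /var/log/apache2/access.log /var/log/nginx/access.log; do
        if [ -r "$log" ]; then cp "$log" "$dest/"; fi
    done

    # 7. Make the evidence files read-only and record their own hashes so a
    #    later reviewer can tell whether the snapshot itself was altered.
    find "$dest" -type f -exec chmod a-w {} +
    (cd "$dest" && sha256sum -- *) > "$outdir/$(basename "$dest").manifest"
    echo "$dest"
}

# Constructed sample webroot for a stand-alone run; not a real site.
build_sample_site() {
    mkdir -p "$1/wp-admin" "$1/wp-content/uploads/2024/05"
    printf '<?php // core stub\n' > "$1/wp-admin/index.php"
    printf "<?php define( 'DB_NAME', 'wp' );\n" > "$1/wp-config.php"
    printf 'not really an image\n' > "$1/wp-content/uploads/2024/05/photo.jpg"
}

# snapshot_file_count SNAPDIR : number of hashed files, a quick sanity check
# that the snapshot is not empty before anything gets deleted.
snapshot_file_count() {
    wc -l < "$1/files.sha256" | tr -d ' '
}

# Stand-alone run: build the sample, snapshot it, report, clean up.
work=$(mktemp -d)
build_sample_site "$work/site"
snap=$(snapshot_site "$work/site" "$work/evidence")
echo "snapshot written to $snap with $(snapshot_file_count "$snap") hashed files"
rm -rf "$work"
```

Run it against the real webroot with an output directory outside that webroot (otherwise the tarball recurses into itself), and copy the `.manifest` file somewhere the attacker cannot reach before cleanup starts.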
| Wrong order | Better order |
|---|---|
| Delete suspicious files first | Capture forensic copy first |
| Reset one password only | Rotate all credentials in sequence |
| Restore old backup immediately | Verify backup + patch root cause first |
| Go live quickly without tests | Run security and functional QA before launch |
Step 3: Find the likely entry point
Common entry points include vulnerable plugins, weak admin passwords, compromised hosting credentials, outdated themes, and exposed admin tools.
Start with:
- Recent plugin and theme changes
- File modifications in wp-content/uploads, wp-content/mu-plugins, and directories you do not recognize (mu-plugins load automatically without ever being activated, which makes that directory a favoured persistence location)
- Unknown admin accounts or privilege changes
- Cron jobs and scheduled tasks you did not create
If you skip root cause analysis, recovery is temporary.
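The checks above as a shell triage script, added here as an example and not part of the original article: it lists PHP under uploads, everything in mu-plugins, files that use the execution and obfuscation idioms injected code relies on, and files modified in the last N days. The sample tree it builds (including a one-line webshell fixture) is constructed for a stand-alone run; the grep pattern is a review queue, not a verdict, because legitimate plugins use some of these functions too.

```shell
#!/bin/sh
# Added example (not from the original article): entry-point triage over a
# WordPress webroot. Requires GNU findutils and grep. The sample tree is
# constructed; nothing here touches a real site unless you point it at one.
set -e

# php_in_uploads WEBROOT : PHP-like files under uploads, where none belong.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null | LC_ALL=C sort
}

# recently_modified WEBROOT DAYS : files changed in the last DAYS days, with
# mtime first, so a cluster of changes at one odd hour stands out.
recently_modified() {
    find "$1" -type f -mtime "-$2" -printf '%TY-%Tm-%Td %TH:%TM %p\n' | LC_ALL=C sort
}

# mu_plugins WEBROOT : everything in mu-plugins; attackers like it because
# nothing there shows up as "inactive" in the admin plugin list.
mu_plugins() {
    find "$1/wp-content/mu-plugins" -type f 2>/dev/null | LC_ALL=C sort
}

# suspicious_php WEBROOT : PHP files using idioms that injected code relies on.
suspicious_php() {
    grep -rlE --include='*.php' \
        '(eval|base64_decode|gzinflate|gzuncompress|str_rot13|shell_exec|passthru|system|assert)[[:space:]]*\(' \
        "$1" 2>/dev/null | LC_ALL=C sort
}

# triage_report WEBROOT DAYS : one labelled line per finding.
triage_report() {
    php_in_uploads "$1"         | sed 's/^/PHP_IN_UPLOADS /'
    mu_plugins "$1"             | sed 's/^/MU_PLUGIN /'
    suspicious_php "$1"         | sed 's/^/SUSPICIOUS_CODE /'
    recently_modified "$1" "$2" | sed 's/^/RECENT /'
}

# Constructed sample tree: one clean plugin, one webshell fixture in uploads,
# one untouched (old) core file, one mu-plugin.
build_sample_tree() {
    root=$1
    mkdir -p "$root/wp-includes" "$root/wp-content/plugins/clean" \
             "$root/wp-content/mu-plugins" "$root/wp-content/uploads/2024/05"
    printf '<?php function clean_hello() { return "hi"; }\n' \
        > "$root/wp-content/plugins/clean/clean.php"
    printf '<?php eval(base64_decode($_POST["x"]));\n' \
        > "$root/wp-content/uploads/2024/05/thumb.php"
    printf '<?php add_action("init", "legit_mu");\n' \
        > "$root/wp-content/mu-plugins/legit.php"
    printf '<?php // untouched core file\n' > "$root/wp-includes/old.php"
    touch -t 202001010000 "$root/wp-includes/old.php"   # give it an old mtime
}

# Stand-alone run over the constructed tree.
work=$(mktemp -d)
build_sample_tree "$work/site"
triage_report "$work/site" 7
rm -rf "$work"
```

Cross-reference the RECENT timestamps with the access log from the forensic snapshot: the first request to a newly created file, and the request just before it, usually names the entry point.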
Step 4: Remove malware and backdoors safely
Malware cleanup should be systematic. Delete only confirmed malicious artifacts, and compare wp-admin, wp-includes, and the top-level core files against a clean copy of the same WordPress version so that modified files and files that should not exist at all are both caught.
Typical cleanup actions:
- Replace WordPress core files with clean originals
- Remove injected PHP in uploads
- Remove unknown admin users
- Remove malicious scheduled tasks
- Clean infected database rows (e.g., injected scripts in options or posts)
Use caution with automated cleanup tools. They are useful, but manual verification is still required for business-critical sites.
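The core comparison described above, as an added example that is not part of the original article: given a clean WordPress tree of the same version (a fresh download) and the live install, it reports core files that were modified, files added into the core directories, and files that are missing. `wp core verify-checksums` performs the modified-file check against wordpress.org checksums but needs network access; this version works from the forensic copy. The fixture trees are constructed, and file paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): offline core integrity
# check between a clean WordPress tree and a live one. Requires sha256sum
# and awk. The fixture it builds is constructed for a stand-alone run.
set -e

# core_files DIR : relative paths of core files: wp-admin/, wp-includes/ and
# the top-level PHP files except wp-config.php (site-specific, never "clean").
core_files() {
    ( cd "$1" && {
        find wp-admin wp-includes -type f 2>/dev/null || true
        find . -maxdepth 1 -type f -name '*.php' ! -name 'wp-config.php'
      } | sed 's#^\./##' | LC_ALL=C sort )
}

# core_manifest DIR : "<sha256>  <path>" per core file.
core_manifest() {
    ( cd "$1" && core_files . | while IFS= read -r f; do sha256sum "$f"; done )
}

# compare_core CLEAN LIVE : one line per discrepancy, sorted:
#   MODIFIED path  content differs from the clean copy
#   EXTRA    path  exists only in the live core directories (typical backdoor drop)
#   MISSING  path  exists only in the clean copy
compare_core() {
    tmp=$(mktemp -d)
    core_manifest "$1" > "$tmp/clean"
    core_manifest "$2" > "$tmp/live"
    awk 'NR == FNR { clean[$2] = $1; next }
         {
             if (!($2 in clean))       print "EXTRA", $2
             else if (clean[$2] != $1) print "MODIFIED", $2
             delete clean[$2]
         }
         END { for (p in clean) print "MISSING", p }' "$tmp/clean" "$tmp/live" \
        | LC_ALL=C sort
    rm -rf "$tmp"
}

# Constructed fixture: a "clean" tree and a "live" tree with one modified
# core file, one extra file dropped into wp-includes and one missing file.
build_fixture() {
    for d in clean live; do
        mkdir -p "$1/$d/wp-admin" "$1/$d/wp-includes"
        printf '<?php // admin index\n' > "$1/$d/wp-admin/index.php"
        printf '<?php function wp_stub() {}\n' > "$1/$d/wp-includes/functions.php"
        printf '<?php // front controller\n' > "$1/$d/index.php"
        printf '<?php // login\n' > "$1/$d/wp-login.php"
    done
    printf "<?php define( 'DB_NAME', 'wp' );\n" > "$1/live/wp-config.php"     # site file, ignored
    printf '\n$x = "appended";\n' >> "$1/live/wp-includes/functions.php"      # modified
    printf '<?php // not a WordPress file\n' > "$1/live/wp-includes/wp-tmp.php" # extra
    rm "$1/live/wp-login.php"                                                   # missing
}

# Stand-alone run over the fixture.
work=$(mktemp -d)
build_fixture "$work"
compare_core "$work/clean" "$work/live"
rm -rf "$work"
```

Once the list is confirmed, replace the core rather than editing it: `wp core download --force --skip-content --version=<same version>` rewrites wp-admin, wp-includes and the top-level files while leaving wp-config.php and wp-content alone. EXTRA files inside wp-admin or wp-includes are deleted, not "cleaned", after the forensic copy has been taken.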
Step 5: Reset every credential, not just one
Credential hygiene after a breach is mandatory. Rotate:
- WordPress admin passwords
- Hosting panel password
- SFTP/SSH credentials
- Database credentials
- API keys used by plugins and forms
Enable 2FA for admin users and enforce unique credentials. Partial resets leave attacker persistence paths open.
Step 6: Patch and harden before relaunch
Recovery is incomplete until you close vulnerabilities. Apply pending updates, remove abandoned plugins, harden login paths, and review file permissions.
A practical hardening checklist:
- Update WordPress core, plugins, and theme.
- Remove unused plugins and themes.
- Enable login rate limiting and 2FA.
- Disable file editing in wp-admin.
- Verify secure file permissions.
- Add ongoing malware scanning and uptime alerts.
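The wp-config.php side of Step 5 (credential rotation) and Step 6 (hardening), as one added example that is not part of the original article: it rotates all eight authentication keys and salts, which invalidates every existing login cookie including the attacker's, writes a new `DB_PASSWORD` (the same value must then be applied on the database server), sets `DISALLOW_FILE_EDIT` and the temporary `DISALLOW_FILE_MODS`, and resets file permissions. The sample wp-config.php is constructed; GNU sed and `/dev/urandom` are assumed.

```shell
#!/bin/sh
# Added example (not from the original article) covering Step 5 and Step 6:
# rotate the secrets that live in wp-config.php, set the hardening constants,
# and reset file permissions. The sample wp-config.php is constructed.
# Assumptions: GNU sed (-i), /dev/urandom, a webroot owned by the web user.
set -e

WP_SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# gen_secret LEN : random secret from the kernel RNG, restricted to characters
# that are safe inside a PHP single-quoted string and a sed replacement.
gen_secret() {
    head -c 2048 /dev/urandom | tr -dc 'A-Za-z0-9!@#%^*_+=-' | head -c "$1"
}

# set_define FILE NAME EXPR : replace the existing define() for NAME, or insert
# one before the "stop editing" marker (present in every stock wp-config.php)
# so it takes effect before wp-settings.php is loaded.
set_define() {
    file=$1; name=$2; expr=$3
    if grep -q "define( *['\"]$name['\"]" "$file"; then
        sed -i "s|^define( *['\"]$name['\"].*|define( '$name', $expr );|" "$file"
    else
        sed -i "/stop editing/i\\
define( '$name', $expr );" "$file"
    fi
}

# get_define FILE NAME : the raw PHP expression currently assigned to NAME.
get_define() {
    sed -n "s/^define( *['\"]$2['\"], *\(.*[^ ]\) *);.*/\1/p" "$1"
}

# rotate_salts FILE : fresh 64-character values for all eight keys. WordPress
# signs login cookies with these, so every existing session, including the
# attacker's, stops validating the moment the file is saved.
rotate_salts() {
    for key in $WP_SALT_KEYS; do
        set_define "$1" "$key" "'$(gen_secret 64)'"
    done
}

# rotate_db_password FILE : write a new DB_PASSWORD and print it so the same
# value can be applied on the database server (ALTER USER) in the same window.
rotate_db_password() {
    pw=$(gen_secret 32)
    set_define "$1" DB_PASSWORD "'$pw'"
    printf '%s\n' "$pw"
}

# harden_config FILE : no editing of theme/plugin code from wp-admin (a stolen
# admin session otherwise becomes a PHP shell), and no plugin/theme installs or
# updates from wp-admin while the incident is open. DISALLOW_FILE_MODS also
# blocks updates from the dashboard, so drop it again after patching.
harden_config() {
    set_define "$1" DISALLOW_FILE_EDIT true
    set_define "$1" DISALLOW_FILE_MODS true
}

# fix_permissions WEBROOT : directories 755, files 644, wp-config.php 600.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
}

# Constructed sample wp-config.php with the stock placeholder salts.
build_sample_config() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'old-password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Stand-alone run on the constructed config.
work=$(mktemp -d)
build_sample_config "$work/site/wp-config.php"
rotate_salts "$work/site/wp-config.php"
rotate_db_password "$work/site/wp-config.php" >/dev/null
harden_config "$work/site/wp-config.php"
fix_permissions "$work/site"
echo "salts rotated, DB password replaced, hardening constants set"
rm -rf "$work"
```

Rotating the salts does not remove the attacker's admin account; it only ends their current session. Combine it with deleting unknown users, resetting the remaining admin passwords, and, where WP-CLI is available, `wp user session destroy <user> --all` for each legitimate admin.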
Step 7: Validate business-critical functionality
Before relaunch, test key business flows:
- Homepage and top landing pages
- Contact and lead forms
- Checkout and payment events
- Transactional emails
- Mobile and desktop rendering
Then monitor logs and uptime closely for 48 hours.
Step 8: Handle blacklist and trust recovery
If your domain was flagged by Google Safe Browsing or security vendors, submit review requests only after full cleanup and hardening.
Also communicate clearly with stakeholders:
- What happened
- What data was affected (if known)
- What you fixed
- What monitoring is now in place
Clear communication reduces reputational fallout.
Emergency vs prevention economics
Hack cleanup is usually more expensive than steady operations. Prevention costs are predictable; emergency work is not.
If your team wants a proactive option, review SyntaxWP WordPress care plans. If you need deeper cleanup guidance, also read WordPress malware removal in 2026 and WordPress security best practices.
The key takeaway is simple: incident response is a process, not a panic sprint. Contain, preserve evidence, clean, patch, test, then relaunch.
FAQ
Should I restore a backup immediately after a hack?
Only after you identify and patch the entry point. Restoring too early can reintroduce the same vulnerability and lead to reinfection.
Can I clean malware myself without downtime?
Minor incidents can sometimes be handled with low disruption, but active compromise often requires maintenance mode to prevent further damage.
How long does hacked WordPress recovery usually take?
Simple incidents may be resolved in hours, while complex or long-running compromises can take one to several days including validation and blacklist review.