Discovering your WordPress site has been hacked triggers panic. Before you do anything reactive, slow down for 30 seconds and read this. The order of your actions matters — some instinctive responses (like immediately taking the site down) can make recovery harder.
How Do You Know You've Been Hacked?
Common signs:
- Visitors are being redirected to spam, pharma, or gambling sites
- Google or your browser is showing a "dangerous site" warning
- Your host sent a malware or suspension notice
- You see content on your site you didn't add (spam links, foreign-language pages)
- Unknown admin user accounts appeared in WordPress
- Your Google Search Console shows a security issue notification
The First 15 Minutes
1. Don't panic-delete things
Your instinct might be to start deleting files. Don't. You need the evidence to diagnose how they got in. If you delete files randomly, you might miss infection sources — or break WordPress entirely.
2. Change all passwords immediately
Change: your WordPress admin password, your hosting account password, your FTP/SFTP password, your database password, any email accounts associated with the site. Use unique, strong passwords for each. The attacker may have all of these.
3. Put the site in maintenance mode
If visitors are being redirected to malicious sites, put up a maintenance page to stop the damage to your reputation. Your host may have a one-click maintenance mode, or you can add a Coming Soon plugin via FTP.
4. Notify your host
Tell your hosting provider. They have server-level tools to help identify the scope of the infection and may have automatic malware scanning. They also need to know if your account is being used in attacks that could affect other customers.
Identifying the Infection
Log in to your WordPress admin (if accessible) and run a full scan with Wordfence or MalCare. These scanners identify malicious files, backdoors, and code injections.
Also check:
- Recent file modifications (via FTP, look for files modified in the past few days)
- Unknown admin accounts (Users → All Users)
- Recently added or modified plugins
- Your .htaccess file for redirect rules you didn't add
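The checks in the list above can be scripted if you have shell access to the host (SSH rather than FTP). The following helpers are an added example, not part of this article or of WordPress: they list recently changed files, pull redirect rules out of .htaccess that point at an external URL, and count PHP files under wp-content/uploads (WordPress never needs PHP there). The WordPress root path, the number of days, and the sample site that `build_sample_site` creates are assumptions for the stand-alone run.

```bash
#!/bin/sh
# Added triage helpers (not from the original article). Assumes shell access
# to the host (SSH) and a WordPress root path supplied as an argument.

# Files changed within the last N days, ignoring the cache and uploads
# directories, which change constantly for legitimate reasons.
# Usage: recent_files <wp_root> <days>
recent_files() {
    find "$1" -type f -mtime "-$2" \
        ! -path '*/wp-content/cache/*' \
        ! -path '*/wp-content/uploads/*' | sort
}

# Redirect rules in .htaccess that point at an external URL: an injected
# redirect is almost always a RewriteRule/Redirect line with a full http(s) URL.
# Usage: htaccess_redirects <path_to_htaccess>
htaccess_redirects() {
    [ -f "$1" ] || return 0
    grep -n -i -E '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?)[[:space:]]' "$1" \
        | grep -E 'https?://' || true
}

# Number of PHP files under wp-content/uploads. WordPress never needs PHP
# there, so a non-zero count points at a dropped file worth inspecting.
# Usage: php_in_uploads <wp_root>
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample site for a stand-alone run; echoes the temp directory.
build_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2024" "$d/wp-content/cache"
    printf '<?php // untouched core file\n' > "$d/wp-settings.php"
    touch -t 202001010000 "$d/wp-settings.php"      # old mtime: must not be listed
    printf '<?php // recently changed core file\n' > "$d/wp-includes/class-wp.php"
    printf '<?php // PHP where none belongs\n' > "$d/wp-content/uploads/2024/x.php"
    printf 'cached page\n' > "$d/wp-content/cache/page.html"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.com/landing [R=302,L]\nRewriteRule ^index\\.php$ - [L]\n' > "$d/.htaccess"
    echo "$d"
}

# Run against a real install: sh triage.sh /var/www/html 3
if [ -n "${1:-}" ]; then
    echo "== files modified in the last ${2:-3} days"; recent_files "$1" "${2:-3}"
    echo "== external redirects in .htaccess";          htaccess_redirects "$1/.htaccess"
    echo "== PHP files in uploads: $(php_in_uploads "$1")"
fi
```

Treat the output as a reading list, not a delete list: a recently modified core file or a redirect rule you did not add tells you where to look, which is exactly the evidence step 1 above asks you to preserve.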
Cleaning the Infection
WordPress core files are known-good references. Compare your core files against a fresh WordPress download. Any core file that differs from the original is likely infected.
For infected plugin or theme files: if the plugin has an update available, the update will overwrite the infected file. If not, re-download the plugin from WordPress.org and re-upload it to replace infected files.
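The comparison described in the two paragraphs above (core files against a fresh download, plugin files against a fresh copy from WordPress.org) can be done with a single script. This is an added example, not code from the article or from WordPress: `diff_tree` walks a known-good reference directory and a live directory and reports files that differ, are missing, or exist only on the live side. It assumes the reference is an unpacked fresh download; wp-config.php and wp-content are not in a fresh core download, so they are skipped on the live side when comparing core. The two constructed trees are there only so the script runs stand-alone.

```bash
#!/bin/sh
# Added example (not from the article or WordPress itself): compare a live
# tree against a known-good reference tree. The reference is assumed to be an
# unpacked fresh WordPress download (for core) or a plugin re-downloaded from
# WordPress.org (for wp-content/plugins/<name>). Byte comparison with cmp, so
# no checksum tool is needed.

# Prints one finding per line: DIFFERS (content changed), MISSING (in the
# reference but not live) or EXTRA (live file the reference does not have).
# wp-config.php and wp-content are site-specific and are not reported as EXTRA.
# Usage: diff_tree <reference_dir> <live_dir>
diff_tree() {
    ref="$1"; live="$2"
    ( cd "$ref" && find . -type f ) | sort | while read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$ref/$f" "$live/$f"; then
            echo "DIFFERS $f"
        fi
    done
    ( cd "$live" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) \
        | sort | while read -r f; do
        [ -f "$ref/$f" ] || echo "EXTRA $f"
    done
}

# Constructed reference tree standing in for a fresh download; echoes its path.
build_reference() {
    r=$(mktemp -d)
    mkdir -p "$r/wp-includes" "$r/wp-admin/css"
    printf '<?php // index\n' > "$r/index.php"
    printf '<?php // cron\n' > "$r/wp-cron.php"
    printf '<?php // settings\n' > "$r/wp-settings.php"
    printf '<?php class WP {}\n' > "$r/wp-includes/class-wp.php"
    printf 'body{}\n' > "$r/wp-admin/css/admin.css"
    echo "$r"
}

# Constructed live tree: a copy of the reference with three changes of the
# kind a cleanup has to find, plus legitimate site-specific files.
build_live() {
    l=$(mktemp -d)
    cp -R "$1/." "$l/"
    printf '// constructed modification\n' >> "$l/wp-includes/class-wp.php"   # modified core file
    printf '<?php // not part of WordPress\n' > "$l/wp-admin/css/x.php"       # added file
    rm "$l/wp-cron.php"                                                      # deleted core file
    printf '<?php // site config\n' > "$l/wp-config.php"                     # legitimate, ignored
    mkdir -p "$l/wp-content/uploads" && : > "$l/wp-content/uploads/a.jpg"    # legitimate, ignored
    echo "$l"
}

# Real use: sh compare.sh /tmp/wordpress-fresh /var/www/html
if [ -n "${2:-}" ]; then
    diff_tree "$1" "$2"
fi
```

Make sure the reference is the same WordPress (or plugin) version as the live site, otherwise every file that changed between releases shows up as DIFFERS and the real findings are buried.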
Database cleaning: malware often injects PHP or JavaScript into the WordPress database — posts, options, or user metadata. Search your database for common injection strings: eval(base64_decode, <script src=, iframe src=. These can be found with a plugin like Search Regex or directly in phpMyAdmin.
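If you prefer to search a database export rather than work inside phpMyAdmin, the three strings above can be searched in one pass over a SQL dump. The script below is an added example, not from the article: it reads a dump in the format mysqldump and phpMyAdmin produce (`INSERT INTO \`table\` VALUES (...)`) and prints the line number, the table the row belongs to, and which string matched. The sample dump it writes is constructed for the stand-alone run; the dump path is the only argument.

```bash
#!/bin/sh
# Added example (not from the article): scan a SQL dump for the injection
# strings named above and report which table each hit lives in. Assumes a
# dump produced by mysqldump or phpMyAdmin's export, e.g.
#   mysqldump -u <db_user> -p <db_name> > dump.sql

# Usage: scan_dump <dump.sql>
# Output: <line>:<table>:<matched string>
scan_dump() {
    awk '
        BEGIN {
            table = "(unknown)"
            n = split("eval(base64_decode;<script src=;iframe src=", pats, ";")
        }
        # Remember the table name from each INSERT line; it carries over to
        # continuation lines in dumps that put one row per line.
        /^INSERT INTO `[^`]+`/ {
            match($0, /`[^`]+`/)
            table = substr($0, RSTART + 1, RLENGTH - 2)
        }
        {
            line = tolower($0)
            for (i = 1; i <= n; i++)
                if (index(line, pats[i]) > 0) print NR ":" table ":" pats[i]
        }
    ' "$1"
}

# Constructed sample dump (not from a real site); echoes the temp file path.
write_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-- constructed sample dump, not from a real site
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to WordPress.</p>');
INSERT INTO `wp_posts` VALUES (2,'Injected','<p>hi</p><script src="http://example.com/x.js"></script>');
INSERT INTO `wp_options` VALUES (90,'siteurl','http://localhost');
INSERT INTO `wp_options` VALUES (91,'widget_text','<iframe src="http://example.com/i" width="0"></iframe>');
INSERT INTO `wp_usermeta` VALUES (5,2,'description','eval(base64_decode("PLACEHOLDER"))');
EOF
    echo "$f"
}

# Real use: sh scan_dump.sh dump.sql
if [ -n "${1:-}" ]; then
    scan_dump "$1"
fi
```

Every hit needs a human look before anything is edited: `<script src=` and `iframe src=` also appear in legitimate embeds, whereas `eval(base64_decode` has no business in post content, options, or user metadata.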
Post-Cleanup Hardening
After cleaning, immediately harden to prevent re-infection:
- Update all plugins, themes, and WordPress core
- Remove any plugins or themes you don't actively use
- Add two-factor authentication
- Change the WordPress admin URL (WPS Hide Login)
- Set up a web application firewall (Cloudflare or Wordfence)
- Verify file permissions (644 for files, 755 for directories)
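The last item in the list above is the one that is easy to verify and fix from a shell. The script below is an added example, not from the article: `perm_audit` lists every directory that is not 755 and every file that is not 644, and `perm_fix` applies those modes. It assumes shell access as the account that owns the files, and it leaves wp-config.php out of the fix so that a tighter mode your host may have set on it (640, for instance) survives. The sample tree is constructed for the stand-alone run.

```bash
#!/bin/sh
# Added example (not from the article): audit and apply the file permissions
# listed above (644 for files, 755 for directories). Assumes shell access as
# the account that owns the files. wp-config.php is excluded from the fix so a
# tighter mode set by the host (such as 640) is kept.

# Lists every directory that is not 755 and every file that is not 644.
# Usage: perm_audit <wp_root>
perm_audit() {
    find "$1" -type d ! -perm 755 | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 ! -name wp-config.php | sed 's/^/FILE /'
}

# Applies the standard modes. Never use 777: it lets every local account on
# the server write into the web root.
# Usage: perm_fix <wp_root>
perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
}

# Constructed sample tree with two wrong modes; echoes its path.
build_sample_tree() {
    t=$(mktemp -d); chmod 755 "$t"
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    chmod 755 "$t/wp-content" "$t/wp-includes"
    chmod 777 "$t/wp-content/uploads"                                     # too permissive
    : > "$t/index.php";            chmod 644 "$t/index.php"
    : > "$t/wp-includes/load.php"; chmod 666 "$t/wp-includes/load.php"   # world-writable
    : > "$t/wp-config.php";        chmod 640 "$t/wp-config.php"          # tighter on purpose, not flagged
    echo "$t"
}

# Real use: sh perms.sh /var/www/html        (audit only)
#           sh perms.sh /var/www/html fix    (audit after applying the fix)
if [ -n "${1:-}" ]; then
    [ "${2:-}" = "fix" ] && perm_fix "$1"
    perm_audit "$1"
fi
```

Run the audit first and read the list: a directory that is not 755 may be an intentional choice by your host (some set 750 on the web root), and a file that is world-writable is worth checking for modifications before you simply tighten it.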
Google Blacklist Removal
If Google flagged your site:
- Log into Google Search Console
- Go to Security Issues report
- Verify the site is clean (your scan shows no issues)
- Click "Request Review" and explain what you found and fixed
- Reviews typically take 24–72 hours
Frequently Asked Questions
How did they get in?
Most commonly: an outdated plugin with a known vulnerability. Second most common: a compromised password (brute force or credential stuffing from a data breach). Less common: a vulnerable theme, a compromised hosting account, or a server vulnerability.
Should I restore from backup instead of cleaning?
If you have a recent clean backup (from before the infection), restoration is faster than cleaning and guarantees a clean state. The risk: if you don't know when the infection happened, your backup may already be infected. Check the backup for signs of infection before restoring.
Is my customers' data at risk?
Potentially, if the attacker had database access. Check your database for signs of data exfiltration. If you collect payment card data (you shouldn't be storing this — payment gateways handle it), notify your processor. If you store personal customer data (emails, addresses), consult a lawyer about disclosure requirements.
How much does professional malware removal cost?
Our WordPress security service starts at $200 for a standard 24–48 hour cleanup, and $400–$700 for a same-day emergency response. This includes full cleaning, hardening, and a written report.