WordPress Site Hacked What to Do Right Now

Your WordPress site was hacked. Here is what to do right now to stop it, clean it, and prevent recurrence.

Tahir
Founder, Nuvelo Agency

Your WordPress Site Was Hacked. Here Is What to Do Right Now.

Stay calm. A hacked WordPress site is recoverable. The actions you take in the next hour will determine how much damage is done and how quickly you get back online. This guide tells you exactly what to do, in order.

Step 1: Put Your Site Into Maintenance Mode Immediately

A hacked site can damage your visitors, spread malware, and get your domain blacklisted by Google. Take it offline now. If you can access wp-admin, use a maintenance mode plugin. If you cannot, ask your host to temporarily suspend the site, or add a redirect at the DNS level. Do not leave a compromised site serving visitors while you investigate.

Step 2: Change All Passwords Immediately

Change passwords for: WordPress admin accounts (all of them), your hosting control panel, database, FTP/SFTP, and email accounts associated with the domain. Use a password manager to generate unique 20+ character passwords for each. If the attacker has your admin password, they will return as soon as you clean the site.

Step 3: Identify How the Site Was Compromised

Check your server access logs and WordPress error logs. Common entry points: an outdated plugin or theme with a known vulnerability, a brute force attack on wp-admin (look for hundreds of failed login attempts), a compromised FTP credential, or a vulnerability in another site on the same shared hosting account.

Run the Wordfence or Sucuri site scanner to identify infected files. These tools compare your files against known clean WordPress releases and flag any file that has been added or changed.

Step 4: Restore From a Clean Backup If You Have One

If you have a backup from before the infection, this is the fastest path to a clean site. Restore the backup, immediately patch whatever vulnerability allowed the hack, change all passwords, and harden the site before bringing it back online. Do not skip the hardening step — restoring without fixing the root cause means the site will be hacked again, often within hours.

Step 5: Clean the Infection Manually

If you do not have a clean backup, you need to clean the site file by file. Download all site files via FTP. Delete and reinstall WordPress core files from a fresh download at wordpress.org. Delete and reinstall all plugins from their original sources — do not restore plugin files from the compromised server. For themes, delete and reinstall from the original source.

Check the wp-content/uploads folder carefully — this is often where attackers hide PHP shells since it is writable. Delete any .php files in uploads that you did not put there. Check your .htaccess file for injected redirect rules. Check wp-config.php for any code that was not there before.

Step 6: Harden WordPress Against Re-infection

After cleaning: install Wordfence with firewall rules enabled, add two-factor authentication to all admin accounts, change the default wp-admin login URL using a plugin, disable XML-RPC if not needed, set file permissions correctly (folders 755, files 644, wp-config.php 600), and consider adding a WAF through Cloudflare.
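The uploads check and .htaccess check from Step 5 and the permission scheme from Step 6, as an added POSIX shell example (not code from the original post or from any plugin). It assumes the WordPress root is passed as the first argument; the sample site tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example: triage helpers for a compromised WordPress install.
# Each function takes the WordPress root directory as its first argument.

# Step 5: list PHP files under wp-content/uploads. A clean uploads folder
# should contain none, so every hit is something to inspect, not auto-delete.
find_uploads_php() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# Step 5: report .htaccess lines that redirect or rewrite to an external URL,
# the usual shape of an injected redirect rule.
find_htaccess_redirects() {
  grep -inE 'Redirect|RewriteRule[^#]*https?://' "$1/.htaccess" 2>/dev/null
}

# Step 6: apply the permission scheme from the article
# (folders 755, files 644, wp-config.php 600).
apply_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

# Constructed sample site: one stray PHP file in uploads, an injected
# redirect in .htaccess, and a world-writable wp-config.php.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024/01"
  printf 'not really an image' > "$root/wp-content/uploads/2024/01/photo.jpg"
  printf '<?php echo 1;' > "$root/wp-content/uploads/2024/01/stray.php"
  printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n' \
    > "$root/.htaccess"
  printf '<?php define("DB_NAME", "wp");' > "$root/wp-config.php"
  chmod 777 "$root/wp-config.php"
  echo "$root"
}

# Usage against the constructed tree: review the findings, then fix permissions.
site=$(make_sample_site)
echo "PHP files in uploads:";  find_uploads_php "$site"
echo "Redirects in .htaccess:"; find_htaccess_redirects "$site"
apply_permissions "$site"
ls -l "$site/wp-config.php"
```

Run it against a real install only after the files have been downloaded for review, since the permission change is applied in place.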

Step 7: Request Google to Re-evaluate Your Site

If Google has flagged your site as dangerous in Search Console, submit a reconsideration request after cleaning. Go to Search Console, find the Security Issues report, and click Request Review after confirming the site is clean. This process takes 1 to 3 days.

How to Prevent This Happening Again

Keep WordPress, plugins and themes updated within 48 hours of security releases. Use daily off-site backups with 30-day retention. Run a web application firewall. Use strong unique passwords and two-factor authentication. Never install plugins from untrusted sources. Monitor your site with an uptime and security monitoring service.

The best time to set this up was before you were hacked. The second best time is now. Contact Nuvelo Agency for same-day emergency hack cleanup and hardening. We also include full security monitoring and hardening in all our WordPress care plans.

Tahir — Founder, Nuvelo Agency

8+ years WordPress and Elementor specialist. I manage 50+ sites for US, UK and AU businesses — focusing on performance, security, and reliable maintenance.
