WordPress website hacked: what now?
Has your WordPress website been hacked? Stay calm and work methodically. The fastest route to recovery is: take the site offline or into maintenance mode, change every password, make a safe backup of the current (infected) state, scan for malware and remove the malicious code, restore from a clean backup where needed, and then close the hole the attacker used. Below you will find exactly how — step by step, in the right order.
How do you know WordPress has been hacked?
A hack is not always obvious. Watch for these signs: unwanted redirects to dubious sites, sudden spam content or unknown pages, a warning in the browser or via Google Search Console (“This site may harm your computer”), emails being flagged as spam, unknown administrator accounts, a sharply slower site or spikes in server load, and file modification dates you cannot explain. If you see one or more of these, assume the site is compromised and act immediately.
Immediate steps — in this order
The order matters; cleaning up in the wrong sequence often makes things worse.
1. Take the site offline or into maintenance mode. This stops visitors getting infected and limits further penalties from Google.
2. Change every password. WordPress admins, hosting/cPanel, FTP/SFTP, the database and linked email accounts. Force a logout of all active sessions too.
3. Make a full backup now of files and database in their current state. You need it as evidence and to clean up safely.
4. Scan thoroughly. Use a reliable malware scanner (a server-side scan plus a plugin as a second opinion) and check the integrity of the WordPress core.
5. Review users and keys. Remove unknown admins, refresh the security keys (salts) in wp-config.php and rotate database passwords.
Cleaning up and restoring
There are two routes. Restoring from a clean backup made before the hack is by far the safest, provided you are sure that backup was not already infected. If you do not have one, you must clean manually: replace the WordPress core and all theme and plugin files with fresh official downloads; remove unknown or suspicious files (watch for base64 code and odd .php files in upload folders); and check wp-config.php, .htaccess and scheduled tasks (cron) for injections. Delete plugins and themes you do not use or that are no longer maintained — these are often the entry point. Then update everything to the latest version and test that the site is clean and functional again.
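A shell triage helper for the manual clean-up checks just described (PHP files under the uploads folder, obfuscation markers such as base64 code, unexplained recent modifications) and for the core-integrity and admin-review steps listed earlier. This is an added example, not code from the original page; it assumes the WordPress docroot is passed as the first argument and treats WP-CLI (`wp`) as optional.

```shell
#!/bin/sh
# Added triage helper for a hacked WordPress docroot (example code, not from the original page).
# Assumes the docroot is passed as $1 and that WP-CLI ("wp") may or may not be installed.

# Legitimate uploads never contain PHP, so any PHP-like file under uploads is suspect.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Files using classic obfuscation helpers. Core (wp-admin, wp-includes) is skipped because
# it is replaced from an official download anyway; hits in plugins and themes need manual
# review, since some legitimate plugins also call base64_decode.
obfuscated_php() {
  grep -rlE --include='*.php' \
    'base64_decode *\(|eval *\(|gzinflate *\(|str_rot13 *\(' "$1" 2>/dev/null \
    | grep -v -e '/wp-admin/' -e '/wp-includes/' | sort
}

# Files changed in the last N days (default 7), to correlate with unexplained modification dates.
recently_modified() {
  find "$1" -type f -mtime "-${2:-7}" ! -path '*/wp-content/cache/*' 2>/dev/null | sort
}

# Combined report; the WP-CLI checks (core checksum verification, administrator list)
# only run when the wp binary is available.
triage_report() {
  root=$1
  echo "== PHP files under uploads =="; php_in_uploads "$root"
  echo "== Obfuscation markers outside core =="; obfuscated_php "$root"
  echo "== Modified in the last 7 days =="; recently_modified "$root" 7
  if command -v wp >/dev/null 2>&1; then
    echo "== Core checksum verification =="
    wp core verify-checksums --path="$root"
    echo "== Administrator accounts (remove any you do not recognise) =="
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --path="$root"
  fi
}

if [ $# -gt 0 ]; then
  triage_report "$1"
fi
```

Run it against a copy of the docroot from the backup you made in step 3, not only against the live site, so the findings are preserved as evidence.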
Hardening: stop it happening again
Cleaning up without closing the hole almost always leads to a fresh hack. At a minimum: keep core, themes and plugins always up to date; use strong, unique passwords with two-factor authentication on all admins; limit login attempts and hide or protect the login page; install a web application firewall; set up automatic off-site backups and test restoring them; remove unused plugins/themes; and run a current PHP and server platform. Much of this belongs in ongoing WordPress maintenance and in secure hosting with monitoring.
When should you call in help?
Bring in a specialist if the hack keeps coming back, if you handle personal data (think WooCommerce customers or form data and a possible GDPR breach notification), if the site is critical to your revenue, or simply if you are not sure the site is truly clean. A professional does not just clean up — they prove the site is safe again and close the original hole. If you are stuck cleaning up or facing recurring outages, see also fixing website and hosting problems.
Frequently asked questions
Short, direct answers to the most common questions.
What should I do first if my WordPress site has been hacked?
Take the site offline or into maintenance mode immediately, then change every password: WordPress admin, hosting, FTP/SFTP, database and linked email. Next, make a full backup of the current state before you change anything. Only then start scanning and cleaning. This order stops visitors getting infected and prevents you accidentally wiping evidence or a recovery point.
How do I know whether my WordPress site has been hacked?
Common signs are unwanted redirects, unknown pages or spam content, a warning in Google Search Console or the browser, unknown administrator accounts, sudden slowness and unexplained file modification dates. One sign is reason to investigate; several at once strongly indicate a compromise. A thorough server-side malware scan gives certainty either way.
Can I clean up a hacked WordPress site myself?
For a light infection, sometimes yes: restore from a clean backup, or replace the core, themes and plugins with official downloads and remove suspicious files. But cleaning up without closing the original hole often leads to a fresh hack. If you are unsure, handle personal data, or the infection returns, call in a specialist who can also prove the site is clean again.
Do I have to report a hack under the GDPR?
Possibly. If personal data is involved — for example customer or form data — and there is a real risk to those individuals, under the GDPR you usually must report it to your supervisory authority within 72 hours, and sometimes to the individuals as well. Document what happened and which data may have been affected, and when in doubt have a privacy or security specialist review it.
How do I prevent my WordPress site from being hacked again?
Keep core, themes and plugins up to date at all times, use strong passwords with two-factor authentication, limit login attempts and put a web application firewall in front of the site. Remove unused plugins and themes, make automatic off-site backups (and test restoring them) and run a current, secure server platform. Ongoing maintenance and managed, secure hosting reduce the risk considerably.
Will I lose my content or my Google rankings?
Not necessarily. With a recent, clean backup you usually recover nearly all content. You may temporarily lose visitors and Google rankings while the site is offline or flagged as unsafe; rankings generally recover once the site is clean and you request a review via Search Console. Acting quickly and correctly limits the damage the most.
