Maintenance & Operations | October 8, 2025 | 4 min read

What to Do When Your WordPress Site Gets Hacked

Your site is hacked. Maybe Google flagged it, maybe visitors see spam, maybe you just noticed an admin account you didn't create. Here's the response sequence that actually works.

Osiris Nunez, Author

Confirm It’s Actually Hacked

Before panicking, confirm what you’re dealing with. “Hacked” covers a wide range:

  • Defacement: Your homepage is replaced with someone else’s content.
  • Pharma hack: Hundreds of spam pages about viagra or cheap sneakers appear in Google results for your domain, but your site looks normal when you visit directly.
  • Redirect hack: Visitors (especially from Google) get redirected to gambling or phishing sites.
  • Backdoor: An unknown admin account appeared, or files were modified without anyone on your team making changes.
  • SEO spam injection: Hidden links or content injected into your pages that you can only see in the source code.
  • Google Safe Browsing warning: A red warning page appears before your site loads, telling visitors the site may be harmful.

Each of these requires a slightly different approach, but the response sequence is the same.

Step 1: Don’t Delete Anything Yet

Your first instinct is to start deleting suspicious files. Resist that. Deleting evidence makes it harder to identify the attack vector and confirm you’ve found everything. If you have backups, the original infected files are your forensic trail.

Step 2: Contain the Breach

Limit the damage before you start cleaning:

  • Change all passwords immediately. WordPress admin, FTP/SFTP, hosting control panel, database. Use a password manager and make them long and random.
  • Revoke all active sessions. In WordPress, go to Users, edit each admin account, and click “Log Out Everywhere Else.”
  • Put the site in maintenance mode if visitors are being redirected to malicious content. A simple maintenance.html served by your host is better than actively serving malware to your visitors.
  • Remove unknown admin accounts. Check Users in wp-admin. Any account you don’t recognize should be deleted.

Step 3: Scan for Malware

You need to find every infected file, not just the obvious ones. Attackers typically plant multiple backdoors so they can regain access even after you clean the primary infection.

Tools that help:

  • Wordfence scan compares your core, plugin, and theme files against the official repository versions and flags modified files.
  • Sucuri SiteCheck (free online scan) detects known malware signatures, blacklisting status, and injected spam.
  • Server-level scan using ClamAV or Imunify360 (if your host provides it) catches malware that WordPress-level scanners miss.

Common hiding spots: wp-content/uploads (attackers love hiding PHP files among your images), theme files with random names, .htaccess (redirect rules injected here are invisible from wp-admin), and wp-includes where modified core files blend in.

Step 4: Clean the Infection

If you have a clean backup from before the hack, the fastest path is:

  1. Restore the backup to a staging environment
  2. Verify it’s clean
  3. Update all plugins, themes, and core to latest versions
  4. Change all passwords and security keys
  5. Push the clean version live

If you don’t have a clean backup, you’ll need to clean manually:

  • Replace WordPress core files. Download a fresh copy from wordpress.org and overwrite wp-admin and wp-includes entirely.
  • Reinstall plugins from the repository. Don’t just update — delete the plugin folders and install fresh copies.
  • Review theme files line by line. Look for eval(), base64_decode(), gzinflate(), and any obfuscated code blocks.
  • Check the database. Malware often injects JavaScript into post content, widget settings, or options. Search the wp_options table for suspicious entries, especially in active_plugins and siteurl.
  • Clean .htaccess. Replace it with the default WordPress version and re-add only rules you recognize.
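The following triage script is an added example, not the article's or Parameter's tooling; it walks the hiding spots from Step 3 and greps for the obfuscation functions from Step 4 in one pass. It assumes the WordPress docroot is passed as its first argument; the finding categories, the extra wrapper functions and the 7-day window are my choices.

```shell
#!/usr/bin/env bash
# Triage scanner for the hiding spots and obfuscation functions the article names.
# Added example, not the article's or Parameter's tooling. Assumes the WordPress
# docroot is passed as $1; categories and the 7-day window are assumptions.
set -u

emit() { printf '%s\t%s\n' "$1" "$2"; }   # finding: <category> TAB <path[:line]>

# Functions the article lists (plus two common wrappers), called outside an identifier.
OBFUSCATION_RE='(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
# .htaccess directives that redirect, cloak by visitor (User-Agent/Referer) or preload PHP.
HTACCESS_RE='Rewrite(Rule|Cond).*(https?://|HTTP_USER_AGENT|HTTP_REFERER)|auto_prepend_file'

scan_wp_dir() {
  local root="$1" f n
  # 1. PHP hiding among uploads: nothing under uploads should be executable code.
  find "$root/wp-content/uploads" -type f \
       \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null |
    while IFS= read -r f; do emit php-in-uploads "$f"; done
  # 2. Obfuscation markers in themes, plugins and uploads. Hits are leads to read,
  #    not verdicts: some legitimate plugins call base64_decode. Core is excluded here;
  #    compare wp-admin/wp-includes against official checksums (wp core verify-checksums).
  grep -rlIE --include='*.php' "$OBFUSCATION_RE" "$root/wp-content" 2>/dev/null |
    while IFS= read -r f; do emit obfuscation-marker "$f"; done
  # 3. Injected .htaccess rules, invisible from wp-admin, reported with line numbers.
  find "$root" -name .htaccess -type f 2>/dev/null | while IFS= read -r f; do
    grep -nE "$HTACCESS_RE" "$f" | cut -d: -f1 |
      while IFS= read -r n; do emit htaccess-rule "$f:$n"; done
  done
  # 4. Core files touched in the last 7 days: core should only change on updates.
  find "$root/wp-admin" "$root/wp-includes" -type f -mtime -7 2>/dev/null |
    while IFS= read -r f; do emit core-recently-modified "$f"; done
}

# Usage: ./wp-triage.sh /var/www/html > findings.tsv
if [ "$#" -gt 0 ]; then scan_wp_dir "$1" | sort -u; fi
```

Every flagged path is a lead for the manual review the article describes, so keep the originals (Step 1) and read each hit before replacing anything.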

Step 5: Harden Access

Cleaning without hardening means you’ll be hacked again through the same vector:

  • Update WordPress security keys in wp-config.php. Use the official generator. This invalidates all existing login sessions.
  • Enable two-factor authentication on every admin account.
  • Install a WAF (Cloudflare or Wordfence) to block the automated attacks that found you in the first place.
  • Set proper file permissions: directories at 755, files at 644, wp-config.php at 440.
  • Disable file editing: Add define('DISALLOW_FILE_EDIT', true); to wp-config.php.
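An added hardening check for the wp-config.php and permission items above (example code, not the article's or Parameter's). It assumes the docroot is its first argument; by default it only reports, and "--fix" applies the 755/644/440 modes the article gives. The placeholder string it looks for is the one shipped in wp-config-sample.php.

```shell
#!/usr/bin/env bash
# Hardening audit for the wp-config.php and permission items in Step 5.
# Added example, not the article's or Parameter's code. Assumes the docroot is $1.
# Report only by default; "--fix" applies the 755/644/440 permissions the article gives.
set -u

# The eight constants WordPress uses to sign cookies and nonces; rotating them logs everyone out.
WP_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# One problem per line, nothing when wp-config.php passes.
audit_wp_config() {
  local cfg="$1/wp-config.php" k line
  for k in $WP_KEYS; do
    line=$(grep -E "define\([[:space:]]*'$k'" "$cfg" 2>/dev/null || true)
    if [ -z "$line" ]; then echo "missing-key $k"
    # wp-config-sample.php ships this placeholder; leaving it means sessions were never invalidated.
    elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then echo "placeholder-key $k"
    fi
  done
  grep -qE "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null \
    || echo "file-edit-enabled"
}

# Lists paths whose mode differs from the article's targets: dirs 755, files 644, wp-config.php 440.
audit_permissions() {
  local root="$1"
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -maxdepth 1 -name wp-config.php ! -perm 440
}

fix_permissions() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
}

# Usage: ./wp-harden-check.sh /var/www/html [--fix]
if [ "$#" -gt 0 ]; then
  audit_wp_config "$1"
  if [ "${2-}" = "--fix" ]; then fix_permissions "$1"; fi
  audit_permissions "$1"
fi
```

Run it again after pasting fresh values from the official key generator; a clean run prints nothing.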

Step 6: Request Review

If Google flagged your site, submit a review request through Google Search Console after cleaning. Google typically reviews within 72 hours. If you’re on a hosting provider’s blacklist, contact their abuse team with evidence of the cleanup.

Preventing Reinfection

Most sites that get hacked once get hacked again within 6 months — because the same conditions that allowed the first breach still exist. The fix isn’t just cleaning; it’s establishing ongoing operations: automatic updates with staging, daily monitored backups, WAF, and regular security scans.

That’s exactly what Parameter Protect handles. If you’re dealing with an active breach right now, our emergency diagnostic gets to the root cause within 2 hours — and the $250 fee credits toward annual protection so you’re not back in this position again.

Want WordPress to feel handled?

Self-serve onboarding takes minutes. Parameter takes care of the rest — hosting, ops, and improvements when you need them.