What to do if your WordPress site is hacked?

Here’s a step-by-step guide for responding effectively if your WordPress site is hacked. You’ll learn how to recognize an attack, contain and assess damage, clean and restore your site, strengthen security measures, and set up ongoing monitoring and backups to prevent future incidents.

This process draws on best practices from leading security experts—Sucuri, Wordfence, Kinsta, WPBeginner, and more—and provides clear, actionable steps to get your site back online safely and securely.

Recognizing the Hack

Common Signs of a Compromise

• Defaced Public Pages: Unexpected changes to your homepage or content indicate tampering.
• New or Suspicious Users: Unknown administrator accounts can signal that attackers have gained control.
• Redirects and Spam Links: Visitors sent to unfamiliar sites or seeing spammy links means malware is present.
• Security Plugin Alerts: Tools like Wordfence will flag malicious files or login attempts.
• Hosting Account Suspension: Some hosts disable hacked sites to prevent further spread.
• Performance Issues: Sudden CPU spikes or slow loading times may result from hidden backdoors running malicious scripts.

Initial Assessment

1. Verify the Hack: Use a scanner—Sucuri SiteCheck or Wordfence—to confirm malware presence.
2. Check Server Logs: Review access logs for unusual IPs, POST requests, or file changes.
3. Determine Scope: Identify which files and database tables have been modified.

Containment and Triage

Put Your Site into Maintenance Mode

Prevent further damage and protect visitors by enabling a maintenance or “coming soon” page.

Reset All Passwords

Immediately change passwords for:

• WordPress admin users;
• Database user;
• FTP/SFTP and hosting control panel;
• Email accounts associated with the site.

Revoke Unnecessary Access

Remove any suspicious or inactive user accounts, and ensure only trusted administrators remain.

Cleaning the Infection

1. Backup Your Compromised Site

Even a hacked copy is useful for forensic analysis. Create a full backup of files and database before making changes.

2. Scan and Identify Malicious Code

• Use Security Plugins: Run full scans with Sucuri, Wordfence, or MalCare to locate infected files.
• Check File Integrity: Compare core WordPress, theme, and plugin files against known good versions.

3. Remove Malicious Files and Code

• Delete Unknown Files: Remove any files not part of your original install.
• Clean Infected Files: Carefully edit or replace infected core, plugin, or theme files.
• Database Clean-Up: Remove malicious entries from wp_options, wp_users, wp_posts, and other tables.

4. Reinstall Core, Themes, and Plugins

• Core WordPress: Download a fresh copy and replace all core files.
• Themes & Plugins: Delete and reinstall from official sources to eliminate backdoors.

5. Update Everything

Ensure WordPress core, all themes, and plugins are updated to their latest secure versions.

Restoring from Clean Backups

If cleaning isn’t feasible or too time-consuming, restore your site from a clean, recent backup:

1. Verify Backup Integrity: Confirm the backup predates the hack.
2. Restore Files & Database: Use your host’s backup service or a plugin like UpdraftPlus.
3. Re-secure the Restored Site: Immediately apply the security hardening steps below.

Security Hardening and Prevention

1. Enforce Strong Authentication

• Two-Factor Authentication (2FA): Implement via plugins like Two Factor Authentication or Wordfence.
• Limit Login Attempts: Throttle or block after repeated failed attempts.

2. Principle of Least Privilege

Assign users only the permissions they need. Remove unused admin accounts and restrict file permissions to 644/755.

3. Implement Web Application Firewall (WAF)

Use Sucuri or Cloudflare WAF to block malicious traffic before it reaches your site.

4. Disable File Editing in Dashboard

Add define('DISALLOW_FILE_EDIT', true); to wp-config.php to prevent attackers from modifying files via the admin interface.

5. Keep Regular, Automated Backups

Schedule off-site backups to services like Dropbox, Google Drive, or your host’s storage. Test restores periodically.

6. Harden wp-config.php and .htaccess

• Move wp-config.php one directory level up.
• Restrict access to .htaccess and wp-config.php via server rules.

Ongoing Monitoring and Maintenance

1. Continuous Security Scans

Schedule daily or weekly scans with your security plugin to catch new threats early.

2. Uptime and Performance Monitoring

Use tools like UptimeRobot and Query Monitor to detect downtime or performance degradation that might indicate a reinfection.

3. Audit Logs and Alerts

Maintain an audit trail of user logins, file changes, and plugin updates to trace suspicious activity.

4. Security Checklist Reviews

Regularly consult comprehensive guides—such as WPBeginner’s security checklist—to ensure no hardening step is overlooked.

When to Seek Professional Help

If the hack is complex—rootkits, database injections, or mass defacements—consider:

• Managed Malware Removal Services: Kinsta’s free pledge for hosted sites or Wordfence Care.
• Security Consultants: Firms like Sucuri and MalCare offer incident response and forensic analysis.

Final Words

By following these structured steps—detection, containment, cleaning, restoration, hardening, and ongoing monitoring—you can recover swiftly from a hack and significantly reduce the risk of future compromises. Vigilance, regular maintenance, and a layered security approach are the keys to keeping your WordPress site safe.