General

Your WordPress Site Was Hacked: A Calm, Step-by-Step Recovery Plan

Finding out your site is hacked is stressful, but panic makes things worse. This plain-English recovery plan walks you through what to do first, how to clean up, and how to stay safe afterward.

WPSentry TeamJuly 16, 20267 min read
Table of Contents 6 sections

Discovering that your website has been hacked is one of the worst feelings a site owner can have. The instinct is to start deleting things immediately, but that panic usually makes the situation worse. The good news is that most WordPress hacks are recoverable, and working through a calm, deliberate plan gets you back online faster than frantic guessing ever will.

This guide walks you through recovery in plain language. You do not need to be a developer to understand the shape of what needs to happen, and knowing the steps helps you take control of the situation whether you clean the site yourself or hand it to a professional.

30,000+
Websites hacked every day
277 days
Average time to contain a breach
60%
Small businesses that close within 6 months of a breach
Contain
The right first move, not delete

The Recovery Sequence at a Glance

1. Contain and preserve
Take the site into maintenance mode and back up the infected state before changing anything.
2. Regain access
Reset every password from a trusted device and remove unfamiliar administrator accounts.
3. Clean thoroughly
Replace core and plugin files with clean copies and hunt for hidden backdoors.
4. Close the entry point
Update everything and fix the vulnerability that let the attacker in, or it happens again.
5. Restore your reputation
Request a review from Google so blocklist warnings are lifted from your listings.

First, Slow Down and Protect the Evidence

The most common mistake is rushing. When you start randomly deleting files or plugins, you often destroy the clues that reveal how the attacker got in, which almost guarantees the hack will return. Before you change anything, take a complete backup of the site in its current infected state. It feels strange to back up a compromised site, but that snapshot is your record of what happened, and you can investigate it safely later.

If your host offers a maintenance mode or a way to take the site temporarily offline, use it. This protects your visitors from any malware the attacker planted and stops your site from being used to send spam or attack others while you work. A short period of downtime with a friendly maintenance message does far less damage than leaving an infected site live.

Regain Control of Your Accounts

Once the site is contained, focus on locking the attacker out. Change your WordPress administrator password, your hosting account password, your database password, and your email password, and do it from a device you are confident is clean. Attackers frequently create hidden administrator accounts, so review the user list and remove anyone you do not recognize. If your login details were the way in, this step alone shuts the door behind the intruder.

Why passwords come first

If you clean every file but leave a compromised password in place, the attacker simply logs back in and reinfects the site. Rotating credentials early stops the bleeding while you do the slower cleanup work.

Clean the Infection Methodically

With access secured, the real cleanup begins. The goal is to remove every trace of the attacker, not just the obvious symptom. That means replacing WordPress core files and plugin files with fresh copies from official sources, because attackers love to tuck malicious code inside otherwise normal-looking files. It also means checking the database and configuration files for injected content, since sophisticated infections hide in several places at once so that cleaning one still leaves the site compromised.

This is the stage where many do-it-yourself efforts fall short. A backdoor is a small piece of code that lets the attacker return at will, and a single missed backdoor undoes all your work. If the infection is deep, if you find code you do not understand, or if customer or payment data is involved, hiring a professional cleanup service is money well spent.

Find and Close the Entry Point

A hack is a symptom. Something let the attacker in, and until you fix it, you are simply waiting to be hacked again. In the overwhelming majority of cases the entry point is an outdated plugin, theme, or WordPress version with a known vulnerability, or a weak password that was guessed or reused from another breach. Update absolutely everything to the latest version, remove any plugins and themes you no longer use, and turn on two-factor authentication so a stolen password is no longer enough to log in.

Restore Your Reputation

If your site was flagged by Google or added to a blocklist during the attack, cleaning the files is not quite the end. You will need to request a review through Google Search Console so the warning is removed and your visitors stop seeing scary red screens. This can take a little time, which is another reason to act quickly. The sooner you clean up, the sooner your standing with search engines recovers.

Recovery is not the same as prevention

Getting back online proves you can respond to an attack. Staying online proves you can prevent the next one. The habits you build after a hack, regular updates, strong unique passwords, and routine scanning, are what keep it from happening a second time.

Turn a Bad Day Into Better Habits

Every site owner who has been through a hack says the same thing afterward: they wish they had taken security seriously before it happened. The recovery process is a hard but effective teacher. Once your site is clean, commit to updating promptly, keeping good backups you actually test, and scanning your site on a regular schedule so the next problem is caught while it is still small.

Make sure your site is really clean

Run a free external security scan to check for blocklisting, outdated components, and the weaknesses that let attackers in.

Scan Your Site Free

FAQ

Frequently Asked Questions

Stay calm and avoid making rushed changes that destroy evidence. Take your site into maintenance mode or offline if you can, take a full backup of the current infected state for investigation, and change your passwords from a device you trust. Then work through cleanup methodically rather than deleting things at random.

In most cases yes, at least temporarily. Putting the site into maintenance mode protects your visitors from malware and stops the compromise from spreading or sending spam while you investigate. It also prevents further damage to your search reputation.

Sometimes, if the infection is simple and you are comfortable working with files and the database. However, hidden backdoors are easy to miss, and a half-cleaned site gets reinfected quickly. If you are unsure, or if payment or customer data is involved, it is worth hiring a professional cleanup service.

Cleaning the infection is only half the job. You must find and close the entry point, which is usually an outdated plugin or a weak password, then update everything, reset all credentials, enable two-factor authentication, and start scanning regularly so you catch problems early.

A simple infection caught early might be resolved in a few hours. A deep compromise with multiple backdoors, blocklisting, and a Google review request can take days to fully resolve. Acting quickly and methodically shortens the timeline considerably.

Tags

Related Posts