
What to do if your WordPress site gets hacked

By OpsHelp Team

Something's off. Visitors are being redirected to a strange site, Google is flagging you with a big red warning, your admin dashboard keeps logging you out, or there's suddenly a new admin user you don't recognise. Breathe. This is very fixable, and panicking makes it worse.

Here's what to do, in order, without losing your head.

1. Confirm it's actually a hack

Not every weird thing is a compromise. Before you do anything destructive, check a few boring things first:

  • Is your domain pointing somewhere it shouldn't? Sometimes it's a DNS change, not a hack.
  • Did a plugin update break something? Rolling that back is a lot easier than a malware clean.
  • Is your hosting account paid up? An unpaid invoice can look a lot like a takedown.

If none of those explain it — and you're seeing redirects, unknown admin users, files you don't recognise, or a big Google warning — it's likely a compromise.

2. Take the site offline, safely

Don't just delete things. Put the site into maintenance mode so your customers see something sensible instead of a half-broken page. Most managed hosts have a one-click option. If yours doesn't, a simple "We'll be right back" HTML page served from the web root works.

Pulling the site offline does two things: it stops the attacker causing more damage, and it protects your visitors from whatever has been planted.

3. Change every password — yes, every password

The attacker may still have valid credentials. You need to assume every password associated with the site is compromised:

  • Your hosting control panel (cPanel, Plesk, etc.)
  • Your FTP / SFTP accounts
  • Your WordPress admin users
  • Your database user
  • Any email account tied to WordPress password resets

Generate long random passwords with a password manager. Don't reuse old ones.

4. Work out what happened

Before you clean up, try to understand how they got in. Common entry points:

  • An out-of-date plugin with a known vulnerability
  • A reused password that leaked elsewhere
  • A weak admin password that got brute-forced
  • A file-upload form that didn't validate what was being uploaded

Check the modification dates in your wp-content/plugins folder, your access logs around the first sign of trouble, and any plugins you installed recently. If you can't tell, that's fine — a thorough clean plus a full password reset covers both the file-based and the credential-based routes in.
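As an added example of the access-log check in step 4 (this is not code from the original guide), the script below parses a few constructed combined-format log lines and flags two of the entry points listed above: one IP repeatedly POSTing to wp-login.php or xmlrpc.php, and a PHP file being requested from wp-content/uploads, a folder that should never serve PHP. The sample lines, IPs, paths and the attempt threshold are all assumptions for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not taken from any real server.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Mar/2024:01:58:10 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:02:20:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:31:19 +0000] "GET /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
"""

def parse(log_text):
    """Yield one dict per parseable line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, login_threshold=3):
    """Flag login hammering per IP and any PHP served from the uploads folder."""
    login_posts = Counter()   # POSTs to the login endpoints, keyed by IP
    first_seen = {}           # timestamp of each IP's first login POST
    uploads_php = []          # (ts, ip, path, status) for PHP hits under uploads
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path in ("/wp-login.php", "/xmlrpc.php"):
            login_posts[r["ip"]] += 1
            first_seen.setdefault(r["ip"], r["ts"])
        # Uploads should hold media only; a PHP request here is a strong sign of a planted file
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            uploads_php.append((r["ts"], r["ip"], path, r["status"]))
    brute = {ip: (n, first_seen[ip]) for ip, n in login_posts.items() if n >= login_threshold}
    return {"brute_force": brute, "uploads_php": uploads_php}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The timestamp on the first flagged entry is the "first sign of trouble" to scope the rest of your log review and your backup choice around.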

5. Clean, don't patch

Trying to delete the dodgy files you can see and calling it done is how hacks come back a week later. The only reliable approach is:

  1. Restore from a known-clean backup that predates the compromise, if you have one.
  2. If not: wipe the WordPress install, reinstall core cleanly, re-upload a clean copy of your theme and plugins (from official sources), and migrate only your content and wp-content/uploads folder — after scanning it.
  3. Reset the password of the WordPress database user and regenerate the authentication salts in wp-config.php.

A malware scanner on top of this is a sensible last step, not a first step.

6. Harden what let them in

Before you bring the site back:

  • Remove any plugin you don't actively need.
  • Update everything that's left.
  • Turn on two-factor authentication for admin users.
  • Limit login attempts (Wordfence, Limit Login Attempts Reloaded, or similar).
  • Review all admin accounts and delete any you don't recognise.
  • Change your database prefix if it was the default wp_.

7. Ask Google to re-check you

If you were flagged with a "This site may harm your computer" warning, go to Google Search Console and request a review once you're clean. It usually takes 24-72 hours to clear.

8. Take backups seriously from now on

Daily offsite backups, tested monthly. A backup you haven't tested restoring is not a backup — it's a hope.

Honestly, though

If you're dealing with an active hack and the above list reads as overwhelming, it is. This is the kind of thing we do in a couple of hours with everything in place and the right tooling. If you want help, get in touch — we'll sort it calmly and show you exactly what happened.