Hosting Guide · 20 March 2026

WordPress Malware Removal: How to Clean a Hacked Site in 2026

A hacked WordPress site isn't the end — if you act fast and follow the right process. Here's the step-by-step malware removal guide that works in 2026, with prevention tactics to make sure it doesn't happen again.

Hostao Team
Web Hosting Experts · hostao.com

Your Site Got Hacked. Now What?

The first sign is usually something off: a Google Search Console warning, visitors reporting spam redirects, or your hosting company suspending the account. However you found out, the situation is recoverable — but speed matters. Every hour a hacked site stays infected risks search engine blacklisting, customer data exposure, and deeper damage to your database.

Here's the complete process, in the right order.

Step 1: Don't Panic and Don't Delete Everything

The instinct is to restore a backup and forget it happened. Resist this for now. If you restore a backup without understanding how the site was compromised, you're rebuilding the same vulnerable target. The attacker will be back within days using the same entry point.

First, take inventory. Download a copy of your current (infected) site for forensic reference. Note what you're seeing: spam links injected into pages, redirects to suspicious sites, new admin users you didn't create, files modified recently without your involvement.

Step 2: Lock It Down Immediately

While you work on the cleanup, prevent further damage:

Change all passwords immediately. WordPress admin accounts, FTP/SFTP access, cPanel or hosting panel, your database user. If the attacker has valid credentials, cleaning the malware means nothing — they'll re-inject.

Enable maintenance mode so visitors aren't exposed to whatever the malware is serving. A simple maintenance plugin handles this, or drop a maintenance HTML file at the root if you need speed.

Check for unknown admin users. Go to Users → All Users in WordPress admin. Any admin account you didn't create is a backdoor. Delete them.

Revoke all active sessions. In your wp-config.php, add a new Auth Key/Salt (use the WordPress Salt Generator). This logs out everyone, including any attacker with a live session cookie.

Step 3: Scan for Malware

Two tools are essential here:

Wordfence Security (free tier) — Install it, run a full scan. Wordfence compares your WordPress core files, themes, and plugins against the official repository versions and flags any modifications. Most common malware injections show up immediately.

Sucuri SiteCheck — Run your domain through Sucuri's free scanner at sitecheck.sucuri.net. It checks your site from the outside, the way search engines and visitors see it, and flags blacklisting, spam content injection, and malware signatures.

Manual file check for recently modified files:

```bash
find /path/to/wordpress -type f -name "*.php" -newer /path/to/reference-file -ls
```

Replace the reference-file with any file you know is clean and dated before the compromise. This surfaces PHP files modified after your reference point — exactly where attackers hide their code.

Common injection locations:
  • wp-includes/functions.php (added code at the top or bottom)
  • wp-content/themes/[your-theme]/functions.php
  • .htaccess (redirect rules sending visitors to spam sites)
  • Fake plugin directories in wp-content/plugins/
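
Modification time alone misses files whose timestamps were reset, so a content check is a useful second pass. The script below is an added example, not part of the original guide: it flags PHP files that feed a decoder into `eval()`, contain a long base64-looking run, or sit inside the uploads directory. The function names, the decoder list, the 200-character threshold and the uploads rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: triage scan of a WordPress tree for injected PHP.
# The decoder list, the 200-character threshold and the uploads rule are
# assumptions chosen for illustration; hits are leads to review, not proof.

# Prefix each path read on stdin with a reason tag and a tab.
tag() { awk -v r="$1" '{ print r "\t" $0 }'; }

# Usage: scan_wp_php /path/to/wordpress
scan_wp_php() {
  root=$1
  # eval() fed directly by a decoder, e.g. eval(base64_decode(...))
  find "$root" -type f -name '*.php' -exec grep -Eil \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + |
    tag EVAL_DECODE
  # One unbroken base64-looking run of 200 or more characters
  find "$root" -type f -name '*.php' -exec grep -El \
    '[A-Za-z0-9+/=]{200,}' {} + | tag LONG_BASE64
  # Executable PHP inside the media uploads directory
  find "$root" -type f -path '*/wp-content/uploads/*' -name '*.php' |
    tag PHP_IN_UPLOADS
  return 0
}

# Run directly: sh scan.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then scan_wp_php "$1"; fi
```

Run it against the forensic copy taken in Step 1 as well as the live tree, and review each hit by hand, since minified or bundled plugin code can trip the long-string rule.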

Step 4: Clean the Infected Files

WordPress core files: If core files have been modified, don't edit them — replace them. Download a fresh copy of the same WordPress version from wordpress.org and replace wp-admin and wp-includes entirely. Don't touch wp-content — that's where your site data lives.
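
Before overwriting, it helps to record exactly which core files differ, because that list is evidence for Step 5. The script below is an added example, not part of the original guide: it compares wp-admin and wp-includes in the live site against an unpacked fresh download of the same version. The function name `check_core` and both path arguments are placeholders.

```shell
#!/bin/sh
# Added example: verify WordPress core directories against a fresh copy.
# Assumes $2 is an unpacked wordpress.org download of the SAME version as
# the site in $1 (both paths are placeholders you supply).

# Prints one "STATUS<TAB>relative/path" line per difference:
#   MODIFIED  file exists in both trees but the bytes differ
#   EXTRA     file exists only in the live site (core ships no such file)
#   MISSING   file exists only in the fresh copy
check_core() {
  site=$1
  fresh=$2
  for dir in wp-admin wp-includes; do
    # Walk the live tree: catches edited files and attacker-added ones.
    if [ -d "$site/$dir" ]; then
      (cd "$site" && find "$dir" -type f) | while IFS= read -r rel; do
        if [ ! -f "$fresh/$rel" ]; then
          printf 'EXTRA\t%s\n' "$rel"
        elif ! cmp -s "$site/$rel" "$fresh/$rel"; then
          printf 'MODIFIED\t%s\n' "$rel"
        fi
      done
    fi
    # Walk the fresh tree: catches core files deleted from the site.
    if [ -d "$fresh/$dir" ]; then
      (cd "$fresh" && find "$dir" -type f) | while IFS= read -r rel; do
        [ -f "$site/$rel" ] || printf 'MISSING\t%s\n' "$rel"
      done
    fi
  done
  return 0
}

# Run directly: sh check_core.sh /path/to/site /path/to/fresh-wordpress
if [ "$#" -eq 2 ]; then check_core "$1" "$2"; fi
```

EXTRA entries deserve the closest look: a PHP file in wp-includes that the official release does not ship is not something an update would have put there.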

Theme files: If your active theme's files show modifications, the cleanest path is to restore them from the original theme source. If you've made custom modifications, compare line by line using a diff tool and remove only the injected code. Malware in theme files usually appears as obfuscated PHP — long strings of base64-encoded content that don't look like legitimate theme code.

Plugin files: Remove any plugins you don't recognize. For legitimate plugins with infected files, delete the plugin entirely and reinstall a fresh copy from wordpress.org or the original source.

Database cleaning: Malware often hides in the database — injected into post content, option values (wp_options table), or widgets. In phpMyAdmin, search your wp_posts table for known malware strings like `eval(base64_decode`, `document.write`, or the specific domain your site was redirecting to. Export the database, clean the strings with find-and-replace, re-import.

.htaccess: Replace with a clean WordPress default:

```
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Step 5: Find and Close the Entry Point

This is the step most people skip, and it's why sites get reinfected.

Check your activity log (if you had one running — this is why you should). Look for unusual admin logins, unexpected file modifications, or plugin/theme uploads around the time of compromise.

Common entry points in 2026:
  • Outdated plugins — The most common vector. Attackers scan the web for sites running known-vulnerable plugin versions and exploit them automatically.
  • Nulled themes and plugins — Pirated WordPress software almost always contains backdoors. If you've used any nulled software, this is likely your entry point.
  • Weak admin credentials — Brute force against admin/password or common credentials is still effective when there's no rate limiting.
  • Compromised hosting account — If other sites on the same hosting account were hacked, cross-contamination is possible.
  • Compromised local machine — If your developer's computer has malware and they use FTP with saved credentials, the credentials can be stolen.

Step 6: Harden Before You Reopen

Before you take the site off maintenance mode:
  • Update everything. WordPress core, every plugin, every theme. No exceptions.
  • Remove everything you don't use. Inactive plugins and themes are attack surface. Delete them.
  • Install a security plugin. Wordfence or Solid Security (formerly iThemes Security) for ongoing monitoring, login protection, and file change detection.
  • Enable two-factor authentication for all admin accounts.
  • Set up automatic offsite backups. Not just your hosting's built-in backup — an independent backup to a separate service. Hostao's managed hosting plans include automated daily backups to offsite storage.
  • Configure login attempt limits. Five failed logins should trigger a lockout. This kills brute force attacks at the first stage.

Step 7: Submit for Review If Blacklisted

If Google blacklisted your site (you'll see the warning in Search Console), clean the site first, verify it's clean, then submit a reconsideration request through Google Search Console under Security Issues.

The review typically takes 1-3 days. Google is generally responsive to genuine cleanup — they want clean sites too.

Prevention Going Forward

The clean install is the easy part. Staying clean requires consistent habits:
  • Update schedule: Check for plugin and theme updates weekly. Enable WordPress core auto-updates for minor security releases.
  • Monitoring: Uptime monitoring and security scanning should run continuously. You want to know about a problem in minutes, not days.
  • Backup verification: Monthly, actually restore a backup to a test environment and verify it works. A backup you've never tested is a backup you can't trust.
  • Minimal plugin footprint: Every plugin is attack surface. Run the minimum needed.

A hacked site is a setback, not a catastrophe. Handled correctly, you can be fully clean and hardened within a day. The businesses that handle it well come out more secure than they were before the incident.

Need professional help with a hacked WordPress site? Hostao's security team handles malware removal and hardening for sites on our platform. For managed hosting plans that include proactive security monitoring, see our plans.
