Discovering that your WordPress website has been hacked is disheartening. A breach can tarnish your reputation, harm your SEO rankings, and even leak sensitive data. However, stay calm: there is a logical approach you can take to restore your website and safeguard it from further attacks. In this post, GlassMedia provides step-by-step instructions for what to do if your website is hacked.
Step 1: Stay Calm and Assess the Situation
Before you rush to respond, pause to assess the damage. Look for signs such as:
- Sudden traffic drops
- Suspicious admin accounts
- Redirects to malicious sites
- Unknown files or plugins
- Google alerts or hosting provider notices
Take screenshots and notes as evidence in case you need to pursue the matter further, professionally or formally.
Step 2: Put Your Website in Maintenance Mode
Limit the damage and keep visitors from being exposed to malware by taking the site offline. You can:
- Use a maintenance mode plugin
- Deactivate the site for a while in your hosting panel
- Put a static HTML file in place as a placeholder
Step 3: Scan for Malware
Use security plugins like:
- Wordfence
- Sucuri Security
- iThemes Security
These plugins help you identify files infected with malware, as well as malicious user accounts.
Step 4: Restore From Backup (If Available)
If you have a good, recent backup:
- Restore your site through your hosting panel or using a plugin.
- All passwords should be updated as soon as the restore is complete.
If you do not have a backup, clean the malware from your site manually, as described in Step 5.
Step 5: Manually Clean Infected Files
Log in to your website using FTP or File Manager and:
- Remove any suspicious files in /wp-content/plugins/, /themes/, or /uploads/
- Diff your core files against a fresh download from WordPress.org
- Clean infected database tables (search for suspicious iframes, JavaScript, or base64 code)
Pro Tip: Try using WP-CLI or an online diff tool to compare files much faster.
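The file checks in Step 5 can be scripted. The following Python example is an addition to this post, not GlassMedia's own tooling: it compares a site directory byte-for-byte against an unpacked fresh WordPress download, and lists PHP files in uploads and wp-content files containing the strings mentioned above. The function names, report keys, and the sample files built in demo() are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

# Strings Step 5 says to search for: base64-encoded code and injected iframes.
SUSPICIOUS = re.compile(rb"base64_decode\s*\(|<iframe", re.I)
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}  # never in the download: review by hand

def audit_site(site_root, clean_root):
    """Compare a live WordPress tree against a fresh, unpacked core download."""
    site, clean = Path(site_root), Path(clean_root)
    report = {k: [] for k in ("modified", "unknown", "uploads_php", "pattern_hits", "review")}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site).as_posix()
        if rel.startswith("wp-content/"):
            # Plugins, themes and uploads differ per site, so inspect content instead.
            is_php = f.suffix.lower() in {".php", ".phtml"}
            if rel.startswith("wp-content/uploads/") and is_php:
                report["uploads_php"].append(rel)    # code in a media folder is unexpected
            elif is_php and SUSPICIOUS.search(f.read_bytes()):
                report["pattern_hits"].append(rel)   # a lead to inspect, not a verdict
        elif rel in SITE_SPECIFIC:
            report["review"].append(rel)
        elif not (clean / rel).is_file():
            report["unknown"].append(rel)            # file the core download does not ship
        elif f.read_bytes() != (clean / rel).read_bytes():
            report["modified"].append(rel)           # core file altered
    return report

def write_tree(root, files):
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)

def demo():
    """Audit a small constructed site (sample content, not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        core = {"wp-login.php": b"<?php // login", "wp-includes/version.php": b"<?php // v"}
        write_tree(clean, core)
        write_tree(site, {**core,
            "wp-login.php": b"<?php // login\n@include 'wp-includes/cache.php';",
            "wp-includes/cache.php": b"<?php // not part of core",
            "wp-content/uploads/2024/img.php": b"<?php // should not be here",
            "wp-content/plugins/seo/helper.php": b"<?php $c = base64_decode($x);",
            "wp-config.php": b"<?php // credentials"})
        return audit_site(site, clean)

if __name__ == "__main__":
    print(demo())
```

Point audit_site() at a local copy of the site and at a download matching the installed WordPress version; a version mismatch will show up as many modified files.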
Step 6: Reset All Passwords
Change credentials for:
- WordPress admin users
- FTP/SFTP and cPanel
- Database (update wp-config.php with new credentials)
- API keys and integrations
Last but not least, remove any unknown or suspicious users from your WordPress site.
Step 7: Update Everything
Make sure to:
- Update WordPress core
- Update all themes and plugins
- Uninstall unused or outdated themes and plugins
Obsolete software is one of the most common ways hackers break in.
Step 8: Implement Security Best Practices
- Add a security plugin (Wordfence, Sucuri)
- Turn on a Web Application Firewall (WAF)
- Limit login attempts
- Use two-factor authentication (2FA) on your accounts
- Scan regularly for malware and security vulnerabilities
- Schedule automatic backups
Step 9: Submit for Google Review
If your website has been blocked or flagged, you can request a review through:
- Google Search Console
- Google Safe Browsing
Make sure your website is clean and secure so that the security warnings can be removed.
Step 10: Consider Professional Help
If the attack is severe or prolonged, you may want to hire a WordPress security specialist or an agency such as GlassMedia to:
- Deep-clean your files and database
- Identify vulnerabilities
- Install advanced firewalls and hardening
Wrapping Up
Dealing with a WordPress hack is a headache, but if you follow these steps, you should be able to restore your site and better protect it in the future. Prevention is always better, so use strong security, keep backups, and keep everything up to date. Need help? GlassMedia is a leading website recovery, security auditing, and ongoing protection service for your WordPress site.