Top view of someone holding an phone next to laptop

Web Design & Development Insights

My WordPress Site Was Hacked

First: don't panic, and don't delete anything yet. Here's exactly what to do, in order, if your WordPress site has been hacked.

My WordPress Site Was Hacked A ceramic bowl repaired in the Japanese kintsugi style, its cracks filled with gold
A ceramic bowl repaired in the Japanese kintsugi style, its cracks filled with gold

If you're reading this because your site is currently hacked: take a breath. It's a bad afternoon, not the end of your business. Most hacked WordPress sites are recoverable, and the situation is almost always less catastrophic than it feels in the first ten minutes.

Here's what to do, in order. Work through it calmly.

First: don't delete anything

The instinct is to start tearing things out. Resist it. Right now the compromised site is also evidence - it tells you how they got in, and if you scorch it all immediately, you can end up cleaning the site only to get reinfected through the same hole a week later.

Contain first. Delete later, carefully.

Step 1 - Confirm it's actually hacked

Sometimes what looks like a hack is a broken plugin or a billing lapse. Signs of a real compromise:

  • Content you didn't write - spam links, pop-ups, redirects to other sites.
  • Google or your browser showing a red "deceptive site" warning.
  • Your host has suspended the account, or emailed about malware.
  • You can't log in to wp-admin, or there are admin users you don't recognise.
  • Customers or visitors telling you the site is doing something strange.

Step 2 - Contain it

Limit the damage before you clean:

  1. Put the site into maintenance mode if you still can, or ask your host to take it offline temporarily. A hacked site can actively harm your visitors and your reputation while it's live - better dark for an hour than spreading malware.
  2. Change your passwords - WordPress admin, hosting, FTP, and the database. Use new, strong ones. If you reused any of these anywhere else, change those too.
  3. Call your hosting company. Good hosts deal with this constantly. Many can tell you what they're seeing, and some will help contain or even clean it. This is a completely reasonable thing to phone them about.

Step 3 - Find out how bad it is

Run your site through a free external scanner like Sucuri SiteCheck. It'll tell you whether you're serving malware and whether you've been added to any blacklists - which matters, because being blacklisted is what starts getting your emails binned and your site flagged in search results.

This gives you the honest scope. Sometimes it's a single injected file. Sometimes it's spread through many. Either way you now know what you're dealing with instead of guessing.

Step 4 - Clean it (the careful part)

This is where it gets genuinely technical, and where honesty is more useful than false confidence. A proper cleanup means:

  • Identifying and removing every piece of malicious code - not just the obvious symptom.
  • Checking core WordPress files against known-good versions.
  • Inspecting the database for injected content and rogue admin accounts.
  • Finding the entry point - the vulnerable plugin or weak password they used - and closing it, so you don't simply get reinfected.

If you're comfortable in the files and the database, you can work through this. If a phrase like "check core files against known-good versions" makes your stomach drop, this is the point to hand it to someone who does it regularly. A missed backdoor means you'll be doing all of this again next week.

Step 5 - Restore from a clean backup (if you have one)

If you have a backup from before the compromise, restoring it is often the fastest route back - provided you then immediately close whatever let them in. Restore the clean site, then update everything and change every password, or you've simply reset the clock on the same break-in.

And if you don't have a backup - that's the lesson landing at the worst possible moment, and we'll come back to it.

Step 6 - Lock the door behind you

Once you're clean, close the holes:

  • Update WordPress core, every plugin, and your theme.
  • Delete any plugin or theme you're not using - inactive ones are still an entry point.
  • Strong, unique passwords everywhere, and two-factor authentication on your admin login.
  • Get on a hosting setup that includes real security, or add a reputable security plugin.
  • Make sure backups are running - off-site, automatic, and actually tested.

How to make sure this never happens again

Here's the uncomfortable truth about almost every WordPress hack: it got in through a known vulnerability in an out-of-date plugin. Not a sophisticated targeted attack - an automated bot, scanning the whole internet for sites running a specific old version with a specific published hole, and finding yours. (If you want the full mechanism, we broke it down in what happens if you don't update your plugins.)

Which means it was preventable. Keeping everything updated, backed up and monitored is unglamorous, easy to forget, and the single most effective protection there is. The sites that get hacked are, overwhelmingly, the ones nobody was tending.

That's the entire case for ongoing maintenance - not as an upsell, but as the difference between "a plugin update ran on Tuesday and you never thought about it" and the afternoon you're having right now.

If you'd like someone to handle the cleanup, or simply to make sure this doesn't happen again once you're back on your feet, that's exactly what we do - a Website Care Plan keeps everything updated, backed up and monitored so this stays in the past. But first - work through the steps above. Contain it, and you've already done the most important part.

Related reading

Wondering what shape your own site is in?

Get a free 27-point Website Health Check - security, speed, accessibility and SEO. Plain English, no pitch.

Check my site

More to read

Image for A Step-by-Step Tutorial on Using Shopify Metaobjects

A Step-by-Step Tutorial on Using Shopify Metaobjects

In this tutorial, we will walk you through the process of using Shopify Metaobjects effectively, enabling you to extend your store's functionality and customize your data storage.

Continue reading
Image for Shopify Websites: How to Create Effective Lead Generation

Shopify Websites: How to Create Effective Lead Generation

Getting leads doesn't have to be difficult. Here's a guide on how to create an effective lead generation system.

Continue reading
Image for COVID-19: How to use Shopify to get your small business website up and running

COVID-19: How to use Shopify to get your small business website up and running

With most brick and mortar stores closed during this pandemic, we are seeing more and more online sales. It's relatively easy to start selling on Shopify and to continue your revenue stream.

Continue reading

Let's keep in touch

* We won't spam you or give your email to anyone.

Signup for Shopify Free Trial Try for Free