What to do if your WordPress website gets hacked

by Jason Sindram | Oct 22, 2025 | Security & Recovery, Website Issues & Fixes, WordPress Maintenance, WordPress Security

Introduction

Finding your WordPress site hacked is stressful: redirects, warning banners from Google, or strange pop-ups. The best first response is calm, not panic. With a set of clear actions you can limit damage and restore your site quickly. Below: immediate actions, recovery steps, and prevention measures, all focused on practical WordPress help.


Immediate actions (do these right away)

  1. Stay calm and document what you see
    Take screenshots, note error messages, and list suspicious URLs. This information helps you and any professional who assists.

  2. Take the site offline / enter maintenance mode
    Prevent further damage by temporarily disabling the public site via your hosting control panel or a maintenance plugin.

  3. Change all passwords immediately
    Update passwords for:

    • WordPress admin accounts

    • Hosting / FTP / cPanel

    • Any email accounts linked to the site
      Use strong passwords and enable two-factor authentication (2FA) where possible.

  4. Create a full backup (files + database)
    Even an infected backup is useful for analysis and recovery. Download it and store it safely.

  5. Inform your hosting provider
    Many hosts offer incident procedures, scanning, or temporary isolation; they can also provide logs.


Recovery steps (what professionals do)

  1. Run malware scans
    Use reputable scanners (e.g., Wordfence, Sucuri) or request a deep scan from a security specialist.

  2. Check file changes and unknown files
    Hackers often add rogue PHP files or modify core WordPress files. Compare files to a clean WordPress install.

  3. Remove infected files and restore core files
    Replace compromised core files with clean versions, and update themes and plugins to the latest secure releases.

  4. Audit users and permissions
    Remove suspicious admin accounts and correct file permissions (644 for files, 755 for folders).

  5. Reset API keys & integrations
    Replace keys for services like reCAPTCHA, payment gateways, and other integrations.

  6. Request Google review
    If Google flagged your site, submit a re-review after cleaning so warnings are removed.
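
One way to carry out steps 2 and 4 above with a script (an added example, not code from the original article): it compares the live tree with a freshly downloaded copy of the same WordPress version and lists changed core files, unknown files, and permissions looser than 644 for files or 755 for folders. The function names, the `EXPECTED_EXTRA` allowlist, and the handling of `wp-content` are assumptions.

```python
import hashlib
import os
import stat
from pathlib import Path

# Assumption: files a live site has that a fresh WordPress download lacks.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(site_root, clean_root):
    """Compare a live tree against a clean WordPress copy of the same version."""
    site, clean = Path(site_root), Path(clean_root)
    report = {"modified": [], "unknown": [], "bad_perms": []}
    for dirpath, dirnames, filenames in os.walk(site):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(site).as_posix()
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                report["unknown"].append(rel)  # list symlinks for manual review
                continue
            is_dir = stat.S_ISDIR(st.st_mode)
            # Flag any permission bit beyond 755 (folders) or 644 (files).
            if stat.S_IMODE(st.st_mode) & ~(0o755 if is_dir else 0o644):
                report["bad_perms"].append((rel, oct(stat.S_IMODE(st.st_mode))))
            if is_dir:
                continue
            ref = clean / rel
            if ref.is_file():
                if sha256(path) != sha256(ref):
                    report["modified"].append(rel)
            elif rel.startswith("wp-content/"):
                # Assumption: themes, plugins and media are site-specific, so
                # from wp-content only PHP files under uploads are reported.
                if rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
                    report["unknown"].append(rel)
            elif rel not in EXPECTED_EXTRA:
                report["unknown"].append(rel)
    return {k: sorted(v) for k, v in report.items()}
```

Call `audit("/path/to/site", "/path/to/clean-wordpress")` and review each reported path by hand before deleting or replacing it.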


Prevention — stop it happening again

  • Keep WordPress core, themes and plugins updated.

  • Remove unused plugins and themes. Less code = fewer vulnerabilities.

  • Add 2FA and limit login attempts. Use a firewall and reCAPTCHA.

  • Use a Web Application Firewall (WAF) such as Cloudflare or Sucuri.

  • Daily off-site backups and occasional restore tests.

  • Limit admin accounts and grant only necessary privileges.

  • Regular security scans and monitoring.


How DP Websolutions helps

If you’d rather not handle this yourself, we provide:

  • Fast malware removal and site recovery (from €149)

  • Forensic reports and hardening (security improvements)

  • 24/7 monitoring and daily backups in our maintenance plans
    Don’t panic: we’ll act quickly and clearly.


Conclusion & Call to Action

If your site has been hacked: back up, change passwords, and take the site offline. Need us to fix it for you? Contact DP Websolutions for immediate WordPress help. No stress, no panic, we’ve got this.