WordPress Site Hacked: What to Do Right Now (2026 Guide)

9 min read · AstraLoop Studio

You open your site and instead of the homepage there's a page in Chinese. Or Google flags it with "this site may harm your computer." Or a client emails you saying spam is going out from your domain. However it shows up, the verdict is clear: your WordPress site has been hacked. And the first instinct, wipe everything and start over, is almost always the most expensive mistake you can make. You lose the evidence, you never find out how they got in, and within two weeks you're breached again through the exact same door.

This guide gives you the emergency procedure in the right order, no unnecessary jargon, and explains the root cause behind most of these attacks in 2025. Because the real problem isn't cleaning the site once. It's understanding why it happened and closing that hole for good.

Illustration of a website with a broken padlock and a person following an organized emergency procedure

First things first: stay calm and don't make it worse

A compromised site triggers panic, and panic leads to bad decisions. Before you touch anything, keep three rules in mind.

  • Don't delete anything in the first few hours. Infected files, logs, and suspicious accounts are the evidence that will tell you how the attacker got in. Wipe everything right away and you're starting over blind.
  • Don't pay any ransom demand without first assessing the situation with someone who knows what they're doing. Many WordPress "ransom" notes are bluffs: the site is recoverable from backup.
  • Don't just change the admin password and hope that's enough. If the attacker already planted a backdoor in the files, changing the password won't lock them out.

You need a method. And that's exactly what's missing when people improvise: the urge to "get the site back online" before understanding what actually happened is why so many sites get hit again within days. A job done properly is part of a broader cybersecurity audit of your site, not a one-off first-aid patch.

The step-by-step emergency procedure

1. Put the site into maintenance mode (or take it offline)

If the site is serving spam pages, redirecting visitors to scam sites, or spreading malware, every minute it stays online damages your visitors and your reputation. Turn on a maintenance page, or better yet, ask your host to take the site temporarily offline. That's not an embarrassment, it's containment. Google penalizes a site that spreads malware for days far more harshly than one that's briefly unreachable.

2. Change every password, not just the WordPress one

Compromised credentials are rarely limited to just one. Change, in this order:

  1. Your hosting panel password (cPanel, Plesk, or client area)
  2. WordPress admin users (and check whether new ones have appeared that you didn't create)
  3. Database username and password (then update wp-config.php)
  4. FTP/SFTP account
  5. The secret keys (SALTs) in wp-config.php: regenerating them invalidates every active session, kicking out anyone still logged in

Turn on two-factor authentication (2FA) on both hosting and WordPress while you're at it. Many intrusions start with a simple brute-force attack on the admin password, and 2FA renders that useless.

3. Take a forensic copy of the current state

Before cleaning anything up, download a full copy of the files and database exactly as they are now, infection included. You'll need it for analysis (figuring out how they got in) and, if the attack involved a personal data breach, as documentation. Name the folder clearly, something like site-compromised-2026-07-05, and keep it separate from your clean backups.

4. Find and remove the malware

This is where DIY parts ways with a serious job. There are three tools to start with.

  • Comparison against original files: the WordPress core files and official plugin or theme files can be downloaded clean. Any difference in the core is 99% suspicious.
  • Searching for obfuscated code: strings like eval(base64_decode(, gzinflate, .php files with random names inside wp-content/uploads (where executable PHP should never exist).
  • Scanning plugins (Wordfence, Sucuri, MalCare) for a first automated pass.

An honest warning: scanning plugins catch the obvious malware, but well-hidden backdoors survive. If the site gets reinfected after cleanup, it means a backdoor was left behind. That's why, past a certain point, it's worth having a manual review done by someone who actually reads the code, not just a tool that runs a scan and declares "clean."

5. Restore from a clean backup (if you have one)

If you have a backup from before the infection and you're reasonably confident about the date, restoring it is often the fastest, safest route. Two things to watch out for: pin down when the infection started (yesterday's backup might already be infected), and if you restore, apply every update immediately, or you'll bring back the exact vulnerability that caused all this in the first place.

6. Update everything and rebuild the site

WordPress core, every plugin, every theme. Delete plugins and themes you don't use: every piece of inactive code is still a potential way in. A deactivated theme that's still sitting there can be exploited just as easily as an active one.

Abstract illustration of stacked plugin blocks with one cracked, representing third-party vulnerability

7. Clean up your online reputation

Once the cleanup is done, the job isn't over. You need to let the world know the site is clean again.

  • Google Search Console: request a review to remove any "this site may be hacked" warning.
  • Blacklists: check whether the domain has ended up on any blocklists (Google Safe Browsing, antispam blacklists) and request removal.
  • Email: if the site sent spam, your domain may now have deliverability issues. Check your authentication records: properly configured SPF, DKIM, and DMARC reduce the risk of your emails landing straight in spam.

The root cause: why your site got breached

Cleaning up without understanding the cause is like bailing out a boat with a bucket without patching the hole. And statistically, the hole is almost always the same one.

In 2025, 11,334 new WordPress vulnerabilities were discovered, a 42% jump over the previous year. But the figure that should really make you stop and think is this: 97% of those flaws weren't in WordPress core at all, they were in third-party plugins and themes. WordPress core is generally solid and gets patched fast. The problem is you installing a free plugin of dubious origin, or one you haven't updated in two years, or a "premium" theme downloaded from a pirate site with a backdoor already baked in.

On top of that, there's the scale of automated attacks. WordPress sites get probed on average every 32 minutes by bots hunting for known vulnerabilities, and in 2025 AI-powered botnets grew by 45%. Nobody needs to be targeting you personally, it's an industrial-scale sweep. If you have a vulnerable plugin, a bot will find it sooner or later. We covered this in depth in our dedicated guide to WordPress plugin vulnerabilities, worth a read if you manage several sites.

The most common ways in

CauseHow it shows upPrevention
Vulnerable, unpatched plugin or themeBackdoor, spam injection, redirectsTimely updates, remove what you don't use
"Nulled" (pirated) plugin or themeMalware pre-installed in the codeOfficial sources only, never cracked software
Weak passwords and no 2FABrute-force attack on the admin accountStrong passwords, 2FA, login attempt limits
Poorly isolated shared hostingContagion from another site on the same serverQuality hosting, proper site isolation
Outdated PHP and server softwareExploitation of known server-level flawsUpdated versions, server hardening

The lesson is clear: in the vast majority of cases, your site wasn't breached through some sophisticated technique, it was breached through missed maintenance. And that's actually good news, because it means it's preventable.

Has your site been breached, or do you suspect something's off? Ask us for an assessment: we track down the root cause, clean the site, and tell you how to stop it happening again.

It's not just a hacked site, you may have a data problem too

There's an angle owners tend to underestimate. If the site holds customer data (accounts, orders, contact forms, newsletter subscribers) and the attacker was able to access it, you're looking at a potential personal data breach under GDPR. In that case, cleaning the files isn't enough: you may be required to notify the Italian Data Protection Authority (Garante Privacy) within 72 hours of discovery. That's not a formality, the timing is what separates a well-handled incident from a fine.

We cover this in detail in our guide on what to do in the 72 hours after a data breach and in the one on what counts as a data breach under GDPR. The point for you today is simple: a hacked site with customer data on it isn't just a technical problem, it's also a compliance issue that needs to be assessed right away.

How to avoid ending up here again in six months

The difference between getting hacked once and becoming a repeat target comes down entirely to prevention. Here's the essential list, in order of importance.

  • Constant updates. Core, plugins, and themes. It's tedious, but it's the single most effective thing you can do. Turn on automatic updates, at least for security releases.
  • Fewer plugins, better ones. Every plugin is attack surface. Keep only what you actually use, downloaded from official sources, actively maintained by its developer.
  • Automated backups, actually tested. A backup you've never tried to restore isn't a backup, it's a hope. Verify that it works.
  • 2FA and real passwords everywhere. Hosting, WordPress, FTP, database.
  • A web application firewall (WAF) that blocks bots before they reach the site.
  • Monitoring that alerts you the moment a file changes without you touching it.

If you run an e-commerce store, the stakes are higher: payment data, orders, the entire continuity of the business depend on the site. It's worth reading our dedicated guide on cybersecurity for e-commerce, which covers the risks specific to online stores.

The next step up: from emergency to audit

Cleaning up a hacked site is the cure. An audit is the prevention. A website security audit doesn't just run a scanner, it manually reviews configuration, attack surface, permissions, and access management, and hands you a concrete priority list. It's the difference between "seems fine" and "we know exactly where the holes were, and we closed them."

For a structured company, the thinking goes beyond a single site and becomes part of a broader cybersecurity strategy for SMBs, where the website is just one front among several. According to the 2026 Clusit Report, SMBs account for 72% of attack targets in Italy, and vulnerability exploitation has grown 65% since 2024. This is no longer just a "big company" problem: anyone with a website, and with data, is a target.

In short: the sequence to remember

  1. Contain it: maintenance mode, no panic, don't destroy the evidence.
  2. Lock down access: change every password, turn on 2FA, regenerate the SALTs.
  3. Take a forensic copy of the infected state.
  4. Clean up: remove malware and backdoors (manually, if the site keeps getting reinfected).
  5. Restore from a clean backup and update everything.
  6. Recover your reputation: Search Console, blacklists, email.
  7. Assess GDPR exposure if customer data was involved.
  8. Close the root cause and move on to prevention.

A hacked site isn't the end of the world, but it is a warning sign that shouldn't be silenced by simply cleaning up and moving on. The real problem is almost always neglected maintenance, and that's exactly where you need to step in to stop it happening again.

Frequently asked questions

How long does it take to clean up a hacked WordPress site?

It depends on how bad it is. A surface-level infection with a clean backup available can be fixed in a few hours. A site with multiple backdoors and no reliable backup can take one or more full days of manual work, because every file has to be checked to keep the malware from resurfacing.

Can I clean the site myself, or do I need a professional?

If you have technical skills, a clean backup, and the infection is recent and contained, you can try it with plugins like Wordfence or Sucuri. If the site gets reinfected after cleanup, if customer data was involved, or if you don't understand how they got in, it's worth turning to someone who does manual cleanup and audits: automated scanners often miss hidden backdoors.

How do I know if my WordPress site has been hacked?

Typical signs include redirects to unknown sites, spam pages you never created, warnings from Google or your browser, sudden slowdowns, spam emails sent from your domain, admin users you don't recognize, or PHP files with random names in the uploads folder. A security plugin will flag suspicious changes for you.

Is changing the admin password enough to secure the site again?

No. If the attacker has already installed a backdoor in the files, changing the password won't lock them out, they can come back whenever they want. You need to remove the malware, regenerate the SALT keys in wp-config.php, update everything, and close the vulnerability that let them in.

Why does my site keep getting hacked even after cleanup?

Almost always for one of two reasons: a hidden backdoor survived the scan, or the original vulnerability was never closed (an unpatched plugin, a pirated theme). Cleaning up without eliminating the root cause inevitably leads to reinfection.

Can a hacked WordPress site cause legal problems under GDPR?

Yes, if the site holds customers' personal data and the attacker was able to access it. In that case, you may be required to notify the Italian Data Protection Authority of the breach within 72 hours of discovery. It's something to assess right away, not just after the files are cleaned.

Want to find the holes before a bot does? Talk to us and let's look at a security audit for your site together.