
Your WordPress Site Got Hacked — Here's What to Do Right Now

Erik Palmquist · 8th and Palm · March 26, 2026

If your WordPress site has been hacked, here’s what to do right now: take the site offline or enable maintenance mode, change every password (WordPress admin, hosting, FTP, database), and contact your hosting provider. Then scan for malware, restore from a clean backup, and check Google Search Console for security warnings. Below is the full step-by-step recovery plan.

Step 1: Don’t Panic, But Move Quickly

A hacked site is stressful, but rushing through fixes without a plan can make things worse. The goal in the first 30 minutes is containment: stop the bleeding before you start cleaning up.

If you can still access your WordPress dashboard, install a maintenance mode plugin or add a simple maintenance page. If you can’t log in at all, contact your hosting provider and ask them to take the site offline temporarily. Most hosts (GoDaddy, SiteGround, WP Engine) have emergency support lines for exactly this situation.

This matters more than you might think. According to Patchstack’s 2025 State of WordPress Security report, 7,966 new WordPress vulnerabilities were disclosed in 2024, a 34% increase from the previous year. And 96% of those vulnerabilities came from plugins.

Step 2: Change Every Password — All of Them

Hackers who get into WordPress typically grab stored credentials. Change these immediately:

  • WordPress admin password for every user account
  • Hosting control panel password (cPanel, Plesk, or your host’s dashboard)
  • FTP/SFTP credentials — if you have them, change them
  • Database password — your hosting provider can help with this
  • Email accounts connected to your WordPress login

Use unique, complex passwords for each. If you’ve been reusing the same password across services, this is the wake-up call. A password manager like 1Password or Bitwarden makes this manageable.

Step 3: Scan for Malware and Identify the Breach

Before restoring anything, you need to understand what happened. Most hosting providers offer free malware scanning tools. You can also use services like Sucuri SiteCheck (free) or Wordfence to scan your files.

Look for:

  • Unknown admin accounts — hackers often create backdoor admin users
  • Modified core files — especially wp-config.php, .htaccess, and files in wp-includes
  • Suspicious plugins — anything you don’t recognize or didn’t install
  • Injected code — particularly in theme files (functions.php, header.php, footer.php)
  • Strange database entries — spam links or redirect scripts hiding in post content

According to Sucuri’s annual hacked website report, 50.58% of compromised WordPress sites had at least one backdoor installed. Simply cleaning the visible hack without finding the backdoor means you’ll be hacked again within days.
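As an added example (not code from the original post), here is a POSIX shell triage that automates three of the checks listed above against a local copy of the site: PHP files sitting in the uploads directory, PHP files modified recently, and theme or plugin files carrying common obfuscation markers. The root path, the seven-day window and the marker list are assumptions to tune for your own site, and the demo tree it builds is constructed, not a real installation.

```shell
#!/bin/sh
# Triage scan for a WordPress tree: automates the "look for" list in Step 3.
# Assumptions: $1 is the WordPress root; the marker list below is a starting
# point for common obfuscated injections, not a complete signature set.

wp_triage_scan() {
  root="$1"
  days="${2:-7}"
  # (a) PHP under uploads: that directory should hold media only, never code.
  find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
    | sed 's/^/uploads-php: /'
  # (b) PHP files modified within the window; compare the dates with your
  #     access logs to narrow down when the compromise started.
  find "$root" -type f -name '*.php' -mtime "-$days" \
    | sed "s/^/modified<${days}d: /"
  # (c) Theme and plugin files containing typical obfuscation markers.
  grep -rlE 'eval\(base64_decode\(|gzinflate\(|str_rot13\(' \
    "$root/wp-content/themes" "$root/wp-content/plugins" 2>/dev/null \
    | sed 's/^/suspicious-code: /'
}

# Number of findings, handy as a pass/fail gate after a cleanup or restore.
wp_triage_count() {
  wp_triage_scan "$1" "${2:-7}" | wc -l | tr -d ' '
}

# Constructed demo tree (not a real site): one clean theme file, one footer.php
# with an injected eval marker, one PHP file dropped into uploads.
make_demo_site() {
  d="$1"
  mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads/2026/03" \
           "$d/wp-content/plugins/clean"
  printf '<?php\nadd_action("wp_footer", "demo_footer");\n' \
    > "$d/wp-content/themes/demo/functions.php"
  printf '<?php\n/* constructed sample */ eval(base64_decode("..."));\n' \
    > "$d/wp-content/themes/demo/footer.php"
  printf '<?php echo "constructed sample";\n' \
    > "$d/wp-content/uploads/2026/03/image.php"
  printf '<?php\n// clean plugin\n' > "$d/wp-content/plugins/clean/clean.php"
}
```

On a live site, pair this with `wp user list --role=administrator --fields=user_login,user_registered` (WP-CLI) to surface the unknown admin accounts the list above mentions.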

Step 4: Restore from a Clean Backup

If you have a backup from before the hack, this is your fastest path to recovery. Check with your hosting provider. Most maintain at least 30 days of backups.

When restoring:

  • Verify the backup date predates the hack (check your access logs for when suspicious activity started)
  • After restoring, immediately update WordPress core, all themes, and all plugins
  • Re-scan for malware after the restore to confirm it’s clean
  • Delete any plugins or themes you’re not actively using

If you don’t have a clean backup, you’ll need to manually clean each infected file or hire a WordPress security service. Sucuri, Wordfence, and MalCare all offer professional cleanup services, typically ranging from $200-500 per incident.

Step 5: Check Google Search Console

Google may have already flagged your site. Log into Google Search Console and check:

  • Security Issues report — Google will list specific pages with malware, phishing, or deceptive content
  • Manual Actions — if Google has penalized your site, this is where you’ll see it
  • Index coverage — look for unusual spikes in indexed pages (hackers sometimes create thousands of spam pages)

If your site has been flagged, Google will display a warning to visitors that says “This site may harm your computer.” That warning kills your traffic instantly. After you’ve cleaned the site, you can request a review through Search Console. Google typically reviews within 72 hours.

The business impact of a hack goes beyond the cleanup cost. With 78% of local mobile searches leading to a purchase within 24 hours (BrightLocal), every day your site is offline or flagged by Google is real revenue lost.

Step 6: Harden Your WordPress Site

Once you’re clean, take these steps to reduce (but not eliminate) future risk:

  • Update everything — WordPress core, every plugin, every theme
  • Remove unused plugins and themes — each one is a potential entry point
  • Enable two-factor authentication for all admin accounts
  • Limit login attempts to prevent brute-force attacks
  • Change your database prefix from the default wp_
  • Set proper file permissions (755 for directories, 644 for files)
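As an added example (not code from the original post), a small POSIX shell audit for the 755/644 permission baseline in the last bullet: it lists every path that deviates, and a separate fix function applies the baseline. It assumes the WordPress root as its argument and that you run the fix as the file owner; the demo tree is constructed.

```shell
#!/bin/sh
# Permission audit and fix for the Step 6 baseline: 755 directories, 644 files.
# Assumptions: $1 is the WordPress root; you run the fix as the file owner.

# List every path whose mode differs from the baseline, one per line.
wp_perm_audit() {
  root="$1"
  find "$root" -type d ! -perm 755 | sed 's/^/dir-not-755: /'
  find "$root" -type f ! -perm 644 | sed 's/^/file-not-644: /'
}

# Number of deviations; zero means the tree matches the baseline.
wp_perm_audit_count() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the baseline. "-exec ... +" batches paths into few chmod calls.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Constructed demo tree: a world-writable uploads directory and an executable
# wp-config.php, the kind of leftovers a rushed FTP upload or a compromise leaves.
make_perm_demo() {
  d="$1"
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
  printf '<?php\n' > "$d/wp-config.php"
  printf '<?php\n' > "$d/wp-includes/version.php"
  chmod 755 "$d" "$d/wp-content" "$d/wp-includes"
  chmod 777 "$d/wp-content/uploads"
  chmod 755 "$d/wp-config.php"
  chmod 644 "$d/wp-includes/version.php"
}
```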

These steps help, but they don’t solve the fundamental problem.

Why This Keeps Happening: The WordPress Architecture Problem

The uncomfortable truth: if you stay on WordPress, you’re managing an ongoing security operation. Every plugin is a potential vulnerability. Every update is a potential conflict. Every month brings new patches you need to apply before someone exploits the hole.

WordPress powers over 40% of the web and it works well for many use cases. But for service businesses that depend on their website to generate leads, the security maintenance burden is a real cost.

Consider what your time is worth. If you spend 2-4 hours per month on WordPress security updates, plugin maintenance, and backup verification, that’s 24-48 hours per year. For a business owner billing $150-300/hour, that’s $3,600-$14,400 in opportunity cost annually — on top of the hosting, security plugins, and the ever-present risk of a breach like the one you’re dealing with right now.

For a deeper look at the vulnerability landscape, read our guide on WordPress security vulnerabilities every business owner should understand.

The Alternative: Eliminate the Attack Surface Entirely

Modern static-site architecture works fundamentally differently from WordPress. Instead of running a database, a server-side language, and dozens of plugins on every page request, modern frameworks generate plain HTML files at build time. Those static files get served from a global content delivery network.

There’s no database to inject into. No admin login page to brute-force. No plugins with unpatched vulnerabilities. No PHP execution on the server.

The result is an attack surface so narrow it functionally disappears for the kinds of automated exploits that hit WordPress sites every day.

This is why we help service businesses migrate off WordPress to modern static architecture. After migration, security patches and plugin monitoring disappear from your to-do list. So does the worry about waking up to a hacked site.

Curious how your current site performs? Our free speed grader tests your site against Google’s performance benchmarks and shows you exactly where you stand.

Frequently Asked Questions

Q: How do I know if my WordPress site has been hacked?

A: Common signs include unexpected redirects to other websites, new admin users you didn’t create, spam content appearing in your pages, your hosting provider suspending your account, Google Search Console security warnings, and a sudden drop in search traffic. If your site is loading unfamiliar content or behaving unpredictably, assume a compromise and start the triage steps above.

Q: How much does it cost to clean up a hacked WordPress site?

A: Professional cleanup services range from $200-500 per incident. But the real cost includes lost revenue while the site is down, potential damage to your Google rankings, and the time you spend managing the recovery. For businesses that generate leads through their website, a hack that takes the site offline for a week can easily cost thousands in lost opportunities.

Q: Can I prevent my WordPress site from being hacked?

A: You can reduce the risk significantly with regular updates, strong passwords, two-factor authentication, and security plugins. But you can’t eliminate the risk entirely — WordPress’s architecture requires ongoing vigilance. With nearly 8,000 new vulnerabilities disclosed in 2024 alone (Patchstack), staying ahead of every threat is a full-time job. The only way to truly eliminate the risk is to move to an architecture that doesn’t have the same attack surfaces.

Q: Will migrating to a modern site protect me from all security threats?

A: No technology is 100% immune, but modern static sites eliminate entire categories of attack. There’s no database to breach, no server-side code to exploit, and no plugin ecosystem to patch. The most common WordPress attack vectors — SQL injection, cross-site scripting through plugins, brute-force login attempts — simply don’t apply. For most service businesses, this reduces security risk by 95%+ compared to a typical WordPress setup.

Q: How long does it take to migrate off WordPress?

A: A typical migration takes 4-8 weeks depending on site complexity. You can see our complete process at how it works, and our services page breaks down the three migration tiers we offer. If you’re recovering from a hack right now, reach out — we’ve helped businesses use the recovery moment as the catalyst for a permanent upgrade.