The first hours: contain, don't improvise

The first step is not reinstalling plugins or changing passwords blindly. It is limiting damage and understanding what happened.

If you can, put the site in maintenance mode or restrict public access while you assess. Do not delete files or the database without a copy: that makes it harder to see what changed and recover legitimate content.

Write down what you see: odd redirects, Google Search Console warnings, emails from your host, plugins that deactivated on their own, admin users you do not recognize, or new files in core folders.

  • Back up files and database even if infected (useful to compare and analyze).
  • Change passwords for WordPress, FTP/SFTP, hosting panel, and email tied to the domain.
  • Review administrator users and active API keys.
  • Check whether the SSL certificate is still valid and whether DNS changed without your action.

Typical signs of a compromised WordPress site

There is not always a red screen that says “hacked.” Often the site “works” but redirects elsewhere, shows spam in the source code, or sends unwanted mail from the server.

  • Redirects to unknown sites (sometimes only for mobile visitors or only for visitors arriving from Google).
  • Suspicious PHP files in wp-content, wp-includes, or the web root.
  • Plugins or themes you did not install.
  • Sharp drop in organic traffic or browser “dangerous site” warnings.
  • Bounce-back emails from spam sent using your domain.
  • Hosting resource usage spiking without more visits.
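
The following is an added example, not part of the original article: a read-only triage of the backup copy against a clean download of the same WordPress version, covering the "suspicious PHP files" and "new files in core folders" signs. The function names, the extension list, and the sample file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")         # folders that ship with WordPress core
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}  # may run as PHP, depending on server config

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(clean_root):
    """Relative path -> SHA-256 for a clean copy of the SAME WordPress version."""
    return {p.relative_to(clean_root).as_posix(): digest(p)
            for p in Path(clean_root).rglob("*") if p.is_file()}

def triage(backup_root, manifest):
    """Read-only pass over the backup copy; nothing is deleted or changed."""
    out = {"modified": [], "unknown_in_core": [], "php_in_uploads": [], "unknown_root_php": []}
    for p in sorted(q for q in Path(backup_root).rglob("*") if q.is_file()):
        rel = p.relative_to(backup_root).as_posix()
        is_php = p.suffix.lower() in PHP_EXT
        if rel in manifest:
            if digest(p) != manifest[rel]:
                out["modified"].append(rel)         # shipped file whose content changed
        elif rel.split("/", 1)[0] in CORE_DIRS:
            out["unknown_in_core"].append(rel)      # core folders should hold no extra files
        elif rel.startswith("wp-content/uploads/") and is_php:
            out["php_in_uploads"].append(rel)       # uploads should hold media, not scripts
        elif "/" not in rel and is_php and rel != "wp-config.php":
            out["unknown_root_php"].append(rel)     # wp-config.php is site-specific: read it by hand
    return out

def demo():
    """Constructed sample trees (harmless placeholder files) with one finding of each kind."""
    base = {"index.php": "<?php // front", "wp-includes/version.php": "<?php // version"}
    odd = {"index.php": "<?php // front, plus an added line", "wp-config.php": "<?php // config",
           "wp-includes/cache-x.php": "<?php", "wp-content/uploads/2024/a.php": "<?php",
           "wp-content/uploads/2024/photo.jpg": "jpg", "wp-load2.php": "<?php"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, backup = Path(tmp, "clean"), Path(tmp, "backup")
        for root, files in ((clean, base), (backup, {**base, **odd})):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        return triage(backup, build_manifest(clean))

if __name__ == "__main__":
    print(demo())
```

A path that appears in none of the lists is not proven clean: plugins and themes that do not ship with core are outside the manifest and need their own comparison against vendor copies.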

What not to do (even if you want to)

Installing “the most popular security plugin” before cleaning often leaves backdoors active. The same happens if you restore an old backup without knowing when the site was last clean.

Ignoring the problem hoping it fixes itself is also a bad idea: infected sites are often used for phishing, spam, or attacks on other servers, and your host may suspend the account.

  • Do not pay ransoms or trust services promising cleanup in 5 minutes without reviewing access.
  • Do not reuse the same password for hosting, WordPress, and email after the incident.
  • Do not take the site offline without keeping evidence if you may need to file a claim or run an audit later.

One-off cleanup vs. full review

A proper cleanup includes: finding the entry point, removing malware, reviewing themes and plugins, updating core and extensions, tightening permissions, and checking for hidden cron jobs or users.

On cheap shared hosting the plan may be saturated or misconfigured: cleaning WordPress helps, but sometimes the root cause is leaked credentials, an abandoned plugin, or an environment not updated for years.

When the site is business-critical — sales, bookings, brand — it is worth reviewing hosting, backups, and access, not only deleting infected files.

When to get help

It makes sense to reach out if you have no reliable backup, if the site got reinfected after cleaning, if you do not know how the attacker got in, or if you need to go back live quickly without losing SEO or email.

On an initial review we look at the site, hosting, and access. We tell you whether a targeted fix is enough, or whether migrating or hardening the environment makes sense — without pressure or inflated packages.