A hacked WordPress site is every website owner’s nightmare — lost data, SEO drops, and customer trust at risk. But don’t panic. In this guide from Thememin (https://thememin.com), we’ll walk you through what to do immediately after discovering your WordPress site has been hacked, and how to prevent it from happening again.
🚨 Step 1: Identify the Hack
Common signs your WordPress site has been hacked:
- Unexpected redirects to other sites
- Unknown admin users in your dashboard
- Spammy popups or defaced pages
- Google marks your site as “Not Secure” or “This site may be hacked”
- Drop in site traffic or warnings from Google Search Console
If any of these sound familiar, your site may have been compromised.
🛡️ Step 2: Put Your Site into Maintenance Mode
Immediately take your site offline to protect users and limit damage:
- Use a maintenance plugin (if you can still access the dashboard)
- Or ask your host to temporarily disable public access
This gives you breathing room to fix the issue without spreading malware or affecting your visitors.
🔍 Step 3: Scan for Malware and Backdoors
Run a full malware scan using tools like:
- Wordfence Security (plugin)
- Sucuri SiteCheck (online tool)
- MalCare (plugin with auto-cleanup)
These tools help you detect injected code, malicious files, or modified themes/plugins.
Tip: If you’re locked out of wp-admin, install Wordfence or Sucuri via FTP and trigger scans manually.
💾 Step 4: Restore from a Clean Backup (If Available)
If you have a recent backup from before the hack, restore it. Most good hosts provide automatic daily backups:
- Log in to your hosting panel
- Choose a backup dated before the attack
- Restore files and database
Make sure to change all credentials afterward.
🧹 Step 5: Remove the Hack Manually (If No Backup Exists)
If no backup is available:
- Delete and reinstall all core WordPress files
- Replace all themes and plugins with fresh versions
- Clean your uploads folder and check for suspicious files
- Use malware scanners to identify and delete rogue code
- Search your database for injected spam content (e.g. base64-encoded strings or injected iframes)
If you’re unsure, hire a WordPress malware cleanup expert.
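As an added example that is not part of the Thememin post, the POSIX shell script below does the read-only triage that Steps 3 and 5 describe: it lists PHP files sitting inside wp-content/uploads (where none should exist), PHP files changed in the last few days, files containing constructs that injected code commonly uses, and lines in a database dump that carry the same constructs. Nothing is deleted; you review the output before cleaning. The directory layout, the token list and the sample files are constructed for the demo, and the site root and dump path are assumptions, so point it at your own document root and a fresh database export instead.

```shell
#!/bin/sh
# Added example (not from the Thememin article): read-only triage of a
# WordPress tree after a suspected compromise. Reports findings only.

# Heuristic tokens that are rare in clean themes/plugins but common in
# injected code. Constructed list; tune it for your own site.
SUSPICIOUS_RE='base64_decode|eval\(|gzinflate|str_rot13|<iframe'

# PHP should never execute from the uploads directory; any script there is a finding.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# PHP files modified within the last $2 days (default 7) anywhere in the tree.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime -"${2:-7}" | sort
}

# PHP files whose contents match the heuristic tokens.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null | sort
}

# Number of lines in a SQL dump (e.g. from "wp db export") that carry the
# same tokens; this covers spam injected into wp_posts or wp_options rows.
suspicious_sql_lines() {
    grep -cE "$SUSPICIOUS_RE" "$1" || true
}

# Builds a small constructed WordPress-like tree for the demo; not a real site.
make_sample_site() {
    site="$1"
    mkdir -p "$site/wp-content/themes/clean" "$site/wp-content/plugins/demo" \
             "$site/wp-content/uploads/2024/05"
    printf '<?php add_action("init", "clean_init");\n' > "$site/wp-content/themes/clean/functions.php"
    printf '<?php // demo plugin, untouched for years\n' > "$site/wp-content/plugins/demo/demo.php"
    touch -t 202001010000 "$site/wp-content/plugins/demo/demo.php"   # make it look old
    printf 'not really an image\n' > "$site/wp-content/uploads/2024/05/photo.jpg"
    # Constructed finding: a PHP file in uploads that calls base64_decode (harmless here).
    printf '<?php echo base64_decode("aGVsbG8=");\n' > "$site/wp-content/uploads/2024/05/wp-cache.php"
    # Constructed dump: one clean post and one row carrying an injected iframe.
    printf "INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome</p>');\n" > "$site/dump.sql"
    printf "INSERT INTO wp_posts VALUES (2,'About','<p>Us</p><iframe src=\"http://example.invalid/x\"></iframe>');\n" >> "$site/dump.sql"
}

# Prints a triage report for one site root.
report() {
    echo "== PHP files inside uploads (should be none) =="; php_in_uploads "$1"
    echo "== PHP files modified in the last 7 days =="; recently_modified_php "$1" 7
    echo "== Files matching suspicious tokens =="; suspicious_php "$1"
    echo "== Suspicious lines in database dump =="; suspicious_sql_lines "$1/dump.sql"
}

demo_site=$(mktemp -d)
make_sample_site "$demo_site"
report "$demo_site"
rm -rf "$demo_site"
```

On the constructed tree the report flags the single PHP file under uploads, the two PHP files written today (the old plugin file drops out of the 7-day window) and the one dump row with an iframe. Expect false positives on real sites: some legitimate plugins use base64_decode, so treat matches as a review list rather than a delete list, and compare core and plugin files against fresh copies as Step 5 says.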
🔐 Step 6: Change All Passwords and Credentials
Change credentials for:
- All WordPress users (especially Admin)
- FTP/SFTP accounts
- Hosting panel (e.g. cPanel or Plesk)
- Database user (optional but recommended)
Enable 2FA where possible.
📬 Step 7: Check Search Engine Status and Submit for Review
If your site is blacklisted:
- Log in to Google Search Console
- Go to Security Issues
- Fix all flagged issues
- Click Request Review to have your site rechecked
It may take a few days for warnings to disappear after approval.
🔄 Step 8: Harden WordPress for the Future
Once clean, strengthen your site security:
- Install a security plugin (e.g. Wordfence, Sucuri, or iThemes Security)
- Keep themes, plugins, and WordPress core updated
- Disable XML-RPC if not needed
- Limit login attempts
- Use unique, strong passwords for all accounts
At Thememin, we recommend regular scans, off-site backups, and firewall protection for every site.
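As an added example, not from the Thememin post, the shell script below applies the file-level parts of Step 8 on an Apache host and verifies them: it denies web access to xmlrpc.php (the "disable XML-RPC" item), denies PHP execution inside wp-content/uploads (the hole the Step 5 uploads cleanup is about), and tightens permissions so wp-config.php is readable only by its owner. It assumes Apache 2.4 with AllowOverride enabled for the document root and a site that does not depend on XML-RPC; the demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the Thememin article): apply and verify three
# file-level hardening measures on a WordPress document root.
# Assumes Apache 2.4 with .htaccess overrides enabled.

XMLRPC_BLOCK='# BEGIN deny-xmlrpc
<Files "xmlrpc.php">
    Require all denied
</Files>
# END deny-xmlrpc'

UPLOADS_BLOCK='# BEGIN deny-php-in-uploads
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
# END deny-php-in-uploads'

# Append the xmlrpc block to the root .htaccess once (safe to rerun).
block_xmlrpc() {
    ht="$1/.htaccess"
    grep -q 'BEGIN deny-xmlrpc' "$ht" 2>/dev/null || printf '%s\n' "$XMLRPC_BLOCK" >> "$ht"
}

# Write an uploads .htaccess that refuses to serve any PHP file.
block_php_in_uploads() {
    mkdir -p "$1/wp-content/uploads"
    printf '%s\n' "$UPLOADS_BLOCK" > "$1/wp-content/uploads/.htaccess"
}

# Directories 755, files 644, wp-config.php 600 (owner read/write only).
lock_down_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
}

# Checks: each prints 1 when the control is in place, 0 otherwise.
xmlrpc_blocked()      { grep -q 'BEGIN deny-xmlrpc' "$1/.htaccess" 2>/dev/null && echo 1 || echo 0; }
uploads_php_blocked() { grep -q 'BEGIN deny-php-in-uploads' "$1/wp-content/uploads/.htaccess" 2>/dev/null && echo 1 || echo 0; }
# Permission string of wp-config.php as ls prints it, e.g. -rw-------
wpconfig_mode()       { ls -ld "$1/wp-config.php" | cut -c1-10; }

harden_site() {
    block_xmlrpc "$1"
    block_php_in_uploads "$1"
    lock_down_permissions "$1"
}

# Constructed demo tree; replace with your real document root.
demo=$(mktemp -d)
printf "<?php define('DB_NAME', 'demo');\n" > "$demo/wp-config.php"
printf 'RewriteEngine On\n' > "$demo/.htaccess"
harden_site "$demo"
harden_site "$demo"    # rerunning must not duplicate the xmlrpc block
echo "xmlrpc_blocked=$(xmlrpc_blocked "$demo") uploads_php_blocked=$(uploads_php_blocked "$demo") wp-config=$(wpconfig_mode "$demo")"
rm -rf "$demo"
```

After hardening, confirm the blocks work from a browser: requesting /xmlrpc.php and any .php path under /wp-content/uploads/ should return 403. The remaining Step 8 items (a security plugin, login attempt limits, updates and unique passwords) live in the WordPress dashboard rather than in files, so they are not covered by this script.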
🏁 Final Thoughts
Getting hacked is stressful, but recovery is possible. The key is quick action, clear steps, and long-term protection. Follow this guide to get back online fast — and don’t forget to learn from it.
Need help choosing a secure theme or plugin? Explore vetted products at Thememin.com — performance, security, and peace of mind come standard.