You get an email from your hosting provider flagging suspicious activity. Or your homepage is redirecting to a spam site. Or a client texts: “Your site is showing something weird.”

Your WordPress site has been hacked. The next hour matters more than you think — and how you respond in the first 60 minutes will determine how much damage is done and how fast you recover.

This guide walks you through the exact recovery sequence: confirming the breach, cleaning the infection, finding the entry point, and locking things down so it doesn’t happen again.


How to Know If You’ve Been Hacked

Before you act, confirm you’re dealing with a real incident. The most common signs of a compromised WordPress site are:

  • Google Search Console shows a “This site may be hacked” warning
  • Your hosting provider suspended the account for malware
  • Visitors get redirected to spam, pharmaceutical, or phishing sites
  • You see new admin users you didn’t create
  • The site loads a blank page or displays strange content
  • Your organic search traffic dropped suddenly without explanation
  • WordPress won’t accept your correct credentials

If any of these apply, you’re dealing with a real incident. Time to move.


The 60-Minute Recovery Plan

Work through these steps in order. Each one builds on the last.

Minutes 0–10: Contain the Damage

Your first priority is stopping the bleeding. Put your site into maintenance mode immediately — this prevents visitors from seeing defaced content or being exposed to malware. If your hosting provider has already suspended the account, skip this step.

Next, log in to your hosting control panel and revoke all FTP/SFTP credentials. Immediately change three passwords: your WordPress admin password, your hosting account password, and your database password. Do this now, before anything else, because attackers frequently leave backdoors tied to your original credentials.

Minutes 10–25: Scan for Malware

Run a deep malware scan. If you have the SwissWPSuite Security & Firewall module installed, trigger a full server-side scan from the Security Hub dashboard — it scans every PHP file, checks file integrity against known WordPress core hashes, and flags any injected code automatically.

If you’re running a manual scan, focus on these high-risk locations:

  • wp-includes/ and wp-admin/ directories — attackers often inject PHP files here
  • wp-config.php — check for eval() or base64_decode() code at the top or bottom
  • .htaccess — look for suspicious rewrite rules that redirect visitors
  • Any recently modified files — sort by modification date in your hosting file manager

Malware signatures to watch for: eval(base64_decode(...)), gzinflate, str_rot13, or long strings of obfuscated characters. These are not part of any legitimate plugin or theme.
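The manual scan above, as an added triage script that is not part of the original guide or of SwissWPSuite: it greps PHP and .htaccess files for the listed signatures, compares wp-admin/ and wp-includes/ against a manifest of clean core hashes (assumed to be supplied by you, e.g. computed from a fresh WordPress download), and flags anything modified in the last 72 hours. The install it scans is a constructed throwaway tree, not a real site.

```python
import hashlib, os, re, tempfile, time
from pathlib import Path

# Signatures from the guide, as regexes so spacing variations still match.
SIGNATURES = {
    "eval(base64_decode(...))": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "long obfuscated string": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_tree(root, core_hashes, recent_hours=72):
    """Return {relative_path: [reasons]}; core_hashes maps clean core paths to sha256."""
    root, cutoff, findings = Path(root), time.time() - recent_hours * 3600, {}
    flag = lambda rel, why: findings.setdefault(rel, []).append(why)
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.endswith((".php", ".htaccess")):  # covers wp-config.php and .htaccess too
            text = path.read_text(errors="replace")
            for name, pattern in SIGNATURES.items():
                if pattern.search(text):
                    flag(rel, f"signature: {name}")
        if rel.split("/", 1)[0] in ("wp-admin", "wp-includes"):  # must match manifest exactly
            expected = core_hashes.get(rel)
            if expected is None:
                flag(rel, "unknown file in core directory")
            elif expected != sha256(path):
                flag(rel, "core file hash mismatch")
        if path.stat().st_mtime > cutoff:
            flag(rel, f"modified in last {recent_hours}h")
    return findings

def build_demo_site():
    """Constructed throwaway install (not a real site): clean core + manifest, then three tamperings."""
    root, old = Path(tempfile.mkdtemp()), time.time() - 30 * 86400
    clean = {"wp-includes/functions.php": "<?php\nfunction wp_demo() { return 1; }\n",
             "wp-admin/index.php": "<?php\nrequire_once 'admin.php';\n"}
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
        os.utime(root / rel, (old, old))  # clean files look untouched for a month
    manifest = {rel: sha256(root / rel) for rel in clean}
    (root / "wp-includes/class-wp-demo.php").write_text("<?php eval(gzinflate(str_rot13('x')));\n")
    (root / "wp-admin/index.php").write_text(clean["wp-admin/index.php"] + "// appended\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\neval(base64_decode('" + "QUJD" * 60 + "'));\n")
    return root, manifest
```

Every hit still deserves a human look before deletion: a few legitimate plugins do call gzinflate or str_rot13, so treat a signature match as a lead and the hash mismatch or unknown-core-file reasons as the stronger evidence.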

Minutes 25–40: Remove the Infection

Once you’ve mapped the damage, you have two paths forward:

Option 1: Restore from a clean backup. This is the fastest and most reliable method. If you have an off-site backup from before the breach, restore it. Make sure the backup predates the infection — restore from at least 48–72 hours before the first sign of compromise. The SwissWPSuite Cloud Backup & Sync module stores automated daily snapshots off-site (S3/Google Drive), making this a one-click operation.

Option 2: Manually remove the malicious code. If you don’t have a clean backup — and this is exactly why backups matter — you’ll need to manually strip the infection. For core WordPress files, re-download a fresh copy from WordPress.org and replace the wp-admin/ and wp-includes/ directories entirely. For themes and plugins, inspect each file and remove any injected code blocks. After cleaning, run another scan to confirm the site is clear.

Minutes 40–50: Find the Entry Point

Do not skip this step. If you clean the site without understanding how attackers got in, they’ll be back within days using the same vulnerability.

The most common WordPress attack vectors:

  • Outdated plugins and themes — responsible for over half of all WordPress compromises
  • Weak or reused admin passwords — brute-force attacks are automated and relentless
  • Nulled or pirated plugins/themes — these almost always contain pre-installed backdoors
  • Unprotected wp-login.php or xmlrpc.php — mass scanners probe these endpoints constantly
  • Compromised shared hosting environment — a vulnerable neighbor site can cross-contaminate yours

Check your server access logs and WordPress login history for clues. Look for unusual IP addresses, repeated failed login attempts, or POST requests to unexpected file paths.
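The log review above, as an added example that is not part of the original guide: it parses combined-format access log lines and reports, per client IP, brute-force volume against wp-login.php and xmlrpc.php, IPs that logged in successfully after a brute-force run, and POSTs to PHP paths where a stock WordPress site never expects one. The list of expected POST endpoints is an assumption you should extend for your plugins; the log lines are constructed, not from a real server.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# PHP endpoints that legitimately receive POSTs on a stock site (assumed list);
# a POST to any other .php path, e.g. under wp-content/uploads/, deserves a look.
EXPECTED_POST = {"/wp-login.php", "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php",
                 "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php"}

def analyze(lines, threshold=10):
    """Summarise POST activity per client IP from raw access-log lines."""
    attempts, succeeded, odd, unparsed = Counter(), Counter(), defaultdict(set), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ip, path, status = m["ip"], m["path"].split("?", 1)[0], m["status"]
        if m["method"] != "POST":
            continue
        if path in ("/wp-login.php", "/xmlrpc.php"):
            # wp-login.php re-renders the form (200) on failure and redirects (302) on success;
            # xmlrpc.php answers 200 either way, so every POST to it counts as an attempt.
            if path == "/wp-login.php" and status == "302":
                succeeded[ip] += 1
            else:
                attempts[ip] += 1
        elif path.endswith(".php") and path not in EXPECTED_POST:
            odd[ip].add(path)
    brute = {ip: n for ip, n in attempts.items() if n >= threshold}
    return {
        "brute_force": brute,
        "logins_after_brute_force": sorted(ip for ip in brute if succeeded[ip]),
        "unexpected_post_targets": {ip: sorted(p) for ip, p in odd.items()},
        "unparsed": unparsed,
    }

# Constructed sample log (RFC 5737 documentation addresses), not from a real server.
SAMPLE_LOG = [f'203.0.113.5 - - [10/Oct/2024:13:55:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4821'
              for i in range(12)] + [
    '203.0.113.5 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2024:13:57:10 +0000] "POST /wp-content/uploads/2024/10/image.php HTTP/1.1" 200 93',
    '198.51.100.7 - - [10/Oct/2024:14:01:33 +0000] "GET /about/ HTTP/1.1" 200 12044',
    '198.51.100.7 - - [10/Oct/2024:14:02:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    'not a log line',
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An IP that appears in both brute_force and logins_after_brute_force is the one to chase first: it tells you the password was guessed, which credential to rotate, and a timestamp to line up against file modification times from the scan.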

Minutes 50–60: Harden and Lock Down

Now that you’re clean, close the doors:

  1. Update everything — WordPress core, every plugin, every theme. Zero exceptions.
  2. Delete unused plugins and themes — every inactive one is an attack surface, even if it’s deactivated.
  3. Enable a Web Application Firewall (WAF) — a WAF blocks malicious requests before they reach WordPress. The SwissWPSuite Security & Firewall module includes an AI-powered WAF that adapts to your traffic in real time.
  4. Protect wp-login.php — add two-factor authentication, limit login attempts, or IP-restrict admin access.
  5. Set up automated off-site backups — daily snapshots mean the next incident is a 1-click restore, not a 4-hour nightmare.
  6. Enable file integrity monitoring — know the instant any file is modified unexpectedly.

What This Experience Is Really Telling You

A hack is painful, but it forces clarity. It makes you answer questions you should have answered before it happened:

  • Do I have a clean, off-site backup I can restore from in minutes?
  • How long would it take to rebuild this site from scratch if I had to?
  • Do I know exactly who has admin access, and are their credentials secure?
  • Is there anything watching my site for changes right now?

If any of those answers made you uncomfortable, you have actionable work ahead of you.


Stop Reacting. Start Preventing.

The best time to set up security was before the hack. The second best time is right now.

SwissWPSuite includes everything in this checklist — military-grade WAF, deep malware scanning, login protection, automated off-site backups, and real-time file integrity monitoring — all in one plugin, managed from one dashboard. No patchwork of six separate plugins. No configuration hell. One tool, built for WordPress professionals who can’t afford downtime.


Frequently Asked Questions

What should I do first if my WordPress site has been hacked?

Contain damage immediately: put the site in maintenance mode, revoke all FTP/SFTP credentials, and change your WordPress admin password, hosting password, and database password. Do this before running any scans — attackers often leave backdoors tied to original credentials that remain valid until you change them.

How do I know if my WordPress site has actually been hacked?

Key signs: Google Search Console shows a ‘site may be hacked’ warning, your hosting provider suspended the account for malware, visitors are being redirected to spam or phishing sites, you see new admin users you didn’t create, or your organic search traffic dropped suddenly without explanation. Any one of these is sufficient reason to initiate an incident response.

Can I recover from a WordPress hack without a backup?

Yes, but it’s significantly harder and slower. You’ll need to re-download WordPress core files from WordPress.org and replace wp-admin/ and wp-includes/ entirely, manually inspect each theme and plugin file for injected code, and then re-secure every credential. With an off-site backup, the same recovery takes minutes instead of hours.

How do I prevent my WordPress site from being hacked again?

The five most impactful measures: keep WordPress core, themes, and plugins updated (outdated software causes over 50% of compromises), enable a Web Application Firewall, use strong unique passwords with two-factor authentication on all admin accounts, run automated off-site backups daily, and enable file integrity monitoring so you’re notified the moment any file changes unexpectedly.