
Hacked WordPress Site? The Calm, Step-by-Step Checklist

A clear emergency checklist for a hacked WordPress site — redirects, spam pages, or browser warnings. Preserve evidence, protect access, clean it properly, and close the entry point so it stays gone.

Ryan Alldridge, Founder, Superpress
May 17, 2026 · 9 min read

Step 1 — Control and evidence, not panic

The instinct is to start deleting. Resist it — you need to understand the incident first, both to clean it properly and to prove what happened.

  • Screenshot the warnings, redirects, or spam pages before you change anything.
  • Change admin, hosting, FTP/SFTP, and database passwords if access may be exposed.
  • Check how customers are affected: can they still buy, book, submit forms, or log in safely?
  • Confirm which backup points exist — and roughly when the site was last known clean — before destructive changes.

Step 2 — Clean beyond the obvious file

A real cleanup assumes the visible infection is not the whole story. Attackers leave backdoors precisely so a surface cleanup fails.

  • Scan files, uploads, themes, plugins, and the database — not just the homepage.
  • Remove unknown admin users, stale accounts, and any rogue API keys.
  • Replace compromised core files from clean WordPress.org sources.
  • Patch or remove the vulnerable plugin, theme, or access path that let them in.
  • Re-scan after cleanup to catch reinfection or a missed backdoor.
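
A read-only triage pass that covers the evidence step and the scan scope above, as an added example (not code from Superpress or WordPress). It records a SHA-256 manifest of every file before anything is changed, then flags PHP under uploads and PHP modified after the last known clean date. The names triage and PHP_EXTS, the extension list, and the standard wp-content/uploads layout are assumptions.

```python
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path

# Assumption: extensions your PHP handler executes; adjust to the server config.
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}


def sha256_of(path: Path) -> str:
    # Hash in chunks so large media files do not load into memory at once.
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(wp_root, last_clean: datetime):
    """Return (manifest, findings) for a WordPress tree without modifying it."""
    root = Path(wp_root)
    uploads = root / "wp-content" / "uploads"
    manifest, findings = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            manifest.append((rel, sha256_of(path), mtime.isoformat()))
            is_php = path.suffix.lower() in PHP_EXTS
            if is_php and uploads in path.parents:
                findings.append((rel, "executable PHP under uploads"))
            elif is_php and mtime > last_clean:
                findings.append((rel, "PHP modified after last known clean"))
    return sorted(manifest), sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/site 2026-05-01  (date = last known clean, UTC)
    clean = datetime.fromisoformat(sys.argv[2]).replace(tzinfo=timezone.utc)
    manifest, findings = triage(sys.argv[1], clean)
    for rel, digest, mtime in manifest:
        print(f"{digest}  {mtime}  {rel}")
    for rel, reason in findings:
        print(f"SUSPECT  {reason}: {rel}", file=sys.stderr)
```

Modification times can be reset by whoever wrote the file, so an old timestamp does not clear a file; treat the findings as a starting list and still compare core, plugin, and theme files against clean copies. Store the manifest off the server so it survives the cleanup.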

Step 3 — Close the entry point (the step that actually matters)

This is where most DIY cleanups fail. If the vulnerable plugin, weak password, or stale account that let the attacker in is still there, the site gets reinfected within days. Patchstack’s 2025 security report attributes 96% of new vulnerabilities to plugins, and Sucuri’s Hacked Website Report found 39% of compromised CMS sites were on outdated software — so the entry point is usually an unpatched plugin or old core. Find it, patch it, then harden so the same door cannot reopen.

Step 4 — Restore trust and monitor

Once the site is genuinely clean, submit a review request if Google, browsers, antivirus tools, or your host flagged it, following Google’s hacked-site recovery guidance. If you run a store, treat it as a payments incident too — see WooCommerce malware cleanup. Then add monitoring so the next warning reaches you in hours, not via a customer.

Surface cleanup vs proper recovery

The difference between “the warning went away” and “it won’t come back.”

Step | Surface cleanup (fails) | Proper recovery
Evidence | Deletes files immediately. | Screenshots and notes the incident first.
Scope | Cleans the visible infected page. | Scans files, uploads, plugins, and database.
Entry point | Ignored — so it reinfects. | Found, patched, and hardened.
Access | Left unchanged. | All credentials reset; rogue users removed.
After | Hopes it’s over. | Review request, clean re-scan, monitoring.

What to do right now

Triage by customer impact first — protecting visitors comes before saving appearances.

If visitors are being redirected or warned, put up a maintenance page

A temporary maintenance page protects customers from redirects, exposed data, or a skimmer while you clean up. A short, controlled outage beats actively harming visitors.

If you can’t find how they got in, get specialist help

Backdoors and database injections are easy to miss, and a missed entry point means reinfection. If you cannot confidently identify and close the hole, bring in someone who can.

Once clean, harden so it does not recur

Reset credentials, update everything, remove abandoned plugins, and add monitoring — the full security hardening checklist.

Hacked-site mistakes that make it worse

  • Panic-deleting files before understanding the incident, destroying the evidence of how they got in.
  • Cleaning the visible malware but never finding and closing the entry point.
  • Restoring an old backup that is itself infected or still vulnerable.
  • Forgetting to reset hosting, FTP, and database credentials, not just the WordPress admin.
  • Skipping the review request, so the site stays flagged in Google or browsers after it’s clean.

How we run a hacked-site recovery

In our experience, the temptation in a hack is to make the warning disappear as fast as possible — and that is exactly how sites get reinfected. We work the opposite way: protect visitors, preserve evidence, then methodically clean and, above all, find the door. A recovery is not finished when the malware is gone; it is finished when we know how they got in and that door is shut. Anything less just buys a few quiet days before it happens again.

  • Protect customers and preserve evidence before deleting anything.
  • Assume there is a backdoor until a full scan says otherwise.
  • Reset every credential, not just the WordPress login.
  • Close and harden the entry point, then monitor for the next attempt.

Frequently asked questions.

Should I take a hacked WordPress site offline?

If customers are being redirected, exposed, or warned away, a temporary maintenance page is usually the safer move while you clean up. A short, controlled outage protects visitors and your reputation far better than leaving a compromised site live.

Why does WordPress malware keep coming back?

Almost always because the entry point was missed — a backdoor, a vulnerable plugin, a weak account, or an infected database entry survived the cleanup. Removing visible malware without closing the hole that let it in just resets the clock until the next infection.

Can I recover a hacked site without losing content?

Usually yes. Your content normally sits in the database, and a careful cleanup or a clean backup restore preserves it. The key is not to delete or overwrite in a panic — preserve evidence, identify a clean restore point, and clean methodically.

How did my WordPress site get hacked in the first place?

Most often through an outdated or vulnerable plugin, an old WordPress core version, or a weak/reused admin password. The data is clear: plugins account for the large majority of vulnerabilities, and outdated software is present in a large share of breaches. Closing that gap is what stops a repeat.

Research sources.

This guide was checked against current platform and search documentation before publication.

About the author

Ryan Alldridge, Founder, Superpress. Ryan Alldridge founded Superpress in 2016 and has kept business-critical WordPress and WooCommerce sites online ever since — the boring-but-vital maintenance work, and the 1am "the site is down" calls. In our experience, what keeps a business site online is not clever tricks — it is the boring maintenance done on time, which is exactly what we built Superpress to handle.

Reviewed by the Superpress team and fact-checked against the official sources cited above. Last reviewed May 17, 2026. Contact us with a correction.