Discovering your WordPress website has been hacked stops you in your tracks. Your homepage might be showing content you never put there, your hosting provider might have suspended your account, or a client might have called to say something looks wrong. Whatever the first sign was, what you do in the next few hours matters more than the hack itself.
Around 13,000 WordPress sites are hacked every single day globally. If it has happened to your business, you are not alone. Here is exactly what to do.
Don’t Panic. But Act Fast.
A hacked WordPress site is fixable. What you cannot afford to do is leave it up and running while you decide what to do. Every hour your compromised site stays live, your visitors could be exposed to malware, your search rankings could take a hit, and Google could blacklist your domain entirely.
Take a breath. Then work through the following steps in order.
Step 1: Take Your Site Offline
Your first job is to limit the damage. If you can still access your WordPress dashboard, put the site into maintenance mode straight away. If you can’t get in, contact your hosting provider and ask them to take the site offline temporarily.
This protects your visitors from any malicious scripts or redirects running on the site while you work through the recovery. Your hosting provider may have already suspended the account if they detected unusual activity, so check your emails first.
Step 2: Find Out Whether You Still Have Admin Access
Try logging in at yourwebsite.co.uk/wp-admin. If you can get in, that’s a good start. If not, attackers may have changed your password or deleted your admin account. You can usually reset access through your email or directly via your hosting provider’s control panel and database tools.
If there are admin accounts you don’t recognise in the Users section, make a note of them. Don’t delete them yet as you may need them for investigation.
Step 3: Back Up the Compromised Site Before You Touch It
This step surprises a lot of people, but it matters. Taking a backup of the hacked version of your site gives you a record of exactly what happened. That record is useful if you need to investigate the attack, report it to the ICO, or work with a security professional later.
Do not use this backup to restore your site. It contains the malware. You need a clean, pre-hack backup for restoration.
Step 4: Restore from a Clean Backup
If you have a recent backup from before the hack occurred, restoring it is the fastest route to a clean site. Your hosting provider may keep automated backups — contact them to check. Most managed WordPress plans include regular backups as standard.
One important point: restoring from backup removes the symptoms but does not close the door that let the attacker in. If you restore without finding the root cause, your site can be compromised again within days. Once you’ve restored, keep reading.
If you don’t have a clean backup, you’ll need to clean the site manually or bring in professional support. This is where specialist WordPress malware removal becomes the right move.
Step 5: Scan for Malware and Remove It
Run a thorough malware scan across your WordPress files and database. Security plugins such as Wordfence or Sucuri can help identify infected files. You’re looking for:
- Modified core WordPress files
- Obfuscated PHP code or unfamiliar scripts injected into existing files
- New files added to upload folders or plugin directories
- Database entries containing suspicious code
Remove infected files and code carefully. If you leave even one backdoor in place, attackers can regain access without needing to crack a password again. If you’re not comfortable working at file level, get a professional in.
Step 6: Change Every Password and Access Credential
Once the site is clean, change everything. That means your WordPress admin password, your hosting account password, your FTP and SFTP credentials, your database password, and any email accounts connected to the site.
Use long, unique passwords for each. A password manager makes this easy to keep on top of. Do not reuse any password that was in place before the hack.
Step 7: Update WordPress, Every Plugin, and Every Theme
Around 91% of WordPress security issues stem from vulnerable plugins and themes, not from WordPress core itself. Outdated software is the single most common entry point for attackers.
After cleaning the site, update WordPress core, every installed plugin, and your active theme to the latest versions. While you’re there, delete any plugins or themes you no longer use. Unused software with known vulnerabilities is an open invitation.
Step 8: Remove Rogue Admin Accounts and Hidden Backdoors
Go to Users in your WordPress dashboard and check for any admin-level accounts you don’t recognise. Delete them. Then check your wp-content directory, particularly the uploads folder, for files that shouldn’t be there. Attackers often hide backdoor scripts in the uploads folder because it needs write access and gets overlooked.
A security plugin can help automate this check, but a manual review by someone who knows what to look for is always more thorough. Our WordPress support team handles exactly this kind of investigation every week.
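The file-level checks from Step 5 and Step 8 can be run from a shell on the host, which is often faster and more transparent than waiting for a plugin scan. The script below is an added example written for this article, not code from the original post or from any plugin or service it mentions. It is read-only: it lists PHP files sitting in the uploads folder, PHP files containing constructs typical of injected or obfuscated code, files changed recently, and core files whose SHA-256 hash no longer matches a manifest you supply. It assumes a Linux host with bash, GNU find, grep and sha256sum, and takes the WordPress root directory as its first argument; the manifest format (one `hash path` pair per line) is this script's own assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: read-only triage of a
# WordPress install after a compromise. Nothing here deletes or edits files;
# review every hit by hand before acting on it.
# Assumes: Linux, bash, GNU find/grep/sha256sum; $1 = WordPress root.
set -u

# 1. PHP in wp-content/uploads: that folder should hold media only, so any
#    PHP (or PHP-like extension) there is worth a look.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
    2>/dev/null
}

# 2. PHP files using constructs that injected code leans on heavily.
#    Legitimate plugins use some of these too, so this is a shortlist, not a verdict.
suspicious_code() {
  grep -rlE --include='*.php' \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(|preg_replace\(.*/e' \
    "$1" 2>/dev/null
}

# 3. Files modified in the last N days (default 7); compare with changes you
#    know you made. Cache directories churn constantly and are skipped.
recently_modified() {
  find "$1" -type f -mtime -"${2:-7}" -not -path '*/cache/*' 2>/dev/null
}

# 4. Core file integrity: manifest lines are "sha256hex relative/path".
#    WP-CLI's `wp core verify-checksums` does the same job against the official
#    checksums; this function lets you do it with a manifest of your own.
verify_core() {
  local root="$1" manifest="$2" hash path actual
  while read -r hash path; do
    [ -n "$path" ] || continue
    if [ ! -f "$root/$path" ]; then
      echo "MISSING $path"
      continue
    fi
    actual=$(sha256sum "$root/$path" | cut -d' ' -f1)
    [ "$actual" = "$hash" ] || echo "MODIFIED $path"
  done < "$manifest"
}

triage() {
  echo "== PHP files in wp-content/uploads =="; php_in_uploads "$1"
  echo "== PHP files with suspicious constructs =="; suspicious_code "$1"
  echo "== files modified in the last ${2:-7} days =="; recently_modified "$1" "${2:-7}"
}

# Run the triage only when a root directory is given on the command line.
if [ $# -gt 0 ]; then triage "$1" "${2:-7}"; fi
```

Run it as `bash wp-triage.sh /path/to/wordpress` (the path is yours to fill in). The database side of Step 5 is not covered by file tools; WP-CLI's `wp db search '<script'` is a quick way to find injected markup in posts and options, and `wp user list --role=administrator` lists the accounts to compare against the ones you actually created.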
Do UK Businesses Have Legal Obligations After a Hack?
Yes, and this catches many businesses off guard. If your WordPress site collects or processes personal data, such as customer names, email addresses, or payment details, a hack may constitute a data breach under UK GDPR.
The ICO requires you to report a notifiable breach within 72 hours of becoming aware of it. Failing to report when required can result in fines of up to £8.7 million or 2% of your global annual turnover. If the breach is likely to affect individuals, you must also notify the people whose data was involved.
If you’re not sure whether your breach needs to be reported, err on the side of contacting the ICO. Their guidance for small organisations is clear and straightforward.
How to Stop It Happening Again
Recovering from a hack is the reactive part. Preventing the next one is where the real work pays off.
Keep everything updated, automatically if possible. Enable two-factor authentication on all admin accounts. Move your WordPress login URL away from the default /wp-admin, which attackers target constantly. Limit failed login attempts to block brute-force attacks. Set up a security plugin to actively monitor your site around the clock.
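Some of this hardening can be applied at the server level without a plugin. The script below is an added example written for this article, not code from the original post or from any product it mentions. It blocks PHP execution inside wp-content/uploads (the folder Step 8 singles out), turns on automatic core updates and switches off the dashboard file editor through wp-config.php constants, and sets the conventional WordPress file permissions. It assumes a Linux host with bash, awk and GNU coreutils, Apache 2.4 for the uploads rule (nginx needs the equivalent `location` block), and the WordPress root as its first argument. Two-factor authentication, login-attempt limits and a moved login URL are plugin-level settings and are not covered here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: server-side hardening
# after a cleanup. Assumes Linux, bash, awk, GNU coreutils, Apache 2.4;
# $1 = WordPress root containing wp-config.php.
set -u

# 1. Tell Apache never to execute PHP placed in the uploads folder.
protect_uploads() {
  local dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Uploads hold media only; never serve anything here as executable code.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# 2. Add a wp-config.php constant once, above the "stop editing" marker line
#    (appended at the end if the marker is missing). Safe to re-run.
add_wp_constant() {
  local cfg="$1/wp-config.php" name="$2" value="$3"
  if grep -q "'$name'" "$cfg"; then
    return 0                                  # already defined: leave it alone
  fi
  awk -v line="define('$name', $value);" '
    /stop editing/ && !added { print line; added = 1 }
    { print }
    END { if (!added) print line }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 3. Conventional permissions: directories 755, files 644, wp-config.php 600
#    so only the owning account can read database credentials.
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

harden_wp() {
  protect_uploads "$1"
  add_wp_constant "$1" DISALLOW_FILE_EDIT true   # removes Appearance/Plugins file editor
  add_wp_constant "$1" WP_AUTO_UPDATE_CORE true  # core updates install automatically
  fix_permissions "$1"
}

# Apply only when a root directory is given on the command line.
if [ $# -gt 0 ]; then harden_wp "$1"; fi
```

Run it as `bash wp-harden.sh /path/to/wordpress` (path is yours to fill in) and back up wp-config.php first. If the web server runs as a different user from the file owner, 755/644 may need adjusting so that WordPress can still write to the uploads folder.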
The most effective approach is to put a proper WordPress care plan in place. A managed plan covers updates, security monitoring, and regular off-site backups so your site is protected without you having to think about it. If something unusual does happen, you’ll know about it before your customers do.
When to Get Professional Help
Not every business owner has the technical knowledge to clean a hacked site themselves, and there is no shame in that. If you’re unsure what you’re looking at, if the hack is complex, or if your time is better spent running your business, professional support is the right call.
Our WordPress malware removal service covers the full recovery process: identification, cleaning, hardening, and ongoing monitoring so the problem doesn’t return. Our website maintenance team can then put protection in place to keep your site secure going forward. Get in touch and we’ll tell you exactly what’s needed.
Frequently Asked Questions
How do I know if my WordPress site has been hacked?
Common signs include your homepage displaying unfamiliar content, Google showing a security warning about your site, your hosting account being suspended, or visitors being redirected to a different website. New admin users you don’t recognise or a sudden drop in search traffic can also indicate a compromise. Running a malware scan is the quickest way to confirm.
Can I fix a hacked WordPress site myself?
In many cases, yes, particularly if you have a clean backup and some technical knowledge. You’ll need to restore from a clean backup, update all software, change every password, and check for backdoors. If the hack is complex or you’re not comfortable working with files and databases, professional help is the safer and faster option.
Will Google penalise my site if it’s been hacked?
Yes. Google flags compromised sites through its Safe Browsing system. Your site may show a security warning to visitors or be removed from search results. Once the site is clean, you can request a review from Google Search Console to have the warning lifted. Acting quickly reduces the long-term damage to your rankings.
Do I have to report a WordPress hack to the ICO?
If your site processes personal data and the hack led to a breach of that data, you are likely required to report it to the ICO within 72 hours under UK GDPR. This covers customer email addresses, names, and any other personal information stored on the site. The ICO has straightforward guidance for small organisations on its website.
How long does it take to recover a hacked WordPress site?
It depends on the severity of the attack. A straightforward restore from a clean backup can take a few hours. A complex hack requiring manual file cleaning, database scanning, and hardening can take several days. Having an up-to-date backup significantly cuts recovery time. Without one, the process is much more involved.
How can I stop my WordPress site being hacked again?
Keep WordPress, all plugins, and your theme updated at all times. Use strong, unique passwords and enable two-factor authentication on your admin account. Remove plugins and themes you no longer use. Set up a security plugin and configure it to monitor your site actively. A managed WordPress care plan takes care of all of this automatically and is the most reliable long-term solution.
