Weird redirects? Spammy blog posts? Warnings in Google Chrome or Firefox?
If your website gets compromised, it’s crucial that you take action right away.
Stop, drop, and roll.
1. Take the site offline (or go into maintenance mode)
If your site is actively spreading malware, redirecting users, or exposing customer data, yank it. You can throw up a quick maintenance mode page using a plugin like WP Maintenance or Admin Site Enhancements (ASE), or set a 503 response manually via your server or .htaccess.
This stops the infection from spreading further and shows visitors that you’re on top of it.
Secure Access Points
2. Reset all passwords, everywhere
Start with your WordPress admin users—then move on to FTP/SFTP, cPanel/hosting accounts, and database logins. If your email or Google account is connected to admin recovery, change those too.
And don’t just change your password—log everyone out. Force reauthentication using a plugin like “WP Sessions Manager” or a security plugin with session control.
3. Check for rogue admins or users
Pop into your Users panel. See someone you don’t recognize? Kill their account immediately. Better yet, compare against a recent backup if you’re not sure who should be there.
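One way to do the "compare against a recent backup" check without eyeballing the Users panel. This is an added example, not code from the original post; it assumes WP-CLI is available so that `wp user list --role=administrator --format=csv --fields=user_login,user_email,user_registered` can export the administrator list once from the live site and once from a restored copy of the backup. The two CSV files below are constructed stand-ins for those exports, and example.com is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example for step 3: diff today's administrator list against the one
# from a known-good backup. Both CSVs are constructed stand-ins for what
#   wp user list --role=administrator --format=csv \
#      --fields=user_login,user_email,user_registered
# prints (run on the live site, then on a restored copy of the backup).
CURRENT_ADMINS="$(mktemp)"
BACKUP_ADMINS="$(mktemp)"
cat > "$CURRENT_ADMINS" <<'EOF'
user_login,user_email,user_registered
alice,alice@example.com,2021-03-04 10:12:00
bob,bob@example.com,2022-07-19 08:40:11
wp_support,support@example.net,2024-05-09 02:57:43
EOF
cat > "$BACKUP_ADMINS" <<'EOF'
user_login,user_email,user_registered
alice,alice@example.com,2021-03-04 10:12:00
bob,bob@example.com,2022-07-19 08:40:11
EOF

# Logins that hold the administrator role now but did not in the backup.
# Arguments: current CSV, backup CSV.
new_admins() {
  cur_logins="$(mktemp)"; bak_logins="$(mktemp)"
  cut -d, -f1 "$1" | tail -n +2 | LC_ALL=C sort > "$cur_logins"
  cut -d, -f1 "$2" | tail -n +2 | LC_ALL=C sort > "$bak_logins"
  LC_ALL=C comm -23 "$cur_logins" "$bak_logins"   # only lines unique to current
  rm -f "$cur_logins" "$bak_logins"
}

# Administrators whose e-mail address is outside your own domain. A stranger's
# address on an admin account deserves a question even if the account is old.
# Arguments: CSV file, expected e-mail domain.
admins_outside_domain() {
  awk -F, -v dom="$2" '
    NR > 1 { n = split($2, parts, "@"); if (parts[n] != dom) print $1, $2 }
  ' "$1"
}

echo "== admins not present in the backup =="
new_admins "$CURRENT_ADMINS" "$BACKUP_ADMINS"
echo "== admins with an outside e-mail domain =="
admins_outside_domain "$CURRENT_ADMINS" example.com
```

Anything `new_admins` prints is an account that appeared after the backup was taken; that is the list to disable first, then work through the outside-domain hits.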
Contact the People Who Can Help
4. Notify your hosting provider
Good hosts take this seriously. Some will scan and clean your site for you. Others can at least help you trace activity logs, restore from backup, or isolate infected files.
If they seem annoyed or useless? Might be time to shop around for a host that actually supports WordPress security.
5. Update everything
Hackers often slip in through outdated plugins, themes, or WordPress core. Update them all—but only after you’ve quarantined or fixed the hack. You don’t want to overwrite evidence or lock yourself out.
And if a plugin or theme is no longer maintained or was the source of the breach? Ditch it.
Clean House
6. Scan your site for malware
Use a trusted plugin like Wordfence, Solid Security (formerly iThemes Security), or MalCare to scan for malicious code, backdoors, and injected scripts. Some plugins offer automatic clean-up—but don’t blindly trust that everything is fixed.
Check your theme files, core directories (wp-includes, wp-admin), and functions.php for anything suspicious or recently modified.
7. Browse your files manually
Log in via FTP, SFTP, or your hosting file manager and sort files by “last modified.” Look for:
- Files with weird names (e.g., zxcasdqwe.php)
- Recently added files in your theme or uploads folders
- Modifications to wp-config.php, .htaccess, or index.php
You don’t have to be a PHP wizard—but if something looks fishy, back it up and investigate before deleting.
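The same three checks from step 7 (sort by last modified, PHP where it does not belong, obfuscated code) scripted so you can run them from a shell on the server instead of clicking through a file manager. This is an added example, not code from the original post. It builds a small constructed site tree in a temporary directory so it runs anywhere; to use it for real, set WP_ROOT to the document root of your install. The file zxcasdqwe.php (the article's own example of a weird name) is a constructed stand-in with a placeholder payload, not a real injected file.

```shell
#!/bin/sh
# Added example: file-system triage for step 7 over a constructed site tree.
WP_ROOT="$(mktemp -d)"
mkdir -p "$WP_ROOT/wp-content/uploads/2024/05" \
         "$WP_ROOT/wp-content/themes/sample-theme"
printf '<?php /* constructed core config */\n' > "$WP_ROOT/wp-config.php"
printf '<?php /* constructed front controller */\n' > "$WP_ROOT/index.php"
printf '<?php /* constructed theme functions */\n' \
  > "$WP_ROOT/wp-content/themes/sample-theme/functions.php"
# Stand-in for an injected file: PHP inside uploads, odd name, obfuscation
# wrapper around a placeholder string (constructed, does nothing).
printf '<?php eval(base64_decode("CONSTRUCTED_PLACEHOLDER")); ?>' \
  > "$WP_ROOT/wp-content/uploads/2024/05/zxcasdqwe.php"
# Pretend the core files were last touched long before the incident.
touch -t 202001010000 "$WP_ROOT/wp-config.php" "$WP_ROOT/index.php"

# PHP files modified within the last DAYS days (default 7): the article's
# "sort by last modified" view, restricted to .php to keep the noise down.
recent_php_files() {
  root="$1"; days="${2:-7}"
  find "$root" -type f -name '*.php' -mtime "-$days" | LC_ALL=C sort
}

# Any PHP under wp-content/uploads. WordPress stores media there, never code,
# so every hit deserves a look.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | LC_ALL=C sort
}

# Files containing the obfuscation wrappers injected code habitually uses.
# A few legitimate plugins match too, so treat the output as a shortlist.
suspicious_patterns() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval\(base64_decode\(|gzinflate\(base64_decode\(|str_rot13\(' {} + \
    | LC_ALL=C sort
}

echo "== PHP modified in the last 7 days =="; recent_php_files "$WP_ROOT" 7
echo "== PHP inside uploads ==";              php_in_uploads "$WP_ROOT"
echo "== obfuscation patterns ==";            suspicious_patterns "$WP_ROOT"
```

Run it before you delete anything: the output tells you which files to back up and inspect, and the "last 7 days" window is the first thing to widen if the compromise turns out to be older than you thought.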
Get Google Back On Your Side
8. Check Google Search Console
If your site got flagged, GSC may have already picked it up. Look for any messages, security warnings, or indexing changes.
Under the “Pages” or “URL Inspection” tool, check for URLs you don’t recognize—sometimes hackers create hundreds of spammy pages to exploit your domain reputation.
9. Request a review if blacklisted
If your site got tagged with a “This site may be hacked” label, you’ll need to submit a reconsideration request through Google Search Console. Clean the site first, then submit a request with proof that it’s secure again.
Final Touches (Don’t Skip These)
10. Add or upgrade your security plugin
Wordfence and Solid Security (formerly iThemes Security) are both good options. Make sure you enable:
- Firewall protection
- Brute force login protection
- File integrity monitoring
- Login attempt limits
Bonus: Set up email alerts so you know the next time something sketchy happens—before it spreads.
11. Re-enable two-factor authentication
If you weren’t using 2FA, now’s the time. Use apps like Google Authenticator, Authy, or built-in 2FA plugins. And don’t just protect admin users—editors and authors can be exploited too.
12. Back up your site
Once everything’s clean and stable, take a fresh backup. Store it offsite—Dropbox, Google Drive, Amazon S3—anywhere that’s not on the same server as your site.
Plugins like UpdraftPlus or BlogVault can automate this going forward.
13. Review site logs (if available)
Some hosts provide server-level logs that let you track suspicious login attempts, file edits, or POST requests. If you have access, dig into them. They can help you spot what went wrong—and when.
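Three of the signals step 13 mentions (login attempts, POST requests, and when it happened), pulled out of a combined-format access log with awk. This is an added example, not code from the original post. The log lines are constructed for the example (the addresses are from the reserved documentation ranges); point the functions at your host's real access log instead. The status-code logic relies on WordPress answering a failed login POST by re-rendering the form (200) and a successful one with a redirect (302).

```shell
#!/bin/sh
# Added example: access-log triage for step 13 over a constructed log.
ACCESS_LOG="$(mktemp)"
cat > "$ACCESS_LOG" <<'EOF'
198.51.100.7 - - [10/May/2024:02:41:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:02:41:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:02:41:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:02:41:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:02:41:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:02:57:43 +0000] "POST /wp-content/uploads/2024/05/zxcasdqwe.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/May/2024:03:02:19 +0000] "POST /wp-content/uploads/2024/05/zxcasdqwe.php HTTP/1.1" 200 1187 "-" "curl/8.4.0"
192.0.2.44 - - [10/May/2024:09:15:00 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 58213 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:09:15:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
EOF

# Combined log format, whitespace-split: $1 client IP, $4 timestamp,
# $6 "METHOD (with the opening quote), $7 request path, $9 status code.

# POST requests to PHP files under wp-content/uploads. Visitors never do this;
# WordPress serves media from there, not code. Prints IP, time, path.
posts_to_uploads() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $4, $7 }' "$1"
}

# POSTs to wp-login.php per client address, busiest first. One address
# hammering the login form is the usual brute-force pattern.
login_posts_by_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Successful logins: a correct password gets a 302 redirect, a wrong one gets
# the form again with 200. A 302 right after a burst from the same IP is the
# session you most want to account for. Prints IP and time.
login_successes() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { print $1, $4 }' "$1"
}

echo "== POSTs to PHP in uploads ==";   posts_to_uploads "$ACCESS_LOG"
echo "== login POSTs per IP ==";        login_posts_by_ip "$ACCESS_LOG"
echo "== successful logins ==";         login_successes "$ACCESS_LOG"
```

In the constructed log the story reads off the output: four failed logins and one success from 198.51.100.7 at 02:41, then POSTs to a PHP file in uploads from 203.0.113.5 starting at 02:57, which gives you both the "what" and the "when" to line up against the file timestamps from step 7.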
14. Notify clients, users, or your team (if relevant)
If data was exposed or your site handles user accounts, you may have a legal obligation to notify affected users. Even if you don’t, being transparent builds trust.
One Last Word of Advice
Don’t just patch the hole and walk away. Hackers often leave backdoors behind so they can waltz back in later. Treat this like you would a break-in at your house. Change the locks, check the cameras, and maybe get a better alarm system.
If it all feels overwhelming, it’s worth hiring a professional to do a full cleanup and audit. Some agencies and WordPress security services can have you back online within hours.