My WordPress Site Has Been Hacked: What to Do Right Now

Updated: June 25, 2026
Table Of Contents

My WordPress site has been hacked: here’s exactly what to do in the next 30 minutes, in order, before you touch anything else. Acting in the wrong order, or panicking and changing things randomly, is what turns a recoverable hack into a much bigger problem.

My WordPress Site Has Been Hacked, Now What? Start Here

If your WordPress site has been hacked, the first priority is stopping further damage, not fixing everything immediately. That means securing access, preserving evidence of what happened, and avoiding the common mistakes that make recovery harder. The actual cleanup can come once those three things are in place.

We get this call constantly, usually from someone who’s just noticed strange redirects, a defaced homepage, or a “this site may be hacked” warning in Google. The good news: most hacks are recoverable, often within a day, if you act in the right order from here.

The First 5 Things to Do Right Now

my-wordpress-site-has-been-hacked
1
Change every password, from a different device. Your WordPress admin, hosting account, FTP/SFTP, and database passwords could all be compromised. Do this from a phone or laptop you know is clean, not the device you usually manage the site from, in case that device is also compromised.
2
Don’t delete anything yet. It’s tempting to start deleting suspicious files immediately. Resist it. Whoever cleans this up, you or a specialist, needs to see what was actually injected to confirm every piece of it is found, not just the obvious part.
3
Check if you’ve been flagged by Google. Log into Google Search Console and check the Security Issues report, or run your domain through Google’s Safe Browsing site status checker. This tells you whether visitors are currently seeing a warning page instead of your site.
4
Take a backup of the site exactly as it is now. Even though it’s infected, this snapshot matters if cleanup goes wrong or you need to compare before-and-after states. Store it somewhere other than the compromised server.
5
Get a specialist involved if you’re not confident with a server. If the next steps involve phrases like “check the database for new admin users” or “scan for backdoors” and that’s unfamiliar territory, this is the point to bring in help rather than guess.

Don’t restore an old backup without checking it first. If the backup predates the hack, you’ve solved nothing. If it’s from after the hack occurred, you’ve just restored the infection. Confirm the backup’s date against when you first noticed anything unusual before relying on it.

Common Mistakes That Make a Hack Worse

In our experience cleaning up hacked WordPress sites, the same three mistakes show up again and again, and each one extends the recovery time.

Deleting files at random, which removes evidence needed to confirm the infection is fully gone
Restoring a backup without checking its date against when the hack started
Reusing the same passwords after “cleaning up,” which lets the attacker straight back in
Waiting to see if it “goes away,” while the infection spreads to more files and tanks your search rankings

How Long Does It Take to Fix a Hacked WordPress Site?

A straightforward WordPress hack is usually fully cleaned within 24 to 48 hours by someone experienced. The harder, more variable part is getting any Google warning lifted afterward. Google’s own documentation states that malware reviews typically take a few days to process, while sites hacked with spam content can take several weeks because those reviews involve manual investigation.

Most business owners assume the warning disappears the moment the malware is removed. It doesn’t. You have to request a review through Search Console, and Google has to verify the site is genuinely clean before lifting it.

What Does WordPress Malware Removal Cost?

Emergency cleanup for a straightforward infection typically runs $500 to $2,000, depending on severity and how deeply the malware has spread. This is priced and scoped as its own job, separate from any ongoing maintenance plan, because recovering a compromised site is a different scope of work to keeping a healthy one running.

Signs You Need a Professional Right Now, Not a DIY Attempt

You don’t recognise admin users in your WordPress dashboard
The site is redirecting visitors to another domain
You’ve already tried a security plugin’s “clean” function and the problem returned
The site handles client contact forms, payments, or sensitive data of any kind
You’re not comfortable working in phpMyAdmin, SFTP, or your hosting control panel

Any one of these on its own is reason enough to call in professional malware removal rather than risk an incomplete cleanup that gets reinfected within days.

FAQs

How do I know for sure my WordPress site has been hacked?

Common signs include unexpected redirects, a defaced homepage, new admin users you didn’t create, a Google Search Console security warning, or your hosting provider suspending the account for “malicious activity.” If you’re unsure, our guide on signs your WordPress site is hacked covers the subtler indicators too.

Will my hosting provider fix this for me?

Some will suspend the account to protect their other customers, but very few hosts include actual malware removal in a standard plan. Most point you back to your own team or a security specialist.

Should I just delete my site and start over?

Rarely necessary. Most hacks are contained to specific files or database entries that can be identified and removed without rebuilding from scratch. A full rebuild is usually a last resort, not a first response.

Can a hacked site recover its search rankings afterward?

Yes, in most cases, once the malware is removed and Google’s review confirms the site is clean. Recovery of rankings can take longer than the cleanup itself, which is another reason to act quickly rather than wait.

If Your Site Is Hacked Right Now, Don’t Wait on This

Every hour an infected site stays live is another hour of potential damage to your search rankings, your visitors, and your reputation. Get emergency malware removal started today, or book a free call if you want to talk through what you’re seeing first.

Related: WordPress Security & Migration · WordPress Care Plans

sitelab digital footer icon

Built to perform and maintained to last. Specialist WordPress studio for service businesses.

© 2026 Sitelab Digital | All Rights Reserved!