My WordPress site has been hacked: here’s exactly what to do in the next 30 minutes, in order, before you touch anything else. Acting in the wrong order, or panicking and changing things randomly, is what turns a recoverable hack into a much bigger problem.
If your WordPress site has been hacked, the first priority is stopping further damage, not fixing everything immediately. That means securing access, preserving evidence of what happened, and avoiding the common mistakes that make recovery harder. The actual cleanup can come once those three things are in place.
We get this call constantly, usually from someone who’s just noticed strange redirects, a defaced homepage, or a “this site may be hacked” warning in Google. The good news: most hacks are recoverable, often within a day, if you act in the right order from here.

Don’t restore an old backup without checking it first. If the backup predates the hack, you’ve solved nothing. If it’s from after the hack occurred, you’ve just restored the infection. Confirm the backup’s date against when you first noticed anything unusual before relying on it.
In our experience cleaning up hacked WordPress sites, the same three mistakes show up again and again, and each one extends the recovery time.
A straightforward WordPress hack is usually fully cleaned within 24 to 48 hours by someone experienced. The harder, more variable part is getting any Google warning lifted afterward. Google’s own documentation states that malware reviews typically take a few days to process, while sites hacked with spam content can take several weeks because those reviews involve manual investigation.
Most business owners assume the warning disappears the moment the malware is removed. It doesn’t. You have to request a review through Search Console, and Google has to verify the site is genuinely clean before lifting it.
Emergency cleanup for a straightforward infection typically runs $500 to $2,000, depending on severity and how deeply the malware has spread. This is priced and scoped as its own job, separate from any ongoing maintenance plan, because recovering a compromised site is a different scope of work to keeping a healthy one running.
Any one of these on its own is reason enough to call in professional malware removal rather than risk an incomplete cleanup that gets reinfected within days.
Common signs include unexpected redirects, a defaced homepage, new admin users you didn’t create, a Google Search Console security warning, or your hosting provider suspending the account for “malicious activity.” If you’re unsure, our guide on signs your WordPress site is hacked covers the subtler indicators too.
Some will suspend the account to protect their other customers, but very few hosts include actual malware removal in a standard plan. Most point you back to your own team or a security specialist.
Rarely necessary. Most hacks are contained to specific files or database entries that can be identified and removed without rebuilding from scratch. A full rebuild is usually a last resort, not a first response.
Yes, in most cases, once the malware is removed and Google’s review confirms the site is clean. Recovery of rankings can take longer than the cleanup itself, which is another reason to act quickly rather than wait.
Every hour an infected site stays live is another hour of potential damage to your search rankings, your visitors, and your reputation. Get emergency malware removal started today, or book a free call if you want to talk through what you’re seeing first.
Related: WordPress Security & Migration · WordPress Care Plans

Built to perform and maintained to last. Specialist WordPress studio for service businesses.