Discovering your website has been hacked is one of the most stressful moments for any business owner. Your first instinct may be to panic — but what you do in the next few hours determines how much damage is done and how quickly you recover. This guide gives you a clear, step-by-step action plan.
Do Not Delete Everything
Your first instinct may be to delete all the files. Do not. You need the hacked files to understand what happened, which backdoors were left, and whether data was compromised. If you delete without forensics, you are likely to miss hidden backdoors the attackers left, and those will reinfect you within days.
Step 1: Take the Site Offline Immediately
Put your site into maintenance mode or take it down completely. A hacked site can spread malware to your visitors, damage your Google ranking, and get your domain blacklisted. The short-term pain of downtime is far less than the long-term damage of staying live while compromised.
Step 2: Change All Passwords
Immediately change passwords for: cPanel/hosting account, FTP/SFTP accounts, WordPress admin, database (MySQL/MariaDB), email accounts on the domain, domain registrar account. Use strong, unique passwords for each. Enable 2FA where available.
Step 3: Identify the Scope
Before cleaning, identify what was affected:
- Run your domain through Google Safe Browsing: transparencyreport.google.com/safe-browsing/search
- Check Google Search Console for security alerts
- Scan with Sucuri SiteCheck (free): sitecheck.sucuri.net
- Check file modification dates: recently modified files that should not have changed are the attack entry points
- Check for new admin users added to WordPress that you did not create
Step 4: Clean the Infection
- WordPress sites: Reinstall WordPress core files from a clean download. Do not overwrite wp-content or wp-config.php yet.
- Plugins and themes: Reinstall all plugins and themes from their original sources — do not trust existing files
- Database: Check for injected spam links or redirects in post content, options table, and user data
- Backdoors: Search for eval(base64_decode), system(), exec(), passthru() in PHP files — these are common backdoor signatures
- Restore from backup: If you have a clean backup from before the attack, restore it — this is the safest option
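A read-only triage sketch for the file-date check in Step 3 and the backdoor search above, added here as an example and not code from the original guide. The function names, the 7-day window and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Signatures listed in Step 4. The lookbehind skips method calls and longer
# names such as $pdo->exec( or curl_exec(. A hit is a lead for manual review.
CALL = r"(?<![\w>:$]){}\s*\("
SIGNATURES = {"eval(base64_decode": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)}
SIGNATURES.update({f"{fn}()": re.compile(CALL.format(fn), re.I)
                   for fn in ("system", "exec", "passthru")})

def scan(root, days=7, now=None):
    """Return (findings, recent): signature hits and PHP files changed in the last `days`."""
    now = time.time() if now is None else now
    findings, recent = [], []
    for path in sorted(Path(root).rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if now - path.stat().st_mtime < days * 86400:
            recent.append(rel)
        text = path.read_text(errors="replace")  # read only, nothing is deleted
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in SIGNATURES.items():
                if rx.search(line):
                    findings.append((rel, lineno, name))
    return findings, recent

def build_sample(root):
    """Write a constructed sample tree (not taken from a real incident)."""
    old = time.time() - 90 * 86400
    files = {
        "wp-content/plugins/shop/db.php": "<?php\n$n = $pdo->exec($sql);\ncurl_exec($ch);\n",
        "wp-content/uploads/2024/cache.php": "<?php\n@eval(base64_decode('Q09OU1RSVUNURUQ='));\n",
        "wp-includes/class-img.php": "<?php\nif (isset($cmd)) { system($cmd); }\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        if rel.endswith("db.php"):
            os.utime(p, (old, old))  # legitimate file, untouched for 90 days

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        hits, recent = scan(d)
        for rel, lineno, name in hits:
            print(f"{rel}:{lineno}: {name}")
        print("recently modified:", recent)
```

Point scan() at a copy of the document root; it only reads files, so the evidence stays intact for the entry-point analysis in Step 5.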
Step 5: Find and Fix the Entry Point
If you do not fix how they got in, they will be back within days. Common entry points:
- Outdated plugins or themes: The #1 cause of WordPress hacks — over 90% of WordPress infections come through unpatched vulnerabilities
- Weak admin passwords: Brute-forced admin accounts
- Compromised FTP credentials: Credentials stolen via malware on your local machine
- Shared hosting: Another site on the same server being compromised and infecting yours
Step 6: Harden and Monitor
- Install a security plugin (Wordfence, Sucuri) with active monitoring
- Set up daily automated backups to an offsite location
- Enable a Web Application Firewall (WAF)
- Keep all software updated — WordPress core, themes, plugins
- Remove any unused themes or plugins
Step 7: Request Google Review
If Google has flagged your site, submit a review request via Google Search Console after cleanup. The review typically takes 1-3 days. Do not skip this: blacklisting kills your organic traffic.
Need Help Cleaning a Hacked Site?
NextCode Solutions has cleaned dozens of compromised WordPress and PHP sites. We identify the entry point, remove all malware, and harden your site to prevent reinfection.