Website Hacked: What to Do and How to Secure WordPress

Immediate steps to contain damage

Confirm the breach and assess scope

Do not panic, but act quickly to confirm the WordPress hack. Check for red flags such as a defaced homepage, a spike in traffic from unknown sources, or sudden search engine warnings. Review recent admin users, posts, and comments for suspicious changes. Look for new files in wp-admin, wp-content, and theme folders with odd timestamps. Scan your .htaccess and wp-config.php for injected redirects or malicious code. Notify your hosting provider and ask if they see unusual processes or DDoS traffic. Avoid logging in from shared devices or unsecured networks until the situation is clear. Keep a timeline of what you observe and when, as this helps later forensics. If you cannot access the admin area, request a temporary account reset from your host. Consider asking a specialist like Amine Aziz for urgent triage.

Put the site in maintenance mode

Enable maintenance mode to protect visitors while you investigate. You can do this with a plugin or a simple snippet that returns a 503 status. Communicate with users via a short maintenance page and avoid broadcasting details to prevent copycat attacks. This step limits the spread of infections and reduces spam traffic. It also prevents search engines from indexing compromised pages during cleanup. If you run e-commerce, disable the cart and payment forms immediately. Redirect authenticated sessions to the maintenance page to prevent further abuse. Maintain this mode until the infection is fully removed and security is hardened. Communicate expected timelines with your team and clients. Record when maintenance started and ended for your incident log. Once the site is stable, disable the mode and verify functionality.

Take backups and preserve evidence

Before making changes, snapshot your current site files and database. Download a full backup if possible, including uploads, plugins, and themes. Save recent error logs, access logs, and any screenshots of suspicious activity. Label the backups clearly with the date and time of the incident. Store backups in a secure, offline location separate from your hosting account. Do not overwrite your latest backup with potentially infected data. These files are crucial for forensic analysis and proving compliance. They also allow you to restore a known-good state if cleanup fails. Preserve evidence even after recovery, as patterns may repeat. Keep logs for at least 90 days unless regulations require longer retention.

Rotate passwords and revoke sessions

Change passwords for all administrator and editor accounts immediately. Require strong passwords and avoid reused credentials across services. Revoke all existing sessions so attackers lose active logins. Reset passwords for hosting, FTP/SFTP, cPanel, and database access. Use unique passwords for each account and store them in a trusted password manager. Enable two-factor authentication (2FA) on WordPress and hosting control panels. Audit user roles and remove any accounts you do not recognize. Check for password reset emails or unexpected password change notifications. Monitor failed login attempts and lock out repeated offenders. Document every password change with timestamps. After rotation, test admin access to ensure everything works as expected.

Scan, clean, and restore safely

Run malware scans on files and database

Use reputable security plugins and server-side scanners to identify malicious code. Focus on core WordPress files, active plugins, and your current theme. Scan the database for suspicious admin users, obfuscated entries, or injected scripts. Look for base64-encoded strings, eval(), and suspicious file inclusions. Compare current files with original plugin and theme zip files to spot tampering. Quarantine flagged files and clean them before restoring access. Avoid partial cleanups that leave backdoors behind. Verify that all scans report clean results before moving to hardening. Keep a log of infected files and how you remediated each one. Repeat scans after changes to ensure nothing new was introduced.

Restore from a clean backup (if available)

Restoring from a clean backup is the fastest way to remove active infections. Identify the last known-good backup taken before the breach and verify its integrity. Disable maintenance mode before restoring to avoid serving outdated pages. After restore, immediately rotate passwords and re-enable 2FA. Update plugins, themes, and core WordPress to the latest patched versions. Remove unused plugins and themes to reduce attack surface. Monitor error logs and access patterns closely after restoration. If the backup is partial, supplement with manual cleanup. Do not reuse backups created after the breach, as they may contain malware. Document the restore process and outcomes for future reference.

Harden WordPress and prevent future attacks

Update everything and remove unused code

Keep WordPress core, plugins, and themes updated at all times. Remove any inactive themes and plugins, as they can be exploited even if not active. Subscribe to security advisories for your installed plugins and themes. Use managed updates or staging environments to test changes before production. Automate updates where possible but review changelogs to catch breaking changes. Check file permissions and ensure they follow the principle of least privilege. Avoid nulled themes and unofficial plugin sources, which often contain backdoors. Inventory your site monthly and prune unnecessary extensions. This reduces your attack surface and simplifies maintenance.

Strengthen authentication and authorization

Enforce strong password policies and unique passwords for every account. Enable two-factor authentication (2FA) for administrators and editors. Limit login attempts and block suspicious IPs automatically. Rename the default admin user and avoid obvious usernames like admin. Use custom login URLs to reduce automated brute-force traffic. Restrict wp-admin access by IP address where feasible. Rotate API keys, salts, and any third-party tokens after incidents. Audit user roles regularly and remove dormant or unauthorized accounts. Use single sign-on (SSO) with enforced MFA for team access. Track login activity and alert on unusual behavior patterns.

Lock down file permissions and server config

Set directories to 755 and files to 644 by default, unless a plugin requires otherwise. Disable file editing in wp-admin and prevent plugin and theme modifications. Protect wp-config.php and .htaccess from direct access. Block execution of PHP in uploads and any nonessential directories. Restrict SFTP/SSH access to trusted IPs and enforce key-based authentication. Enable PHP open_basedir to limit file access to WordPress directories. Use secure HTTP headers, including Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS). Turn off server signature and limit information disclosure in headers. Log file changes and enable real-time alerting on suspicious modifications. Audit your hosting configuration for outdated software or insecure defaults.

Monitoring and long?term resilience

Set up continuous monitoring and alerts

Install a reputable security plugin with file integrity monitoring and malware scanning. Enable real-time alerts for login attempts, file changes, and plugin updates. Track 404 spikes, sudden traffic surges, and unusual redirect chains. Monitor uptime, search console messages, and blacklisting status. Create an incident response runbook that outlines steps, contacts, and timelines. Schedule weekly checks for new plugins, theme changes, and user accounts. Review logs regularly and investigate anomalies promptly. Use a dashboard to visualize trends and performance metrics. Ensure backups run daily and test restores quarterly. Continuous monitoring shortens detection time and reduces damage.

Establish a backup and recovery plan

Automate daily offsite backups with immutability or version retention. Use incremental backups to reduce storage and speed up recovery. Store backups in multiple locations, such as cloud storage and a local secure drive. Test restores on a staging site to validate integrity and procedures. Document step-by-step recovery workflows and assign responsibilities. Keep an up-to-date inventory of plugins, themes, and custom code. Label backups clearly and maintain a recovery time objective (RTO) and recovery point objective (RPO). Schedule periodic restore drills to ensure your team can execute under pressure. Record lessons learned after each drill or incident and update your plan. A solid backup strategy is your last line of defense against data loss.

Final checklist

Change all passwords and enable 2FA. Verify clean malware scans. Restore from a clean backup if available. Update WordPress core, plugins, and themes. Harden file permissions and server settings. Protect wp-config.php and .htaccess. Enable security headers such as CSP and HSTS. Monitor logs, uptime, and search console warnings. Automate daily backups and test restores quarterly. Review user roles monthly and remove dormant accounts. Limit admin access by IP where feasible. Use a reputable security plugin for ongoing protection. Keep a documented incident response runbook. Audit hosting configuration for outdated software. Train editors on safe browsing and phishing awareness. If you need expert assistance, contact Amine Aziz.