Your WordPress Site Got Hacked. Here's What to Do (Right Now)

July 7, 2026

WordPress website security AI websites

Your website is redirecting visitors to a sketchy pharmacy site. Google slapped a "This site may be hacked" warning on your search listing. Or you just tried to log in and your admin password doesn't work anymore.

Take a breath. A hacked WordPress site is fixable, but the next few hours matter. Here's exactly what to do, in order.

Step 1: Take the site offline (the right way)

Don't start deleting files. You could destroy the evidence you need to figure out how they got in, and you might not even remove the actual backdoor.

  • Put the site into maintenance mode through your hosting panel, or point visitors to a simple "we'll be right back" page
  • If your host offers it, isolate the site so it can't infect anything else on the account
  • Tell your team not to log in until you've finished the next step

Taking the site down protects your visitors and stops the damage from spreading to your reputation.

Step 2: Change every password, not just the WordPress one

Attackers rarely stop at your WP admin. Reset all of these, from a device you trust:

  • Your hosting account password
  • WordPress admin passwords (every admin, not just yours)
  • FTP / SFTP credentials
  • The database password (in your hosting panel, then update wp-config.php)
  • Your email password, if it's tied to the hosting account

Turn on two-factor authentication anywhere it's offered. If a password was reused on other sites, change it there too.

Step 3: Call your hosting company

Most hosts have dealt with this thousands of times. Ask them:

  • When the compromise likely happened (they can often see it in server logs)
  • Whether other sites on your account are affected
  • Whether they have a clean backup from before the hack

That last one is your best friend. A restore from a clean backup plus fresh updates is usually faster and more reliable than trying to hand-clean infected files.

Step 4: Find out what they touched

Before you restore, do a quick damage assessment:

  • Check your user list. Look for admin accounts you didn't create and delete them.
  • Run a malware scan. Tools like Wordfence or Sucuri's scanner will flag modified core files and known backdoors.
  • Check Google Search Console. The Security Issues section tells you what Google found, and it's how you'll request a review later.
  • Look at recently modified files. Backdoors love to hide in wp-content/uploads, theme files, and fake "plugin" folders.

Step 5: Clean or restore

If you have a clean backup: restore it, then immediately update WordPress core, every theme, and every plugin before the site goes public again. The same hole that let them in the first time is still there in your backup.

If you don't have a clean backup: reinstall WordPress core fresh, reinstall your theme and plugins from their original sources (never from your infected copy), and go through the database for injected spam links and rogue users. If that sounds beyond your comfort level, it's worth paying a professional cleanup service. A half-cleaned site gets re-hacked within weeks.

Step 6: Get off Google's blocklist

Once the site is verifiably clean, go to Google Search Console, open Security Issues, and Request a Review. Be honest about what happened and what you fixed. Reviews usually clear in a few days, and the warning disappears from your search results.

Step 7: Ask the harder question

Here's the part most tutorials skip: why did this happen, and will it happen again?

WordPress powers a huge share of the web, which makes it the biggest target on the internet. And the way it works guarantees the treadmill never stops: dozens of third-party plugins, each one a potential unlocked door, sit on top of a database and PHP code that must be patched constantly. Miss one plugin update and you're back where you started. Most hacked WordPress sites weren't attacked by a genius. They were attacked by a bot that scans millions of sites a day for one outdated plugin.

You can keep running on that treadmill. Or you can step off it.

There's a better way to have a website in 2026

At Oxsome, we've moved way beyond WordPress. We build AI-powered websites on a modern stack, and the difference isn't subtle:

  • Dramatically more secure. No plugin stack to exploit, no database bolted to your public pages, no monthly patch roulette. The attack surface that got you hacked simply doesn't exist.
  • Faster. Modern sites load in a fraction of the time of a typical plugin-heavy WordPress build, and speed directly affects your Google rankings and your conversion rate.
  • More efficient. AI does the heavy lifting on content, SEO, and updates, so you're not paying a developer every time you need a change, and you're not babysitting a dashboard full of update warnings.

If you're reading this because your WordPress site just got hacked, get it cleaned up using the steps above. That part matters. But when you're ready to make sure this never happens again, talk to us. We'll show you what your site looks like rebuilt on a platform that's better, faster, and doesn't need rescuing.

Contact Oxsome →