WordPress Hacked? Here’s Exactly What to Do Right Now (2025 Emergency Guide)

Your heart just sank. Your WordPress website is showing strange behavior—maybe you can’t log in, there’s weird content you didn’t add, or Google just slapped a big red “This site may be hacked” warning on your search results.

Take a breath. You’re not alone, and this IS fixable.

Every day, over 30,000 websites get hacked. WordPress sites are the #1 target because they power 43% of the entire internet. The good news? We’ve helped clean thousands of hacked WordPress sites, and we’re going to show you exactly what to do—step by step.

In this emergency guide, you’ll learn:

  • How to confirm your WordPress site has actually been hacked
  • The 7 critical steps to take IMMEDIATELY (in order)
  • How to remove malware and clean your site completely
  • How to prevent this nightmare from happening again
  • When to call in professional help (and why it might save you money)

⚡ NEED EMERGENCY HELP RIGHT NOW? Skip the DIY and let our WordPress security experts fix your hacked site—often within hours. Get a FREE security scan →

How to Know If Your WordPress Site Is Actually Hacked

Before you panic, let’s confirm you’re actually dealing with a hack and not just a technical glitch. Here are the telltale signs of a hacked WordPress site:

🚨 Obvious Red Flags

  • You can’t log in — Your password doesn’t work, or you’re redirected away from wp-admin
  • Strange content appeared — Spammy links, pharmaceutical ads, casino content, or foreign language text you didn’t add
  • Your site redirects to another website — Visitors get sent to sketchy sites selling pills, gambling, or adult content
  • Google shows a warning — “This site may harm your computer” or “This site may be hacked” in search results
  • Your hosting provider suspended your site — They detected malware and took your site offline

🔍 Subtle Warning Signs

  • Unknown admin users — New administrator accounts you didn’t create
  • Sudden traffic drop — Google has de-indexed your site due to malware
  • Site running extremely slow — Malicious scripts consuming server resources
  • Weird files in your directories — Files with random names like xkj47.php
  • Your email is sending spam — Hackers using your server to blast out spam
  • Japanese/Chinese characters in Google results — The infamous “Japanese Keyword Hack”

Recognize any of these? You’ve likely been hacked. Don’t wait—every minute gives hackers more time to dig deeper. Let’s fix this NOW.

WordPress Hacked: 7 Emergency Steps to Take RIGHT NOW

Time is critical. Follow these steps in order to contain the damage and start recovery:

Step 1: Don’t Panic — But Act Fast

Yes, this is stressful. Yes, it feels like your business is falling apart. But panicking leads to mistakes. Take 30 seconds to breathe, then move through these steps methodically.

Important: Do NOT start randomly deleting files or reinstalling WordPress yet. You could destroy evidence or break your site permanently.

Step 2: Put Your Site in Maintenance Mode

Your first priority is protecting your visitors. A hacked site can infect visitors with malware, steal their credentials, and redirect them to phishing sites.

If you CAN access your dashboard: Install a maintenance mode plugin and activate it immediately.

If you CAN’T access your dashboard: Contact your hosting provider to take your site offline temporarily.

Step 3: Change ALL Your Passwords

Assume every password is compromised. Change them ALL:

  1. WordPress admin password — For EVERY admin user
  2. Hosting account password — cPanel, Plesk, or your provider’s portal
  3. FTP/SFTP passwords — Delete existing accounts and create new ones
  4. Database password — Update in wp-config.php after changing
  5. Email accounts — Associated with your domain

Step 4: Force Logout All Users

Hackers may still be logged in. Force everyone out by updating your WordPress security keys in wp-config.php. Visit the WordPress Secret Key Generator and replace all keys.
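If you would rather generate the replacement keys locally than paste them from the generator, the sketch below rewrites the eight key and salt lines in a wp-config.php file's text. It is an added example, not part of the original guide or of WordPress itself; `rotate_keys`, `new_secret` and the sample config are hypothetical names and constructed data.

```python
import re
import secrets
import string

# The eight authentication keys and salts defined in wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable ASCII without ' and \ so a value never needs escaping in a
# single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

# Matches a whole define('NAME', ...) line; the old value is discarded unread.
DEFINE_RE = re.compile(r"^[ \t]*define\(\s*['\"](?P<name>[A-Z_]+)['\"]\s*,[^\r\n]*", re.M)


def new_secret(length=64):
    """Return a random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, replaced_names) with a fresh value for every key and salt."""
    replaced = []

    def swap(match):
        name = match.group("name")
        if name not in KEY_NAMES:
            return match.group(0)  # leave DB_* and other constants untouched
        replaced.append(name)
        return "define( '%s', '%s' );" % (name, new_secret())

    new_text = DEFINE_RE.sub(swap, config_text)
    missing = [n for n in KEY_NAMES if n not in replaced]
    if missing:
        # The file is not what we expect; fail rather than half-rotate.
        raise ValueError("keys not found in config: " + ", ".join(missing))
    return new_text, replaced


# Constructed sample config; the values are placeholders, not real secrets.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_PASSWORD', 'constructed-db-pass' );\n" + "".join(
    "define('%s', 'old-%d');\n" % (name, i) for i, name in enumerate(KEY_NAMES))

if __name__ == "__main__":
    text, names = rotate_keys(SAMPLE_CONFIG)
    print(text)
```

Keep a copy of the original wp-config.php before writing the new text back, and expect every logged-in user, including you, to be signed out once the new file is in place.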

Step 5: Create a Full Backup

Before cleaning, back up your current (infected) state. You may need it for analysis, and if cleanup goes wrong, you can restore and try again. Label it “INFECTED – DO NOT RESTORE.”

Step 6: Scan for Malware

Option A: Use a Security Plugin

  • Wordfence — Free scanner, identifies infected files
  • Sucuri SiteCheck — Free online scanner
  • MalCare — Deep scanning with one-click cleanup

Option B: Hire Professionals (Recommended)

Automated scanners catch only 40-60% of malware. Sophisticated hacks hide in database entries and plant multiple backdoors. Professional cleanup ensures nothing gets missed.

🛡️ WORRIED ABOUT MISSING HIDDEN MALWARE? Our security experts perform manual, line-by-line code review combined with AI-powered scanning. We find the backdoors that automated tools miss. Get expert malware removal →

Step 7: Remove the Malware

Replace WordPress Core Files: Download a fresh copy from wordpress.org and replace all core files.

Reinstall Plugins & Themes: Delete all and reinstall from official sources. Don’t just update.

Clean Your Database: Check the wp_options and wp_posts tables for suspicious entries, base64-encoded strings, and eval() calls.

Remove Unknown Users: Delete any admin accounts you don’t recognize.

Check .htaccess: Hackers add malicious redirects here. Regenerate through Settings > Permalinks.
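Before overwriting core files, it helps to record which ones were actually changed. The sketch below is an added example, not part of the original guide: it hashes an installed tree against an unpacked fresh copy and lists modified, unexpected and missing files. The function names and the sample trees are hypothetical and constructed; wp-content, wp-config.php and .htaccess are skipped because they legitimately differ per site and are handled by the other steps.

```python
import hashlib
import os
import tempfile

# Differ on every site, so they are reviewed separately, not diffed.
SKIP_DIRS = {"wp-content"}
SKIP_FILES = {"wp-config.php", ".htaccess"}

def file_hashes(root):
    """Map relative path -> SHA-256 for each file under root, minus skipped paths."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel in SKIP_FILES:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_core(installed_root, fresh_root):
    """Report core files that differ from, or are absent in, the fresh copy."""
    installed, fresh = file_hashes(installed_root), file_hashes(fresh_root)
    return {
        "modified": sorted(p for p in installed if p in fresh and installed[p] != fresh[p]),
        "unexpected": sorted(p for p in installed if p not in fresh),
        "missing": sorted(p for p in fresh if p not in installed),
    }

def build_demo(base):
    """Create constructed sample trees: a fresh copy and a tampered install."""
    trees = {
        "fresh": {"index.php": "<?php // core", "wp-includes/load.php": "<?php // loader"},
        "installed": {"index.php": "<?php // core\n// constructed injected line",
                      "wp-includes/load.php": "<?php // loader", "wp-config.php": "<?php",
                      "wp-includes/xkj47.php": "<?php // constructed stray file"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "installed"), os.path.join(base, "fresh")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_core(*build_demo(tmp)))
```

The fresh copy must be the same WordPress version as the installed site, otherwise legitimately updated files will show up as modified. Run it against the infected backup from Step 5 so the list survives the cleanup.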

After the Cleanup: Critical Next Steps

Update Everything

  • WordPress core to the latest version
  • All plugins—delete any you’re not using
  • All themes—keep only what you need
  • PHP version (check with your host)

Request Google Review

If Google flagged your site, go to Google Search Console > Security Issues. After cleanup, click “Request Review.” Warnings typically clear within 24-72 hours.

Implement Security Hardening

A clean site without hardening will get hacked again:

  • Web Application Firewall (WAF)
  • Two-Factor Authentication (2FA)
  • Login attempt limiting
  • File permission hardening
  • Disable XML-RPC
  • Regular automated backups

🔒 WANT MILITARY-GRADE SECURITY? Our WordPress Security Hardening service implements 12+ layers of protection. Includes WAF, 2FA setup, file monitoring, and more. Learn about Security Hardening →

When to Call in WordPress Security Professionals

DIY cleanup can work for simple hacks, but consider professional help if:

  • Your site keeps getting reinfected — You’re missing hidden backdoors
  • You run an e-commerce site — Customer data may be at risk
  • Your business depends on the site — Every hour offline costs money
  • The hack involves database injection — Extremely difficult to clean
  • You want guaranteed results — Professionals offer cleanup guarantees

The cost of professional cleanup ($199-$500) is almost always less than: lost revenue, lost customers, lost SEO rankings, and hours of your own time.

How to Prevent Future WordPress Hacks

  1. Keep Everything Updated — Outdated plugins are the #1 entry point
  2. Use Strong Passwords — 16+ characters, unique for each account
  3. Limit Login Attempts — Block brute force attacks
  4. Use a Web Application Firewall — Cloudflare or Sucuri WAF
  5. Install SSL Certificate — Encrypt all data transfer
  6. Regular Off-Site Backups — Daily, stored remotely
  7. Quality Hosting — Invest in managed WordPress hosting

Frequently Asked Questions

How did my WordPress site get hacked?

Most common causes: outdated plugins/themes with known vulnerabilities, weak passwords, insecure hosting, nulled (pirated) themes/plugins, and compromised FTP credentials.

How long does WordPress malware removal take?

DIY cleanup: 4-8 hours for simple hacks, days for complex infections. Professional services: typically 4-24 hours.

Will I lose my content?

Usually not. Most hacks inject code but don’t delete content. However, without backups and proper cleanup, data loss is possible.

How much does professional malware removal cost?

Typically $199-$500, including security hardening. Monthly monitoring plans range $10-$50/month.

Can a hacked site hurt my SEO?

Absolutely. Google will blacklist your site and remove it from search results. Fast cleanup minimizes SEO damage.

Take Action Now — Your Site Won’t Fix Itself

Every minute your WordPress site stays hacked, the damage gets worse:

  • Google is indexing your spam pages
  • Visitors are seeing security warnings
  • Hackers are digging deeper
  • Your brand reputation is suffering

You have two options:

  1. DIY: Follow the steps in this guide and hope you catch everything
  2. Get Expert Help: Let professionals handle it with a guarantee

🚀 GET YOUR FREE WORDPRESS SECURITY SCAN

Our experts will analyze your site, identify all threats, and give you a clear action plan — FREE.

→ Get Your Free Scan at Injected.Website ←

✓ 4-Hour Response ✓ Same-Day Cleanup ✓ 30-Day Guarantee
