My Website Was Hacked: What to Do Right Now and How to Recover

A de Villiers


Your website is showing content you did not put there. Or it is redirecting visitors to a casino site. Or Google is showing a "This site may be hacked" warning. Or your hosting provider sent you an email saying they detected malware.

You are not sure what happened, how bad it is, or whether your customer data has been compromised.

This is a panic moment. Take a breath. I have recovered hacked WordPress sites, cleaned malware infections, and rebuilt compromised sites multiple times. Here is what to do, step by step.

Step 1: Confirm You Have Actually Been Hacked

Before you tear everything down, confirm what you are seeing.

Signs your site has been hacked:

  • Pages you did not create, especially pharmaceutical or gambling content
  • Redirects to unknown sites (sometimes only on mobile or only from Google search results)
  • Google Search Console warnings about spam, malware, or phishing
  • Your hosting provider flagged malware in your files
  • New admin users you did not create
  • Modified files (index.php, wp-config.php, or .htaccess have been changed)
  • Spam emails being sent from your server
  • Sudden drop in search traffic with no other explanation

Signs that look like hacking but are not:

  • A plugin update broke your site (this is a crash, not a hack)
  • Your domain expired and the registrar is showing a parking page
  • Your hosting was suspended for non-payment
  • A caching issue is showing old or wrong content

If you have confirmed signs of a hack, continue.

Step 2: Do Not Panic-Delete Everything

The worst thing you can do right now is delete files randomly, reinstall WordPress, or restore an old backup without understanding the breach. Why?

If you do not find how they got in, they will get back in. A restored backup with the same vulnerability will be hacked again, often within days.

If you delete evidence, you cannot determine whether customer data was accessed. This matters legally (POPIA requires you to report breaches involving personal data).

Step 3: Take the Site Offline (Carefully)

If your site is actively redirecting visitors or serving malware, you need to stop it from harming your visitors and your reputation. But do it in a way that preserves evidence.

Option A: Maintenance mode. Put up a maintenance page that prevents visitors from seeing the compromised content. This preserves all files and database for investigation.

Option B: Password protect the site. Use .htaccess to password-protect the entire site. Only you can access it.

Do not: Delete the site. Wipe the database. Reinstall everything. Not yet.

Step 4: Change All Passwords

Right now. Every single one.

  • WordPress admin passwords (all admin users)
  • Hosting control panel (cPanel, Plesk, etc.)
  • FTP/SFTP credentials
  • Database passwords (in cPanel and in wp-config.php)
  • Email passwords (if email runs through the same hosting)
  • Any third-party service credentials stored in the site (payment gateways, API keys)

If the attacker has your passwords, changing them is the first line of defense.

Step 5: Scan and Identify the Infection

Now you need to find what was changed and how they got in.

Check recently modified files. Use your hosting file manager or FTP to sort files by modification date. Files modified at unusual times (3 AM, dates you were not working) are suspicious.

Check for unknown files. Look for PHP files in directories that should only contain images (wp-content/uploads/ is a common hiding place). Look for files with random-character names.

Check .htaccess. This file controls how your server handles requests. Hackers frequently add redirect rules here. Open it and look for lines you do not recognize, especially lines containing "RewriteRule" pointing to external domains.

Check wp-config.php. Look for code that should not be there. Especially look for require, include, or eval statements that reference unfamiliar files.

Check your database. Look at the wp_users table for admin accounts you did not create. Check the wp_options table for suspicious values in siteurl or home (these control where your site points).

Use a malware scanner. Wordfence (free plugin) can scan your WordPress files and identify known malware signatures. Sucuri SiteCheck (free online scanner) can check your site from the outside.
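
The file checks in this step can be scripted. The following is an added example, not part of the original article: a read-only Python pass that flags PHP files under wp-content/uploads/, files modified in the last few days, and .htaccess RewriteRule lines that point at a host other than your own. The function names, the sample tree, and the example.com and casino.invalid hosts are constructed for illustration.

```python
import os, re, tempfile, time
from pathlib import Path
from urllib.parse import urlparse

PHP_EXT = {".php", ".phtml", ".phar"}
# RewriteRule <pattern> <substitution>: only absolute-URL substitutions matter here
REWRITE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)

def triage(root, own_hosts, days=7, now=None):
    """Read-only scan; returns sorted (kind, relative_path, detail) tuples."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # PHP in a directory that should only hold media
            if rel.startswith("wp-content/uploads/") and path.suffix.lower() in PHP_EXT:
                findings.append(("php-in-uploads", rel, ""))
            # Modified inside the review window
            if path.lstat().st_mtime >= cutoff:
                findings.append(("recently-modified", rel, ""))
            # Redirect rules whose target host is not one of yours
            if name == ".htaccess":
                for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                    m = REWRITE.match(line)
                    if m and urlparse(m.group(1)).hostname not in own_hosts:
                        findings.append(("external-rewrite", rel, f"line {n}"))
    return sorted(findings)

def demo():
    """Constructed sample tree: one planted PHP file, one injected redirect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content/uploads/2024"
        uploads.mkdir(parents=True)
        (uploads / "logo.png").write_bytes(b"\x89PNG")
        (uploads / "x7f3q.php").write_text("<?php // placeholder\n")
        (root / ".htaccess").write_text(
            "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
            "RewriteRule ^(.*)$ http://casino.invalid/$1 [R=302,L]\n")
        old = time.time() - 90 * 86400  # backdate the legitimate image
        os.utime(uploads / "logo.png", (old, old))
        return triage(root, own_hosts={"example.com"})

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Modification times can be reset by whoever wrote the file, so a file that does not show up as recently modified is not cleared by that alone. The rewrite check only catches rules with an absolute URL as the target.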

Step 6: Clean the Infection

Once you have identified the compromised files:

Replace WordPress core files. Download a fresh copy of WordPress from wordpress.org and replace all core files (everything except wp-content/ and wp-config.php). This ensures any modified core files are clean.

Remove unknown files. Delete any files you identified that should not be there. Be careful not to delete legitimate plugin or theme files.

Clean modified files. For files that were modified (not replaced), compare them against the original versions. Remove the injected code.

Remove unauthorized users. Delete any WordPress admin accounts you did not create.

Review and clean the database. Remove any injected content from posts, pages, or options.
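
Before replacing core files, it helps to know exactly which ones differ from the originals. The following is an added example, not part of the original article: it hashes every file outside wp-content/ and wp-config.php in the live site and compares it against an unpacked fresh download, assuming the download is the same WordPress version as the live site. The function names and the two sample trees are constructed for illustration.

```python
import hashlib, tempfile
from pathlib import Path

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def core_files(root):
    """Map relative path -> Path for everything except wp-content/ and wp-config.php."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel != "wp-config.php" and not rel.startswith("wp-content/"):
            out[rel] = p
    return out

def compare_core(live, clean):
    """Classify live core files against a fresh copy of the same version."""
    live_files, clean_files = core_files(live), core_files(clean)
    report = {"modified": [], "unknown": [], "missing": []}
    for rel, path in live_files.items():
        if rel not in clean_files:
            report["unknown"].append(rel)      # not shipped with WordPress: review it
        elif sha256(path) != sha256(clean_files[rel]):
            report["modified"].append(rel)     # content differs from the original
    report["missing"] = [rel for rel in clean_files if rel not in live_files]
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Constructed trees standing in for the live site and a fresh download."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        for root in (live, clean):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
            (root / "wp-includes/version.php").write_text("<?php $wp_version = 'X.Y';\n")
        (live / "index.php").write_text("<?php /* injected */ require __DIR__ . '/wp-blog-header.php';\n")
        (live / "wp-includes/wp-tmp-a81c.php").write_text("<?php // dropped file\n")
        (live / "wp-config.php").write_text("<?php // site secrets\n")
        return compare_core(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files such as .htaccess are reported as unknown because a fresh download does not ship them; that is a prompt to read them, not proof they are malicious. Where WP-CLI is installed, `wp core verify-checksums` performs the same kind of comparison against the official checksums.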

Step 7: Find the Entry Point

This is the most important step and the one most people skip. If you clean the hack but do not close the vulnerability, you will be hacked again.

Common entry points:

Outdated plugins or themes. This is the cause of most WordPress hacks: a plugin with a known vulnerability that was not updated. Check every plugin and theme version against known vulnerability databases (WPScan Vulnerability Database).

Weak passwords. Brute-force attacks against wp-login.php with common passwords. If any admin had a password like "admin123" or "password," this is likely the cause.

Compromised hosting. If another site on your shared hosting server was hacked, the attacker may have pivoted to your site. This is a hosting-level problem.

Nulled themes or plugins. If you installed a "free" version of a premium theme or plugin from an unofficial source, it likely came with a backdoor built in.
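
To test the weak-password theory, look at the web server access log if your host provides one. The following is an added example, not part of the original article: it counts POST requests to wp-login.php per client address and separates failures from successes, assuming Combined Log Format and default WordPress behaviour (a failed login re-renders the form with status 200, a successful one redirects with 302). The log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample, not taken from a real site
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:03:10:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4312'
     for s in range(6)]
    + ['203.0.113.7 - - [12/Mar/2024:03:10:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.20 - - [12/Mar/2024:09:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4312',
       '198.51.100.20 - - [12/Mar/2024:09:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.20 - - [12/Mar/2024:09:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234'])

def login_attempts(log_text, threshold=5):
    """Return per-IP login counts for addresses with at least `threshold` failures."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "first_success": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, when, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        entry = stats[ip]
        if status == "302":   # redirect after a successful login
            entry["succeeded"] += 1
            entry["first_success"] = entry["first_success"] or when
        else:                 # form shown again: the login failed
            entry["failed"] += 1
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in login_attempts(SAMPLE_LOG).items():
        print(ip, s)
```

A run of failures that ends in a success from the same address is the pattern that points to a guessed password; an admin who mistyped once stays under the threshold. Behind a CDN or reverse proxy the log may show the proxy's address instead of the visitor's.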

Step 8: Harden the Site

After cleaning and finding the entry point:

  • Update every plugin, theme, and WordPress core to the latest version
  • Delete unused plugins and themes (do not just deactivate; delete them)
  • Enforce strong passwords for all users
  • Install a security plugin (Wordfence or Sucuri) with file integrity monitoring
  • Limit login attempts
  • Disable file editing from the WordPress admin (add define('DISALLOW_FILE_EDIT', true); to wp-config.php)
  • Set correct file permissions (directories at 755, files at 644)
  • Consider changing your database table prefix if you used the default wp_
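
Two items in this list can be checked mechanically. The following is an added example, not part of the original article: it reports any file or directory carrying permission bits beyond 644 or 755 (so a stricter wp-config.php is not flagged) and confirms that an uncommented DISALLOW_FILE_EDIT define is present in wp-config.php. The function names and the sample tree are constructed for illustration.

```python
import os, re, stat, tempfile
from pathlib import Path

# An active (not commented-out) define('DISALLOW_FILE_EDIT', true) at the start of a line
DEFINE = re.compile(r"""^\s*define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I | re.M)

def audit(root, dir_mode=0o755, file_mode=0o644):
    """Return (paths with excess permission bits, whether file editing is disabled)."""
    root = Path(root)
    excess = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            allowed = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:  # any bit set that the target mode does not grant
                excess.append((path.relative_to(root).as_posix(), oct(mode)))
    config = root / "wp-config.php"
    hardened = config.is_file() and bool(DEFINE.search(config.read_text(errors="replace")))
    return sorted(excess), hardened

def demo():
    """Constructed tree with one over-permissive directory and one over-permissive file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content/uploads"
        uploads.mkdir(parents=True)
        (uploads / "a.png").write_bytes(b"\x89PNG")
        (root / "wp-config.php").write_text("<?php\ndefine('DISALLOW_FILE_EDIT', true);\n")
        for path, mode in [(root / "wp-content", 0o755), (uploads, 0o777),
                           (uploads / "a.png", 0o666), (root / "wp-config.php", 0o600)]:
            os.chmod(path, mode)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```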

Step 9: Check Your Legal Obligations

If your website stores personal data (customer names, email addresses, physical addresses, payment information), you may have a legal obligation to report the breach.

Under POPIA (Protection of Personal Information Act), if there are reasonable grounds to believe personal information has been accessed by an unauthorized person, you must notify the Information Regulator and the affected data subjects. This is not optional.

If you are unsure whether personal data was accessed, err on the side of transparency. "We detected a security incident and are taking precautions" is better than silence followed by a larger breach becoming public.

When to Call a Professional

Call a professional when:

  • You cannot find the entry point
  • The infection keeps coming back after cleaning
  • Your site was hacked through the server (not through WordPress)
  • Customer data may have been compromised and you need a proper forensic assessment
  • The hack involved your payment processing
  • You do not have the technical skills to do the cleanup yourself (there is no shame in this; it is specialist work)

I recovered and secured a WordPress site for iLearn after a compromise that required both malware cleanup and security hardening. You can see the project at /projects/ilearn-wordpress-site-recovery-security.

The Short Version

Your site was hacked. Confirm it first. Do not panic-delete. Take the site offline safely. Change all passwords. Scan and identify the infection. Clean it. Find and close the entry point. Harden the site. Check your POPIA obligations.

The most common cause is outdated plugins with known vulnerabilities. The most common mistake is cleaning the hack without finding how they got in.

If your site has been hacked and you need someone who has done this recovery work before, get in touch.
