My WordPress site got hacked: what to do in the next hour

By Ali Yasin Jatoi. 7 min read. Updated June 25, 2026.

Quick answer

If your WordPress site has been hacked, do these seven things in order. Take the site to maintenance mode. Take a full backup of files and database before changing anything. Change every password including hosting, SFTP, database, and admin users. Rotate the salts in wp-config.php to kick out every session. Scan with two security tools to map the damage. Replace core, plugins, and theme with clean copies. Harden the site and add monitoring before bringing it back online. Most sites are safely back in under a day when an experienced engineer drives the recovery.

Hour one: stop the bleeding

Put the site in maintenance mode so visitors stop getting infected and search engines do not crawl the bad pages.

Take a backup of files and database before you change anything. Even though it is infected, that backup is your fallback if the recovery goes wrong, and it preserves the evidence you will need to work out how the attacker got in.

Tell your host you have been hacked. Many hosts have an incident team that can isolate the account.

Hour two: regain control

Change every password connected to the site: WordPress admin, hosting control panel, SFTP, database, premium plugin licenses, and the email accounts those services send password resets to.

Rotate the secret keys and salts in wp-config.php so every existing login session is invalidated.

Audit admin users in wp-admin. Delete any user you did not create.
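A shell version of the salt-rotation step, added here as an example rather than the article's own tooling. WP-CLI does the same job with `wp config shuffle-salts` and lists the admin accounts with `wp user list --role=administrator`; the script below needs only sed and /dev/urandom and assumes the standard `define('KEY', 'value');` line shape in wp-config.php. `write_sample_config` writes a constructed sample file so the script can be tried without touching a real site.

```shell
#!/bin/sh
# Rotate the eight WordPress secret keys and salts in a wp-config.php.
# Every login cookie is signed with these values, so changing them invalidates
# every existing session, the attacker's included. Added example; assumes the
# standard  define('AUTH_KEY', '...');  line shape (single or double quotes).

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"

# 64 random printable characters. The alphabet deliberately excludes quotes,
# backslash, '$', '&', '/' and '|' so the value is safe inside a single-quoted
# PHP string and inside the sed replacement below. Reading a fixed 1 KiB from
# /dev/urandom gives ~300 usable characters, comfortably more than 64.
random_salt() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#%^*+=,.:;?@_' | head -c 64
}

# Replace the value of each salt key in place (via a temp file, so it works with
# both GNU and BSD sed). Lines that are not salt defines are left untouched.
rotate_salts() {
  cfg="$1"
  cp "$cfg" "$cfg.pre-rotation"          # keep the old file for the incident record
  for key in $SALT_KEYS; do
    new=$(random_salt)
    sed "s|define( *['\"]$key['\"], *['\"][^'\"]*['\"] *);|define('$key', '$new');|" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

# Return 0 only when all eight keys are defined exactly once and none still
# carries the stock placeholder text.
verify_salts() {
  cfg="$1"
  grep -q "$PLACEHOLDER" "$cfg" && return 1
  for key in $SALT_KEYS; do
    n=$(grep -c "define('$key', '" "$cfg" || true)
    [ "$n" -eq 1 ] || return 1
  done
  return 0
}

# Constructed sample wp-config.php with the stock placeholders, for a dry run.
write_sample_config() {
  {
    echo "<?php"
    echo "define('DB_NAME', 'wp_demo');"
    for key in $SALT_KEYS; do
      echo "define('$key', '$PLACEHOLDER');"
    done
    echo "\$table_prefix = 'wp_';"
  } > "$1"
}

# Usage: sh rotate-salts.sh /path/to/wp-config.php
if [ $# -ge 1 ]; then
  rotate_salts "$1" && verify_salts "$1" && echo "salts rotated in $1"
fi
```

Run it after the password changes, not before: a session that is logged out by the salt change can simply log back in if the attacker still holds a valid password. The `.pre-rotation` copy belongs with the hour-one backup, outside the web root.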

Hours three to six: clean and verify

Replace WordPress core, every plugin, and the active theme with fresh copies from wordpress.org or the original vendor. Do not trust the files on the server.

Scan the uploads folder for PHP files (it should contain only media).

Scan the database for injected admin users, suspicious options rows, and obvious base64 blobs.

Run a second scanner to catch what the first one missed.
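The uploads and database checks above, as an added shell example (not the article's tooling, and not a substitute for the two scanners it recommends). It assumes you are working on the copy of the site tree and the SQL dump taken in hour one, and it generalises the uploads check slightly: besides files with PHP extensions it flags `.htaccess`/`.user.ini` files, which can re-enable PHP execution inside uploads, and any file whose first bytes are a PHP open tag regardless of extension. `make_fixture` builds a constructed tree and dump so the helpers can be exercised offline.

```shell
#!/bin/sh
# Triage helpers for the "clean and verify" step. Added example, not the
# article's tooling; assumes you work on the hour-one copy of the site tree and
# SQL dump, not on the live server.

# Flag files under wp-content/uploads that are not media:
#   ext    PHP-executable extensions, plus .htaccess / .user.ini, which can turn
#          PHP execution back on inside the uploads tree
#   embed  any other file whose first 512 bytes contain a PHP open tag
#          (a "jpg" that starts with <?php is a script, not a picture)
# One line per hit: "<kind> <path>". Paths containing newlines are not handled.
scan_uploads() {
  find "$1" -type f | while IFS= read -r f; do
    case "$(basename "$f")" in
      *.[Pp][Hh][Pp]|*.php[0-9]|*.phtml|*.phar|.htaccess|.user.ini)
        printf 'ext %s\n' "$f"; continue ;;
    esac
    lead=$(head -c 512 "$f" | tr -d '\000')   # strip NULs so the match works on binaries
    case "$lead" in
      *'<?php'*|*'<?='*) printf 'embed %s\n' "$f" ;;
    esac
  done
}

count_suspicious() { scan_uploads "$1" | wc -l | tr -d ' '; }

# Lines of a SQL dump with the classic injection shape: a decoder call
# (eval/base64_decode/gzinflate/str_rot13) or a run of 200+ base64 characters,
# which is how payloads are usually hidden in wp_options and wp_posts rows.
# Expect some false positives from plugins that legitimately store encoded
# data; treat each line as a lead to open, not a verdict.
scan_dump() {
  grep -n -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|[A-Za-z0-9+/]{200,}={0,2}' "$1"
}

# Every user row in the dump, to compare against the admins you know you
# created (second argument = table prefix, default wp_).
list_user_rows() {
  prefix="${2:-wp_}"
  grep -n 'INSERT INTO `'"$prefix"'users`' "$1"
}

# Constructed fixture: a tiny uploads tree and a four-line dump, so the helpers
# can be exercised offline. Nothing here is real site data.
make_fixture() {
  root="$1"; sub="$root/wp-content/uploads/2026/06"
  mkdir -p "$sub"
  printf '\377\330\377\340JFIF fake image bytes\n' > "$sub/photo.jpg"   # clean
  printf '<?php echo "not media";\n'               > "$sub/cache.php"   # ext hit
  printf '\211PNG\r\n<?php echo "hidden";\n'       > "$sub/logo.png"    # embed hit
  printf 'AddType application/x-httpd-php .png\n'  > "$root/wp-content/uploads/.htaccess"  # ext hit
  blob=$(printf '%240s' '' | tr ' ' 'A')           # stands in for a long base64 run
  {
    printf "INSERT INTO \`wp_options\` VALUES (1,'siteurl','https://example.com','yes');\n"
    printf "INSERT INTO \`wp_options\` VALUES (99,'widget_text','eval(base64_decode(\"%s\"));','yes');\n" "$blob"
    printf "INSERT INTO \`wp_users\` VALUES (1,'owner','\$P\$hash1','owner@example.com');\n"
    printf "INSERT INTO \`wp_users\` VALUES (2,'wp-support','\$P\$hash2','nobody@mail.invalid');\n"
  } > "$root/dump.sql"
}

# Usage: sh triage.sh /path/to/site-copy /path/to/dump.sql
if [ $# -ge 2 ]; then
  scan_uploads "$1/wp-content/uploads"
  scan_dump "$2"
  list_user_rows "$2"
fi
```

Anything `scan_uploads` reports should be copied into the incident record before it is deleted; the dump hits tell you which option or post rows to clean by hand once the fresh core, plugins and theme are in place.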

Before going back online

Update WordPress, PHP, and the database to current versions.

Install a security plugin with a firewall and brute-force protection.

Turn on two-factor authentication for every admin.

Add file change monitoring so any new infection is caught in minutes.

Request a review from Google Search Console if the site was flagged.
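A minimal form of the file change monitoring mentioned above, added as an example rather than the article's own tooling: hash every file right after the clean reinstall, then diff the tree against that baseline on a schedule. It assumes `sha256sum` or `shasum` is available on the host and that a cron job (or the hosting panel) reruns `diff_baseline` every few minutes and alerts on any output.

```shell
#!/bin/sh
# Baseline-and-diff file change monitor. Added example, not the article's
# tooling; take the baseline immediately after the clean reinstall and keep the
# baseline file outside the web root.

# SHA-256 of one file, using whichever tool the host provides.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# "<hash>  ./relative/path" for every regular file under $1, sorted so that two
# snapshots line up. Paths with spaces or newlines are not handled.
hash_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do file_hash "$f"; done )
}

# Record the clean state: take_baseline <site-root> <baseline-file>
take_baseline() { hash_tree "$1" > "$2"; }

# Compare the tree with the baseline; prints one line per difference:
#   added ./path      file that was not in the baseline
#   removed ./path    baseline file that is gone
#   changed ./path    content differs from the baseline hash
# Prints nothing when the tree is unchanged.
diff_baseline() {
  now=$(mktemp)
  hash_tree "$1" > "$now"
  awk -v base="$2" '
    FILENAME == base { old[$2] = $1; next }
    { cur[$2] = $1 }
    END {
      for (p in old) if (!(p in cur)) print "removed " p
      for (p in cur) if (!(p in old)) print "added " p
                     else if (cur[p] != old[p]) print "changed " p
    }' "$2" "$now" | LC_ALL=C sort
  rm -f "$now"
}

# Usage: take_baseline /var/www/site /var/lib/wp-baseline.txt   (once, after the clean install)
#        diff_baseline /var/www/site /var/lib/wp-baseline.txt   (from cron; alert when output is non-empty)
if [ $# -ge 2 ]; then
  diff_baseline "$1" "$2"
fi
```

Refresh the baseline after every legitimate update, or the monitor will page you for your own changes. A file monitor does not see database-only injections, so keep the database scan from the recovery phase in the regular schedule as well.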

After: avoid the rerun

Move to a managed WordPress host that isolates sites from each other.

Keep a managed maintenance plan with malware monitoring and unlimited cleanup.

Audit and remove plugins and themes you do not actively use.

Train every admin on phishing and password hygiene.

Common questions

Will I lose my data if my WordPress site is hacked?

Almost never. Attackers mostly add files and inject pages rather than deleting your content. A clean recovery preserves posts, pages, users, and orders.

How long should WordPress hack recovery take?

Most sites are safely back in 4 to 12 hours of focused engineer time. Complex infections take longer. Anything more than 24 hours suggests the cleanup is incomplete.

Do I need to tell my visitors the site was hacked?

If customer data was exposed, yes, and the law in many regions requires it. If only files and pages were affected, a status update is courteous but not required.

Can you recover a site Google has flagged as deceptive?

Yes. After a clean recovery and hardening we request a review through Google Search Console. The flag usually clears within 72 hours.


Want this handled for you?

Book a call and we will review your site before recommending anything.
