Read this before you delete anything

WordPress hacked: what to do in the first 60 minutes

Your WordPress site is showing spam, redirecting visitors, or flagged by Google. What you do in the next hour decides whether this is a 4 hour cleanup or a 4 week recovery. This is the first response protocol a senior engineer runs, written by someone who has cleaned over 150 hacked WordPress sites.

Last updated ยท Reviewed by Ali Yasin Jatoi

Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer

Key takeaways

  • Do not delete files, do not reinstall WordPress, and do not run a scanner cleanup before you snapshot. Deleting evidence lets the attacker back in.
  • Isolate first, snapshot second, rotate credentials third. In that order.
  • Reinfection almost always means a backdoor a scanner missed, usually a rogue admin user, a mu-plugin loader, or a scheduled cron.
  • If Google flagged the site as deceptive, the reconsideration request matters as much as the cleanup itself.

The 60 minute first response protocol

  1. 0 to 5 min

    Confirm it is actually a hack, not a plugin bug

    Open the site in a private window and from a phone on mobile data. If you see spam pages, redirects to unrelated domains, or a Google Safe Browsing warning, treat it as a hack. If the site just throws a 500 error and the admin is broken, it is far more likely a bad update, not a hack, and the response is different.

  2. 5 to 15 min

    Isolate, do not delete anything

    Put the site in maintenance mode or password protect it at the host level. Do not delete files, do not reinstall WordPress, and do not run a scanner cleanup yet. Deleting evidence is the single most common mistake, because it destroys the trail we need to find how they got in and lets the attacker come back through the same door.

  3. 15 to 30 min

    Take a forensic snapshot

    Full server backup: files plus the database plus the access logs. Store it off-server. This is what a real WordPress malware removal engineer will need. Without it you are guessing.

  4. 30 to 45 min

    Rotate every credential

    Change the WordPress admin password for every user, rotate the database user password, rotate hosting and SFTP credentials, and generate new WordPress salts in wp-config.php. This kicks any active session out of the site.

  5. 45 to 60 min

    Decide: DIY or engineer

    If you can read PHP, know how to grep for base64_decode and eval, and can audit wp_users plus cron jobs, keep going. If not, hand it to an engineer. Every hour a hack stays live costs traffic, trust, and often triggers a hosting suspension.

How to identify what kind of WordPress hack it is

Match the symptom to the infection. Every family has a different fix path and a different reinfection risk.

SymptomMost likely causeSeverity
Google shows Japanese pages under your domainJapanese SEO hack: a doorway script generating spam pagesHigh, ranking damage
Site redirects visitors to counterfeit pharmacy or affiliate sites302 redirect / pharma hack in .htaccess, functions.php, or mu-pluginsCritical, immediate traffic loss
Google Search Console shows a Deceptive Site warningGoogle Safe Browsing flagged malware, phishing, or unwanted softwareCritical, 95% CTR loss on click through
An admin user you did not create appears in wp_usersAttacker planted a persistent admin account for reinfectionCritical, still compromised
The checkout exfiltrates card details silentlyMagecart style skimmer injected into checkout JavaScriptCritical, PCI incident
Hidden outbound links to gambling or replica goods in your footerSEO spam injection targeting your outbound link equityMedium, ranking drag

DIY or engineer: an honest decision tree

Not every WordPress hack needs an engineer. Some absolutely do. Read the row that matches your situation.

  • If: You can read PHP and grep for base64_decode, eval, str_rot13

    Then: You can attempt a DIY cleanup, but plan for 4 to 8 hours and expect at least one reinfection cycle.

  • If: The site is on shared hosting with no SSH access

    Then: Hand it to an engineer. Cleaning a shared host WordPress hack through cPanel alone is slow and unreliable.

  • If: WooCommerce, LMS, or membership site with active revenue

    Then: Hand it to an engineer immediately. Every hour of downtime here is quantifiable revenue loss.

  • If: Google flagged the site as deceptive

    Then: Cleanup is only half of it. You also need the reconsideration request submitted correctly, which is where most DIY attempts stall.

  • If: You already cleaned once and the hack came back

    Then: Definitely engineer. Reinfection almost always means a backdoor or a rogue cron the scanner missed.

When to escalate to a WordPress malware removal service

If any of the following is true, the cheapest path is to hand it over. Every hour a live hack stays visible costs traffic, trust, and often triggers a hosting suspension you then have to fight to reverse.

  • Google Safe Browsing already flagged the site as deceptive.
  • The infection came back after a previous cleanup.
  • WooCommerce, LMS, or membership site with active revenue.
  • Multisite network with more than one infected site.
  • Your host suspended the site and is asking for proof of cleanup.

WordPress hacked FAQ

How do I know if my WordPress site is actually hacked?+

Open the site in a private window and on mobile data. If you see spam pages, redirects to unrelated domains, unknown outbound links in the footer, a Google Safe Browsing warning, or unknown admin users in wp_users, it is a hack. A 500 error alone is usually a bad plugin update, not a hack.

What is the first thing I should do if my WordPress site is hacked?+

Isolate the site, do not delete anything, take a forensic snapshot (files, database, access logs), and rotate every credential. Do not run a scanner cleanup before the snapshot, because you will destroy the evidence needed to find how they got in.

Can I fix a hacked WordPress site myself?+

Yes if you can read PHP, grep for encoded strings like base64_decode, and audit wp_users, cron jobs, and mu-plugins. Plan for 4 to 8 hours and expect at least one reinfection cycle. If you cannot, hand it to a senior engineer, because reinfection almost always means a backdoor a scanner missed.

How much does it cost to clean a hacked WordPress site professionally?+

Flat $249 for a standard hacked WordPress cleanup by a senior engineer, with a 30 day reinfection guarantee. Complex reinfections, multisite networks, and WooCommerce stores are quoted after a free 15 minute triage.

Will I lose my Google rankings after a WordPress hack?+

Only if the infection stays visible. In most cases rankings recover within days once the malware is removed, the reconsideration request is submitted, and Google recrawls clean pages. The pages that were replaced by spam usually come back, though a large Japanese SEO hack can leave a 2 to 4 week recovery tail.

How long does WordPress hack recovery take?+

A senior engineer clean is a median of 4 hours from access. DIY cleanup on a single site is typically 4 to 8 hours plus a reinfection cycle. Google Safe Browsing reconsideration takes another 24 to 72 hours after the site is clean.

How do I stop my WordPress site from getting hacked again?+

The vast majority of WordPress hacks come through outdated plugins, weak or reused admin passwords, and abandoned themes. After cleanup, keep every plugin and theme current, force strong passwords with 2FA, remove any plugin you do not actively use, and put the site on ongoing maintenance. Reinfection almost always traces back to one of those three.

Call Book a call