You just discovered your WordPress site is hacked. Maybe your hosting company sent a suspension notice. Maybe Google is showing a “This site may be hacked” warning to your visitors. Maybe customers are complaining about being redirected to spam pages. Whatever tipped you off, the next 24 hours are critical. The actions you take right now determine whether this becomes a contained incident or a prolonged crisis.
This is your hour-by-hour playbook. Follow the steps in order. Skip nothing. Every task here has a specific purpose in containing the breach, preserving evidence, and getting your site back online.
Do Not Panic and Do Not Delete Anything
The single most common mistake after discovering a hack is immediately deleting suspicious files. That instinct makes sense. You see malware, you want it gone. But deleting files destroys forensic evidence you need to understand how the attacker got in and what else they may have done.
The malicious files are evidence. The code reveals the attacker's techniques, often the vulnerability they exploited, and, read together with your access logs, what they touched. Without this evidence you clean the visible infection but cannot tell whether the attacker also stole customer data, installed additional backdoors, or created persistent access (rogue admin accounts, scheduled tasks inside WordPress, cron entries on the server) that survives deleting the obvious files.
Before modifying anything, take a complete backup of the infected state. This is not your recovery backup. This is your forensic snapshot.
tar -czf /tmp/forensic-snapshot-$(date +%Y%m%d).tar.gz /path/to/wordpress/
wp db export /tmp/forensic-db-snapshot.sql --allow-root
Download both files to your local machine or a separate storage location, and record a checksum of each so you can later show the snapshot was not altered. Treat the archive as hostile: inspect it, never extract it into a web root or execute anything from it. Copy your web server access and error logs at the same time, before log rotation overwrites them. Once the snapshot is preserved, you can proceed with cleanup knowing you can always return to this state for analysis.
Hour 1-2: Secure Your Access
Attackers who compromise a WordPress site almost always establish multiple access paths. Changing one password while leaving others unchanged gives you a false sense of security. Rotate every credential in a systematic sweep.
Change your WordPress admin password. Do this with WP-CLI, which writes straight to the database, rather than through the WordPress admin panel. If the attacker has planted a backdoor in a plugin or theme, that code can capture a password typed into the login or profile form. Pass --skip-plugins and --skip-themes so WP-CLI does not load that code either, and let it prompt for the password instead of putting it on the command line, where it would land in your shell history. Confirm the user ID first with wp user list; the original administrator is usually ID 1, but not always.
wp user update 1 --prompt=user_pass --skip-plugins --skip-themes --allow-root
Use a password with at least 20 characters combining uppercase, lowercase, numbers, and symbols. Generate one with a password manager, not from memory.
Check for rogue admin accounts. List every administrator on your site:
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --allow-root
Any account you do not recognize needs to be deleted. Attackers create admin accounts with names designed to look legitimate (“wordpress_manager,” “support_admin,” or names close to those of existing team members) and also promote existing low-privilege accounts to administrator, so compare the list against who should have that role, not just against unfamiliar names. Check registration dates: an administrator created on or after the day of the suspected compromise is almost certainly the attacker's. Record the login name, email address, and registration time in your incident notes before deleting, because the deletion removes that evidence from the database. Reassigning the account's posts to a legitimate user keeps any content it owned.
wp user delete ROGUE_USER_ID --reassign=1 --allow-root
Change your database password. Update it through your hosting control panel (cPanel, Plesk, or your provider's dashboard), then update the DB_PASSWORD value in wp-config.php to match. This cuts off any attacker who obtained your database credentials, which anyone able to read wp-config.php has. If the database accepts remote connections, restrict it to localhost while you are there.
Change FTP/SFTP passwords. If the attacker gained FTP access, changing only the WordPress password does nothing. They can still upload files directly. Update FTP passwords through your hosting panel.
Regenerate WordPress authentication keys and salts. These eight constants are the secrets WordPress uses to sign login cookies and nonces (they do not encrypt anything). If the attacker has a copy of them, which anyone who could read wp-config.php does, they can forge a valid admin cookie without knowing your password. Generate fresh values at api.wordpress.org/secret-key/1.1/salt/ and replace all eight constants in wp-config.php: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT values. WP-CLI's wp config shuffle-salts does the same in one step. Every existing cookie, including any the attacker holds, stops validating immediately. As a belt-and-braces step, also destroy the session tokens WordPress stores per user in the database with wp user session destroy.
Enable two-factor authentication. Install WP 2FA or enable 2FA through Wordfence. Do this now, not later. 2FA stops the attacker logging back in through the login form even if they recover your new password through a keylogger or phishing. It does nothing against a PHP backdoor, which never touches the login form, which is why the cleanup phase below is still required.
Revoke application passwords and API keys. Check Users > Your Profile for any application passwords. Check for REST API authentication plugins. Revoke everything and recreate only what you need after cleanup.
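As an added example, not code from the original article: the key and salt rotation from the step above, done offline with a small POSIX shell script instead of pasting values from api.wordpress.org. It assumes a standard wp-config.php in which each constant sits on its own define( 'NAME', 'value' ); line, writes 64 hex characters from /dev/urandom into each, keeps a .bak copy, and then re-checks the file. The wp-config.php fragment it writes for a dry run is constructed and is not a real site's file.

```shell
#!/bin/sh
# Added example, not part of the original article: rotate the eight
# WordPress keys and salts in wp-config.php without fetching them from
# api.wordpress.org. Assumes one "define( 'NAME', 'value' );" per line.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 256 bits from /dev/urandom as 64 hex characters: nothing in the value
# needs escaping inside a PHP single-quoted string or a sed replacement.
random_salt() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Rewrite each constant's define() line with a fresh value, keeping a .bak
# copy. Matches both "define( 'AUTH_KEY', '...' );" and define('AUTH_KEY','...');
rotate_wp_salts() {
    cfg=$1
    cp "$cfg" "$cfg.bak"
    for name in $WP_SALT_NAMES; do
        value=$(random_salt)
        sed "s|define( *'$name', *'[^']*' *);|define( '$name', '$value' );|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    done
}

# Return 1 (message on stderr) if any constant is missing, still the stock
# "put your unique phrase here" placeholder, or shorter than 32 characters.
check_wp_salts() {
    cfg=$1
    for name in $WP_SALT_NAMES; do
        value=$(sed -n "s|.*define( *'$name', *'\([^']*\)' *);.*|\1|p" "$cfg" | head -n 1)
        [ -n "$value" ] || { echo "$name: missing" >&2; return 1; }
        [ "$value" != "put your unique phrase here" ] || { echo "$name: placeholder" >&2; return 1; }
        [ "${#value}" -ge 32 ] || { echo "$name: too short" >&2; return 1; }
    done
}

# Constructed wp-config.php fragment for a dry run (not a real site's file).
write_sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wpdb' );
define( 'DB_PASSWORD', 'rotate-me-separately' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
}

# Usage: sh rotate-salts.sh /path/to/wp-config.php
if [ "$#" -eq 1 ]; then
    rotate_wp_salts "$1" && check_wp_salts "$1" && echo "rotated 8 salts in $1 (backup: $1.bak)"
fi
```

Hex output is chosen deliberately: the values WordPress generates contain punctuation, which is fine for PHP but awkward to pass through sed safely. The check function is worth keeping around on its own; a wp-config.php that still carries the placeholder strings is a finding in itself. If your file defines the constants with double quotes the script will report them as missing rather than silently leaving them in place.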
Hour 2-4: Assess the Damage
Understanding the scope of the compromise determines your cleanup strategy. A single defaced page requires a different response than a deep infection with backdoors across multiple directories.
Check Google Search Console. Log into Search Console and navigate to Security and Manual Actions, then Security Issues. Google may have already identified the type of malware: phishing, malware distribution, hacked content, or social engineering. The specific category tells you what the attacker is using your site for. Check the Pages report (formerly Coverage) for any unexpected indexed URLs. The Japanese keyword hack can create thousands of spam pages indexed under your domain.
Run Sucuri SiteCheck. Visit sitecheck.sucuri.net and scan your domain. The free scan checks for visible malware, blacklist status, outdated software, and suspicious redirects. Document the results. Screenshot everything. You need this for your incident report and for any blacklist removal requests later. For a deeper scan, install the Wordfence plugin and run a server-side scan. Our comparison of WordPress security plugins covers the strengths of each scanning tool.
Check server access logs. Your web server logs contain a record of every request, including the attacker's activity. Look at /var/log/apache2/access.log or /var/log/nginx/access.log, or the logs directory in your control panel on shared hosting. Search for POST requests to PHP files in wp-content/uploads/ (web shells), POST floods against wp-login.php and xmlrpc.php (brute force and credential stuffing), requests to PHP files whose names mimic core or plugin files, and unusually high request volumes from single IP addresses. If the site sits behind a CDN or reverse proxy, the client IP field is the proxy's address unless the server logs X-Forwarded-For.
Try to identify when the initial breach occurred. Look for the earliest suspicious activity and cross-check it against the modification times of PHP files on disk, remembering that attackers can set timestamps back to blend in. This timestamp tells you which backup to restore from (if you go that route) and how long the attacker had access.
Check for data exposure. If your site handles customer data, contact forms, or e-commerce transactions, determine whether the attacker accessed or exfiltrated that data. Web server access logs show only inbound requests; for outbound activity look at firewall or egress logs from your host, at established connections on the server (ss or netstat), and at cron entries you did not create. If customer data was exposed, you may have legal notification obligations depending on your jurisdiction.
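The log searches described above, as an added example that is not part of the original article: a few awk one-liners wrapped in shell functions, run over a constructed combined-format log. Field positions assume the standard Apache/nginx "combined" format (client IP, ident, user, [time zone], "METHOD path protocol", status, bytes, referer, user agent), so $1 is the client IP, $4 the timestamp, $6 the method with its leading quote and $7 the request path. The sample log uses RFC 5737 documentation addresses and is constructed, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the original article: triage a combined-format
# access log for the WordPress compromise indicators discussed in the text.
# Assumes the standard "combined" log format (see comments on each field).

# POST requests to PHP files under wp-content/uploads/: web shell traffic.
# $6 is the method with its leading quote ("POST), $7 the request path.
webshell_hits() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-content\/uploads\/.*\.php/' "$1"
}

# Total requests per client IP ($1), busiest first.
requests_per_ip() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# POSTs to wp-login.php and xmlrpc.php per IP: brute force and credential
# stuffing show up as one address with hundreds of attempts.
login_posts_per_ip() {
    awk '$6 == "\"POST" && ($7 ~ /\/wp-login\.php/ || $7 ~ /\/xmlrpc\.php/) { print $1 }' "$1" \
        | sort | uniq -c | sort -rn
}

# Timestamp ($4, bracket stripped) of the earliest line matching any
# indicator above. Assumes the file is in chronological order, as a single
# unrotated access log is; concatenate rotated logs oldest-first before use.
first_suspicious() {
    awk '$6 == "\"POST" && ($7 ~ /\/wp-content\/uploads\/.*\.php/ || $7 ~ /\/wp-login\.php/ || $7 ~ /\/xmlrpc\.php/) { print $4; exit }' "$1" \
        | tr -d '['
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# a login brute-force burst followed by use of an uploaded shell.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.23 - - [10/Mar/2024:01:58:41 +0000] "GET / HTTP/1.1" 200 18240 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:02:15:30 +0000] "POST /wp-content/uploads/2024/03/wp-cache.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:15:55 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:16:02 +0000] "POST /wp-content/uploads/2024/03/wp-cache.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:02:20:13 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh triage-log.sh /var/log/apache2/access.log
if [ "$#" -eq 1 ]; then
    echo "== POSTs to PHP under uploads/";   webshell_hits "$1"
    echo "== requests per IP";              requests_per_ip "$1" | head -n 10
    echo "== login/xmlrpc POSTs per IP";    login_posts_per_ip "$1" | head -n 10
    echo "== earliest suspicious request";  first_suspicious "$1"
fi
```

On the sample, the earliest suspicious request is the first wp-login.php POST at 02:14:07, a minute and a half before the shell is first invoked, which is the kind of timeline the text asks you to establish. Against a real log, run the IP counts first: the shell hits come from the same address as the login burst, and that address is the one to trace through the rest of the log and your FTP and control panel logs.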
Hour 4-8: Communicate With Your Hosting Provider
Your hosting company is a critical ally during incident response. Most providers have dealt with thousands of WordPress compromises and can provide valuable assistance.
If your account was suspended: Contact support immediately. Ask them specifically what malware they detected, which files were flagged, and when the suspicious activity started. Many hosts provide a list of infected files, which significantly accelerates your cleanup. Ask whether they can provide server-level access logs going back further than your own log rotation period.
Request access logs. Some hosting providers maintain more detailed logs than what is available in your standard log directory. Ask for raw access logs covering the 30 days before the infection was detected. These logs may reveal the initial attack vector, whether it was a brute force attack, a plugin vulnerability exploit, or compromised credentials.
Ask about their scanning results. Hosts like SiteGround, WP Engine, Cloudways, and Kinsta run their own malware scanning. Their scan results may identify infections that your own scanning missed, particularly at the server level outside your WordPress directory.
Understand their reinstatement process. If your account is suspended, ask what they need from you to reinstate it. Most providers require confirmation that the malware has been removed and the vulnerability patched. Some providers will scan your account after cleanup and confirm it is clean before reactivating. Know the process before you start cleaning so you do not have to clean twice.
Do not wait until cleanup is complete to contact your host. Reach out during this window so that any information they provide can guide your cleanup process in the next phase.
Hour 8-16: Clean the Infection
With access secured, damage assessed, and hosting provider engaged, you are ready to actually remove the malware. You have two paths forward, and your choice depends on the infection complexity and your technical skills.
Path 1: DIY cleanup. Our step-by-step WordPress malware removal guide walks through the complete process: verifying core files with wp core verify-checksums, scanning plugins and themes for eval(base64_decode()) patterns, cleaning the database, checking .htaccess and wp-config.php, replacing compromised files with clean versions, and hardening the installation. The guide covers each step with specific commands and file paths. Budget 4 to 8 hours for a thorough cleanup following that guide.
Path 2: Professional cleanup. If your business depends on the site, if the infection is complex (multiple backdoors, database-level injection, server-level compromise), or if you do not have time to investigate thoroughly, professional help gets you back online faster. Our WordPress malware removal service starts triage within 4 hours and most single-site cleanups are completed within 24 hours.
If you are dealing specifically with redirect malware (visitors being sent to spam sites), our redirect malware removal guide covers that specific infection type in detail, including the five locations where redirect code hides and why it keeps coming back.
Whichever path you choose, the cleanup must be thorough. A partial cleanup that misses a single backdoor means the attacker returns within days or weeks. Thoroughness matters more than speed here.
Hour 16-24: Harden and Request Review
Cleanup without hardening is a temporary fix. The vulnerability that allowed the initial compromise must be identified and closed, or the same attack succeeds again.
Update everything. Update WordPress core, every plugin, and every theme to the latest version. The vulnerability the attacker exploited is most often in an outdated plugin; 52% of WordPress compromises trace back to vulnerable plugins according to WPScan data. Read the changelog of the plugin you suspect: if no patched release exists, remove the plugin rather than leave it installed and hope.
wp core update --allow-root
wp plugin update --all --allow-root
wp theme update --all --allow-root
Remove unnecessary plugins and themes. Delete every inactive plugin and every theme you are not using. Each one is attack surface that provides no value to your site.
wp plugin list --status=inactive --field=name --allow-root | xargs -I {} wp plugin delete {} --allow-root
Set file permissions correctly. Files should be 644, directories 755, and wp-config.php 400 (when PHP runs as the file owner, as on most shared hosts) or 440 (when the web server runs as a separate user in the owner's group). Anything world-writable (666 or 777) lets any process on the server, including a compromised neighbouring account on shared hosting, modify files that should be read-only.
Disable PHP execution in uploads. Add a rule to wp-content/uploads/.htaccess that denies requests for .php files, so a web shell uploaded through some future vulnerability cannot be invoked through the browser. This only works on Apache with AllowOverride enabled for the site; nginx ignores .htaccess, so there you add an equivalent location block denying PHP under uploads to the server configuration. Either way the rule neutralizes a shell without removing it; any PHP file already in uploads still has to be deleted.
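The permission scheme and the uploads rule from the two steps above, as an added example rather than code from the original article. It assumes Apache 2.4 syntax and AllowOverride enabled for the site (nginx needs a location block in its own config instead), uses 440 for wp-config.php, and builds a constructed sample install with deliberately sloppy modes so the fix can be checked.

```shell
#!/bin/sh
# Added example, not from the original article: apply 755/644/440 and block
# PHP execution under wp-content/uploads/. Apache 2.4 + AllowOverride assumed.

# Directories 755, files 644, wp-config.php 440 (owner and web-server group
# only; use 400 instead when PHP runs as the file's owner).
set_wp_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 440 "$root/wp-config.php"
}

# Deny requests for PHP-like files inside the media library. A shell that
# lands there can still be written, but not executed via the web server.
write_uploads_htaccess() {
    mkdir -p "$1/wp-content/uploads"
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Block PHP execution in the media library
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Write the rule first so the .htaccess file gets the same 644 as everything else.
harden_wp_install() {
    write_uploads_htaccess "$1"
    set_wp_permissions "$1"
}

# Constructed sample install with the kind of modes that need fixing.
make_sample_install() {
    root=$1
    mkdir -p "$root/wp-content/uploads/2024/03" "$root/wp-admin"
    printf '%s\n' '<?php define( "DB_PASSWORD", "example" );' > "$root/wp-config.php"
    printf '%s\n' '<?php // core file' > "$root/wp-admin/index.php"
    chmod 777 "$root/wp-content/uploads"   # world-writable upload dir
    chmod 666 "$root/wp-admin/index.php"   # world-writable core file
}

# Usage: sh harden-wp.sh /var/www/html
if [ "$#" -eq 1 ]; then
    harden_wp_install "$1" && echo "permissions set and uploads/.htaccess written under $1"
fi
```

Check afterwards that the site still updates plugins and accepts media uploads: WordPress needs write access to wp-content through the PHP user, which 644/755 provides when PHP runs as the file owner and which otherwise requires group ownership by the web server. If wp-config.php at 440 produces a blank page, PHP is running as a user outside the owner's group; fix the ownership rather than loosening the mode.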
Install a security monitoring plugin. Wordfence or Sucuri provide ongoing file integrity monitoring and malware scanning. Configure email alerts for any file changes so you are notified immediately if something is modified. Our security plugin comparison helps you choose the right one for your situation.
Request Google review. If Google flagged your site, submit a review request through Search Console under Security and Manual Actions. Be specific about what you found and fixed. Include file paths, malware types, and hardening steps taken. Google reviews typically complete within 24 to 72 hours.
Check other blacklists. Scan your domain on VirusTotal against 70+ security vendors. Check Norton Safe Web and McAfee SiteAdvisor. Each blacklist has its own delisting process and timeline.
Set up a 30-day monitoring schedule. Reinfection most commonly occurs within the first two weeks. Run Sucuri SiteCheck scans every 2 to 3 days for the first month. Review Wordfence scan results weekly. Check Google Search Console for new security issues weekly. Any anomaly during this window warrants immediate investigation.
What NOT to Do When Your WordPress Site Is Hacked
Certain common reactions actively make the situation worse. Avoid every single one of these.
Do not restore from backup without patching the vulnerability. A backup from last week is clean but contains the same vulnerable plugin that the attacker exploited. Restoring it without updating that plugin means the attacker gets back in within hours. They already know your site is vulnerable. They have likely automated the exploit. Always update the vulnerable component immediately after restoring a backup.
Do not reinstall WordPress without cleaning the database. Running wp core download --force replaces core files but does not touch the database, nor your plugins, themes, or uploads directory, where most backdoors live. If the attacker injected malicious JavaScript into your wp_posts table or created rogue admin accounts in wp_users, a core reinstall does not remove any of that. The infection continues through the database even with a fresh set of PHP files.
Do not ignore the hack and hope it resolves itself. Malware does not go away on its own. It escalates. An initial infection that redirects visitors evolves into one that steals credentials, distributes malware to your visitors, or gets your domain permanently blacklisted across multiple security services. Every day you wait increases the damage and the recovery effort.
Do not rely solely on a plugin scan. No single scanning tool catches every malware variant. Automated scanners miss obfuscated code, database-level infections, and backdoors in non-standard locations. A plugin scan is one component of a thorough cleanup, not the entire cleanup. Manual file inspection and database review are essential complements.
Do not change only your WordPress password. As covered in Hour 1-2, attackers establish multiple access paths. Changing your WordPress password while leaving your FTP, database, and hosting panel passwords unchanged is like changing the front door lock while leaving the back door wide open.
Do not delete your access logs. Server access logs are your forensic evidence. They record how the attacker got in, what they accessed, and when. Some site owners delete logs to “clean up” after a hack, destroying the very data they need to prevent the next attack.
Should You Fix It Yourself or Hire Help?
Both approaches work. The right choice depends on your specific situation, technical skills, and the stakes involved.
DIY cleanup works well when:
- The infection is a known type (redirect malware, pharma hack, or wp-vcd) with documented cleanup procedures
- You are comfortable working with PHP files, SQL queries, and command-line tools
- The infection affects a single site, not multiple sites on the same server
- You have 4 to 8 hours available for focused, methodical work
- The site is not your primary revenue source, so extended downtime is tolerable
Our step-by-step WordPress malware removal guide provides everything you need for a successful DIY cleanup. It covers file scanning, database inspection, core replacement, and hardening with specific commands for every step.
Professional help makes sense when:
- Your business loses significant revenue for every hour the site is down or compromised
- The infection is complex, involving multiple backdoors, database-level injections, or server-level access
- You have attempted cleanup and the malware returned, indicating a missed backdoor
- You do not have PHP or database experience and risk breaking the site during cleanup
- You need a documented incident report for compliance, insurance, or client communication
- Multiple sites on the same server are affected
Our WordPress malware removal service starts triage within 4 hours and most single-site cleanups are completed within 24 hours. Every engagement includes a detailed incident report documenting the attack vector, all compromised files, the complete cleanup process, and specific hardening recommendations. The service includes a reinfection guarantee: if the same vulnerability is exploited again within the guarantee period, we clean it again at no additional cost.
Whatever you decide, act today. Every hour of delay gives the attacker more time to deepen their access, steal data, damage your search rankings, and harm your visitors. The 24-hour window matters. Use it.