What to Do When Your WordPress Site is Hacked

Did you know that your WordPress site could be hacked without your knowledge? In this article, we will discuss the signs of malware activities on your WordPress website and how to deal with a hacked website.

Having your WordPress website hacked is one of the worst nightmares. It takes a lot of time, money, and effort to design and develop your perfect business or personal website. One day you log in to your website and find that it isn’t functioning properly or you cannot access your website at all. This is truly a horrible situation for any web developer or a business owner.

Because of the popularity of WordPress, hackers target these websites more. However, this doesn’t mean that WordPress isn’t safe and insecure. Developers and WordPress security experts are working round the clock to upgrade and secure the core files of WordPress.

Keeping your core WordPress updated along with all the plugins and themes is a way to keep your website secure. You can also use various plugins and services to make sure that your website doesn’t fall victim to malicious attacks.

In this article, we will discuss why your WordPress website gets hacked, what are signs that your website is hacked, and what are the security measures you can take to ensure your website’s safety.

Is WordPress security weak?

Even though a large number of WordPress websites get hacked each year, it doesn’t mean that WordPress security is weak. In 2019, it was reported that over 56% of all CMS applications such as WordPress, Joomla, Wix, etc. were outdated when they were hacked (Source: Securi).

Again, in the same report, it was said that 47% of all hacked websites contain at least one backdoor. A backdoor is a vulnerability that enables a hacker to gain unauthorized access to a website. Most of these hacks happen due to issues with the WordPress CMS or other website building applications. These issues are mostly outdated CMS or plugins.

Get Latest Post Notifications!

Subscribe to our newsletter

As said earlier, WordPress is the most popular CMS for building and maintaining websites. Because of this reason, the WordPress website became a center of attraction among hackers.

Generally, hackers don’t target YOUR website specifically. Most of the time a website gets hacked because it is vulnerable and it was easy to do. Every day, hackers are honing their skills and your website might just be a practice run for them.

On rare occasions, hackers target big corporations like Toyota, UnitedHealth Group, Costco, etc. The sole purpose of hacking might be to gain inside sensitive information, extract money, blackmail, etc.

There is a large number of hackers scouring the internet looking to exploit a website’s security. They might have nefarious reasons to do so or they are just looking to test their skills. It is understandable that no matter how small your business is if your website has weak security it will be a target for hackers online.

How would you know that your WordPress site is hacked?

Sometimes, when your website is hacked, it might seem that nothing is wrong. You won’t see a difference but actually, a hacker might already have compromised your website’s security. This means that the hacker is waiting and collecting information. When they have the sensitive information they want, then they proceed to harm you and your business.

This is a truly scary situation for any website owner and for this reason, it’s important to know the signs of a website being hacked. The following are the most common signs that your WordPress website might be hacked.

1. Unable to log into WordPress

Hackers sometimes remove users or change passwords to deny access to that site. For this reason, if you can’t log in to your WordPress site, then this might be a sign that your site has been hacked. 

However, this could also happen if you have simply entered the wrong password or forgotten your password. So, try to reset your password and if you can’t then this could mean that your site has been hacked.

Sudden change in the design

2. Sudden change in the design

Another sign of your website being hacked is the sudden change in the design or the theme of the website. This change could be big or small. You might notice a subtle change in the content or unusual links, unusual font size, etc. These are the signs that your website might have been hacked.

Before jumping to a conclusion, check with the other administrators of the website if you have multiple admins (if they made any change by accident).

Usually, if you are using a theme from an unreliable company, this could happen.

3. Reduced or unusual traffic

This could happen because of a bad DDoS (Distributed Denial of Service) attack on your web server or a large file transfer to sites in countries that you don’t do business with. These unusual traffic surges indicate signs of foul play on your website.

If you experience this unusual traffic on your network then it would probably be best to contact the service provider. You can also shut down your network for the time being and start an IR investigation.

4. Your site is redirecting to another

Another thing the hackers tend to do is add a script on your site that redirects your visitors to another website.

This could be an extreme discredit for your business as people who want to visit your site will be redirected to another site that you don’t want them to. You should immediately inspect your core WordPress files and check where this script is placed. You can also take the help of an online security service to scan WordPress sites for malware and remove them.

This could also happen if you are using an untrusted hosting service provider. So, always be sure to pick a trustworthy provider.

5. Warning message from your browser

malware warning message from browser

A direct message from the browser is the biggest sign that your website has been compromised or hacked. You can understand how much it will hurt your brand if this happens. 

Browsers have the ability to detect some malware and foul play on a website. If your browser detects such things, it will warn the users to avoid entering the site. This could also happen from a compromised plugin, theme, or a problem with your SSL certification. You should remove those themes or plugins and make sure your SSL certificate is perfect.

6. Warning from search engines

To provide users with better online experience search engines are always kept up to date. It is said that Google changes its search algorithm 500-600 times a year. This makes search engines smarter and capable of detecting malicious activities on a website. To ensure that users have a safe online experience, search engines give a similar warning message shown below:

malware warning message from search engine

Search engines show this warning message if your sitemap is hacked and the crawler bot cannot crawl the website. This might also indicate that there are serious errors with your website.

Warning from hosting provider

Your hosting provider holds various information about your domain including the incoming and outgoing traffic. If your hosting provider detects some unusual surge in the network, they will inform you.

This could be a sign that your site has been hacked and needs immediate attention.

What to do when you know your site is hacked?

We always recommend taking security measures before getting hacked. Actions such as keeping your WordPress core, plugins, and themes updated, creating backups now and then, using WordPress security plugins such as WordFence, MalCare, SecuPress, etc. But if you suspect that your website is hacked then don’t panic and follow the steps given below:

1. Calm yourself and don’t panic

The first thing that you might do after finding out that your WordPress website is hacked is start to panic. Having your website hacked is a nightmare we understand, but if you start to panic, it will distract you from dealing with the problem. So it is important to stay calm and focus on the task at hand.

There are several ways of recovering your website. If you have a backup of your website, then the task would be much easier. Even if you don’t have a backup, you can still fix the issues with your website. For this, you need to concentrate and NOT PANIC. But again, having a WordPress backup plugin makes things a lot easier.

2. Find what caused the hack

To solve the problem, you have to identify what caused the problem. There are several ways in which your website might get hacked. We have listed out the signs of a WordPress website being hacked above. You have to check all the points and find the exact cause of the hack. Use the following checks to identify the hack:

  • Can you log in to your WordPress admin panel?
  • Do you notice some changes in the design of your website?
  • Do you see unwanted links on your website?
  • Do you get redirected to another site when you enter your domain?
  • Have you noticed any abnormal surges in the traffic?
  • Has Google marked your website insecure?
  • Do search engines declare your website unsafe?

If you find one of these statements to be true, then you have probably identified the problem. The next step is to fix the problem.

3. Put your website on Maintenance Mode

If you have identified the issue with your website, the first thing is to put your website on Maintenance Mode so that your visitors don’t fall victim to foul play.

Check if the theme that you are using has a Maintenance page. If it does, use it, and if not then create a page yourself and make it the home page. Remember to nicely decorate the page and put an informative message so that visitors understand why they cannot enter the site currently.

website under maintenance message

This will prevent visitors from entering your website and will also inform them that the website is under maintenance so that they can come back later.

4. Update plugins, themes, and WordPress

Outdated plugins, themes, or CMS is the most common way you could get hacked. Updating your plugins, themes, and WordPress core files is the first thing that you have to do. Because if any of these things get outdated, it makes your website vulnerable to attacks. Proceeding with the next steps would be useless if your plugins, themes, and WordPress are outdated.

If you suspect some of your plugins have been hacked, you can also delete and re-install them to be on the safe side.

You can update your plugins, themes, and your core WordPress files from the dashboard. The dashboard directly shows you which of the components is outdated. There are various plugins and themes that have the auto-update function. These plugins update to the latest versions as soon as one update is released and inform you about it via email.

5. Use a malware removal service, tool, or hire a professional

When your website gets hacked, the best thing to do is fix it as quickly as possible. As time goes on, the situation for your website will get worse. For this reason, it has to be dealt with quickly. If you don’t have the time to diagnose and fix your website, you can always hire a professional. That is the quickest and best way of solving the issue. This could however be expensive.

There are various tools and services that you can take help from.

6. Reset password(s)

If your website security was breached, the best idea would be to change your password. If you have multiple users, then change all of the passwords. Since you don’t know which account’s password was used to hack your site, changing all the passwords is the safest option.

Also, reset your SFTP password, database passwords, and your hosting passwords to be on the safe side.

7. Remove users

If you don’t recognize an admin account on your WordPress user section, then remove it. Before removing the account contact your admins and confirm if they have created another admin account themselves.

You can delete the admins from the Users section in the WordPress dashboard. Simply click on ‘Users’. Select the unidentified users and select the delete option.

8. Remove any unwanted files

Hackers could insert malicious files into your WordPress directory. They can also add notorious scripts to your core files. To identify these malicious signatures, you can use plugins like WordFence, Securi site checker, or any other malware scanning plugins.

Upon identifying these malicious files or codes, you should remove the files yourself or use plugins to do it.

9. Remove your sitemap (XML) file and re-create a fresh one

A sitemap is a file that contains a list of all the page URLs on a website. If you have an XML file, the sitemap protocol will inform search engines that there is an XML file available for the crawler. This is a good SEO practice as it helps Google to properly index your website. But if your sitemap file gets hacked, then Google or any other search engine might red-flag your website.
If you inspect a hacked XML file, you will find spurious links and gibberish characters. You have to remove those lines or remove the file completely and create another XML file. There are many free plugins you can use to create an XML file such as Simple Sitemap, WP Sitemap Page, Simple WP Sitemap, and many more.

10. Re-install WordPress and clear your databases

If the core WordPress files get deeply hacked, then you should replace the core files with a new WordPress installation. But before reinstalling WordPress, make sure to backup all your files just in case.

If you have used an auto-installer such as Softaculous, then don’t use it this time. Instead, use SFTP (e.g. Filezilla) to replace WordPress core files.
Use security plugins like WP-Optimize and Securi to scan your databases to check if those are safe. If the scan results show that your databases have been compromised, you need to clear your database. The WordPress security plugins that you are using can do this for you.


Having a website creates a powerful online presence for your brand. It increases your brand awareness and credibility. But having your website hacked could do exactly the opposite. It might harm your online presence and people will lose faith in your brand. Many website owners don’t think about web security until it’s too late. So, investing in security right from the start is the best way to protect your online presence. There are also several WordPress maintenance services you can take help from.

Although it is said that there is no system that is 100% secure and that might be true. There are thousands of hackers online researching and building ways to penetrate firewalls, create malware with unique signatures and create bots that are smart enough to breach online security checks. Even the most popular brands like Amazon, Toyota Motors, Exxon Mobile, and even Apple got their websites hacked.

But what does that mean for your website? Even though no website is unhackable, what you can do is make preparations and follow best security practices to ensure your WordPress website’s safety. You can follow the steps below to ensure that your WordPress website is safe and secure:

  • Use reputed and quality hosting service
  • Install SSL certification on your website
  • Ensure all of the passwords are safe and strong
  • Use plugins and themes from trusted vendors
  • Keep your WordPress, plugins and themes updated
  • Use security plugins and services

Also, make sure the security plugin or service you are using provides firewall support and malware scans. You should always scan your WordPress site for malware. Some of the plugins have an auto-scan feature that performs daily or scheduled scans to keep your website secure.

Always remember to take security measures to keep your online work safe. We hope that this guide was helpful and it solved your problem.

👉 Video: How to Set Up WordPress 2 Factor Authentication

Disclaimer: This post may contain affiliate links and we may receive a small commission if you purchase something by following them. However, we recommend services/products that we believe good to serve your purpose.

Staff Author

Staff Author

A team of WordPress enthusiasts led by Arafat Bin Sultan, a seasoned professional with over a decade of experience in tech blogging, content marketing, and video creation.

Articles: 242

Leave a Reply

Your email address will not be published. Required fields are marked *