WordPress Hacked: 10-Step Emergency Response Guide (2025)
The first 24 hours are critical when your WordPress site is hacked. I've resolved hundreds of hack cases over 6 years—here are the 10 steps you need to follow without panicking.

When you wake up in the morning and visit your site only to see a completely different page, what do you do? When you search "site:yourdomain.com" on Google and thousands of spam pages appear? When you receive an email from your hosting company saying "malware detected"? When my first client's site was hacked in 2019, I experienced the same panic. That night, I cleaned 18,000 files in 4 hours, but what I really learned was this: if you act in the right order, you can recover from most hack cases without data loss. Over the past 6 years, I've resolved over 200 WordPress hack cases. Some were resolved in 10 minutes, others took 3 days. But they all had one thing in common: those who took the right steps in the first 24 hours both recovered their data and didn't fall victim to the same attack again. In this article, I'll explain step by step what you need to do without panicking.
Step 1: Stay Calm and Assess the Situation
The first reflex is usually to delete everything immediately. Don't. In 2021, one of our e-commerce clients panicked and deleted all files, then realized the backup was from 3 months ago. ₺140,000 worth of order data was lost.
First, do this: visit your site, both from the front end and wp-admin. Take screenshots. Search "site:yourdomain.com" on Google, see how many pages are indexed. Log into your hosting panel, check the traffic graph for the last 48 hours. Is there an abnormal increase?
This 10-minute examination will show you the type of attack:
- If the homepage has changed: defacement (visible hack)
- If there are spam pages: SEO spam (often served only to search-engine crawlers, which is why a "site:" search shows pages your browser never does)
- If you can't access the admin panel: your admin credentials or user records have been changed, which means the attacker has persistent access and has almost certainly left a backdoor on disk as well
- If the site has slowed down but there are no visible changes: the server is probably being used for something else (spam mailing, a mining script, scanning other sites) or is serving malicious content only to some visitors
When there was an attack attempt on diolivo.com.tr in 2023, the client noticed immediately because 400 new pages started getting indexed in Google Search Console. Thanks to early detection, we cleaned it up in 2 hours.
Is your site still accessible right now? If yes, take a full backup (files and database) immediately and label it as the compromised state: it preserves evidence and file timestamps for the next steps, but it must never be restored as-is. If no, you'll need to rely on your hosting company's automatic backups.
Step 2: Put the Site in Maintenance Mode (But Don't Shut It Down)
Here's a critical decision: should you completely shut down the site, or keep it in maintenance mode?
My recommendation: maintenance mode. A site that is completely shut down stops producing access logs, so you lose the record of which files the attacker keeps coming back for. A site that is still running but reachable only from your own IP keeps writing those logs while visitors and search engines no longer see the infected pages. Remember that this only closes the web path: as long as the attacker holds FTP, SSH or hosting-panel credentials, the files are still reachable until Step 3 is done.
For maintenance mode, you can use the WP Maintenance Mode plugin, but I usually do it via .htaccess (Apache and LiteSpeed only; Nginx ignores .htaccess, so there the equivalent rule goes into the server block):
- Access the .htaccess file and keep a copy of the original first; redirect rules injected into it are evidence
- Add a rule block at the very top that allowlists your own IP and answers everyone else with a 503 status
- This way only you can see the site, while visitors and crawlers see an "under maintenance" message; the 503 status tells search engines the outage is temporary, so your pages are not dropped from the index
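The rule block described above, as an added example that is not part of the original article: it writes the allowlist into .htaccess, keeps a timestamped copy of the existing file beside it (Apache refuses to serve any file whose name starts with .ht, so the copy is not exposed), and can remove the block again after cleanup. It assumes Apache or LiteSpeed with mod_rewrite, a static maintenance.html in the document root, and the placeholder operator address 203.0.113.10.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: put an Apache/LiteSpeed site
# behind a 503 maintenance page for everyone except one operator IP, keeping
# a timestamped copy of the existing .htaccess first (it is evidence).
# Assumptions: mod_rewrite is available, a static maintenance.html exists in
# the document root, and 203.0.113.10 is a placeholder operator address.
set -eu

# Escape dots so the IP is matched literally inside the RewriteCond regex.
escape_ip() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the maintenance block for one allowed IP. The 503 status tells
# search engines the outage is temporary; ErrorDocument serves the page.
maintenance_block() {
  local ip_re
  ip_re="$(escape_ip "$1")"
  cat <<EOF
# BEGIN incident-maintenance (remove when cleanup is complete)
ErrorDocument 503 /maintenance.html
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^${ip_re}\$
RewriteCond %{REQUEST_URI} !^/maintenance\\.html\$
RewriteRule .* - [R=503,L]
</IfModule>
# END incident-maintenance
EOF
}

# Prepend the block to DOCROOT/.htaccess, saving the original beside it
# (the copy starts with ".ht", which Apache never serves).
# Usage: enable_maintenance /var/www/html 203.0.113.10
enable_maintenance() {
  local ip="$2" ht="$1/.htaccess" stamp
  stamp="$(date +%Y%m%d%H%M%S)"
  if [ -f "$ht" ]; then
    cp -p "$ht" "$ht.pre-incident.$stamp"
  fi
  {
    maintenance_block "$ip"
    if [ -f "$ht" ]; then cat "$ht"; fi
  } > "$ht.new"
  mv "$ht.new" "$ht"
}

# Remove the block again once the site is clean; everything else stays.
disable_maintenance() {
  local ht="$1/.htaccess"
  sed '/^# BEGIN incident-maintenance/,/^# END incident-maintenance/d' "$ht" > "$ht.new"
  mv "$ht.new" "$ht"
}

# Example invocation (paths are placeholders):
# enable_maintenance /var/www/html 203.0.113.10
```

Put the maintenance.html itself in the document root before enabling the block; otherwise the 503 is served with Apache's default error page, which still keeps visitors out but looks like an outage rather than maintenance.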
At this stage, inform your customers. A message like "We're doing technical maintenance, will return to normal within 24 hours" doesn't create panic. In 2022, one of our clients didn't do this, and customer service received 300+ tickets.
Notify Your Hosting Company
Most people skip this. Yet the hosting company can help you:
- Provides access to server logs
- Can temporarily increase your resource limits
- Can isolate if other sites on the same server are also at risk
Working with hosting companies in Turkey, I've seen this: large companies like Natro and Hostinger usually do automatic malware scanning and notify you. Smaller companies may charge for manual intervention.
Step 3: Change All Passwords (In the Right Order)
Order is very important here. Change the credentials that sit above WordPress first: as long as the attacker still has hosting-panel or FTP access, a new WordPress password can simply be read back from the database or reset. And repeat the WordPress and database changes once the cleanup in Step 5 is done, because a backdoor that is still on disk can read wp-config.php.
Correct order:
1. Hosting panel password (cPanel, Plesk, etc.)
2. FTP/SFTP and SSH passwords (and remove any FTP accounts or SSH keys you did not create)
3. Database password (then update DB_PASSWORD in wp-config.php, or the site goes down)
4. WordPress admin password (all users), and remove any user you do not recognize
5. Email passwords (especially addresses like admin@, info@, which receive password-reset links)
When changing passwords, pay attention to these:
- Minimum 16 characters
- Mixed uppercase/lowercase, numbers, symbols
- Passwords you don't use anywhere else
- Use a password manager like 1Password or Bitwarden
In 2020, a client only changed the WordPress admin password. The attacker got back in via FTP and installed a backdoor. We had to clean it 3 times.
Also do this: replace the eight authentication keys and salts (AUTH_KEY through NONCE_SALT) in the wp-config.php file. You can paste fresh values from WordPress.org's generator at https://api.wordpress.org/secret-key/1.1/salt/. Login cookies are signed with these values, so changing them invalidates every existing session, including the attacker's.
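The salt rotation above, as an added example that is not part of the original article: it generates the eight values locally instead of fetching them, rewrites the define() lines in place, and keeps a copy of the old wp-config.php in a directory you name. It assumes the stock define( 'KEY', 'value' ); layout with one define per line, and that the backup directory is outside the web root, because a copy of wp-config.php inside the document root would expose the database credentials.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: replace the eight WordPress
# keys and salts in wp-config.php with values generated locally, so the
# rotation needs no request to an external generator. Cookie hashes are
# derived from these values, so every existing login cookie (including the
# attacker's) stops working. Assumptions: wp-config.php uses the stock
# define( 'KEY', 'value' ); layout, one define per line, and BACKUP_DIR is
# outside the web root (a copy of wp-config.php must never be web-readable).
set -eu

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 48 random bytes, base64-encoded: 64 characters from [A-Za-z0-9+/=], none
# of which needs escaping inside a single-quoted PHP string.
new_salt() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Rewrite the define() for one key; fails if the key is not in the file.
set_salt() {
  local file="$1" key="$2" value="$3"
  grep -q "define([[:space:]]*'$key'" "$file" || return 1
  sed "s|define([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'[^']*'[[:space:]]*);|define('$key', '$value');|" \
    "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Usage: rotate_salts /var/www/html/wp-config.php /root/wp-backups
rotate_salts() {
  local file="$1" backup_dir="$2" key
  mkdir -p "$backup_dir"
  cp -p "$file" "$backup_dir/wp-config.php.$(date +%Y%m%d%H%M%S)"
  for key in $WP_SALT_KEYS; do
    set_salt "$file" "$key" "$(new_salt)" || {
      echo "no define() for $key in $file" >&2
      return 1
    }
  done
  # Fail loudly if a placeholder survived, e.g. because of an unusual layout.
  if grep -q 'put your unique phrase here' "$file"; then
    echo "placeholder values remain in $file" >&2
    return 1
  fi
}

# Count defines whose value has the 64-character shape new_salt produces;
# after a successful rotation this is 8.
count_fresh_salts() {
  grep -c "define('[A-Z_]*', '[A-Za-z0-9+/=]\{64\}');" "$1"
}
```

Run it after the password changes, then log in again yourself: every browser that had a session, including your own, will be asked for credentials.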
Step 4: Run Malware Scans (With Three Different Tools)
Don't trust a single tool. Attackers use techniques to bypass popular security plugins.
The combination I use:
1. Wordfence (free): the most comprehensive WordPress scanner, recognizes 44,000+ malicious signatures
2. Sucuri SiteCheck (online): remote scanning of the rendered site, plus a blacklist check
3. MalCare (premium): AI-based anomaly detection
When you install Wordfence, activate the "Deep Scan" option. A normal scan takes about 5 minutes; a deep scan takes about 45 minutes but covers far more of the filesystem and in my experience turns up around 90% more findings.
In the scan we did on italyanmutfagi.com in 2023, Wordfence found 18 infected files, while MalCare found 31. What was the difference? MalCare also detected PHP code encoded with base64.
Save the scan results. Which files are infected, what date they were modified, which IPs accessed them. This information will be useful in the next steps.
Places to Check Manually
Automatic scanners don't find everything. Definitely check these files manually:
- wp-config.php (unexpected code at the very beginning or end, often an include of a file with a harmless-looking extension such as .ico)
- functions.php (in the theme folder, especially the bottom lines)
- wp-includes/functions.php (rare, but it happens; for core files, compare against a fresh download of the same version or run "wp core verify-checksums" if you have WP-CLI)
- .htaccess (redirect rules, base64 strings, rules that only fire for search-engine referrers or particular user agents)
- wp-content/mu-plugins (anything here loads automatically and never appears in the plugin list)
In one client's case, a single line of code was added to the top of wp-config.php. Wordfence couldn't find it because it was hidden with invisible characters. We noticed when we inspected manually.
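The manual checks above, as an added example that is not part of the original article: a read-only triage script that lists PHP files under uploads, PHP files changed in the last few days, files that contain the obfuscation primitives droppers rely on, bytes outside printable ASCII in wp-config.php (the invisible-character trick), and redirect rules in .htaccess. The sample tree it builds in --demo mode is constructed for illustration; wp-admin and wp-includes are better checked against official checksums than with pattern matching, so they are left to "wp core verify-checksums".

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: a read-only triage pass over a
# WordPress tree covering the manual checks above. It lists (1) PHP files
# under wp-content/uploads, (2) PHP files changed in the last N days,
# (3) files under wp-content, plus wp-config.php, that contain the
# obfuscation primitives droppers rely on, (4) non-printable bytes in
# wp-config.php (the "invisible characters" trick) and (5) redirect rules
# in .htaccess. Nothing is modified. make_sample_site builds a constructed
# demo tree; wp-admin and wp-includes are better checked against official
# checksums (wp core verify-checksums) than with pattern matching.
set -eu

# Functions that are rare in legitimate plugin/theme code but common in
# droppers, plus hex-escaped strings and the old preg_replace /e trick.
SUSPICIOUS_RE='(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|\\x[0-9a-fA-F]{2}|preg_replace[[:space:]]*\([^)]*/e'

# 1. Scripts where only media belongs.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) 2>/dev/null || true
}

# 2. PHP files modified within the last N days (default 7).
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null || true
}

# 3. Obfuscation primitives in wp-config.php and everything under wp-content.
obfuscated_files() {
  local root="$1"
  if [ -f "$root/wp-config.php" ]; then
    grep -lE "$SUSPICIOUS_RE" "$root/wp-config.php" || true
  fi
  find "$root/wp-content" -type f \( -name '*.php' -o -name '.htaccess' \) \
    -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null || true
}

# 4. Bytes outside printable ASCII in wp-config.php, as line:content.
hidden_bytes() {
  LC_ALL=C grep -an '[^[:print:][:space:]]' "$1/wp-config.php" 2>/dev/null || true
}

# 5. Rules in .htaccess that redirect, or key on referrer or user agent.
htaccess_redirects() {
  grep -niE 'RewriteRule.*https?://|^[[:space:]]*Redirect|HTTP_REFERER|HTTP_USER_AGENT' "$1/.htaccess" 2>/dev/null || true
}

triage_report() {
  local root="$1" days="${2:-7}"
  echo "== PHP under uploads =="; php_in_uploads "$root"
  echo "== PHP modified in last $days days =="; recent_php "$root" "$days"
  echo "== obfuscation primitives =="; obfuscated_files "$root"
  echo "== non-printable bytes in wp-config.php =="; hidden_bytes "$root"
  echo "== redirect rules in .htaccess =="; htaccess_redirects "$root"
}

# Constructed sample tree: one dropper in uploads, a clean theme file, a
# wp-config.php with a hex-escaped include hidden by a zero-width space,
# and an .htaccess that redirects search-engine referrals elsewhere.
make_sample_site() {
  local root="$1"
  mkdir -p "$root/wp-content/uploads/2021/05" "$root/wp-content/themes/demo"
  printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' \
    > "$root/wp-content/uploads/2021/05/image.php"
  printf '<?php\nadd_action("init", "demo_init");\nfunction demo_init() {}\n' \
    > "$root/wp-content/themes/demo/functions.php"
  printf '<?php\n@include "\\x2fvar\\x2ftmp\\x2f.cache.ico";\342\200\213\ndefine("DB_NAME", "wp");\n' \
    > "$root/wp-config.php"
  printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google\\. [NC]\nRewriteRule .* https://example.invalid/ [R=302,L]\n' \
    > "$root/.htaccess"
}

# ./triage.sh /var/www/html [days]   or   ./triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo="$(mktemp -d)"; make_sample_site "$demo"; triage_report "$demo"
elif [ -n "${1:-}" ]; then
  triage_report "$1" "${2:-7}"
fi
```

Expect some noise from check 3 on large plugins (base64_decode has legitimate uses), so read the hits rather than deleting on sight; the other four checks rarely produce false positives on a healthy site.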
Step 5: Clean or Restore Infected Files
There are two options: clean the infected files or replace them with clean copies. My recommendation is the latter, because then you know every file came from the official package.
For WordPress core files: download the same version from WordPress.org and overwrite everything except wp-content (the download does not contain wp-config.php, so that file is not touched, but check it separately as in Step 4). This replaces wp-admin and wp-includes; afterwards delete any file in those folders that is not in the fresh download, because overwriting cannot remove extra files the attacker added. With WP-CLI, "wp core verify-checksums" lists every core file that differs from the official release.
For plugins: delete and reinstall each one from the repository. "Update" is not enough: if the plugin is already on the latest version, nothing is downloaded and the modified files stay in place.
For theme: delete your active theme via FTP, reload it from WordPress.org or where you purchased it. If you're using a child theme, examine functions.php line by line.
The riskiest area is wp-content/uploads. There should only be media files like images and videos here; WordPress itself never writes PHP into this folder. A file with a .php (or .phtml, .php5, .phar) extension in uploads is almost always malicious. Record its path and modification time for your timeline, then delete it, and add an .htaccess rule in uploads that denies execution of PHP so the next dropper cannot run even if it gets written there.
In 2021, a client had a file called "image.php" in the uploads folder. Inside was 4,000 lines of obfuscated code. The attacker was using it to control the entire site.
Cleaning the Database
Malware can be stored not only in files but also in the database. Especially look at these tables:
- wp_options: have the siteurl and home values changed? Is there unexpected script in the widget or theme-mods rows?
- wp_posts: are there spam contents in draft status, or script and iframe tags inserted into post_content?
- wp_users and wp_usermeta: are there admin users you don't recognize? The role is not stored in wp_users; it is in the wp_capabilities row of wp_usermeta
List all users with the administrator role from phpMyAdmin (join wp_users with wp_usermeta where wp_capabilities contains "administrator"; replace wp_ with your table prefix). There should only be the people you know. If there's someone else, note the user's ID, e-mail and registration date for your timeline, then delete the user.
Also check this: look at the "active_plugins" row in the wp_options table. It is a PHP-serialized array of plugin paths. If an entry points at a plugin that is not installed, remove it from the array (the number at the front of the value is the element count, so correct it too) or reactivate only the plugins you recognize from the admin panel, which rewrites the row.
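The active_plugins reconciliation above, as an added example that is not part of the original article: it parses the serialized value, reports entries with no file on disk, rebuilds the value without them, and lists must-use plugins, which load without appearing in the option at all. The serialized value in the comments is constructed for the demo. It assumes you pass the raw option value (copied from phpMyAdmin or from "wp option get active_plugins") and the plugins directory path, and that plugin paths are ASCII so the string lengths in the serialized form are byte lengths. For the user check, the query for the same purpose is SELECT u.ID, u.user_login, u.user_email, u.user_registered FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: reconcile the active_plugins
# option with what is actually on disk. WordPress stores the option as a
# PHP-serialized array, for instance (value constructed for this demo)
#   a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:26:"wp-cache-helper/loader.php";}
# An entry whose file does not exist is a "ghost" plugin: WordPress skips it
# silently, and nothing legitimate writes such entries. Assumptions: you pass
# the raw option value (phpMyAdmin or "wp option get active_plugins"), plugin
# paths are ASCII (serialize() stores byte lengths, hence LC_ALL=C below), and
# the plugins directory is given explicitly.
set -eu
export LC_ALL=C

# One plugin path per line, extracted from the serialized array.
list_active_plugins() {
  printf '%s\n' "$1" | grep -o 's:[0-9]*:"[^"]*"' | sed 's/^s:[0-9]*:"//; s/"$//'
}

# Entries with no matching file.
# Usage: ghost_plugins "$value" /var/www/html/wp-content/plugins
ghost_plugins() {
  local plugins_dir="$2" p
  list_active_plugins "$1" | while IFS= read -r p; do
    if [ ! -f "$plugins_dir/$p" ]; then printf '%s\n' "$p"; fi
  done
}

# Rebuild a serialized array from plugin paths on stdin:
# a:N:{i:0;s:len:"path";i:1;s:len:"path";}
serialize_plugins() {
  local i=0 body="" p
  while IFS= read -r p; do
    body="${body}i:${i};s:${#p}:\"${p}\";"
    i=$((i + 1))
  done
  printf 'a:%d:{%s}\n' "$i" "$body"
}

# The option value with ghost entries removed, ready to write back.
clean_active_plugins() {
  local plugins_dir="$2" p
  list_active_plugins "$1" | while IFS= read -r p; do
    if [ -f "$plugins_dir/$p" ]; then printf '%s\n' "$p"; fi
  done | serialize_plugins
}

# Must-use plugins load without appearing in active_plugins, so list them
# separately and account for every file. Usage: list_mu_plugins /var/www/html/wp-content/mu-plugins
list_mu_plugins() {
  find "$1" -maxdepth 1 -type f -name '*.php' 2>/dev/null | sort || true
}
```

Write the cleaned value back with "wp option update active_plugins" or by editing the row in phpMyAdmin; a ghost entry is not dangerous by itself, but it tells you the database was written to by something other than the admin panel, so look for the file it expected and for who created it.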
Step 6: Close Security Vulnerabilities
How did the attacker get in? If you clean without finding this out, the same thing will happen again in 1 week.
Most common entry points:
1. Outdated plugins (43%)
2. Weak passwords (31%)
3. Nulled (pirated) themes (18%)
4. Outdated WordPress core (8%)
When we did a security audit on doktorbul.com in 2022, we found a form plugin that hadn't been updated for 3 years. The plugin repository said "removed due to security vulnerability." We deleted it immediately and found an alternative.
Do these checks:
- Is the WordPress version up to date? (Check from Dashboard > Updates; the running version is also shown in the admin footer)
- Have all plugins been updated in the last 6 months?
- Are there inactive plugins? (If so, delete them, disabling is not enough)
- Is the theme licensed or nulled?
Also check file permissions. wp-config.php should be 600 (or 640 if PHP runs as a different user in the file owner's group), never 777; other files 644 and folders including wp-content/uploads 755. Anything world-writable is also a clue to how the attacker got write access, so note it before you change it.
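The permission baseline above, together with the "deny PHP in uploads" rule from Step 5, as an added example that is not part of the original article: it records world-writable paths before changing anything, applies 755/644, sets wp-config.php to owner-only, and writes an .htaccess into uploads that refuses to execute script extensions. It assumes Apache or LiteSpeed and PHP running as the file owner (php-fpm pool or suPHP); if PHP runs as another user in the owner's group, pass 640 as the second argument.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: record world-writable paths
# (how a dropper got write access is part of the timeline), then apply the
# baseline: 755 directories, 644 files, wp-config.php owner-only, and an
# .htaccess in uploads that refuses to execute PHP there. Assumptions:
# Apache or LiteSpeed, and PHP running as the file owner (php-fpm pool or
# suPHP), which is what makes 600 on wp-config.php workable; if PHP runs as
# another user in the owner's group, pass 640 as the second argument.
set -eu

# Anything writable by "other": save this list before changing anything.
world_writable() {
  find "$1" ! -type l -perm -o+w 2>/dev/null || true
}

# Number of world-writable entries under root; 0 after fix_permissions.
world_writable_count() {
  world_writable "$1" | wc -l | tr -d ' '
}

# Usage: fix_permissions /var/www/html [600|640]
# If media uploads stop working afterwards, the web server is not the file
# owner: fix ownership with chown rather than going back to 777.
fix_permissions() {
  local root="$1" config_mode="${2:-600}"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod "$config_mode" "$root/wp-config.php"
  fi
}

# Media only under uploads: deny every script extension at the web server.
# Apache 2.4 syntax with a 2.2 fallback.
deny_php_in_uploads() {
  local dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Uploads hold media only; never execute scripts from here.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
  chmod 644 "$dir/.htaccess"
}
```

On Nginx the uploads rule becomes a location block that returns 403 for \.php$ under /wp-content/uploads/, placed before the generic PHP handler; the permission part is the same.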
Install a Firewall
Best firewall for WordPress: Cloudflare (free plan is enough) + Wordfence (free).
Cloudflare adds a layer in front of your site, absorbs DDoS attacks and blocks known bad IPs. Installation takes 10 minutes and requires a nameserver change. One condition for it to mean anything: the origin server must only accept web traffic from Cloudflare's IP ranges, otherwise an attacker who knows the origin IP simply goes around the proxy.
Wordfence works at the WordPress level. Blocks brute force attacks, reports suspicious file changes, adds 2FA (two-factor authentication).
When you use both together, the attacker's chance of reaching your site drops by 95%. The combination we installed on kamupersonelhaber.com in 2023 automatically blocks 12,000+ attack attempts per month.
Step 7: Set Up a Backup System (Automatic + Offsite)
The biggest regret after a hack: saying "I wish I had taken regular backups." Now is the time to set it up.
A good backup strategy should have 3 layers:
1. Daily automatic backup (UpdraftPlus, BackWPup)
2. Hosting company's automatic backups (usually weekly)
3. Manual monthly backup (download to Google Drive, Dropbox)
UpdraftPlus free version is sufficient. It automatically uploads to Google Drive, keeps the last 7 days. Premium version has incremental backup, only uploads changed files.
An example backup plan:
- Automatic full backup every night at 03:00
- Database every 6 hours
- Backups on Google Drive + Dropbox (double backup)
- 30-day history kept
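The nightly job from the plan above, written as an added example that is not part of the original article and not the plugins' code: it archives what cannot be re-downloaded (wp-config.php, wp-content and a database dump), records a SHA-256 checksum per archive, verifies archives against those checksums, and prunes copies older than RETENTION_DAYS (30 by default, matching the plan). It reads the database credentials from wp-config.php, so the archive contains secrets and the destination must be outside the web root, ideally a directory synced to Google Drive or another offsite store. It assumes mysqldump on PATH, the stock define( 'KEY', 'value' ); layout and a DB_HOST without an embedded port; all paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: a nightly job that archives what
# cannot be re-downloaded (wp-config.php, wp-content and the database),
# records a SHA-256 checksum for each archive and prunes copies older than
# RETENTION_DAYS. The database credentials are read from wp-config.php, so
# the archive itself contains secrets: DEST must be outside the web root,
# ideally a directory that is synced offsite. Assumptions: mysqldump on PATH
# (MYSQLDUMP can point at a wrapper, or at "true" for a dry run without a
# database), the stock define( 'KEY', 'value' ); layout in wp-config.php, and
# a DB_HOST without an embedded port. Paths in comments are placeholders.
set -eu

RETENTION_DAYS="${RETENTION_DAYS:-30}"
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"

# Value of one define('KEY', 'value') in wp-config.php.
wp_config_value() {
  sed -n "s/.*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Dump the database to a file. The password travels via the environment
# (MYSQL_PWD), not the command line, so it does not appear in ps output.
dump_database() {
  local cfg="$1/wp-config.php" out="$2"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    "$MYSQLDUMP" --single-transaction \
      --host="$(wp_config_value "$cfg" DB_HOST)" \
      --user="$(wp_config_value "$cfg" DB_USER)" \
      "$(wp_config_value "$cfg" DB_NAME)" > "$out"
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Create DEST/wordpress-<timestamp>.tar.gz, append its checksum to
# DEST/SHA256SUMS and print the archive path.
# Usage: backup_site /var/www/html /backups/wp
backup_site() {
  local root="$1" dest="$2" stamp work archive
  stamp="$(date +%Y%m%d-%H%M%S)"
  work="$(mktemp -d)"
  mkdir -p "$dest"
  dump_database "$root" "$work/database.sql"
  cp -p "$root/wp-config.php" "$work/wp-config.php"
  archive="$dest/wordpress-$stamp.tar.gz"
  tar -czf "$archive" -C "$work" database.sql wp-config.php -C "$root" wp-content
  (cd "$dest" && sha256_of "$(basename "$archive")" >> SHA256SUMS)
  rm -rf "$work"
  chmod 600 "$archive"
  printf '%s\n' "$archive"
}

# Check every archive still in DEST against SHA256SUMS; a monthly restore
# test starts here, before unpacking into the local test server.
verify_backups() {
  local dest="$1" f expected actual
  for f in "$dest"/wordpress-*.tar.gz; do
    [ -f "$f" ] || continue
    expected="$(grep " $(basename "$f")\$" "$dest/SHA256SUMS" | tail -n 1 | cut -d' ' -f1)"
    actual="$(sha256_of "$f" | cut -d' ' -f1)"
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 1
  done
}

# Delete archives older than RETENTION_DAYS, printing what was removed.
prune_old_backups() {
  find "$1" -name 'wordpress-*.tar.gz' -type f -mtime "+$RETENTION_DAYS" -print -delete
}
```

Schedule it from cron at 03:00 as in the plan ("0 3 * * * /usr/local/bin/wp-backup.sh" with backup_site and prune_old_backups called at the bottom of the script), and keep the 6-hourly database-only copies as a second, smaller job that calls only dump_database.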
We set up this system on memuratamalari.com. In 2024, there was a server crash, we restored it in 15 minutes. Zero data loss.
Test Your Backups
Taking backups is not enough, can you restore them? Test once a month.
Restore the backup to a local server (XAMPP, Local by Flywheel). Does the site open? Do all pages work? Do images load?
In 2020, a client had 6 months of backups but never tested them. When we tried to restore after the hack, the database file was corrupt. Unusable.
Step 8: Notify Google and Other Platforms
When your site is hacked, Google may mark it as "unsafe." To remove this, go to the "security issues" section in Google Search Console and say "request review."
Do the same on these platforms:
- Bing Webmaster Tools
- Yandex Webmaster
- Facebook (if link sharing is blocked)
- Antivirus companies' blacklist check pages (Norton, McAfee)
Google's review process takes 3-7 days. During this time, there should be no other security issues on your site, otherwise you'll get rejected.
After a spam attack on diolivo.com.tr in 2023, Google had marked 400 pages as "harmful content." We cleaned all pages, updated the sitemap, requested a review. It was removed after 4 days.
Repair SEO Damage
SEO is affected after a hack. Especially:
- If spam pages are indexed
- If harmful links are added to the sitemap
- If your backlink profile is filled with spam sites
Use the "Removals" tool in Google Search Console to take the spam URLs out of the results. That removal is temporary (about six months), so also make sure those URLs now return 404 or 410, which gets them dropped from the index for good. Then resubmit your clean sitemap to Google.
To check your backlink profile, you can use Ahrefs or SEMrush (paid). If there are links from spam sites, reject them with Google Disavow Tool.
In 2022, we found 3,000+ spam backlinks on a client. We disavowed them all, their rankings returned to normal after 2 months.
Step 9: Inform Users (Be Transparent)
If you have user registrations on your site, you need to inform them. Especially:
- If email addresses were stolen
- If passwords (even if hashed) were compromised
- If payment information is at risk
In Turkey, according to KVKK (Personal Data Protection Law), you must report a data breach to the Personal Data Protection Authority within 72 hours. Otherwise, there's an administrative fine.
Your notification email should include this information:
- What happened? ("Some data may have been at risk when your site was hacked")
- What data was affected? ("Email addresses and usernames")
- What should they do? ("Change your password, if you use the same password on other sites, change it there too")
- What did you do? ("We've taken all security measures, we're working with an expert firm")
In 2021, one of our e-commerce clients sent emails to 8,000 users after a hack. Thanks to their transparent approach, only 3 people closed their accounts. The remaining users happily changed their passwords.
Reputation Management
There may be negative comments about your site on social media. Respond to them:
- Acknowledge the situation ("Yes, we experienced a security breach")
- Explain what you did ("We're working with an expert team, all measures have been taken")
- Guarantee for the future ("We now have a much more secure infrastructure")
Don't get defensive, don't respond aggressively. Users expect empathy and transparency.
Step 10: Create a Long-Term Security Plan
Post-hack cleanup is done, but the work isn't finished. You need a plan to prevent the same thing from happening again.
The plan we apply to our clients at FUTIA:
1. Weekly automatic security scan (Wordfence scheduled scan)
2. Monthly manual security audit (file changes, new users, suspicious activity)
3. Change all passwords every 3 months (WordPress, hosting, FTP, database)
4. Plugin cleanup every 6 months (delete unused ones, research alternatives)
Also create a "security checklist":
- Is WordPress up to date?
- Are plugins up to date?
- Is the theme up to date?
- Is the SSL certificate active?
- Is the firewall working?
- Are backups being taken?
- Is 2FA active?
Check this list every month. It takes 10 minutes, but saves you from ₺10,000 annual hack cleanup costs.
When Is Professional Help Needed?
In some cases, cleaning on your own is risky:
- If the database is larger than 10 GB
- If there are more than 100 plugins
- If you're using a custom-coded theme
- If you're an e-commerce site and payment information is at risk
- If you've been hacked 2+ times before and it's still not resolved
In these situations, working with a security expert makes more sense. As FUTIA, we intervene within 24 hours in such cases. First we analyze the situation, then we share the cleanup plan, we start with your approval.
In our intervention on italyanmutfagi.com in 2023, all 618 recipe pages were filled with spam links. Manual cleaning would have taken 40 hours, we wrote a script with Claude Haiku, cleaned it in 2 hours. The client experienced no downtime.
If your site is currently hacked and you need help, you can email info@futia.net. First analysis is free, we'll tell you clearly how long it will take and the cost. Or write your site's URL and the problem you're experiencing to info@futia.net, we'll get back to you within 24 hours.
Frequently Asked Questions
How long does cleanup take after WordPress is hacked?
It varies depending on the type of hack. A simple defacement (homepage change) can take 2-4 hours, SEO spam 8-12 hours, backdoor and deep malware 24-48 hours. If your database is very large or you have more than 100 plugins, the time may extend. If you get professional support, these times can be cut in half thanks to automated tools. As FUTIA, our average cleanup time is 6-8 hours, but in complex cases it can be 2-3 days.
Will I lose all data after a hack?
No, in most cases there is no data loss. If you take regular backups, in the worst case scenario you'll revert to the last backup. Even if you don't have a backup, the hosting company may have automatic backups. The real risk is panicking and randomly deleting files. In 200+ hack cases, I've only seen serious data loss in 3 of them, all resulting from users making wrong moves in panic. If you proceed in the right order, your chance of recovering your data is over 95%.
Why is using nulled (pirated) themes dangerous?
Nulled themes usually contain backdoors or malware. When theme developers remove license control, they add their own malicious code. This code can create a hidden admin user on your site, modify your files, or make your site part of a botnet. Also, nulled themes don't get updates, security vulnerabilities aren't patched. In 2022, a client experienced 5 hacks in 3 months due to a nulled theme. After switching to a licensed theme, there were no problems. Theme cost is $50-100, hack cleanup cost is ₺5,000-10,000. The calculation is simple.
How can I remove Google's 'This site has been hacked' warning?
First you need to completely clean your site. Then log into Google Search Console, look at the 'Security Issues' section. There you'll see which pages are harmful. After fixing all issues, click the 'Request Review' button. Google will rescan your site within 3-7 days. If it's clean, they'll remove the warning. Important: if a new security issue is detected during the review, your request will be rejected and you'll have to wait 30 days. That's why before requesting a review, make sure your site is 100% clean.
What are the 3 most important measures for WordPress security?
1) Regular updates: WordPress core, themes and plugins should always be up to date. 80% of security vulnerabilities come from outdated software. 2) Strong passwords and 2FA: Your admin password should be minimum 16 characters and two-factor authentication should be active. 3) Regular backups: Take automatic backups every night, store offsite (Google Drive, Dropbox). If you take these three measures, you reduce hack risk by 90%. At FUTIA, we make this trio mandatory for all our clients.
Want to apply one of the techniques from this post? Fill out a short form and we'll email you a free preview audit within 48 hours.