WordPress Hacked: 10-Step Emergency Response Guide (2025)
The first 2 hours are critical when your WordPress site gets hacked. As someone who has worked in social media for 6 years and AI automation for 2 years, I'm sharing the step-by-step process for recovering hacked sites.

At 7:30 AM, while drinking my coffee, my phone rang. It was the owner of an e-commerce site I'd been managing for 8 years. "Miraç, when I visit the site, Russian betting ads are showing up, what happened?" he said. That's when you know—your WordPress site has been hacked. The first 2 hours are critical because Google can blacklist your site during this time or your hosting company can suspend your account. In this article, I'll share the 10-step protocol I've applied while recovering dozens of hacked sites since 2019. Even if your technical knowledge is limited, by following these steps you can clean and secure your site within 24 hours.
WordPress powers 43% of all websites worldwide. This popularity also makes it the number one target for hackers. Last month, while building a system that automatically publishes 50+ job listings daily for the kamupersonelhaber.com project, I also had to design security layers. Because high-traffic sites are like magnets for bots and malicious users.
Why Does WordPress Get Hacked So Often?
WordPress itself is actually quite secure. The problem usually emerges at three points: outdated themes and plugins, weak passwords, and non-updated core files. At FUTIA, when providing website and automation services from the Netherlands to Turkish brands, the first thing I do is a security audit.
In our 2023 work for diolivo.com.tr, after the site experienced 340% traffic growth within 6 months, DDoS attacks began. We blocked these attacks with Cloudflare integration and rate limiting, but if we hadn't taken basic security measures beforehand, the site would have crashed long ago.
90% of hacks stem from these reasons:
- Non-updated plugins (especially popular ones like Contact Form 7, Yoast SEO)
- Nulled (pirated) themes and plugins
- Weak admin passwords (admin, 123456, your site's name)
- Old PHP versions (7.4 and below)
- Lack of firewall and 2FA
There are also brute force attacks. Bots try to access the wp-admin panel by attempting hundreds of different password combinations per minute. If your password is something like "admin123," they're in within 10 minutes.
Signs of Being Hacked: Is Your Site in Danger?
Sometimes hacks are done so stealthily that you don't notice for months. A crypto mining script might be running in the background, or your site might be used in phishing campaigns. Here are the signals you should watch for:
Visual Signs
- Unfamiliar ads, pop-ups on the homepage
- "This site may be hacked" warning when your site is searched on Google
- Automatic redirects between pages (especially to betting or pharmaceutical sites)
- Foreign user accounts in the admin panel
Technical Signs
- Abnormal CPU and RAM usage in the hosting panel
- .php extension files in the wp-content/uploads folder
- Abnormal code in .htaccess or wp-config.php files
- "Email sent from your site" notifications arriving in your inbox
While producing 618 automated recipes for italyanmutfagi.com, I noticed the system slowing down one morning. When I checked the log files, I saw 40 requests per second coming to wp-login.php. After setting up Fail2ban and blocking these IPs, the system returned to normal.
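The "40 requests per second to wp-login.php" signal above can be pulled out of an ordinary access log with a few lines of code. The following is an added example (not code from the original post): it parses constructed Apache combined-format log lines, counts POSTs to the login endpoints per source IP in one-minute buckets, and reports the IPs that cross a threshold, which is the same decision a Fail2ban jail or a firewall rule would make. The sample lines, the threshold of 5 and the inclusion of /xmlrpc.php next to /wp-login.php are assumptions, not values from the article.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" access-log lines (demo data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:07:31:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:07:31:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:07:31:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:07:31:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:07:31:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:07:31:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:07:31:05 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:07:31:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:07:32:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
"""

# ip, timestamp, method, path and status from a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Login endpoints worth watching. xmlrpc.php is an assumption added here; the article only names wp-login.php.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]  # "12/Mar/2025:07:31:02 +0000" -> "12/Mar/2025:07:31"
    return rec


def find_login_floods(log_text, threshold=5):
    """Map each source IP that sent at least `threshold` login POSTs inside any
    one-minute bucket to the highest per-minute count it reached."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            counts[(rec["ip"], rec["minute"])] += 1
    flagged = {}
    for (ip, _minute), n in counts.items():
        if n >= threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs in one minute -> candidate for a Fail2ban/firewall block")
```

Run it against a real log with `find_login_floods(open("/path/to/access.log").read())`; a legitimate user rarely submits the login form more than a handful of times per minute, so anything in the tens is a bot and the IP is what you hand to Fail2ban or the firewall.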
Step 1: Don't Panic, Put the Site in Maintenance Mode
Your first reflex might be to delete all files. Don't. First, close the site to visitors so that neither Google nor users see the malicious content.
The fastest method is to add these lines at the top of the .htaccess file, above the "# BEGIN WordPress" block, so they run before WordPress's own rewrite rules:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000$
RewriteRule ^(.*)$ - [R=503,L]
(Replace 123.456.789.000 with your own public IP, keeping the backslashes before the dots, so only you can reach the site. The 503 status tells crawlers the outage is temporary, so Google does not index the injected content while you work.)
Alternatively, you can use a plugin like WP Maintenance Mode, but I prefer the file-based solution because plugins might also be hacked.
Step 2: Change Hosting and Database Passwords
Right now, immediately. Change your cPanel, FTP, MySQL passwords. Because if the hacker still has access, they can upload files again while you're cleaning.
Use 1Password or Bitwarden to create strong passwords. At least 16 characters, mixed upper-lowercase letters, numbers, and symbols. Passwords like "Miraç2024!" aren't sufficient.
Also update the database password in the wp-config.php file:
define('DB_PASSWORD', 'new_strong_password');
Don't skip this step. Last year, a client cleaned their site but didn't change passwords. 3 days later, the same hacker got in again.
Step 3: Take a Full Backup (Even If It's Dirty)
Yes, the site is hacked, but still take a backup. Because if something goes wrong during cleaning, at least you can return to this point.
In cPanel's "Backup" section, select "Full Backup." Download files and database separately. I usually take files in .tar.gz format and the database in .sql.gz format.
This backup is also important for forensic analysis. You can compare these files to understand which files were modified and when you were hacked.
In the doktorbul.com project, while creating 79,000 doctor profiles with programmatic SEO, I set up a system to take automatic daily backups. Because in such a large database, an error can turn into a recovery operation lasting days.
Step 4: Detect and Clean Malicious Files
This is the hardest step. A hacked WordPress site can have hundreds, even thousands of files. Which is clean, which is malicious?
Manual Check Points
1. wp-content/uploads folder: Only media files like images, PDFs should be here. If you see files with .php, .js, .html extensions, it's most likely a backdoor.
2. .htaccess file: Are there redirect codes you don't recognize at the end of the file? Delete them.
3. wp-config.php: If there are base64 encoded codes at the very top or bottom of the file, they're malicious.
4. Theme files: If there are functions like eval(), base64_decode(), gzinflate() at the end of header.php, footer.php, functions.php files, they're suspicious.
I download files via FTP with FileZilla and search for these terms in Visual Studio Code using the "Search in Files" feature:
- eval(
- base64_decode(
- gzinflate(
- preg_replace(.*\/e
- assert(
These functions aren't always malicious, but you see these functions in 80% of hacked sites.
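The manual checks above (code files under wp-content/uploads, and the five search terms in PHP files) can be automated in one pass over the site. The following is an added example, not code from the original post: it walks a WordPress tree, flags code files inside uploads, and greps every PHP file for the article's search terms. The extension list, the sample tree it builds in a temporary directory and the file contents are constructed assumptions; point `scan_site()` at the folder you downloaded with FileZilla to run it on a real site.

```python
import os
import re
import tempfile

# The article's manual search terms, compiled as regexes (word boundaries avoid hits like "retrieval(").
SUSPICIOUS_PATTERNS = {
    "eval(": re.compile(r"\beval\s*\("),
    "base64_decode(": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate(": re.compile(r"\bgzinflate\s*\("),
    "preg_replace /e": re.compile(r"\bpreg_replace\s*\(.*/e['\"]"),
    "assert(": re.compile(r"\bassert\s*\("),
}
# Extensions that should never appear under wp-content/uploads (assumption: extend for your host).
CODE_EXT = {".php", ".phtml", ".php5", ".js", ".html"}


def scan_site(root):
    """Walk a WordPress install and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            # Rule 1: a code file inside uploads is almost always a dropped backdoor.
            if rel.startswith("wp-content/uploads/") and ext in CODE_EXT:
                findings.append((rel, "code file in uploads"))
            # Rule 2: PHP files anywhere that contain the suspicious function calls.
            if ext in (".php", ".phtml", ".php5"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for label, rx in SUSPICIOUS_PATTERNS.items():
                    if rx.search(text):
                        findings.append((rel, label))
    return sorted(findings)


def build_sample_site(root):
    """Write a constructed mini install: two clean files and two that mimic the article's symptoms."""
    files = {
        "wp-content/uploads/2025/03/photo.jpg": "not really a jpeg, just demo bytes",
        "wp-content/uploads/2025/03/cache.php": "<?php /* demo: a PHP file hiding in uploads */ ?>",
        "wp-content/themes/twentytwenty/header.php": "<?php wp_head(); ?>",
        "wp-content/themes/twentytwenty/functions.php":
            "<?php\nfunction theme_setup() {}\n"
            "/* demo of an appended payload; 'UEhQ' is just base64 for 'PHP' */\n"
            "eval(base64_decode('UEhQ'));\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_site(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:22s} {rel}")
```

Treat the output as a worklist, not a verdict: open each flagged file and read the surrounding code, since plugins such as caching or backup tools legitimately call base64_decode() and gzinflate(), which is exactly why the article says these hits are suspicious rather than proof.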
Automated Scanning Tools
Install the Wordfence Security plugin and press the "Scan" button. The plugin compares WordPress core files with the originals and shows modified files.
Alternatively, there are online tools like Sucuri SiteCheck. But be careful, these tools only do surface scanning. Manual checking is essential for deep cleaning.
In the memuratamalari.com project, while pulling 50+ daily listings from the ilan.gov.tr API, one day Wordfence gave us a "wp-content/themes/twentytwenty/functions.php has been modified" warning. When we opened the file, there were 200 lines of obfuscated code added at the bottom. We deleted it and the site returned to normal.
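What Wordfence does when it "compares WordPress core files with the originals" is a hash comparison, and you can do the same yourself against a fresh download from wordpress.org of the exact version you run. The following is an added example, not code from the original post or from Wordfence: it hashes every file in a clean tree and in the live tree, then reports core files whose content changed, files under wp-admin/ or wp-includes/ that the clean release does not contain, and core files that are missing. The tiny sample trees it builds in a temporary directory are constructed for the demo; on a real site, pass the unzipped download and the site root to `verify_core()`.

```python
import hashlib
import os
import shutil
import tempfile

# Only these directories are expected to be byte-identical to the release; wp-content is site-specific.
CORE_PREFIXES = ("wp-admin/", "wp-includes/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_core(clean_root, live_root):
    """Compare the live install against a clean download of the same version.
    Returns (modified, added, missing): release files whose hash differs, files under the
    core directories that the release does not ship, and release files that are gone."""
    clean = build_manifest(clean_root)
    live = build_manifest(live_root)
    modified = sorted(p for p, h in clean.items() if p in live and live[p] != h)
    missing = sorted(p for p in clean if p not in live)
    added = sorted(p for p in live if p not in clean and p.startswith(CORE_PREFIXES))
    return modified, added, missing


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: a clean tree, a copy of it, then three tampering actions on the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        _write(clean, "index.php", "<?php require 'wp-blog-header.php';")
        _write(clean, "wp-includes/version.php", "<?php // demo: version constants live here")
        _write(clean, "wp-admin/admin.php", "<?php // demo: admin bootstrap")
        shutil.copytree(clean, live)
        # tampering: append to a core file, drop a new file into wp-admin, plus normal site-specific files
        with open(os.path.join(live, "wp-includes", "version.php"), "a", encoding="utf-8") as fh:
            fh.write("\n/* demo: injected line */")
        _write(live, "wp-admin/includes/extra.php", "<?php // demo: file not in the release")
        _write(live, "wp-config.php", "<?php // site config, expected to differ")
        _write(live, "wp-content/uploads/logo.png", "demo bytes")
        return verify_core(clean, live)


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("missing: ", missing)
```

Anything in "modified" or "added" inside wp-admin/ and wp-includes/ has no legitimate reason to exist, which is why Step 5's reinstall of those two folders is safe: the comparison also gives you the forensic list of what the attacker touched before you overwrite it. If you have shell access, WP-CLI's `wp core verify-checksums` performs the same check against the checksums wordpress.org publishes.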
Step 5: Reinstall WordPress Core, Theme, and Plugins
The most guaranteed method is to upload WordPress core files from scratch. But be careful, don't delete wp-content and wp-config.php files.
Reinstalling Core Files
1. Download the latest WordPress version from wordpress.org/download
2. Extract the .zip file
3. Upload all files except wp-content and wp-config.php to the server via FTP (overwrite)
This process cleans all malicious code in the wp-admin and wp-includes folders.
Updating Theme and Plugins
Deactivate all plugins, then activate and test them one by one. Whichever plugin causes problems, delete it and install an alternative.
If you're using a nulled (pirated) theme or plugin, delete it immediately. These files usually come with backdoors. Pay for it or find a free alternative.
In FUTIA projects, I only use GPL-licensed, actively developed plugins. For example, while setting up cart recovery automation with CartBounty on diolivo.com.tr, I made sure the plugin had been updated within the last 6 months. Result: 340% traffic increase and zero security issues.
Step 6: Clean the Database
Hackers usually inject malicious code into the database as well. Especially into the wp_options, wp_posts, and wp_users tables.
Checking with phpMyAdmin
Enter phpMyAdmin from cPanel, select your database, and run this SQL query (if your tables don't start with wp_, use the prefix set in $table_prefix in wp-config.php):
SELECT * FROM wp_options WHERE option_value LIKE '%base64%' OR option_value LIKE '%eval%';
This query searches for suspicious code in the wp_options table. Delete the rows you find or restore them from an old backup.
Also check the wp_users table for accounts you didn't create, listing every login you know is legitimate:
SELECT * FROM wp_users WHERE user_login NOT IN ('your_username', 'other_known_username');
While creating 618 recipes on italyanmutfagi.com, we were saving Schema.org Recipe markups to the database. One day we noticed there were meta_key values in the wp_postmeta table that we didn't recognize. It was an SQL injection attack. We cleaned the table and started using prepared statements.
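The two phpMyAdmin queries above, plus the prepared-statement habit mentioned in the anecdote, can be demonstrated end to end without touching a live database. The following is an added example, not code from the original post: it builds the wp_options, wp_users and wp_usermeta tables in an in-memory SQLite database with constructed rows, runs the article's wp_options query, and then goes one step further than the article's wp_users query by joining wp_usermeta so that only accounts holding the administrator role are reported, with your allow-list of logins passed as bound parameters. The sample rows, logins and option values are constructed; the table layout and the "<prefix>capabilities" meta key are how WordPress really stores roles.

```python
import sqlite3

# Constructed sample rows mirroring the tables the article names (demo data, not a real dump).
SAMPLE_OPTIONS = [
    (1, "siteurl", "https://example.com"),
    (2, "blogname", "Example Shop"),
    (3, "widget_text", "<?php eval(base64_decode('UEhQ')); /* demo payload, decodes to 'PHP' */"),
]
SAMPLE_USERS = [
    (1, "mirac", "owner@example.com"),
    (2, "editor1", "editor@example.com"),
    (3, "wp_backup_svc", "noreply@example.net"),  # constructed: an account the owner never created
]
# WordPress keeps roles in usermeta under "<prefix>capabilities" as a PHP-serialized array.
SAMPLE_ROLES = [
    (1, 1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, 'a:1:{s:6:"editor";b:1;}'),
    (3, 3, 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db(prefix="wp_"):
    """Create the three tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
        CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(f"INSERT INTO {prefix}options VALUES (?, ?, ?)", SAMPLE_OPTIONS)
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?, ?)",
        [(i, uid, f"{prefix}capabilities", caps) for i, uid, caps in SAMPLE_ROLES],
    )
    return conn


def find_suspicious_options(conn, prefix="wp_"):
    """The article's wp_options query: names of options whose value mentions base64 or eval."""
    rows = conn.execute(
        f"SELECT option_name FROM {prefix}options "
        "WHERE option_value LIKE '%base64%' OR option_value LIKE '%eval%'"
    )
    return [r[0] for r in rows]


def find_unknown_admins(conn, known_logins, prefix="wp_"):
    """Administrator accounts whose login is not on the allow-list.
    The logins are bound parameters, so they are never interpreted as SQL."""
    placeholders = ",".join("?" * len(known_logins))
    rows = conn.execute(
        f"SELECT u.user_login FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE '%administrator%' "
        f"AND u.user_login NOT IN ({placeholders})",
        (f"{prefix}capabilities", *known_logins),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("suspicious options:", find_suspicious_options(db))
    print("unknown admins:", find_unknown_admins(db, ["mirac", "editor1"]))
```

The same two SELECT statements run unchanged in phpMyAdmin against MySQL (swap the prefix if yours isn't wp_). Before deleting a flagged option row, note its option_name: a caching or SEO plugin may store base64-encoded settings legitimately, so compare the value against the backup from Step 3 rather than deleting on the keyword alone.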
Step 7: Install and Configure a Security Plugin
After cleaning the site, add security layers to prevent getting hacked again.
Wordfence vs Sucuri vs iThemes Security
I usually use Wordfence because even its free version is powerful. Activate these features:
- Firewall: Run in "Extended Protection" mode
- Login Security: Block IP for 1 hour after 3 failed attempts
- Two-Factor Authentication: Make it mandatory for admin accounts
- Scheduled Scans: Daily automatic scanning
Sucuri is better for CDN and DDoS protection. If you have a high-traffic site (10,000+ daily visitors), you can consider Sucuri's paid plan.
iThemes Security is more user-friendly. If your technical knowledge is limited, you can prefer this because it's easy to set up.
On kamupersonelhaber.com, while publishing 50+ daily listings, thanks to Wordfence we caught a bot sending 200 requests per minute. We blacklisted the IP and server load dropped 60%.
Step 8: Activate SSL and Security Headers
HTTPS is no longer optional, it's mandatory. Google marks sites without SSL as "Not Secure" and penalizes them in ranking.
Free SSL with Let's Encrypt
Most hosting companies (Hostinger, SiteGround, Natro) offer one-click Let's Encrypt SSL installation in cPanel. If your server doesn't support this feature, you can use Cloudflare's free SSL.
After installing SSL, add this line to the wp-config.php file:
define('FORCE_SSL_ADMIN', true);
This forces access to the admin panel only via HTTPS.
Security Headers
Add these headers to the .htaccess file. They need Apache's mod_headers, so wrap them in an IfModule check; otherwise a host without the module returns a 500 error for the whole site:
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
These headers prevent clickjacking (X-Frame-Options), MIME type sniffing (X-Content-Type-Options) and referrer leakage (Referrer-Policy). X-XSS-Protection is a legacy header that current browsers ignore; it does no harm, but don't count on it as an XSS defence.
In FUTIA projects, we install Cloudflare + SSL + security headers by default on all sites. For example, while producing 2,000+ videos in 3 months for futia.net, we experienced no downtime thanks to DDoS protection.
Step 9: Set Up a Regular Backup System
Against the possibility of getting hacked again, an automatic backup system is essential. Because you'll forget to take manual backups.
Automatic Backup with UpdraftPlus
UpdraftPlus is the most popular backup plugin. Even its free version automatically backs up to cloud storage like Google Drive, Dropbox, OneDrive.
Setup:
1. Install and activate UpdraftPlus
2. Go to Settings > UpdraftPlus Backups
3. In the "Schedule Backups" section:
- Files: Weekly
- Database: Daily
4. Select Google Drive as "Remote Storage"
5. Test with "Save Changes" and "Backup Now"
I recommend my clients keep backups in at least 3 different places: hosting server, cloud storage (Google Drive), and local computer.
On doktorbul.com, the database exceeds 2 GB because there are 79,000 profiles. Backing up such a large site daily strains server resources. That's why we use incremental backup (backing up only changed files).
Step 10: Submit a Reconsideration Request to Google
If your site has been marked as "hacked" by Google, you must submit a reconsideration request after cleaning.
Via Google Search Console
1. Go to search.google.com/search-console
2. Select your site
3. Click "Security Issues" from the left menu
4. Press the "Request Review" button
5. Explain in detail what you did (in English)
Google usually rescans the site within 3-7 days and removes the warning if the problem is resolved.
Blacklist Check
To check if your site is on other blacklists, use mxtoolbox.com/blacklists.aspx. If you're listed, you need to submit removal requests separately for each list.
On memuratamalari.com, once the IP address was listed on Spamhaus because another site on the server was hacked. Even though we were clean, we were affected because we shared the same IP. We requested a dedicated IP from the hosting company, problem solved.
Long-Term Strategies to Prevent Hacking
After cleaning the site, continuous maintenance is essential to avoid the same situation again.
Monthly Security Checklist
- Update WordPress core, themes, and plugins
- Delete unused plugins (deactivating isn't enough)
- Review security logs (Wordfence Activity Log)
- Check that backups are being taken properly
- Change passwords (especially admin accounts)
At FUTIA, while providing monthly maintenance service to clients, I automated these checks. I built a system that analyzes security logs with Claude Haiku API and sends WhatsApp notifications if there's abnormal activity. For example, on memuratamalari.com with 40,400 monthly organic search traffic, thanks to this automation we experienced no downtime.
PHP and Server Updates
If your hosting company is using an old PHP version (7.4 or below), definitely upgrade to 8.1 or 8.2. Old versions have known security vulnerabilities.
You can update from the "Select PHP Version" section in cPanel. But be careful, some old themes may be incompatible with PHP 8. Definitely take a backup before updating.
Two-Factor Authentication (2FA)
No matter how strong the password is, it's not enough alone. If you add 2FA, even if the hacker knows your password, they can't log in.
You can set up 2FA with Wordfence or Google Authenticator plugin. I use Google Authenticator because even if you change phones, you can rescan the QR code and continue.
At this point, if your technical knowledge is limited or you don't have time, I recommend getting professional support. As FUTIA, I provide website, automation, and monthly maintenance services from the Netherlands to Turkish brands. I have 6 years of social media and 2 years of AI automation experience in areas like recovering hacked sites, security audits, and continuous monitoring. If your site is currently hacked and needs emergency intervention, you can reach me via WhatsApp at +90 532 491 17 05 or at info@futia.net. The initial analysis is usually completed within 1 hour.
Frequently Asked Questions
How long does it take to clean my WordPress site if it's been hacked?
It depends on the extent of the hack. A simple backdoor or spam injection can be cleaned within 4-6 hours. But a hack that has penetrated to the database with numerous malicious files uploaded can take 24-48 hours. I usually put the site in maintenance mode within the first 2 hours and eliminate urgent threats (Google blacklist, hosting suspension). Then detailed cleaning takes 1-2 days. The important thing is to proceed systematically without panicking.
Why is using nulled themes dangerous?
Nulled (pirated) themes are modified files to bypass license checks. During these modifications, developers typically add backdoors, malware, or crypto mining scripts. When you install the theme, these malicious codes also become active and the hacker can access your site whenever they want. Moreover, you can't get theme updates, which means security vulnerabilities won't be closed. Use GPL-licensed free themes (Astra, GeneratePress) or originals of paid themes. Don't risk your site to save 50 dollars.
Should I get Wordfence free or the paid version?
Wordfence's free version is sufficient for most sites. Basic features like firewall, malware scanning, login security, and 2FA are free. The paid version ($119 annually) offers real-time threat updates, country-based blocking, and premium support. If you have an e-commerce site or receive 5,000+ daily visitors, you can consider the paid version. But if it's a small blog or corporate site, the free version is sufficient. In FUTIA projects, I usually use the free Wordfence + Cloudflare combination.
The hosting company said 'your site is hacked, account suspended,' what should I do?
First, don't panic, this situation can be fixed. Contact the hosting company's support team and ask which files are malicious. They usually give you a log file or list of malicious files. Delete these files via FTP, then notify the hosting company that you've cleaned it. Most companies reopen the account within 24-48 hours. If you don't have technical knowledge, you can hire a WordPress security expert from Codeable or Fiverr. Or write to me on WhatsApp, for emergency intervention we usually solve it the same day.
Will the site break when updating WordPress?
Yes, sometimes compatibility issues can arise. Especially old themes or plugins may not work with the new WordPress version. That's why you must take a backup before updating. I apply this process: 1) Full backup with UpdraftPlus, 2) Update in staging environment (test site), 3) Update on live site if no problems. Most hosting companies (SiteGround, Kinsta) offer staging features. If not, you can test on your computer with tools like Local by Flywheel. After updating, definitely check all pages of the site.
Want to apply one of the techniques from this post? Fill out a short form and we'll email you a free preview audit within 48 hours.