FUTIA
SECURITY · 9 min read

WordPress Hacked: 10-Step Emergency Response Guide (2025)

The first 24 hours are critical when your WordPress site gets hacked. As someone who's been doing digital marketing for 6 years, I'm sharing the step-by-step recovery protocol I've applied in 40+ hack cases.

Miraç Eroğlu
May 17, 2026

7:30 AM, message from a client: "Site won't open, pages are redirecting to Russian betting ads." It was the 4th hack case I'd encountered that month before finishing my coffee. 90% of WordPress sites get hacked due to basic security mistakes, and most site owners make wrong decisions in the first 2 hours. I'm Miraç, I've been working in social media marketing for 6 years and in AI automation for 2 years. While serving Turkish brands from the Netherlands at FUTIA, I've dealt with dozens of hack cases. In this article, I'll explain how to recover without panicking, without losing data, and while protecting your SEO rankings. Because one wrong move can destroy 3 months of organic traffic in 2 hours.

WordPress is hackers' #1 target because it has a 43% market share. But here's the real problem: Most site owners realize they've been hacked 3-7 days later. By then, they may have been blacklisted by Google, their customer database stolen, and their server resources used for crypto mining. Taking the right steps within the first 24 hours both prevents data loss and minimizes SEO damage. Let's go step by step.

Step 1: Put the Site in Maintenance Mode Immediately (First 10 Minutes)

Don't panic and start deleting plugins. The first thing you need to do is protect visitors and Google bots. I always follow this sequence:

1. Temporarily shut down the site from the hosting panel (maintenance mode)
2. Log into Google Search Console, check the "Security Issues" section
3. If there's a "This site may be hacked" warning, don't create a "Review Request" immediately (it's too early)
4. If you're using Cloudflare, activate "I'm Under Attack" mode

A client of mine (e-commerce site, 15,000 monthly visitors) kept the site open for the first 2 hours when hacked. Google issued "deceptive site" warnings for 47 pages. Even after cleaning, organic traffic dropped 60% for 3 months. If they had put it in maintenance mode, Google would have only seen 1 day of inaccessibility.

For maintenance mode, you can use the WP Maintenance Mode plugin, but you can also do it via FTP through .htaccess:

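RewriteEngine On
# Skip the redirect for your own IP (replace the placeholder address)
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000$
# Never redirect the maintenance page itself, or the rule loops
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
# Send every other request to the maintenance page as a temporary redirect
RewriteRule ^(.*)$ /maintenance.html [R=307,L]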

Whitelist your own IP so you can keep working. Use a 307 redirect because it signals that the redirect is temporary.

Step 2: Change All Passwords and Access Credentials

Hackers usually leave backdoors. Even if you clean the malware, they can get back in 2 weeks later. You must change these access credentials:

  • WordPress admin passwords (all users)
  • FTP/SFTP passwords
  • cPanel/hosting panel password
  • Database password (in wp-config.php)
  • Passwords for integrated services like Cloudflare, Google Analytics

While doing a security audit for kamupersonelhaber.com, I saw this: 3 former employees still had active admin access. One had left 2 years ago. User management means a 30% security vulnerability.

When changing passwords, pay attention to these:

  • Minimum 16 characters, mixed upper/lowercase, numbers, symbols
  • Use a password manager like 1Password or Bitwarden
  • Change default usernames like "admin", "editor"
  • Add these lines to wp-config.php:
define('FORCE_SSL_ADMIN', true);
define('DISALLOW_FILE_EDIT', true);

The second line disables theme/plugin editing from the admin panel. Hackers usually inject code through there.

Step 3: Restore from a Clean Backup (If Available)

The fastest solution is to restore a clean backup from before the hack. But be careful: if you don't have a backup strategy, this step won't work.

I set up this backup system for clients at FUTIA:

1. Daily automatic backup (UpdraftPlus Premium)
2. Backups sent to Google Drive + Dropbox (dual location)
3. Database and files backed up separately
4. Slack notification after each backup (success/failure)

During the period when we achieved 340% traffic growth for diolivo.com.tr, there was a hack attempt. Cloudflare firewall stopped it but we still experienced 2 hours of data loss. Fortunately, we were backing up every 6 hours, so we restored to a backup from 4 hours earlier.

When restoring from backup:

  • Restore not just files, but also the database
  • Check the wp-content/uploads folder separately (backdoors can be hidden here)
  • After restoration, update all plugins and theme
  • Save permalink settings (critical for SEO)

If you don't have a backup or the backup is also infected, proceed to Step 4.

Step 4: Detect and Clean Malicious Code

This is the most tedious part. Manually scanning thousands of files is impossible. I use these tools:

Wordfence Security (Free)

The deep scan feature compares all files with official WordPress repositories. It shows modified core files and suspicious plugin code. Scanning takes 15-45 minutes (depending on site size).

Sucuri SiteCheck (Free Online)

Scans from the outside and checks Google blacklist status and known malware signatures. But it is only a surface-level scan; it can't access server files.

MalCare (Paid, $99/year)

Has an automatic cleaning feature. I've used it in 3 cases, 80% success rate. But you may need to manually clean complex backdoors.

For manual scanning, check these folders via FTP:

  • /wp-content/uploads/ (should not contain PHP files)
  • /wp-includes/ (core files, may be modified)
  • /wp-content/themes/[active-theme]/ (functions.php is riskiest)
  • /wp-content/plugins/ (unknown plugins)

Suspicious code examples:

eval(base64_decode(...)); // Executes base64-encoded (obfuscated) code
@include("/tmp/..."); // Includes a hidden file, with errors suppressed
preg_replace("/.*/e", ...); // The /e modifier evaluates the replacement as PHP code

In one client case (not the site where we produced 618 recipes for italyanmutfagi.com, a different project), we found a backdoor named wp-content/uploads/2019/03/favicon.ico.php. It contained 4,500 lines of base64 encoded code. When decoded, it turned out to be a Russian forum script.
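
A minimal scanner for the manual checks above, meant to be run against a downloaded copy of the site: it flags any PHP file under wp-content/uploads/ and the three code patterns listed. This is an added example, not part of the original article; the sample tree is constructed (the theme name demo and the path /tmp/.cache are made up), and a regex hit is a lead to review, not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP handler commonly executes. Only the final suffix is
# checked, so double extensions such as favicon.ico.php are caught.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# The three suspicious constructs from the list above, as byte regexes.
PATTERNS = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "include-tmp": re.compile(rb"include(?:_once)?\s*\(?\s*[\"']/tmp/", re.I),
    "preg-replace-e": re.compile(
        rb"preg_replace\s*\(\s*([\"'])(.)[^\"']*?\2[a-z]*e[a-z]*\1", re.I),
}

def scan(wp_root):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    root, findings = Path(wp_root), set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/"):
            findings.add((rel, "php-in-uploads"))  # uploads should hold media only
        data = path.read_bytes()
        findings.update((rel, name) for name, rx in PATTERNS.items() if rx.search(data))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample site: inert files that only mimic the patterns."""
    files = {
        "wp-content/uploads/2019/03/favicon.ico.php": b'<?php eval(base64_decode("QUJD"));',
        "wp-content/uploads/2019/03/photo.jpg": b"\xff\xd8\xff",
        "wp-content/themes/demo/functions.php":
            b'<?php @include("/tmp/.cache");\npreg_replace("/.*/e", $a, $b);',
        "wp-includes/version.php": b"<?php $wp_version = 'x.y';",
    }
    for rel, body in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan(build_sample_tree(tmp)):
            print(f"{reason:16} {rel}")
```

Only files with an executable PHP suffix are read, so a payload stored under another extension and pulled in via include will not show up here; the include-tmp hit on the including file is the lead to follow in that case.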

Step 5: Reinstall WordPress Core, Theme, and Plugins

Cleaning isn't enough. Hackers can even modify WordPress core files. The safest method:

1. Download clean core files from WordPress.org (same version)
2. Delete /wp-admin/ and /wp-includes/ folders via FTP
3. Upload the newly downloaded files
4. Do the same for wp-content/themes/ and wp-content/plugins/ (for active ones)

Caution: Don't delete wp-content/uploads/ and wp-config.php. Uploads contains your media files, wp-config has your database connection.
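
Before deleting the core folders, it helps to record which files differed from the clean download, because files that exist on the site but not in the release are where a backdoor was dropped. The sketch below is an added example, not part of the original article: it assumes a clean copy of the same WordPress version is unpacked next to a downloaded copy of the site, it covers only wp-admin and wp-includes, and the sample files (including class-wp-cache-tmp.php) are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # the folders Step 5 replaces

def manifest(root):
    """Map relative path -> SHA-256 for every file under the core folders."""
    root, hashes = Path(root), {}
    for core_dir in CORE_DIRS:
        for path in (root / core_dir).rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare_core(clean_root, site_root):
    """Diff a site against a clean copy of the same WordPress version."""
    clean, site = manifest(clean_root), manifest(site_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "unexpected": sorted(f for f in site if f not in clean),
        "missing": sorted(f for f in clean if f not in site),
    }

def write_tree(base, files):
    for rel, body in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return base

def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    clean = {
        "wp-admin/admin.php": b"<?php // admin",
        "wp-admin/index.php": b"<?php // dashboard",
        "wp-includes/load.php": b"<?php // loader",
    }
    site = dict(clean)
    site["wp-includes/load.php"] += b"\n// injected line"        # modified core file
    site["wp-includes/class-wp-cache-tmp.php"] = b"<?php // x"   # not in the release
    del site["wp-admin/index.php"]                               # removed by attacker
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return compare_core(write_tree(a, clean), write_tree(b, site))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```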

For plugins:

  • Delete all plugins you're not using (not deactivate, completely delete)
  • If there are nulled (pirated) plugins, definitely remove them
  • For each plugin, upload the clean version from WordPress.org

While doing programmatic SEO for 79,000 doctor profiles on doktorbul.com, I was using 23 plugins. During a security audit, I found 8 of them unnecessary and deleted them. Each plugin means a potential security vulnerability.

Step 6: Clean the Database

Malware can hide not just in files, but also in the database. The wp_options and wp_posts tables in particular get injected.

Run these SQL queries through phpMyAdmin:

-- Find suspicious users: any account not on your list of known logins (replace the names)
SELECT * FROM wp_users WHERE user_login NOT IN ('known_admin1', 'known_admin2');

-- Base64 encoded values in wp_options table
SELECT * FROM wp_options WHERE option_value LIKE '%base64%';

-- Spam comments
DELETE FROM wp_comments WHERE comment_approved = 'spam';

-- Old post revisions (for performance)
DELETE FROM wp_posts WHERE post_type = 'revision';

In one case, the "siteurl" value in the wp_options table had been changed. The site was redirecting to a Russian betting site. We restored the correct URL from phpMyAdmin.

Also:

  • Search for