Discovering that your WordPress website has been hacked can be a stressful experience. It can lead to various issues such as data theft, loss of reputation, and even financial losses. However, it’s important to stay calm and take immediate action to mitigate the damage and secure your website. Here’s a comprehensive guide on what to do if your WordPress website is hacked.

1. Identify the Hack

The first step is to confirm that your website has actually been hacked. Common signs include strange pop-ups, unusual redirects, changes in website content, or a sudden drop in search engine rankings. You can also use security plugins like Wordfence or Sucuri to scan your website for malware and vulnerabilities.

2. Take Your Website Offline

If you confirm that your website has been hacked, it’s crucial to take it offline temporarily to prevent further damage. You can do this by putting up a maintenance page or redirecting visitors to a temporary landing page.

3. Change Your Passwords

Immediately change the passwords for your WordPress admin account, hosting account, FTP/SFTP, and any other relevant accounts. Use strong, unique passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.

4. Update WordPress Core, Themes, and Plugins

Ensure that your WordPress core, themes, and plugins are updated to the latest versions. Hackers often exploit vulnerabilities in outdated software, so keeping everything up to date is crucial for security.

5. Scan for Malware

Run a thorough malware scan on your website using security plugins or online scanning tools. Remove any malicious files or code that are identified during the scan.

6. Restore from Backup

If you have a recent backup of your website, consider restoring the site from it to return to a clean state from before the hack occurred. Make sure to scan the backup files for malware before restoring them.

7. Review User Accounts

Check all user accounts on your WordPress website, including admin, editor, and contributor accounts. Remove any suspicious or unauthorized accounts and change the passwords for legitimate accounts.

8. Check File Permissions

Review the file permissions on your server to ensure that only necessary files and directories have write permissions. Set strict permissions to prevent unauthorized access and modifications.
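
One way to carry out this permission review from a shell on the server, as an added example that is not part of the original guide: it lists anything under the WordPress root that group or other can write to, flags a world-readable wp-config.php, and can reset the tree afterwards. It assumes the commonly recommended baseline of 755 for directories and 644 for files, plus 640 for wp-config.php (which requires PHP to run as the file owner or a member of its group); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and reset write permissions under a WordPress root.
# Assumed baseline: directories 755, files 644, wp-config.php 640.

# Print one finding per line; print nothing when the tree matches the baseline.
audit_wp_perms() {
    root=${1:?usage: audit_wp_perms WP_ROOT}
    # Anything that group or other can write to (symlinks are not followed).
    find "$root" \( -type f -o -type d \) \
        \( -perm -0020 -o -perm -0002 \) -print | sort | sed 's/^/WRITABLE /'
    # wp-config.php holds database credentials and auth salts.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" -perm -0004 -print |
            sed 's/^/CONFIG_WORLD_READABLE /'
    fi
}

# Reset the tree to the assumed baseline. Run only after reviewing the audit,
# since the findings themselves can point to what the intruder touched.
fix_wp_perms() {
    root=${1:?usage: fix_wp_perms WP_ROOT}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# Build a constructed sample tree with three deliberate problems.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/plugins"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    : > "$t/wp-content/plugins/hello.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/plugins"
    chmod 644 "$t/index.php" "$t/wp-config.php"   # config readable by other
    chmod 777 "$t/wp-content/uploads"             # world-writable directory
    chmod 666 "$t/wp-content/plugins/hello.php"   # world-writable PHP file
    echo "$t"
}

# Usage: sh audit.sh /path/to/wordpress   (placeholder path)
if [ "$#" -gt 0 ]; then audit_wp_perms "$1"; fi
```

Save the audit output before running the reset, so the list of unexpectedly writable paths is still available when reviewing what was modified.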

9. Implement Security Measures

Enhance the security of your WordPress website by implementing additional security measures. This includes using security plugins, enabling two-factor authentication, restricting access to sensitive files, and regularly auditing your website for vulnerabilities.

10. Monitor and Maintain

After securing your website, continue to monitor it regularly for any signs of suspicious activity. Maintain a backup schedule and update your WordPress core, themes, and plugins as soon as new versions are released.

11. Communicate with Users

If the hack has affected user data or functionality, communicate transparently with your users about the situation and any steps they need to take, such as changing their passwords.

12. Consider Professional Help

If you’re unsure about how to handle the hack or if it’s a complex security breach, consider seeking professional help from cybersecurity experts or WordPress security services.


Dealing with a hacked WordPress website requires swift and decisive action. By following these steps and prioritizing website security, you can recover from a hack and prevent future security incidents. Remember to stay vigilant and proactive in maintaining the security of your WordPress website.