My WordPress Site Was Hacked — What to Do Right Now
If your WordPress site is redirecting to spam, showing strange content, or flagged by Google, here's your step-by-step recovery plan.
Discovering your website has been hacked is stressful. Maybe it's redirecting to a spam site, showing pharmacy ads, or Google is warning visitors that your site is dangerous. Here's what to do.
Step 1: Don't Panic (But Act Fast)
The longer a hack stays active, the more damage it does — to your reputation, your SEO rankings, and potentially your customers' data. But panicking leads to mistakes. Follow these steps methodically.
Step 2: Take Your Site Offline
Put up a maintenance page immediately. This prevents visitors from being exposed to malware and stops Google from crawling compromised pages.
Step 3: Change All Passwords
Change these immediately:
- WordPress admin password
- Database password
- FTP/SFTP password
- Hosting control panel password
- Any connected email accounts
Use strong, unique passwords for each one.
Step 4: Identify the Hack
Common signs and what they mean:
- Redirects to spam sites: Malicious code injected into your theme or .htaccess file
- Strange admin users: Attacker created backdoor accounts
- Spam pages indexed in Google: Attacker added hidden pages for SEO spam
- "This site may be hacked" warning: Google detected the compromise
Step 5: Clean the Infection
- Scan with a security plugin like Wordfence or Sucuri
- Compare core files against clean WordPress files
- Check your theme and plugin files for unfamiliar code
- Review your database for injected content
- Check .htaccess for redirect rules you didn't add
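The core-file comparison from the list above can be scripted. This is an added example, not code from the original article: it hashes every file outside wp-content in the live install and in a freshly downloaded copy, then lists files that were modified, are missing, or exist only on the live site. It assumes the clean copy is the same WordPress version as the site; the function names and the two directory arguments are illustrative.

```python
import hashlib
import sys
from pathlib import Path

# wp-content holds themes, plugins and uploads: site-specific, so review it separately
SKIP_DIRS = {"wp-content"}
# Files that legitimately exist only on the live site, never in the download
SITE_ONLY = {"wp-config.php", ".htaccess"}

def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_core(root):
    """Map relative path -> SHA-256 for every file under root outside SKIP_DIRS."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in SKIP_DIRS:
            hashes[rel.as_posix()] = sha256_of(p)
    return hashes

def compare_core(site_root, clean_root):
    """Compare the live install against a clean copy of the same version."""
    site, clean = index_core(site_root), index_core(clean_root)
    return {
        # Core files whose contents differ from the clean copy
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        # Core files that were deleted from the live site
        "missing": sorted(f for f in clean if f not in site),
        # Files in core directories that WordPress does not ship
        "extra": sorted(f for f in site if f not in clean and f not in SITE_ONLY),
    }

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_core.py <live-site-dir> <clean-wordpress-dir>")
    for kind, files in compare_core(sys.argv[1], sys.argv[2]).items():
        for name in files:
            print(f"{kind.upper():9}{name}")
```

Anything reported as modified or extra is a file to open and read before deleting or replacing it; wp-config.php and .htaccess are skipped by the comparison and still need a manual look.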
Step 6: Harden Your Security
After cleanup:
- Update WordPress, all plugins, and themes
- Remove unused plugins and themes
- Install a security plugin (Wordfence recommended)
- Enable two-factor authentication
- Limit login attempts
- Use a web application firewall
Step 7: Request Google Review
If Google flagged your site, submit a review request through Google Search Console once you've cleaned everything up. This usually takes 1-3 days.
How Did This Happen?
The most common entry points:
- Outdated plugins (the #1 cause)
- Weak passwords
- Nulled/pirated themes or plugins
- Vulnerable hosting
Need Help?
Cleaning a hacked site is delicate work — miss one backdoor and the attacker comes right back in. I've cleaned dozens of hacked WordPress sites and know exactly where to look. I'll clean it, secure it, and set up monitoring so it doesn't happen again.