It’s a horrible feeling—logging into your WordPress site only to find strange content (potentially on the… rude side), broken pages, or even worse, that you can’t access it at all. A hacked website can feel like a digital nightmare, but take a deep breath. You’re not the first person this has happened to, and you won’t be the last.
Here’s a simple, step-by-step guide to help you take control and recover your site.
Don’t Panic (But Act Quickly)
The sooner you act, the better. Hackers can do a lot of damage in a short amount of time, from injecting malware to redirecting your traffic. Stay calm, but move fast. Get in touch with your developer, or your web host if you don’t have a developer available (hello!), and let them know that you’ve been hacked. They should prioritise the issue for you and get the site back to how it was as soon as possible.
💡 Tip: If your site is redirecting, take it offline temporarily by putting it in maintenance mode or asking your host to disable it. If you don’t, you could end up being blocked by Facebook or Google.
Change All Your Passwords
Start by changing your WordPress admin password, then move on to your hosting account, email accounts and any accounts you might have with domain companies. You should already be using a password manager, but if you’re not, now would be a good time to start! They’re very affordable and can suggest strong random passwords for every website you need to access.
💡 Tip: Check whether your email and password have been compromised previously by putting your email into Have I Been Pwned.
Restore from a Clean Backup or Run a Malware Scan
If you don’t update the site very often, then the simplest thing to do would be to restore from the earliest backup you have access to. This works well for brochure sites or sites which only have new posts added to them every few weeks. You might find that you can roll back to an earlier version of the site which wasn’t hacked to fix the problem entirely. Just remember that if you do this your password will need to be changed again.
If restoring a backup isn’t an option and you can still access the site, then use a security plugin like Wordfence, Sucuri, or iThemes Security to scan your website. These tools can help identify malicious files, suspicious code, and unusual login attempts, and will usually attempt to remove them. Be warned, though: the automatic removal can occasionally break the site even more, so take care before using it.
💡 Tip: Store backups offsite (not just on your server). Most decent hosting providers will do this for you.
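If you or your developer have file access to the server, a quick triage can help decide which backup is clean and what to look at first. The script below is an added example, not part of the original guide and not how the plugins named above work: it flags PHP files inside wp-content/uploads, PHP files modified after the backup you plan to restore, and one common obfuscation idiom. The function names, the pattern and the sample files are all constructed for illustration.

```python
import os
import re
import tempfile
import time

# Constructed heuristic: eval() wrapped around a decoder is a common obfuscation idiom.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")
PHP_EXT = (".php", ".phtml", ".phar")

def triage(wp_root, since_epoch):
    """Return {relative_path: [reasons]} for PHP files worth a manual look."""
    findings = {}
    uploads = os.path.join("wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root)
            reasons = []
            if rel.startswith(uploads + os.sep):
                reasons.append("php-in-uploads")  # uploads should hold media, not code
            if os.path.getmtime(full) > since_epoch:
                reasons.append("modified-since-backup")
            with open(full, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    reasons.append("obfuscated-eval")
            if reasons:
                findings[rel.replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Build a constructed sample tree and run the triage over it."""
    root = tempfile.mkdtemp()
    backup_time = time.time() - 7 * 86400  # assume the backup is a week old
    samples = {  # constructed files: (contents, modification time)
        "wp-includes/version.php": (b"<?php $wp_version = 'x';", backup_time - 3600),
        "wp-content/uploads/2024/01/img.php": (b"<?php eval(base64_decode('AA=='));", backup_time + 3600),
        "wp-content/themes/demo/functions.php": (b"<?php // theme code", backup_time + 60),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return triage(root, backup_time)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, ", ".join(reasons))
```

A file flagged only as modified-since-backup may be a legitimate update, so treat the output as a list of things to review rather than a verdict.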
Final Thoughts on WordPress Site Hacks
Getting hacked is frustrating—but it’s also fixable. By acting quickly, cleaning thoroughly, and putting stronger security in place, you can get your site back on track and make sure it’s better protected moving forward. Think of it as a wake-up call, not a disaster.
Once you’ve gotten things back on track, try some of these options to help make sure it doesn’t happen again:
- Install a security plugin to limit login attempts, change the location of the wp-login screen and put up a firewall to stop potential hackers
- Use two-factor authentication on your login to stop anyone who does get your password from getting into the site, and change your password to something secure and unique
- Make sure to keep your site, plugins and themes up to date; once a month should be enough to update everything through the WordPress admin panel
Remember, you’re not alone—many site owners go through this. You’ve got this 💪