
My WordPress site was hacked: what to do in 15 minutes

⚡ SECURITY EMERGENCY — Your WordPress site has been hacked? Every minute counts. Don't panic, but act immediately. Follow this step-by-step guide to minimize the damage.

  1. Isolate Site (0 - 4 min): Maintenance Mode
  2. Backup (4 - 6 min): Files & Database
  3. Scan Site (6 - 10 min): Tools & Server Logs
  4. Credentials (10 - 13 min): Passwords & Keys
  5. Expert Sec (13 - 15 min): Final Cleanup

In 2024, more than 13,000 WordPress sites are attacked every day worldwide. If you're reading this article, there's a strong chance you're one of the victims. The good news: with the right steps, you can regain control of your site in 15 minutes.

This article is an emergency guide designed to walk you through, minute by minute, the recovery of your compromised WordPress site. Whether you're a non-technical site owner or an experienced administrator, these steps are essential.

1. Stay calm and assess the situation (Minutes 0-2)

The first reaction to a hack is often panic. Take a deep breath. Do not delete anything, do not modify anything before assessing the situation. If you're unsure whether you've been hacked, check our list of 12 signs your WordPress site is hacked to confirm your suspicions.

What to check immediately:

  • Admin login: Can you still log in to /wp-admin?
  • Site appearance: Is your site displaying unusual content, redirects, or defacement?
  • Google warning: Type site:yoursite.com in Google. Does your site show "This site may be hacked"?
  • Host email: Have you received a warning from your hosting provider about suspicious activity?

"The majority of hacked sites are not individually targeted. They are victims of automated attacks exploiting known vulnerabilities." — Wordfence Report 2024

2. Disconnect your site immediately (Minutes 2-4)

To prevent attackers from continuing to cause damage, you need to isolate your site quickly. According to security experts, attackers can install backdoors, steal data, and compromise dozens of files in just a few minutes. Speed is essential.

Option A: Maintenance mode via hosting

  1. Log in to your hosting control panel (cPanel, Plesk, etc.)
  2. Enable maintenance mode or the "Site Under Construction" page
  3. If you don't know how, call your hosting support immediately

Option B: Rename the wp-admin folder

If you have FTP/SFTP access:

  1. Connect via your FTP client
  2. Navigate to your WordPress root directory
  3. Rename the wp-admin folder to wp-admin-backup
  4. This makes the admin interface inaccessible to attackers

Option C: Activate maintenance by file

Create a .maintenance file in your site root with the following content:

<?php $upgrading = time(); ?>

⚠️ Important: Do NOT delete files at this stage. Evidence of the intrusion is essential for analysis and recovery.

3. Create an emergency backup (Minutes 4-6)

Even though your site is compromised, back it up as-is. This copy is crucial for:

  • Analyzing the attacker's intrusion methods
  • Identifying modified or added files
  • Preserving evidence in case of legal proceedings
  • Comparing with a clean version of the site

How to back up via FTP:

  1. Connect to your server via SFTP
  2. Download the entire public_html folder (or your WordPress root directory)
  3. Also export your database via phpMyAdmin or command line
  4. Store this backup on your local computer, not on the server
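
For readers with shell access, the backup steps above can be scripted so the as-found copy carries hashes that later show it was not altered. This is an added example, not part of the original guide; it assumes GNU tar and sha256sum, and the function names, `DB_USER` and `DB_NAME` are placeholders.

```sh
#!/bin/sh
# Added example: archive the compromised site as-is and record hashes, so the
# copy can later be shown to be unchanged. Assumes GNU tar and sha256sum.
# Keep OUT_DIR outside the site root and move the result off the server.

# snapshot_site SITE_ROOT OUT_DIR -> prints the archive path
snapshot_site() {
    root=$1; out=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$out"
    # Per-file SHA-256 list: the baseline for spotting modified or added files later.
    ( cd "$root" && find . -type f -exec sha256sum {} + | sort -k 2 ) \
        > "$out/manifest-$stamp.sha256"
    # -p keeps permissions; tar also keeps mtimes, which help date the intrusion.
    tar -czpf "$out/site-$stamp.tar.gz" -C "$root" .
    # Hash of the archive itself, stored beside it.
    ( cd "$out" && sha256sum "site-$stamp.tar.gz" > "site-$stamp.tar.gz.sha256" )
    echo "$out/site-$stamp.tar.gz"
}

# verify_snapshot ARCHIVE -> exit status 0 only if the archive still matches its hash
verify_snapshot() {
    ( cd "$(dirname "$1")" && sha256sum --status -c "$(basename "$1").sha256" )
}

# Database export (assumption: shell access with mysqldump; DB_USER and DB_NAME
# are placeholders for the values in wp-config.php):
#   mysqldump --single-transaction -u DB_USER -p DB_NAME > db-as-found.sql

# Constructed sample tree for trying the functions; not real site data.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    echo '<?php // sample config' > "$d/wp-config.php"
    echo 'sample' > "$d/wp-content/uploads/a.txt"
    echo "$d"
}

# Command-line use: sh snapshot.sh SITE_ROOT OUT_DIR
if [ "$#" -eq 2 ]; then snapshot_site "$1" "$2"; fi
```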

Common mistakes to avoid at this stage:

  • Don't delete files: Even if you see obvious malware, leave it for analysis
  • Don't log out of wp-admin: The attacker may have changed your password
  • Don't notify the attacker: Avoid sending emails from the compromised server
  • Don't use the compromised site to research solutions: Use a different device or browser

4. Run a complete scan (Minutes 6-10)

Now that your site is isolated and backed up, you need to identify what has been compromised. For details on analysis tools and methods, read our guide on how to detect malware on your WordPress site.

Manual scan of critical files:

Check these files and folders first:

| File/Folder | What to look for |
|---|---|
| wp-config.php | Modified database connection, suspicious code added |
| .htaccess | Unauthorized redirects, suspicious rules |
| wp-content/uploads/ | PHP files in upload folders (they shouldn't be there) |
| wp-content/themes/ | Modifications in theme files, especially functions.php |
| wp-content/plugins/ | Unknown or modified plugins |
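
The manual checks in the table above can be run as a read-only triage script over the site root or over the downloaded backup. This is an added example, not part of the original guide; the function names, the 7-day window and the sample tree are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: read-only triage of the locations in the table above.
# Nothing is deleted or changed; every hit is a lead for manual review.

# PHP-executable files under uploads/ (they shouldn't be there).
find_upload_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Files under wp-content/ modified within the last N days (default 7).
find_recent_changes() {
    find "$1/wp-content" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# Redirect and handler directives in every .htaccess. A stock WordPress
# .htaccess has RewriteRule lines of its own, so read each hit in context.
find_htaccess_rules() {
    find "$1" -type f -name .htaccess -exec grep -HnEi \
        'RewriteRule|Redirect|auto_prepend_file|AddHandler|SetHandler' {} + 2>/dev/null || true
}

# Constructed sample tree (file names and contents are made up for the demo).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024/05" "$d/wp-content/themes/demo"
    : > "$d/wp-content/uploads/2024/05/photo.jpg"
    echo '<?php // placeholder' > "$d/wp-content/uploads/2024/05/cache.php"
    echo '<?php // theme code' > "$d/wp-content/themes/demo/functions.php"
    echo 'RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]' \
        > "$d/wp-content/uploads/.htaccess"
    # Age everything except the planted file so only it counts as recent.
    touch -t 202001010000 "$d/wp-content/uploads/2024/05/photo.jpg" \
        "$d/wp-content/themes/demo/functions.php" "$d/wp-content/uploads/.htaccess"
    echo "$d"
}

# Command-line use: sh triage.sh SITE_ROOT
if [ "$#" -ge 1 ]; then
    echo "== PHP in uploads ==";          find_upload_php "$1"
    echo "== Changed in last 7 days ==";  find_recent_changes "$1" 7
    echo "== .htaccess directives ==";    find_htaccess_rules "$1"
fi
```

An empty result from these checks does not mean the site is clean; it only means these particular locations show nothing obvious.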

Use a scanning tool:

  • Wordfence Security: Free plugin with complete file scanning
  • Sucuri SiteCheck: Free online scanner
  • WPScan: Command-line tool for thorough scanning

For a professional and comprehensive analysis, contact the WpDefender team. Our experts have advanced tools to identify even the most hidden backdoors.

5. Change all passwords (Minutes 10-13)

Assuming the attacker may have accessed your credentials, you need to reset everything.

Complete list of passwords to change:

  1. WordPress admin account — Via the Profile page in wp-admin
  2. MySQL database — Via your hosting control panel
  3. FTP/SFTP account — Via the hosting control panel
  4. Hosting account — The cPanel/Plesk panel password
  5. All WordPress admin accounts — All users with the "Administrator" role
  6. WordPress security keys — In wp-config.php, generate new keys via api.wordpress.org/security/keys
  7. Associated email accounts — Especially if attackers could have accessed them

Golden rule: Use a password manager and generate 20+ character passwords for each service. No password should be reused.

6. Contact a security expert (Minutes 13-15)

At this point, you've done everything you could in an emergency. Now it's time to bring in professionals.

Why an expert is essential:

  • Hidden backdoors: Attackers often plant backdoors invisible to basic scans
  • Subtly modified files: A single line of malicious code can compromise the entire site
  • Database: SQL injections can be deeply buried
  • Root cause: Without understanding how the intrusion occurred, the hack will happen again


7. Complete recovery steps

After the emergency intervention, here are the steps to fully recover your site:

Step 1: File restoration

  • Reinstall WordPress core from wordpress.org
  • Restore your themes and plugins from reliable sources (not the compromised backup)
  • Compare file by file with the original version to detect modifications
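
The file-by-file comparison in Step 1 can be done with a short script that takes a clean reference copy (for example a fresh download of the same WordPress version, unpacked locally) and the suspect tree. This is an added example, not part of the original guide; the function names and sample trees are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: compare a suspect tree with a clean reference copy, file by file.
# Read-only: it reports differences and changes nothing.

# diff_against_clean CLEAN_DIR SUSPECT_DIR
# Prints one line per difference: ADDED, MODIFIED or MISSING, then the path.
diff_against_clean() {
    clean=$1; suspect=$2
    ( cd "$suspect" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED $f"          # present only in the suspect tree
        elif ! cmp -s "$clean/$f" "$suspect/$f"; then
            echo "MODIFIED $f"       # same path, different bytes
        fi
    done
    ( cd "$clean" && find . -type f | sort ) | while IFS= read -r f; do
        [ -f "$suspect/$f" ] || echo "MISSING $f"
    done
}

# Constructed sample trees (made-up contents); prints "CLEAN_DIR SUSPECT_DIR".
make_sample_pair() {
    c=$(mktemp -d); s=$(mktemp -d)
    mkdir -p "$c/wp-includes" "$s/wp-includes"
    echo '<?php // core file' > "$c/wp-includes/version.php"
    echo '<?php // core file' > "$s/wp-includes/version.php"
    echo '<?php // loader' > "$c/index.php"
    echo '<?php // loader plus an extra line' > "$s/index.php"
    echo '<?php // unknown file' > "$s/wp-includes/class-cache.php"
    echo 'readme' > "$c/readme.html"
    echo "$c $s"
}

# Command-line use: sh compare.sh CLEAN_DIR SUSPECT_DIR
if [ "$#" -eq 2 ]; then diff_against_clean "$1" "$2"; fi
```

Where WP-CLI is installed, `wp core verify-checksums` performs the equivalent check for core files against the checksums published by wordpress.org.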

Step 2: Database cleanup

  • Remove unauthorized users
  • Check the wp_options table for injected code
  • Clean malicious redirects in WordPress options
  • Examine posts and pages for injected content

Step 3: Post-recovery verification

  1. Check your site on Google Search Console
  2. Test all site functionality
  3. Monitor server logs for 48 hours
  4. Verify the site is no longer on Google's blacklist

8. Prevention for the future

A hack is an expensive lesson. Here are the essential measures to never experience this situation again. For a comprehensive approach, go through our 25-point WordPress security checklist.

Basic security:

  • Updates: Keep WordPress, themes, and plugins up to date at all times
  • Passwords: Use unique and complex passwords (20+ characters)
  • Two-factor authentication: Enable 2FA on all administrator accounts
  • Login attempt limiting: Block IPs after 3 failed attempts

Advanced security:

  • Web application firewall: Install a firewall plugin like Wordfence or Sucuri
  • Automatic backups: Configure automatic daily backups stored off-server
  • Regular scanning: Perform weekly security scans
  • Monitoring: Enable notifications for file modifications
  • Security headers: Implement HTTP security headers (CSP, X-Frame-Options, etc.)
  • File permissions: Set proper file permissions (644 for files, 755 for directories)

Why prevention is cheaper than recovery:

The average cost of recovering from a WordPress hack ranges from €500 to €5,000 for small businesses, not counting lost revenue during downtime. In contrast, a comprehensive security solution like WpDefender costs a fraction of that amount while providing continuous protection. Prevention is always more cost-effective than emergency response.

The best investment:

The best way to protect your site is to trust professionals. WpDefender's security services include 24/7 monitoring, automatic scans, and guaranteed emergency response in under 30 minutes.
