Step 01

Don’t Panic — Take Your Site Offline First

Put your website in maintenance mode immediately to prevent visitors from being exposed to malware. Contact your hosting provider — many have a one-click ‘suspend site’ option. This buys you time to clean it properly.

Step 02

Change All Passwords Immediately

Change your WordPress admin password, hosting control panel password, FTP password, and database password. Use strong, unique passwords for each. Enable two-factor authentication where possible.

Step 03

Scan Your Site with a Security Plugin

Install Wordfence or Sucuri Security and run a full scan. These plugins identify infected files, modified core files, and suspicious code injections. Note every file flagged.

Step 04

Restore From a Clean Backup

If you have a recent backup from before the hack, restore it. Most hosting providers (cPanel, Hostinger, SiteGround) offer automatic daily backups. This is the fastest clean solution.

Step 05

Manually Remove Malware if No Backup Exists

If no backup is available: reinstall WordPress core files, delete and reinstall all plugins from official sources, delete and reinstall your theme. Check wp-config.php, .htaccess, and index.php for injected code.

Step 06

Remove Your Site from Google’s Blocklist

If Google flagged your site, go to Google Search Console → Security Issues. After cleaning, request a review. Google typically clears the warning within 24–72 hours of a successful review.

Step 07

Harden Your WordPress Security

After cleaning: keep WordPress, themes, and plugins updated always. Remove unused plugins and themes. Limit login attempts. Use a security plugin. Move your login URL from /wp-admin to a custom URL.

Step 08

Set Up Ongoing Monitoring

Install uptime monitoring and security scanning so future attacks are detected immediately — not weeks later. Wordfence and Sucuri both offer real-time monitoring.

How did my WordPress site get hacked?

The most common causes are outdated plugins or themes, weak admin passwords, nulled (pirated) themes or plugins, and shared hosting compromised by another website.

Will Google remove my site from search results if it’s hacked?

Google may show a ‘Site may be hacked’ warning and reduce your rankings. Once you clean the site and request a review via Search Console, rankings typically recover within a few weeks.

How long does it take to clean a hacked WordPress site?

With a backup, 2–4 hours. Without a backup, manual cleaning can take 1–2 days depending on the extent of the infection.

Should I hire a professional to fix my hacked site?

If you are not technically confident, yes. A professional can clean it faster and ensure no backdoors are left behind. Leaving even one infected file means the site will be re-hacked.

How do I prevent my WordPress site from being hacked again?

Keep everything updated, use strong unique passwords, install a security plugin, use a reputable hosting provider, and take weekly backups.