Your WordPress Site Got Hacked: What to Do Now

Discovering that your WordPress site has been hacked is simultaneously alarming and somehow not surprising. If you've been running WordPress long enough, it probably felt like a matter of when, not if.

Here's what to do immediately, how to understand what happened, and how to think about what comes next.

Immediate Steps

Step 1: Don't panic — but act today.

A hacked WordPress site may be serving malware to your visitors, being used to send spam email, or silently redirecting visitors to scam sites. None of these things improve with waiting.

Step 2: Take the site offline.

If you can put the site into maintenance mode through your hosting panel, do it now. Keeping a compromised site online while you figure out next steps means you may be actively harming your visitors. Google blacklists sites that serve malware, and getting off that blacklist takes time.

Step 3: Change all passwords immediately.

Change your WordPress admin password, your hosting panel password, and your database password. If you use the same password anywhere else, change those too. Lock out the attackers before you start cleaning up.

Step 4: Contact your host.

Good managed WordPress hosts have malware scanning and remediation as part of their offering. Contact support immediately. Some will help with cleanup. All of them need to know.

Step 5: Hire a professional for cleanup.

Properly remediating a hacked WordPress site requires finding every compromised file, every backdoor left behind, and every malicious redirect. Missing anything gives attackers a way back in. Services like Sucuri and Wordfence offer professional cleanup starting around $199–$500 per incident.[1]
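
Before handing the site to a host or cleanup service, a first-pass inventory helps you describe what you are dealing with. The script below is an added example, not code from this article or from Sucuri or Wordfence; it walks a copy of the document root and flags the three things Step 5 names (dropped files, backdoor-style code, redirect rules). The indicator patterns, the file names and the sample tree are constructed assumptions for the demonstration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic patterns (assumed for this example, not a maintained signature set).
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
EXTERNAL_REDIRECT = re.compile(rb"RewriteRule\s+\S+\s+https?://")


def triage(root, changed_within_days=7, now=None):
    """Return {indicator: [paths relative to root]} for a WordPress document root."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - changed_within_days * 86400
    out = {"php_in_uploads": [], "recently_changed": [],
           "obfuscation_calls": [], "redirect_rules": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in (".php", ".phtml", ".php5")
        if is_php and name.startswith("wp-content/uploads/"):
            out["php_in_uploads"].append(name)      # uploads should hold media only
        if path.stat().st_mtime >= cutoff:
            out["recently_changed"].append(name)    # compare against your own deploy dates
        if is_php and OBFUSCATION.search(path.read_bytes()):
            out["obfuscation_calls"].append(name)   # typical of dropped backdoors
        if path.name == ".htaccess" and EXTERNAL_REDIRECT.search(path.read_bytes()):
            out["redirect_rules"].append(name)      # sends visitors off-site
    return out


def build_sample_site():
    """Constructed sample tree for offline demonstration (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "wp-content/plugins/seo/seo.php": b"<?php function seo_init() {}",
        "wp-content/uploads/2024/01/photo.jpg": b"\xff\xd8\xff",
        "wp-content/uploads/2024/01/cache.php": b"<?php eval(base64_decode('Q09OU1RSVUNURUQ='));",
        ".htaccess": b"RewriteEngine On\nRewriteRule ^(.*)$ https://example.invalid/$1 [R,L]\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    old = time.time() - 30 * 86400                 # legitimate files: untouched for a month
    for rel in ("index.php", "wp-content/plugins/seo/seo.php", "wp-content/uploads/2024/01/photo.jpg"):
        os.utime(root / rel, (old, old))
    return root
```

Run `triage("/path/to/docroot")` against a copy of the site and treat every hit as a lead to pass on, not as a verdict; it finds nothing a professional cleanup would not also check, and it cleans nothing.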

Why WordPress Gets Hacked So Much

Sucuri's 2021 Hacked Website Trend Report found that WordPress accounted for 95.6% of all CMS infections in their remediation dataset.[2] The reason is structural.

Patchstack's 2024 security report found that 96.77% of all newly disclosed WordPress vulnerabilities originated in plugins — not WordPress core.[3] Each plugin is a separate codebase with its own update cycle, security practices, and potentially no future updates at all if the developer abandons it.

WordPress powers roughly 43% of the internet.[4] That makes it an extremely attractive target for automated attacks — bots continuously scanning millions of sites for known vulnerable plugin versions.

Patchstack found that developers failed to provide a timely fix for 46% of disclosed vulnerabilities in 2024.[3] Even diligent site owners who update immediately are left exposed on nearly half of known vulnerabilities, because no patch exists yet.

After Cleanup: Hardening What You Have

If you're staying on WordPress, these steps reduce (but do not eliminate) future risk:

  • Enable two-factor authentication on the WordPress admin login
  • Change the default login URL from /wp-admin to something non-standard
  • Implement a Web Application Firewall (Cloudflare or Sucuri)
  • Update WordPress core, themes, and all plugins immediately after every release
  • Remove any plugins you're not actively using
  • Run regular malware scans with a reputable security plugin
  • Keep tested backups stored off-site

The Question Worth Asking

Being hacked is also an occasion to ask a harder question: is this the right platform for your business?

If you're a small business whose website exists to tell people who you are, what you do, and how to contact you — if you don't need e-commerce, a membership system, or a complex content workflow — you may not need WordPress at all.

A site built in plain HTML and CSS has an attack surface close to zero. There's no database to breach, no plugin vulnerabilities to exploit, no admin login to brute-force. The files that make up the site are just files, served directly by Cloudflare's global network. There is nothing for an attacker to get into.

See What WordPress Is Costing You

Use our free calculator — enter your real numbers and see the 3-year comparison.

Sources
  1. Sucuri cleanup service pricing and Wordfence Site Cleaning service. Current as of March 2026. sucuri.net / wordfence.com
  2. Sucuri. Hacked Website Trend Report, 2021. Dataset of sites remediated by Sucuri during 2021. WordPress accounted for 95.6% of CMS infections. Note: dataset skews toward WordPress given its market dominance. sucuri.net/reports
  3. Patchstack. State of WordPress Security 2024. Published 2025. patchstack.com/whitepaper
  4. W3Techs. Usage Statistics and Market Share of WordPress. Updated continuously. w3techs.com