My WordPress Website is Hacked. What should I do?

We are in a digital era, and in this era, everything is done online. Whatever you seek, it can be done online, be it for entertainment, information or business. This means that anyone with something to provide has a website and needs website builders. Did you know that over 43% of global websites are built through WordPress? Considering that there are over 1.93 billion websites worldwide, this is over eight hundred million. This is a huge number of websites built through WordPress, and the number is still on the rise. 


Considering the sheer quantity, it is natural to assume that many websites built through WordPress have been hacked. This is not an unfounded assumption either. Hackers search for any websites that can be hacked, and some of the affected ones are bound to be WordPress websites. 


What if you are among these people? What should you do? 


First of all, check for signs of your website being hacked!

Before you panic, you should check for the signs of websites being hacked. The good news is that it is fairly easy to check if your website is hacked or not. All you need to have is a good eye for detail and a bit of technical knowledge. That said, sometimes, you simply have an issue within the website without it being hacked. So always do a second check before you jump to conclusions. 


Following are some of the most common signs of your WordPress website being hacked.

You cannot log in 

Being unable to log in is not necessarily a sign of your WordPress website being hacked. Sometimes you may simply forget your password. Another reason unrelated to hacking is that your browser may have deleted your saved password. So always ensure that you have entered the proper user ID and password before jumping to conclusions. 


However, if you are 100% sure that your ID and password are correct and still cannot log in, it’s a sign that your WordPress website has been hacked. 


Your website has changes you never made

Regardless of the updates, your website will not change unless you change it. Even if there is an update in the version of tools you are using within the website, they will not make changes to your website unless you allow them to. 


So if you access your website and see changes that you did not make, then there is a good possibility of your website being hacked.


Your website is redirecting.

Unlike the previous two signs, if you try to view your website and are redirected to some other page, your website is hacked.


These are signs of someone hacking your WordPress site that are directly observable. However, you can also see indirect signs. If you search Google for your WordPress website and it shows a malware warning, or if your browser warns you of malware when you try to access your website, then there is a good chance that your WordPress website is hacked.


What should you do when your WordPress website is hacked?

After confirming that your WordPress website was hacked and that it was not just some error on your side, you can proceed to the recovery process. The gist of the recovery process is rather simple. You remove all the unnecessary data and re-install the needed data. Since you are the website owner, you should have the necessary tools and resources. 


Let’s talk about the steps to recover your WordPress website.

Step 1: Calm down

This is the most important step you must follow to recover your WordPress website. Just because it has been hacked doesn’t mean it is a complete loss of your website. If it is detected early enough, there will not be much damage. 


While we understand that you will be anxious, you can only follow the necessary steps by staying calm. If not, you can make the problem worse by panicking. 


Step 2: Put your website into maintenance mode and reset your password

This should be somewhat of an obvious point, but you do not want visitors when your website is compromised. Therefore, if you can access your website, you should put your website into maintenance mode and prevent the users from accessing your website.


You can do this through various plugins and configure the Maintenance mode page as you wish. 


Once you are done with this, reset your password immediately. This is not just about resetting your WordPress password. You should reset your SFTP password, Database password and your password with your hosting service provider. Along with this, you should also reset the passwords of all your website admins. 


This should not be an issue if you can still access your website, which you will be able to in most cases of being hacked. Hackers prefer your website to be operational so they can use your visitors. 

Step 3: Remove Users and Unwanted Files

Before proceeding with this step, ensure you know who the authorized users are. Have a chat with them and ensure they have not changed their login credentials and account details. If you find an odd user, remove them from your website. For this, you should:

  • Go to the Users screen.
  • Click the Administrator link above the users.
  • Click on the check box next to the fake user and select Delete from the Bulk actions drop-down menu. 


After removing the unwanted user, you should check your WordPress installation files. For this, you should install a security plugin that allows you to scan your website. If your WordPress website is hacked, then there will be unwanted files that you can delete. 
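The kind of file scan described above can be sketched as a comparison between the live installation and a clean copy of the same WordPress version. This is an added example, not code from the original article or from any security plugin; the function names, the constructed file trees and the three report categories are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")   # these directories hold only core files
UPLOADS = "wp-content/uploads/"             # media only: PHP here is never expected
PHP_EXT = (".php", ".phtml", ".phar")


def tree(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def audit(site: Path, clean: Path) -> dict:
    """Compare a live tree with a clean copy of the same WordPress version."""
    live, ref = tree(site), tree(clean)
    report = {"modified": [], "unexpected": [], "php_in_uploads": []}
    for rel in sorted(live):
        if rel in ref:
            if live[rel] != ref[rel]:
                report["modified"].append(rel)        # core file was altered
        elif rel.startswith(CORE_DIRS):
            report["unexpected"].append(rel)          # file core never shipped
        elif rel.startswith(UPLOADS) and rel.lower().endswith(PHP_EXT):
            report["php_in_uploads"].append(rel)      # executable in media folder
    return report


def demo() -> dict:
    """Audit a constructed site tree against a constructed clean tree."""
    core = {"index.php": "<?php // front controller",
            "wp-admin/admin.php": "<?php // admin bootstrap",
            "wp-includes/version.php": "<?php $wp_version = 'X.Y';"}
    tampered = {"wp-includes/version.php": "<?php $wp_version = 'X.Y'; // altered",
                "wp-includes/class-wp-tmp.php": "<?php // not part of core",
                "wp-content/uploads/2024/01/logo.png": "constructed image",
                "wp-content/uploads/2024/01/thumb.php": "<?php // constructed",
                "wp-config.php": "<?php // site-specific, absent from clean copy"}
    with tempfile.TemporaryDirectory() as tmp:
        for root, files in (("clean", core), ("site", {**core, **tampered})):
            for rel, body in files.items():
                path = Path(tmp, root, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return audit(Path(tmp, "site"), Path(tmp, "clean"))
```

To use it on a real site, call `audit()` with the document root and an unpacked official archive of the same WordPress version; WP-CLI's `wp core verify-checksums` performs a comparable check for core files.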


Step 4: Clean out your sitemap and resubmit. 

Technically this is an “if” situation, and you can skip this step if you know what you are doing. 


Sometimes the hackers only target a specific part of your website and hack the sitemap.xml file. Other times they target the entirety of your website, which includes the sitemap.xml file. Regardless, search engines will red-flag your WordPress website if this file is hacked. Clean out this file. 
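One way to clean the file is to keep only entries whose host is exactly your own site. This is an added example, not code from the original article; the sample sitemap is constructed, `example.com` stands in for your domain, and the function names are assumptions. Matching the host exactly, rather than searching for the domain as a substring, also catches look-alike hosts that merely start with your domain.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
LOC = f"{{{SITEMAP_NS}}}loc"

# Constructed sample: a sitemap with two injected entries (hosts are placeholders).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://www.example.com/about/</loc></url>
  <url><loc>https://shop.example.net/offer</loc></url>
  <url><loc>https://example.com.example.org/login</loc></url>
</urlset>"""


def is_own(url: str, site_host: str) -> bool:
    """True only for http(s) URLs whose host is exactly the site or its www alias."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:                      # malformed URL, e.g. broken IPv6 brackets
        return False
    return parts.scheme in ("http", "https") and host in (site_host, "www." + site_host)


def clean_sitemap(xml_bytes: bytes, site_host: str):
    """Return (removed_urls, cleaned_xml) for a urlset or sitemapindex document."""
    ET.register_namespace("", SITEMAP_NS)   # keep the default namespace on output
    root = ET.fromstring(xml_bytes)
    removed = []
    for entry in list(root):                # <url> or <sitemap> children
        loc = entry.find(LOC)
        url = (loc.text or "") if loc is not None else ""
        if not is_own(url, site_host):
            removed.append(url.strip())
            root.remove(entry)
    return removed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    gone, cleaned = clean_sitemap(SAMPLE, "example.com")
    print("removed:", gone)
    print(cleaned)
```

Because the file comes from a compromised site, treat it as untrusted input; the `defusedxml` package is a drop-in parser if entity-expansion tricks are a concern.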


Once you are done, you need to tell Google that your site has been cleaned and generate a sitemap using an SEO plugin. After this, add your site to Google Search Console and submit the sitemap for Google to crawl. 


You need to be patient here since this process can take up to two weeks. 


Step 5: Re-install the necessary files

By this point, you should have removed all threats to your WordPress website. So it’s now time to install all the necessary files, including the WordPress plugins and themes. 


Ensure that you are installing plugins from a trusted vendor. 


You will need to re-install the WordPress core if nothing else works. This is not a common case since hackers usually do not infect all of your WordPress core files. However, if it does happen, upload a clean set of WordPress files to your site through SFTP, overwriting the old files. 



When we hear about a website being hacked, we often think about the entire site changing or being replaced with some random screens. However, the reality is often disappointing compared to movies and much more dangerous. Hackers only infect a small part of a website and usually go unnoticed unless you are extremely cautious. For the hackers, your website is a free money-making machine and a treasure trove of information. 


The longer they go unnoticed, the better it is for them. This is also where you can take direct action. Since you will be able to access your WordPress, you can take action before things get worse. 


So we recommend that you use secure WordPress hosting for your WordPress site from one of the best and cheapest hosting providers in Nepal.