
What to Do When Your WordPress Website Gets Hacked

Discovering that your WordPress website has been hacked can be a nightmare for any website owner. Hackers can steal your personal information, damage your website, and ruin your reputation. The first steps you take after discovering a hack can be critical to minimizing the damage and getting your website back to normal. Here are the first steps to take when your WordPress website gets hacked.

Identify the Hack

The first step is to confirm that a hack has, in fact, taken place. Signs that your website has been hacked include:

  • Malicious code injected into your website
  • Strange URLs appearing on your website
  • Unusual activity on your website
  • Unusual traffic spikes

If you’re not absolutely sure, but you suspect that your website has been hacked, use a malware scanner like Sucuri or Wordfence to scan your website for any malicious code or files.

Take Your Website Offline

Once you have identified the hack, take your website offline. This prevents visitors from accessing your website and potentially infecting their devices, which also helps protect your reputation. You can take your website offline by temporarily disabling your hosting account or by using a plugin like WP Maintenance Mode.

Change Your Passwords

The next step is to change all your passwords. This includes your WordPress admin password, hosting account password, and any other passwords associated with your website. Use a strong, unique password that is not used on any other accounts. If possible, enable two-factor authentication for extra security.

Restore a Backup

If you have a backup of your website, you can restore it to a version from before the hack occurred. This will erase all the malicious code and files that the hacker injected into your website. If you don’t have a backup, you will need to manually remove the malicious code and files.

To do that, open your website’s files in a text editor and look for any suspicious code. The malicious code can be in the form of scripts, iframes, or redirects. Delete the malicious code and save the file. If you are not sure about the code, it’s best to consult a professional, as deleting the wrong code can cause more harm to your website.

Scan Your Website

After restoring a backup or removing the malicious code, scan your website again using a malware scanner to make sure that all the malicious files have been removed. You should also check your website’s files and directories for any suspicious files that were not removed by the scanner.
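
As an added example (not part of the original article, and not a substitute for a malware scanner), here is a short Python script that supports the manual review described in the two sections above. It flags PHP files inside wp-content/uploads and files containing the script, iframe, and redirect patterns mentioned earlier. The patterns, the SAMPLE tree, and the function name triage are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics only (assumed patterns, not a full signature set): the forms the
# article names for injected code, i.e. scripts, iframes and redirects.
PATTERNS = {
    "obfuscated eval": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden iframe": re.compile(rb"<iframe[^>]*(display\s*:\s*none|width=[\"']?0)", re.I),
    "remote script": re.compile(rb"<script[^>]+src=[\"']?https?://", re.I),
    "redirect": re.compile(rb"location\.(href|replace)\s*[=(]|header\s*\(\s*[\"']Location:", re.I),
}
CODE_EXT = {".php", ".js", ".html", ".htm"}

# Constructed sample tree (not from a real site), used by the demo below.
SAMPLE = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
    "wp-content/uploads/2024/logo.php": b'<?php eval(base64_decode("ZWNobyAxOw=="));',
    "wp-content/themes/demo/footer.php": b'<iframe src="http://example.invalid/" style="display:none"></iframe>',
}


def triage(root):
    """Return {relative_path: [reasons]} for files worth opening by hand."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        # PHP has no business inside the media upload directory.
        if rel.startswith("wp-content/uploads/") and path.suffix.lower() == ".php":
            reasons.append("php in uploads")
        if path.suffix.lower() in CODE_EXT:
            data = path.read_bytes()
            reasons += [name for name, rx in PATTERNS.items() if rx.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed sample
        for rel, body in SAMPLE.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_bytes(body)
        for rel, why in triage(tmp).items():
            print(f"{rel}: {', '.join(why)}")
```

A hit means the file deserves to be opened and read, not deleted outright, since legitimate themes and plugins also load remote scripts and issue redirects. To check a real site, call triage() on a downloaded copy of its files.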

Update Your Website

Outdated plugins, themes, and WordPress versions are a common entry point for hackers. Make sure that all your plugins, themes, and WordPress itself are updated to the latest version. This will fix any security vulnerabilities and reduce the risk of future hacks.

Strengthen Your Security

Finally, strengthen your website’s security to prevent future hacks. This includes:

  • Using a security plugin like Wordfence or Sucuri
  • Installing an SSL certificate to encrypt your website’s traffic
  • Using strong passwords and two-factor authentication
  • Limiting the number of login attempts
  • Regularly backing up your website
  • Monitoring your website for unusual activity


Discovering that your WordPress website has been hacked can be a stressful experience, but taking the right steps can help you minimize the damage and get your website back to normal. Remember to identify the hack, take your website offline, change your passwords, restore a backup, scan your website, update your website, and strengthen your security. With these steps, you can secure your website and protect it from future hacks. And if all of these fail, you can always contact your hosting service provider for assistance.


© 2024 All rights reserved.