Help! My WordPress site has been hacked!

Team Acadia

Step one: Breathe. Remembering to stay calm is the most important step to take when you suspect a hack! The reality of owning a website is that you invariably open yourself up on a daily basis to the possibility of a hacker, thief, or other garden variety day-ruiner breaking in and running amok.

Here are some tips for helping you protect your site and remaining calm in the event you have to deal with a hacked WordPress site.

An Ounce of Prevention

Before jumping in, let’s go over an important note on preparedness and prevention. You have car insurance, don’t you? Your site needs the same kind of protection. We recommend regularly backing up your website files and database and storing the zip files somewhere other than your server (Dropbox, external hard drive, etc.). You can set this up to run automatically using either of the following options.

First option (recommended): select a hosting provider that includes managed backups as part of your service agreement. We are partial to WP Engine.

Second option (for the DIY contingent): use a plugin such as BackWPup and set up the automated backup schedule yourself. Remember to make sure the resulting zip files are stored somewhere other than your server. In the event of a website hack, any files on your server are at great risk of being compromised. This includes backup zip files. You also need to periodically check to make sure the automated process is running without issue (remember, DIY = do it yourself). Add some quarterly reminders to your calendar, then rest easy knowing you have a plan in place should your website ever come under attack.
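One way to do that periodic check, as an added example (not part of BackWPup or any plugin): a small Python script that looks at the newest zip in your off-server backup folder and confirms it is recent, readable, and contains both site files and a database dump. The seven-day limit and the assumption that the archive holds a wp-config.php and a .sql file are choices made for this example.

```python
import sys
import time
import zipfile
from pathlib import Path

MAX_AGE_DAYS = 7  # assumption: backups run at least weekly


def check_latest_backup(backup_dir, max_age_days=MAX_AGE_DAYS, now=None):
    """Return (ok, message) for the newest .zip archive in backup_dir."""
    now = time.time() if now is None else now
    archives = sorted(Path(backup_dir).glob("*.zip"),
                      key=lambda p: p.stat().st_mtime)
    if not archives:
        return False, "no backup archives found"
    latest = archives[-1]

    # 1. Is the scheduled job still running? A stale newest file says no.
    age_days = (now - latest.stat().st_mtime) / 86400
    if age_days > max_age_days:
        return False, f"{latest.name} is {age_days:.0f} days old"

    # 2. Can the archive actually be read back? testzip() checks every CRC.
    try:
        with zipfile.ZipFile(latest) as zf:
            corrupt = zf.testzip()
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, f"{latest.name} is not a readable zip"
    if corrupt is not None:
        return False, f"{latest.name}: corrupt member {corrupt}"

    # 3. Does it hold both halves of the site: the files and the database?
    if not any(n.endswith("wp-config.php") for n in names):
        return False, f"{latest.name} has no site files (wp-config.php)"
    if not any(n.endswith((".sql", ".sql.gz")) for n in names):
        return False, f"{latest.name} has no database dump"
    return True, f"{latest.name} OK"


if __name__ == "__main__" and len(sys.argv) > 1:
    ok, message = check_latest_backup(sys.argv[1])
    print(message)
    sys.exit(0 if ok else 1)
```

Run it against the folder where the zips land (for example a synced Dropbox folder); a non-zero exit code means the backup needs attention.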

Pro tip: use the Sucuri plugin to automatically scan for malware. The notifications can be a little complex to set up at first, but the end result of having an arsenal of anti-malware tools, including an automatic email in the event of a brute force attack or admin password change, is well worth the effort.

Hindsight is 20/20

If you are reading this, it might be too late (hope you’re remembering to breathe). Hopefully, you had some sort of backup strategy already in place. In this case, restore from your backup, change your password, and then you are ready to rock n roll! 

If not, keep breathing and act as quickly as you can. First, immediately change your WordPress password and make sure no new WordPress user accounts have been created. 

Use Sucuri or other similar (free) plugins to scan for the hacks. These will tell you your site’s status as well as identify where the hack is hiding. An additional quick tip is to scan for any WordPress themes or plugins that are currently inactive; most likely hackers will use these to gain backdoor access to your website. See if you can delete these as a first step toward minimizing the severity of the hack.
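If your host gives you command-line access with WP-CLI installed (an assumption; it is not mentioned in the original post), the account and inactive-plugin checks above can be done in one pass. This added example reads the JSON printed by `wp user list --format=json` and `wp plugin list --format=json` (or `wp theme list --format=json`); the sample data, the list of known administrators, and the cutoff date are constructed for illustration.

```python
import json
from datetime import datetime


def audit_users(users_json, known_admins, since):
    """Flag administrators you do not recognise and accounts created
    on or after `since` (YYYY-MM-DD, e.g. a few days before the hack)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        # WP-CLI prints roles as a comma-separated string
        roles = [r.strip() for r in user["roles"].split(",")]
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and login not in known_admins:
            findings.append((login, "unexpected administrator"))
        if registered >= cutoff:
            findings.append((login, f"registered since {since}"))
    return findings


def inactive_extensions(list_json):
    """Names of installed-but-inactive plugins or themes to review and delete."""
    return sorted(item["name"] for item in json.loads(list_json)
                  if item["status"] == "inactive")


# Constructed sample output, shaped like `wp user list --format=json`
SAMPLE_USERS = """[
 {"ID": 1, "user_login": "siteowner", "roles": "administrator",
  "user_registered": "2019-04-02 10:15:00"},
 {"ID": 7, "user_login": "editor_amy", "roles": "editor",
  "user_registered": "2020-11-20 08:00:00"},
 {"ID": 42, "user_login": "wp_support", "roles": "administrator",
  "user_registered": "2021-06-01 03:12:44"}
]"""

# Constructed sample output, shaped like `wp plugin list --format=json`
SAMPLE_PLUGINS = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "1.0"},
 {"name": "old-slider", "status": "inactive", "update": "available", "version": "1.0"},
 {"name": "hello", "status": "inactive", "update": "none", "version": "1.0"}
]"""

if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_USERS, {"siteowner"}, "2021-05-25"):
        print(f"{login}: {reason}")
    print("inactive:", ", ".join(inactive_extensions(SAMPLE_PLUGINS)))
```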

Next, run through this helpful checklist (source:

  • Can you log in to your WordPress admin panel?
  • Is your WordPress site redirecting to another website?
  • Does your WordPress site contain illegitimate links?
  • Is Google marking your website as insecure?

Afterward, check in with your hosting company and share what you were able to find out with them. Many have very helpful tools to guide you through the tough waters. They may even help you get your site up and running again (sans infected files).

If they can’t (or won’t) help you, then consider reaching out to your ‘web person.’ There’s no guarantee they’ll be able to restore the site, especially if you don’t have backups on hand. However, if neither you nor your hosting company can fix the hack, the next step is to call in the big guns.

Pro Tip: delete any themes or plugins not in use. Update plugins and themes as soon as an update is available (after backing up the site first). Failure to keep your plugin roster in proper check leads to the backdoor access points referenced above.

Pro Tip: when shopping for a hosting plan, do some research and don’t automatically go for the lowest priced option. It’s way better to find out upfront that a company won’t help you in the event your site is hacked than to find out in that horrible moment you realize your site has been compromised. In keeping with the theme of this post, an ounce of prevention is worth a pound of cure.
