Website security is an important aspect of online presence that many website owners tend to overlook. A hacked website can lead to the loss of data, reputation, and customers.

With the increasing prevalence of online threats such as malware, phishing attacks, and hacking incidents, website owners must prioritize their site's security. One of the most popular website platforms in the world today is WordPress.

WordPress powers over 40% of all websites on the internet today. While this makes it a highly convenient platform for building websites, it is also an attractive target for hackers.

WordPress sites are often targeted by cybercriminals who exploit vulnerabilities in plugins, themes, or outdated software versions. In recent years there has been a sharp increase in the number of WordPress site hacks globally.

In fact, according to Sucuri's Website Hacked Trend Report 2022, over 90% of all Content Management System (CMS) compromises were attributed to WordPress sites alone. This emphasizes just how important it is for WordPress site owners to take necessary steps towards securing their sites from malicious activity and ensuring that they are prepared in case their site gets hacked.

Signs that your WordPress site has been hacked

WordPress is one of the world's most widely used content management systems. It is an excellent platform for building websites of any kind, from small blogs to large e-commerce sites.

However, WordPress sites are vulnerable to hacking attempts like any other website. Hackers can gain access to your website and use it for their own purposes without your knowledge.

Therefore, it's important to know the signs indicating your WordPress site has been hacked. One common sign that indicates a hacked website is slow loading time.

If you notice that your website takes longer than usual to load or if it doesn't load at all, there could be malicious code running in the background of your site. This malicious code can cause a heavy load on your server resources, leading to slower page speeds.

Another sign that alerts you of a hacked site is unusual pop-ups. Sometimes hackers insert pop-ups on websites as part of their strategy to spread malware or collect user data surreptitiously.

These pop-ups may look like they are part of the website design but often contain phishing links or other harmful content. A third sign of a hacked WordPress site is strange redirects.

If you click on a link on your website and it takes you to an unrelated page or an unsecured shopping cart page, someone may have hijacked these links and pointed them elsewhere for unknown purposes. If you notice slow loading times, unusual pop-ups, or strange redirects on your WordPress site, don't ignore them: they might be signs that malicious actors are trying to compromise and take control of your website's assets and data.

Stay calm and assess the situation

If you find that your WordPress website has been hacked, it's important to remain calm and not panic. Reacting hastily could lead to further damage to your website.

Instead, take a deep breath and assess the situation. Check if your website displays any unexpected pop-ups, redirects, or slow loading times.

Look for any suspicious activity on user accounts or unusual modifications made to web pages. Next, assess the extent of the damage caused by the hack.

Determine if private information such as credit card details or personal data has been compromised. Analyze whether any changes have been made to crucial functionalities like login screens or backup files.


Backup your website immediately

Backing up your WordPress website should be done regularly, as it helps when you need to restore data lost in an attack. When you notice that your site has been hacked, back up all of its files immediately before taking any further steps toward recovery. To back up your WordPress site, navigate to Dashboard > Tools > Export from within the WordPress admin area.

Select the “All content” option under the “Choose what to export” section, then click the “Download Export File” button on the next page to download an XML file with all of your site's content. Note that this file holds posts, pages, comments and similar content only; it does not include theme, plugin or uploaded media files. Remember that frequent backups are an essential safeguard, since hackers can gain access through vulnerabilities in plugins on the websites they target.

Change all passwords

After detecting a hack, one of the first things you should do is change all passwords associated with user accounts on your website, including admin accounts and email account(s) used for managing them. When updating passwords, make sure they are strong enough and do not use personal information easily guessed by hackers, such as DOB (date of birth), SSN (Social Security Number), pet names, etc. It’s recommended that users use password managers to generate and store passwords for them securely.

By changing all passwords, you can restrict unauthorized access to valuable information on your website. Additionally, if any data has been compromised through the hack, changing passwords will prevent hackers from accessing it in the future.

Scan your computer for malware

Malware is any malicious software designed to disrupt the functionality of a computer system. It’s important that you scan your device for malware, as hackers can spread it from a hacked website to other connected devices, such as computers that are used to manage the site.

Download and run anti-malware software like Malwarebytes or Norton Security on your device to do this. Once installed, launch the program and select the “Full Scan” option.

This will scan all files and folders on your computer for any traces of malware. If any malware is detected, follow the instructions provided by the anti-malware tool to remove it completely from all affected files.

Contact your web host provider

Web hosts play an essential role in maintaining security on WordPress sites. If you've detected a hack on your site, contact your web hosting provider immediately, as they can provide valuable assistance in recovering hacked sites. When contacting web host support, note down any suspicious activity or changes you’ve identified related to this incident.

Having this information at hand helps support staff understand what could have led to the attack so that they can better help prevent future ones. Details about specific symptoms observed by users are also useful to have before repairs are attempted. Your host might also offer tips for hardening security measures, improving backup procedures, or updating software to fix vulnerabilities associated with the plugins used on WordPress websites hosted on their servers.

Remove malicious code from your website

Hackers inject malicious code into websites to steal valuable data or take control of the systems running those pages. To avoid further damage, it's crucial to identify and remove malicious code from your website once it is detected. To do so, you can use WordPress security plugins such as Sucuri or iThemes Security Pro, whose malware scanners detect and help you remove known malware on your website.

Alternatively, knowledgeable users can manually review the source code of their website pages to find and delete malware. Be cautious here, though. If you are unsure what you’re doing, it’s recommended that professional expertise be sought to prevent further damage during this process.
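For the manual review described above, a small script can narrow down which files to read first. This is an added example, not part of the original article or any plugin's code: the patterns, the `scan_tree` and `build_sample_site` names, and the sample files are constructed for illustration, and a match is only a lead for a closer look.

```python
import re
import tempfile
from pathlib import Path

# Constructs that are rare in legitimate theme/plugin code but common in injected
# PHP. A hit is a lead for manual review, not proof of compromise.
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "very-long-encoded-string": re.compile(rb"[A-Za-z0-9+/=]{500,}"),
}

def scan_tree(root):
    """Return {relative_path: [reasons]} for PHP files worth a manual look."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        # Media uploads live here; executable PHP in this folder is unexpected.
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php-in-uploads")
        data = path.read_bytes()
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings

def build_sample_site(root):
    """Write a small constructed tree: one clean file and two that get flagged."""
    samples = {
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('init', 'demo_setup');\n",
        # Harmless stand-in for an injected loader (decodes to "echo 1;").
        "wp-content/uploads/2023/05/cache.php":
            '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n',
        "wp-content/plugins/demo/inc.php":
            '<?php $blob = "' + "QUJD" * 200 + '";\n',
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, reasons in scan_tree(site).items():
            print(f"{rel}: {', '.join(reasons)}")
```

Run it against a downloaded copy of the site rather than the live server, and compare any flagged file with a fresh copy of the same plugin or theme before deleting it.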

Update plugins, themes, and core files

Hackers often exploit vulnerabilities within outdated software versions, including WordPress core files and third-party plugins. To prevent these types of hacks from occurring in the future, it's important to keep your site up-to-date with the latest version of its software.

Check for any available updates for plugins used on your site through the WordPress dashboard > Plugins page, which lists all installed plugins currently active. Click the “update” button next to each listed item to update a plugin.

Do the same for available theme updates by navigating to Appearance > Themes, then click the “update now” button next to any listed theme name(s). WordPress core files also require periodic updating as new features are added while security vulnerabilities are patched over time.

Check for updates via the Dashboard > Updates screen periodically (weekly or monthly, depending on the frequency of releases). Click “Update Now” when it is available below the WordPress heading.

Harden security measures

After a hack attempt is detected, it's important to harden your security measures against future attacks. One way of doing this is to implement two-factor authentication (2FA), which adds an extra layer of protection by requiring anyone accessing an account to provide a second form of identification in addition to the username and password. Other measures include using stronger passwords of more than ten characters and installing well-known security plugins such as iThemes Security, Jetpack, or Sucuri, which help prevent attacks by limiting access to sensitive areas (e.g., the login page) by blocking IP addresses after repeated failed attempts.
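The "block after repeated failed attempts" rule can also be checked against your own access log to see which addresses would have been locked out. This is an added example, not code from the article or from any of the plugins named: the log lines are constructed, the threshold and window are illustrative, and it assumes a failed WordPress login is a POST to wp-login.php answered with status 200 while a successful one is answered with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.55 - - [12/May/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
192.0.2.55 - - [12/May/2023:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
203.0.113.7 - - [12/May/2023:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4301 "-" "-"
203.0.113.7 - - [12/May/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
203.0.113.7 - - [12/May/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
203.0.113.7 - - [12/May/2023:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
198.51.100.20 - - [12/May/2023:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
198.51.100.20 - - [12/May/2023:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.55 - - [12/May/2023:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_lockouts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: time of the failure that reached `threshold` within `window`}."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failed logins
    locked = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        # Assumption: POST + 200 means the login form was shown again (failure);
        # a successful login is redirected with 302 and is not counted.
        if method != "POST" or not path.startswith("/wp-login.php") or status != "200":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # forget failures older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in locked:
            locked[ip] = when
    return locked

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} would be blocked at {when.isoformat()}")
```

In the sample, only the address with three failures inside five minutes is reported; the slow, spread-out failures and the visitor who mistyped once and then logged in are not.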


While having your WordPress site hacked is a frustrating experience, it's important to remain calm and take action as soon as possible. By following the basic steps outlined above, you can minimize damage to your website and prevent further harm from occurring.

To recap, if you suspect your WordPress site has been hacked, the first step is to back up your website immediately. This ensures that data loss is minimized during the recovery process.

Next, change all passwords associated with the website and scan your computer for malware to prevent further hacking attempts. It's also important to contact your web host provider for assistance in recovering a hacked site.

They can provide valuable insights and support during this challenging time. Additionally, be sure to remove any malicious code from your website and update plugins, themes, and core files.

Take steps to harden security measures on your WordPress site so that it doesn't get hacked again in the future. Implementing two-factor authentication and regularly updating files are just a few ways to protect yourself against cyberattacks.

Although getting hacked can be unsettling, following these basic steps will help you recover quickly and strengthen security measures moving forward. Don't let a hacking attempt discourage you from running a successful WordPress site – take action today!


Website HQ is a boutique agency in Jacksonville, FL, that restores hacked WordPress websites and offers custom WordPress designs for businesses around the globe.