Your WordPress Site Got Hacked. Here's What to Do in the Next 24 Hours.

You just found out your WordPress site is hacked. Maybe Google is showing a red “Deceptive site ahead” warning. Maybe your homepage is redirecting to some spam site selling knockoff sunglasses. Maybe you spotted admin accounts you didn’t create.

Whatever the symptom — take a breath. This is serious, but it’s fixable. I’ve cleaned up hundreds of hacked WordPress sites over 15 years. The situation feels worse than it is, as long as you act quickly and don’t make it worse first.

This guide is written for you — the business owner — not for a developer. No jargon. No “connect via SFTP and replace wp-config.php.” Just clear steps in plain English.


First: What NOT to Do

Before anything else, avoid these mistakes. I see them every week.

Don’t delete your site and start over. Your content, your SEO rankings, your customer data — all of that matters. A cleanup preserves what you’ve built. Starting from scratch throws it away.

Don’t change every password in a panic. Yes, passwords need changing — but not yet. If there’s a backdoor on your site (there probably is), changing passwords does nothing. The hacker gets right back in. Passwords come after the cleanup.

Don’t install five security plugins at once. More plugins won’t help. The site is already compromised. Piling on plugins can actually make the cleanup harder and slow your site down further.

Don’t pay the first person who DMs you offering to fix it for $50. Cheap cleanups miss backdoors. You’ll be hacked again in 2-3 weeks. I’ve cleaned sites that were “already cleaned” three times by different people.


The First 30 Minutes

Here’s what to do right now, in order.

1. Document what you see

Take screenshots of everything unusual. The redirect URL. The Google warning. Any weird admin accounts. Any suspicious emails you received. This matters for your hosting provider, for any professional you hire, and potentially for legal reasons.

2. Contact your hosting provider

Call or live-chat your host. Tell them your site has been hacked. Ask them to:

  • Check if they have a clean backup from before the hack
  • Tell you when the hack likely started (they can often see this in server logs)
  • Temporarily restrict access to the site if the hack is actively spreading

Most decent hosts have a security team that deals with this daily. They won’t judge you. This is routine for them.

3. Don’t take the site down (usually)

Your first instinct might be to pull the site offline. In most cases, don’t. A site that’s down loses you more than a site that’s compromised — especially if Google hasn’t flagged it yet. The exception: if the hack is actively stealing customer payment data (like a credit card skimmer on a WooCommerce checkout), take it down immediately.

4. Check if Google has flagged you

Go to Google Search Console. If you haven’t set this up — that’s a problem for later, but right now, just Google your business name. If you see “This site may be hacked” or “Deceptive site ahead” in the results, Google knows. This means your organic traffic has effectively dropped to zero until it’s resolved.

5. Decide: DIY or hire someone

Be honest with yourself here.

Handle it yourself if:

  • You’re comfortable navigating your WordPress dashboard
  • The hack is minor (a single spam page, no redirects, no Google warning)
  • You have a recent backup you can restore from
  • You have time to spend 3-5 hours on this today

Hire a professional if:

  • You don’t know what “wp-admin” means
  • Your site is redirecting, Google has flagged it, or you see unknown admin accounts
  • You have a WooCommerce store or collect any customer data
  • The hack has been live for more than a few days
  • You already tried to fix it and it came back
  • Your developer disappeared and you have no idea how the site works

There’s no shame in hiring someone. You wouldn’t fix your own plumbing if your basement was flooding.


What This Hack Is Actually Costing You

Most business owners think “I’ll get to it next week.” Here’s why that’s expensive.

Traffic: When Google adds a “Deceptive site ahead” warning, your organic traffic drops by 60-90% overnight. Every day you wait is a day your potential customers see a red warning page instead of your business.

SEO recovery: Even after the hack is cleaned, it takes 2-8 weeks for Google to fully restore your rankings. The longer the hack stays active, the longer the recovery. Sites that sit hacked for months sometimes never fully recover their previous rankings.

Customer trust: If a customer visits your site and gets redirected to spam, they’re not coming back. They’re going to your competitor. And they’re telling their friends.

Real money: If you’re an e-commerce store doing €5,000/month through your site, every week of downtime or reduced traffic costs you €1,000+. The cost of a professional cleanup (typically €200-500) pays for itself in a day.


The GDPR Question Nobody Talks About

If your business serves EU customers — and if you’re reading this in Europe, it does — a hacked website might be a data breach under GDPR.

Article 33 says: If personal data was potentially exposed (names, emails, addresses, payment info), you must notify your data protection authority within 72 hours of becoming aware.

Does your WordPress site have:

  • A contact form? Those submissions contain names and emails.
  • A newsletter signup? That’s personal data.
  • A WooCommerce store? Names, addresses, payment history.
  • User accounts? Email addresses and passwords.

If any of these were compromised, you may have a legal obligation to report it. The fines for failing to notify are up to €10 million or 2% of your global annual turnover.

I’m not a lawyer. But I am someone who’s seen business owners get caught off-guard by this. If there’s any chance customer data was exposed, talk to a legal professional. Don’t just quietly clean it up and hope nobody notices.


Why “Cleaned” Sites Get Hacked Again

This is the most common complaint I hear: “I paid someone to clean my site and it got hacked again three weeks later.”

Here’s why that happens.

When a hacker gets into your WordPress site, the first thing they do is create backdoors. These are hidden files or code snippets scattered across your site that let them get back in — even after you change every password and update every plugin.

A backdoor can be:

  • A tiny file buried in /wp-content/uploads/2024/03/ that looks like an image but is actually executable code
  • A single line of obfuscated code injected into your theme’s functions.php
  • A fake plugin that looks legitimate but contains a remote access tool
  • A modified core WordPress file that passes basic integrity checks

Cheap or surface-level cleanups miss these. They remove the visible symptoms — the spam pages, the redirects — but leave the backdoors in place. The hacker waits a few weeks, uses the backdoor to get back in, and you’re right back where you started.

A proper cleanup means scanning every file on the site, comparing against known-clean versions, checking the database for injected code, and removing every single backdoor. It’s methodical work. It takes time. But it’s the difference between fixing the problem once and fixing it every month.
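As an added illustration (not the author's code or tooling), here is a small Python script showing two of the checks that paragraph describes: looking for PHP code hidden inside "images" under wp-content/uploads, and comparing core files against a known-clean hash manifest. The fake site tree, the two-file manifest and the hidden PHP sample are all constructed inline for the demo; a real manifest would be built from a fresh download of the same WordPress version.

```python
import hashlib
import os
import re
import tempfile

PHP_TAG = re.compile(rb"<\?php|<\?=")  # any PHP open tag inside an "image" is a red flag
CORE_FILES = ["wp-includes/version.php", "wp-load.php"]  # hypothetical short manifest

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_uploads(root):
    """Return upload files that contain PHP code: a 'picture' that is really a script."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "wp-content", "uploads")):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if PHP_TAG.search(f.read()):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def check_core(root, manifest):
    """Return core files that are missing or no longer match their known-clean hash."""
    bad = [rel for rel, h in manifest.items()
           if not os.path.exists(os.path.join(root, rel)) or sha256(os.path.join(root, rel)) != h]
    return sorted(bad)

def build_sample_site():
    """Constructed fixture: a tiny fake WordPress tree with one backdoor of each kind."""
    root = tempfile.mkdtemp()
    files = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.5';\n",
        "wp-load.php": b"<?php\nrequire 'wp-config.php';\n",
        "wp-content/uploads/2024/03/photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
        "wp-content/uploads/2024/03/logo.png": b"\x89PNG\r\n<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Record hashes while core is clean, then simulate the one-line injection described above.
    manifest = {rel: sha256(os.path.join(root, rel)) for rel in CORE_FILES}
    with open(os.path.join(root, "wp-load.php"), "ab") as f:
        f.write(b"@include '/path/to/hidden/file';\n")
    return root, manifest
```

WordPress publishes official checksums for every core release, and WP-CLI's `wp core verify-checksums` does the core comparison against them; the database check the paragraph mentions is a separate step not shown here.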


What to Tell Your Customers

If you run an online store or collect customer data, you’re probably wondering: do I need to tell my customers?

If payment data was compromised: Yes. Immediately. Contact your payment processor too — they have their own notification procedures.

If personal data (emails, addresses) was potentially exposed: Under GDPR, likely yes. A short, honest email works better than silence. Something like:

“We recently discovered unauthorized access to our website. We’ve secured the site and are working with a security professional to ensure it doesn’t happen again. As a precaution, we recommend you change your password if you have an account with us. We take your privacy seriously and apologize for any concern this may cause.”

If no customer data was involved (a brochure site with no forms, no accounts): You don’t need to notify anyone. Just get it cleaned and secured.

Honesty works better than silence. Customers respect transparency. They don’t respect finding out later that you knew and didn’t tell them.


How to Make Sure It Doesn’t Happen Again

Once your site is clean, the question is: how do you stop this from happening next time?

The answer is boring but effective: regular maintenance.

Keep WordPress, themes, and plugins updated. The vast majority of hacks exploit known vulnerabilities in outdated software. An update that takes 5 minutes can prevent a hack that costs you days.

Remove plugins and themes you’re not using. Even deactivated plugins can be exploited. If you’re not using it, delete it.

Use strong, unique passwords. And don’t share your admin login with five different people. Each person gets their own account with appropriate permissions.

Set up automated backups. Daily backups stored off-site. If the worst happens, you can restore to a clean version within hours instead of days.

Monitor your site. Security monitoring catches problems early — before Google does, before your customers do, before the damage compounds.

This is exactly what a maintenance plan covers. I run care plans starting at €79/month that handle all of this — updates, backups, security monitoring, and quick response if anything goes wrong. It’s cheaper than a single cleanup, and it means you never have to deal with this again.

If your site was recently hacked and you want someone to properly clean it and set up ongoing protection, drop me an email at jakub.babiuch@pm.me or book a 15-minute call. I’ll tell you exactly what happened, what needs to happen, and what it’ll cost. No pressure, no upsell — just a straight answer.