How to Secure WordPress After a Hack
A hacked WordPress site is not “fixed” just because the homepage looks normal again.
Attackers often leave behind extra admin users, hidden files, spam pages, backdoors, redirects, or stolen credentials so they can get back in later. The real goal is not just to clean the visible mess — it is to close the door they used, remove anything they left behind, and watch the site carefully afterward.
This guide walks through what to do after a WordPress hack, in the order we usually recommend for small business websites in Canada.
First: take a breath and do not start randomly deleting files
When you see spam redirects, strange popups, a Google warning, or a broken homepage, it is tempting to log in and start deleting anything that looks suspicious.
That can make things worse.
You might delete evidence that helps identify the entry point. You might also break the site before you have a clean backup or a list of what changed.
Start with a simple containment plan:
- Put the site into maintenance mode if it is serving malware or scams.
- Take a full backup of the current hacked state for investigation.
- Do not restore an old backup yet unless you know it is clean.
- Do not reuse old passwords.
- Do not assume the problem is only one bad plugin.
Tip: If your site processes orders, bookings, quote requests, or confidential form submissions, treat the incident as more than a website problem. You may need to review whether personal information was exposed.
Step 1: confirm what kind of hack you are dealing with
Different hacks need different responses. A spam SEO injection is not the same as a credit card skimmer, and a stolen admin password is not the same as a server-level compromise.
Look for signs such as:
- Unknown WordPress admin users
- New plugins or themes you did not install
- Unexpected redirects to gambling, adult, crypto, or fake support sites
- Spam pages indexed in Google
- Modified theme files
- Strange files in upload folders
- Security warnings from browsers or Google Search Console
- Unusual outbound email activity
- Checkout pages behaving differently than expected
If you are still unsure whether the site is hacked, review our guide on How to Tell If Your WordPress Site Is Hacked.
Do not rely only on what you can see in the browser. Many infections are hidden from logged-in users or only appear to visitors coming from Google, Facebook, or mobile devices.
Step 2: preserve evidence before cleanup
This sounds dramatic, but it matters.
Before deleting files or restoring a backup, save enough information to understand what happened. That can help you prevent the same hack from returning a few days later.
At minimum, record:
- The date and time you noticed the issue
- Screenshots of warnings, redirects, spam pages, or suspicious admin screens
- A list of recently updated plugins, themes, and WordPress core changes
- Unknown user accounts
- Recent hosting account logins if available
- Recent file changes if your hosting panel shows them
If you host with Ambrite, our cloud hosting stack includes tools such as Imunify360, which can help detect malware and suspicious behaviour at the hosting level. That does not replace WordPress cleanup, but it gives another layer of visibility.
Step 3: take a full backup of the hacked site
Yes, back up the hacked version.
This is not the backup you want to restore for public use. It is your investigation copy.
You want a snapshot of:
- WordPress files
- The database
- Uploads
- Configuration files
- Plugin and theme folders
Why keep it? Because once you start cleaning, you may lose clues about how the attacker got in.
This is especially useful if the infection returns. Comparing the hacked copy with a clean copy can reveal the recurring file, plugin, user account, or vulnerable entry point.
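As an added example that is not part of the article, the shell script below takes the investigation snapshot described in Steps 2 and 3 (archive, per-file hash manifest, newest-first modification times, database dump) and compares the hacked manifest against a clean copy's; it assumes a Linux host with GNU tar, find, sha256sum and mysqldump, and the site and evidence paths are yours to supply.

```shell
#!/bin/sh
# Added example (not from the article): snapshot a hacked WordPress install for
# investigation and compare it against a clean copy later. Assumes a Linux host
# with GNU find, tar and sha256sum; the database step assumes mysqldump.

# Write a sha256 manifest plus a newest-first modification-time list of every
# file under site_dir ($1) into out_dir ($2).
manifest_wp_files() {
    site_dir=$1; out_dir=$2
    mkdir -p "$out_dir"
    (cd "$site_dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) \
        > "$out_dir/sha256.manifest"
    (cd "$site_dir" && find . -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r) \
        > "$out_dir/mtimes.txt"
}

# Archive files with permissions and timestamps intact into a timestamped evidence
# folder under evidence_root ($2). This is the investigation copy, not a restore point.
snapshot_hacked_site() {
    site_dir=$1; evidence_root=$2
    out="$evidence_root/hacked-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$out"
    tar -czf "$out/files.tar.gz" -C "$site_dir" .
    manifest_wp_files "$site_dir" "$out"
    printf '%s\n' "$out"
}

# Dump the database next to the files. mysqldump prompts for the password so it
# never ends up in shell history. Usage: dump_wp_db DB_NAME DB_USER DB_HOST OUT_DIR
dump_wp_db() {
    mysqldump --single-transaction -h "$3" -u "$2" -p "$1" > "$4/database.sql"
}

# Compare a clean manifest ($1) with the hacked one ($2): files the attacker
# ADDED, files they CHANGED, and files MISSING from the hacked copy.
compare_manifests() {
    awk '{ h = $1; p = substr($0, length(h) + 3) }   # "hash  ./path" layout
         NR == FNR      { clean[p] = h; next }         # first file: clean copy
         !(p in clean)  { print "ADDED   " p; next }
         clean[p] != h  { print "CHANGED " p }
                        { seen[p] = 1 }
         END { for (p in clean) if (!(p in seen)) print "MISSING " p }' "$1" "$2"
}
```

Keep the evidence folder somewhere the attacker could not reach, such as your own machine, not inside the web root.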
Step 4: decide whether to clean or restore
There are two common ways to recover from a hacked WordPress site:
- Clean the infected site manually or with professional tools.
- Restore from a clean backup and patch the vulnerability immediately.
Restoring from backup is often faster, but only if the backup is truly clean. If the backup already contains the backdoor, you will simply restore the infection.
Cleaning the site can be better when:
- You do not have a reliable backup
- You are unsure when the hack started
- The site has recent WooCommerce orders or form submissions you cannot lose
- The infection may have been present for a while
Restoring may be better when:
- You know the exact time the hack happened
- You have tested backups from before that time
- The site is not highly transactional
- You can patch the vulnerable plugin, theme, or password immediately after restoring
If you are leaning toward a restore, read How to Restore a Hacked WordPress Site from Backup before replacing anything.
When not to restore: Do not restore an old backup just because it “looks clean.” If the attacker had access weeks before the visible symptoms appeared, the backup may still contain the original backdoor.
Step 5: change every relevant password
This is one of the most skipped steps after a hack.
Changing only the WordPress admin password is not enough. If the attacker has hosting, FTP, database, or email access, they can come back without touching WordPress login at all.
Change passwords for:
- All WordPress admin accounts
- Hosting control panel
- FTP, SFTP, or SSH accounts
- Database users, if appropriate
- Email accounts tied to WordPress admin users
- Cloudflare or DNS accounts, if used
- Payment gateway accounts, if your site takes payments
Use unique passwords for every account. A password manager is much safer than trying to remember variations of the same password.
If former staff, contractors, agencies, or freelancers had access, remove accounts they no longer need. Many small business hacks come through old access that nobody remembered existed.
Step 6: remove unknown users and check permissions
Go through your WordPress user list carefully.
Look for admin users you do not recognize, strange email addresses, or accounts with names that look almost legitimate. Attackers often create a boring-looking admin user so it does not stand out.
For each account, ask:
- Does this person still work with us?
- Do they need administrator access?
- Could they use editor, shop manager, or another lower role instead?
- Is the email address correct?
Use the least access needed. Your blog writer does not need full admin rights. Your SEO consultant probably does not need access to plugin installation. Your designer may not need permanent access after a project ends.
This is not about mistrusting people. It is about reducing the damage if one password gets stolen.
Step 7: update WordPress, plugins, and themes carefully
Outdated plugins and themes are one of the most common ways WordPress sites get hacked.
But after a hack, do not blindly click “update all” on a live business website without a plan. Updates can break layouts, forms, checkout pages, booking tools, or custom functionality.
A safer approach:
- Make a backup first.
- Update WordPress core.
- Update active plugins.
- Update the active theme.
- Remove unused themes and plugins.
- Test key pages and forms.
Pay special attention to plugins that handle:
- Forms
- Payments
- File uploads
- Memberships
- Bookings
- SEO redirects
- Page building
If a plugin has not been maintained by its developer, consider replacing it. A plugin may still “work” while being a security risk.
Step 8: remove unused plugins and themes
Deactivated plugins can still be a problem if the files remain on the server.
If you are not using a plugin, delete it. The same goes for themes: keep only your active theme setup and whatever WordPress itself requires, and delete the rest.
This reduces the number of possible entry points.
Be careful with plugins that look unused but support hidden functionality. For example, a form plugin, custom field plugin, or redirect plugin may power parts of the site that are not obvious from the homepage.
If you are unsure, test on a staging copy first.
Step 9: scan and clean the file system
Malware can hide in places that look normal at first glance.
Common hiding spots include:
- Theme files
- Plugin folders
- Upload directories
- Configuration files
- Fake plugin folders
- Random PHP files with innocent-looking names
Security scanners can help, but they are not perfect. Some catch known malware signatures well but miss custom backdoors. Others flag suspicious code that may actually belong to a legitimate plugin.
Good cleanup usually combines automated scanning with manual review.
For WordPress core files, a common approach is to replace them with fresh copies from the official WordPress source, while preserving the site’s actual content and configuration. For plugins and themes, downloading clean copies from the official developer source is safer than trying to patch infected files line by line.
Do not download “nulled” premium plugins or themes from unofficial websites. They are a common source of malware.
Step 10: check the database for injected content
Not all malware lives in files.
Some hacks inject spam links, hidden scripts, fake admin settings, rogue redirects, or malicious options into the WordPress database. That is why replacing files alone may not fix the problem.
Areas to review include:
- Posts and pages
- Widgets
- Menus
- Theme settings
- Plugin settings
- Redirect rules
- Admin users and roles
If you are not comfortable working with databases, do not experiment on the live site. One wrong edit can break the site or delete real content.
For WooCommerce sites, be extra careful. Orders, customers, product data, subscriptions, and payment-related settings may be stored in the database. Cleaning needs to protect real business records while removing malicious entries.
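The database review in Step 10 (and the administrator check from Step 6) as a set of read-only queries, added here as an example and not the article's own; it assumes the mysql command-line client on the server and reads the table prefix and connection details from wp-config.php, and the patterns it searches for (script and iframe tags, base64_decode, eval) are common indicators rather than a complete list.

```shell
#!/bin/sh
# Added example (not from the article): read-only database checks for the areas
# in Step 10, plus the administrator list from Step 6. The SQL is generated with
# the real table prefix from wp-config.php and piped into the mysql client;
# nothing is modified. Assumes a Linux host with sed and the mysql CLI.

# Read define('NAME', 'value') from wp-config.php ($1 = file, $2 = NAME).
wpconfig_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Read the $table_prefix line; every table and the capabilities meta key use it.
wpconfig_prefix() {
    sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Emit the audit queries for prefix $1. SELECT only: review the output, then decide.
db_audit_sql() {
    p=$1
    cat <<EOF
-- Redirect hacks usually start by changing these two options.
SELECT option_name, option_value FROM ${p}options WHERE option_name IN ('siteurl', 'home');
-- Plugins WordPress believes are active; compare with the folders on disk.
SELECT option_value FROM ${p}options WHERE option_name = 'active_plugins';
-- Options (widgets, theme and plugin settings) carrying scripts or encoded code.
SELECT option_name, LEFT(option_value, 120) AS preview FROM ${p}options
 WHERE option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
    OR option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%';
-- Posts, pages and menu items with injected scripts or iframes.
SELECT ID, post_type, post_status, post_title FROM ${p}posts
 WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';
-- Every account with administrator rights and when it was created.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
  FROM ${p}users u JOIN ${p}usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = '${p}capabilities' AND m.meta_value LIKE '%administrator%';
-- The newest published content: spam pages often show up here first.
SELECT ID, post_type, post_title, post_date FROM ${p}posts
 WHERE post_status = 'publish' ORDER BY post_date DESC LIMIT 20;
EOF
}

# Run the audit against the site's own database; mysql prompts for the password.
run_db_audit() {
    cfg=$1/wp-config.php
    db_audit_sql "$(wpconfig_prefix "$cfg")" | mysql --table \
        -h "$(wpconfig_define "$cfg" DB_HOST)" -u "$(wpconfig_define "$cfg" DB_USER)" \
        -p "$(wpconfig_define "$cfg" DB_NAME)"
}
```

Run it as `run_db_audit /path/to/wordpress` and keep the output with your evidence; anything you then decide to delete should be removed row by row, not with a blanket DELETE.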
Step 11: rotate security keys and sessions
After a hack, assume active sessions may be compromised.
WordPress uses security keys and salts to help protect logged-in sessions and cookies. Rotating them forces users to log in again and helps invalidate existing sessions.
This is a normal post-hack hardening step, but it should be done carefully. If you are not familiar with the configuration file involved, ask your hosting provider or WordPress maintenance team to handle it.
Also log out all users if your security plugin or user management tool supports that feature.
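Rotating the keys and salts from Step 11 as a script, added here as an example and not part of the article; it rewrites the eight define() lines in wp-config.php in place after saving a backup, and assumes GNU sed and /dev/urandom on a Linux host.

```shell
#!/bin/sh
# Added example (not from the article): rotate the eight keys and salts in
# wp-config.php so every existing login cookie stops validating. Assumes a Linux
# host with GNU sed and /dev/urandom; the previous file is kept as a backup.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters drawn from a set that needs no escaping inside a PHP
# single-quoted string or a sed replacement.
new_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9@#%^*_+=-' </dev/urandom | head -c 64
}

# Replace the value of each define('KEY', '...') in wp-config.php ($1),
# whatever the spacing or quote style, after saving a timestamped backup.
rotate_wp_salts() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak-$(date -u +%Y%m%dT%H%M%SZ)"
    for k in $WP_SALT_KEYS; do
        v=$(new_salt)
        sed -i "s|^\([[:space:]]*define([[:space:]]*['\"]$k['\"][[:space:]]*,[[:space:]]*\)['\"][^'\"]*['\"]|\1'$v'|" "$cfg"
    done
}

# Read back the current value of one key ($2) from wp-config.php ($1).
wp_salt_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Succeed only if all eight keys are defined, none still holds the placeholder
# WordPress ships with, and each is at least 64 characters long.
check_wp_salts() {
    for k in $WP_SALT_KEYS; do
        v=$(wp_salt_value "$1" "$k")
        [ -n "$v" ] || return 1
        [ "$v" != "put your unique phrase here" ] || return 1
        [ "${#v}" -ge 64 ] || return 1
    done
}
```

Everyone, including you, is logged out the moment the file is saved, so do this right after the password changes in Step 5 rather than before them.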
Step 12: add two-factor authentication
Two-factor authentication is one of the simplest ways to stop repeat compromises caused by stolen passwords.
Even if an attacker gets an admin password, they still need the second factor. That extra step makes a big difference.
Start with:
- Administrator accounts
- Shop manager accounts
- Editor accounts with publishing access
- Any account used by contractors or agencies
Use an authenticator app where possible instead of SMS. SMS is better than nothing, but app-based codes are generally stronger.
For setup guidance, see How to Set Up Two-Factor Authentication for WordPress Admin Access.
Step 13: harden the WordPress login area
After cleanup, reduce the chances of another login-based attack.
Useful login hardening steps include:
- Limit repeated failed login attempts
- Require strong passwords
- Disable unused accounts
- Use two-factor authentication
- Review login logs if your security tool provides them
Changing the login URL can reduce noise from basic bots, but do not treat it as serious security by itself. It is more like moving your front door around the corner. Helpful sometimes, but not a lock.
Also avoid installing five different security plugins that all try to control login protection. They can conflict with each other, slow the site down, or lock out legitimate users.
Step 14: review file permissions and write access
File permissions control who can read, write, and execute files on your hosting account.
If permissions are too loose, attackers may be able to modify files more easily. If they are too strict, WordPress updates, uploads, or caching may stop working.
This is one of those areas where “more restrictive” is not always better. The right settings depend on your hosting environment.
Ask your host to check that permissions are appropriate for WordPress and that no unnecessary write access is available. If you are on Ambrite cloud hosting, our environment is built for WordPress with LiteSpeed, NVMe SSD storage, and Imunify360 protection to help reduce common hosting-level risks.
Ambrite’s cloud web hosting starts at $7.99/month CAD and is designed for Canadian small business sites that need speed and security without managing server details themselves.
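A read-only triage script for the hiding spots listed in Step 9 and the write-access review in Step 14, added here as an example and not taken from the article; it assumes a standard WordPress layout (wp-content/uploads, wp-content/plugins) on a Linux host with GNU find and grep.

```shell
#!/bin/sh
# Added example (not from the article): read-only file-system triage for the
# hiding spots in Step 9 and the write-access review in Step 14. It reports
# and changes nothing. Assumes a Linux host with GNU find and grep.

# PHP files under uploads. WordPress never needs to run code from there, so
# any hit is either a planted file or a badly written plugin.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# Plugin folders whose top-level PHP files carry no "Plugin Name:" header.
# WordPress never shows these in the Plugins screen, which makes them a
# classic hiding spot for a fake plugin folder.
fake_plugin_dirs() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        grep -qs 'Plugin Name:' "$d"*.php || printf '%s\n' "${d%/}"
    done
}

# Files changed within the last N days (default 7), newest first. Compare the
# dates against the updates you know you made.
recently_modified() {
    find "$1" -type f -mtime -"${2:-7}" -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# World-writable files and directories. Nothing in a WordPress install needs
# this, and it lets any process on the server rewrite the file.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Print all four checks as one report for site_dir ($1).
triage_report() {
    for check in php_in_uploads fake_plugin_dirs recently_modified world_writable; do
        printf '== %s ==\n' "$check"
        "$check" "$1"
    done
}
```

Run `triage_report /path/to/wordpress > triage.txt` and save the output with your evidence; a hit is a lead to verify against a clean copy, not proof on its own.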
Step 15: check forms, payments, and customer data
If your site collects personal information, do not skip this step.
Contact forms, intake forms, booking forms, quote request forms, newsletter signups, and WooCommerce checkout pages can all collect personal information. If a hacker accessed that data or modified those forms, you may have privacy obligations.
For Canadian businesses, PIPEDA may apply depending on the type of information collected and how your organization operates. You may need to assess what information was involved, who may have accessed it, and whether notification is required.
This is especially important for:
- Law firms
- Healthcare practices
- Financial services
- Real estate businesses
- WooCommerce stores
- Membership websites
If payment pages were affected, contact your payment provider and follow their current incident guidance. Do not guess. Payment providers update their security procedures, and the official documentation should be treated as the source of truth.
Step 16: request malware review from Google and security vendors
If browsers or search results show warnings, cleanup is only part of the job.
You may need to request a review through Google Search Console after the site is clean. Other security vendors or browser warning systems may have their own review process.
Before requesting review, make sure:
- The malware is removed
- Spam pages are deleted or corrected
- Redirects are gone
- Vulnerable plugins are patched or removed
- Passwords have been changed
- Admin users have been reviewed
Requesting review too early can waste time. If the site still contains malware, the warning may remain and future reviews may take longer.
Step 17: monitor closely for reinfection
The week after cleanup matters.
Many hacked sites get reinfected because the original entry point was never fixed. The visible malware was removed, but the backdoor, password, vulnerable plugin, or rogue admin account remained.
Monitor for:
- New unknown files
- New admin users
- Unexpected plugin changes
- Redirects returning
- Spam pages being re-indexed
- Unusual email sending
- Security scanner alerts
- Traffic spikes from strange sources
Set reminders to recheck the site after a few days, then again after a couple of weeks.
If the infection comes back, do not repeat the same cleanup and hope for a different result. At that point, you need a deeper investigation.
Step 18: build a prevention plan
Once the site is clean, set up a realistic maintenance routine.
For most small business WordPress sites, that means:
- Regular WordPress core updates
- Plugin and theme updates
- Daily or frequent backups
- Backup testing
- Security monitoring
- Uptime monitoring
- Form testing
- Strong password policies
- Two-factor authentication
- Removal of unused plugins and users
The best plan is the one someone will actually follow. A complicated checklist that nobody touches is not security.
If you do not have someone on staff who can handle this consistently, a maintenance plan is usually cheaper than repeated emergency cleanup. Ambrite’s WordPress maintenance and security plans start at $49/month CAD and are built for Canadian businesses that want updates, monitoring, and help when something looks off.
When to call a professional
You can handle some small hacks yourself if you are technical, have backups, and understand WordPress files and databases.
But there are times when DIY cleanup is risky.
Get professional help if:
- Your site handles payments
- Your site stores client, patient, or customer information
- The hack keeps coming back
- You do not know when the infection started
- Your host suspended the account
- Google is showing security warnings
- You found unknown admin users
- You are not comfortable editing files or databases
Also call for help if the site is business-critical. A restaurant with online ordering, a law firm with intake forms, or a clinic with appointment requests cannot afford days of trial-and-error cleanup.
If you want Ambrite to review a hacked WordPress site, you can reach us through our contact page. We will tell you honestly whether cleanup, restore, hosting migration, or a deeper rebuild makes the most sense.
What not to do after a WordPress hack
A few common “fixes” cause more trouble than they solve.
- Do not only change your password. That helps, but it does not remove malware or patch the entry point.
- Do not install random security plugins on top of an active infection. They may miss the issue or conflict with each other.
- Do not restore an untested backup. It may be infected or incomplete.
- Do not ignore Google warnings. They can scare away customers even after the site appears fixed.
- Do not keep unused plugins “just in case.” Every extra plugin is another thing to maintain.
- Do not assume your host will clean WordPress automatically. Hosting security and application cleanup are related, but they are not the same job.
A practical post-hack checklist
Here is the short version you can use while dealing with the incident:
- Put the site in maintenance mode if it is harming visitors.
- Back up the hacked site for investigation.
- Check users, files, plugins, themes, and database content.
- Decide whether to clean or restore from a known-clean backup.
- Replace compromised files with clean official copies where appropriate.
- Remove unused plugins, themes, and users.
- Update WordPress core, plugins, and themes carefully.
- Change all related passwords.
- Rotate sessions and security keys.
- Enable two-factor authentication.
- Check forms, payments, and personal data exposure.
- Request Google or browser warning reviews if needed.
- Monitor for reinfection.
- Set up ongoing maintenance and backups.
A hacked WordPress site can usually be recovered, but the cleanup has to go deeper than appearances. Fix the cause, not just the symptom.
This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.