Security
My WordPress Site Got Hacked. Here's What I Did.
March 10, 2025 · 7 min read
Getting hacked feels like a violation. One day the site is fine; the next day there's a pharma spam page ranking for your brand name, or your host has suspended your account for sending spam emails.
I've cleaned dozens of compromised WordPress sites. Here's the process I follow every time.
Step 1: Don't Panic — Don't Delete Everything
The instinct is to wipe the server and start fresh. Resist it. A clean restore only works if you know the source of the compromise. Otherwise you'll be reinfected within 48 hours.
Step 2: Identify the Infection
I use Wordfence or MalCare to scan the site and flag suspicious files. Most infections fall into a few categories: backdoor files, injected malware in core files, or rogue admin users.
Step 3: Clean and Harden
Remove infected files, restore clean versions of core WordPress files, delete unknown admin users, and regenerate all security keys. Then change every password — hosting, WordPress, FTP, database.
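As an added example (not code from the original post), here is the kind of core-file integrity check that Steps 2 and 3 lean on: it compares each core file's MD5 against a manifest and reports files that were modified, are missing, or sit in a core directory without being listed. The manifest and the install tree below are constructed for the demo; on a real site you would use the official checksums for the installed version (WP-CLI's `wp core verify-checksums` does the same comparison).

```python
import hashlib
import tempfile
from pathlib import Path

# Core directories: a PHP file here that is absent from the official manifest
# is a classic place for a dropped-in backdoor.
CORE_DIRS = ("wp-admin", "wp-includes")

def md5_of(path):
    h = hashlib.md5()  # WordPress publishes MD5 checksums for core files
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest):
    """Compare the install at `root` with `manifest` ({relative path: md5}).
    Returns sorted lists of modified, missing and unexpected core files."""
    root = Path(root)
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif md5_of(p) != expected:
            result["modified"].append(rel)
    for d in CORE_DIRS:  # anything in core dirs that the manifest doesn't list
        for p in (root / d).rglob("*.php") if (root / d).is_dir() else []:
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)
    return {k: sorted(v) for k, v in result.items()}

def build_demo_install():
    """Constructed sample install (not a real site): one clean core file, one
    core file with an appended line, one missing file, one dropped-in PHP file."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-includes").mkdir()
    pristine = {"wp-includes/version.php": b"<?php\n$wp_version = '6.7';\n",
                "wp-includes/functions.php": b"<?php\nfunction wp_demo() {}\n",
                "wp-includes/class-wp.php": b"<?php\nclass WP {}\n"}
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in pristine.items()}
    (root / "wp-includes/version.php").write_bytes(pristine["wp-includes/version.php"])
    tampered = pristine["wp-includes/functions.php"] + b"// line appended by attacker\n"
    (root / "wp-includes/functions.php").write_bytes(tampered)
    (root / "wp-includes/wp-cache.php").write_bytes(b"<?php // not in manifest\n")
    return root, manifest
```

The official manifest covers only core, so plugins, themes and wp-content/uploads still need a separate look; a PHP file under uploads is suspicious on its own.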
Preventing It Next Time
Keep everything updated. Use strong, unique passwords. Limit login attempts. Remove themes and plugins you're not using. And set up automated daily backups to an offsite location.
Zubayer
WordPress developer. 100+ websites. 5+ years.