What do you do if your WordPress site has been hacked?

Ideally, you have a daily backup of your website (essential if your website is business-critical).

Ask your web developer or hosting provider to restore you a safe version from a recent backup, and then upgrade your plugins and WordPress version to the latest version.

If you don’t have a backup (I’ll deal with that one in a moment!), you can use the Sucuri service to do a hack cleanup and set up their website firewall to prevent further attacks. It’s a very cost-effective service, and will usually be the cheapest and best way to get your website cleaned up.

Then I suggest that you get your backups sorted as quickly as possible (read more on backups in the FAQ here).

A worthy note about hacked WordPress websites…

Typically when a website has been hacked, it will be targeted for 1-2 years afterwards, as your website details will be shared by the ‘hackers’ letting them know it’s a soft target. What this means is you often get a surge in more attacks once your website has been compromised.

When you use the Sucuri website firewall, it actually helps to block 95%+ of these attacks without any effort from you or your developer. Usually, after 1-2 years, the attacks subside.