If your WordPress site is hacked right now and you’re searching for WordPress hacked how to recover, take a breath before you do anything. Most WordPress compromises are fully recoverable, but the next two hours are critical — both for getting your site back and for handling the GDPR breach notification clock that started the moment personal data was exposed. This guide walks you through the emergency playbook in priority order.
Written for German GmbH founders, marketing leads, and Mittelstand operators who don’t have a dedicated DevSecOps team and need a clear, calm sequence of actions.
How do you know if your WordPress site is actually hacked?
Common signs of a real compromise:
- The site shows defacement, foreign-language ads, or pharma spam
- Google Search Console reports a “Security Issues” warning
- Browsers show a red “deceptive site” warning
- Site redirects visitors to spam or scam domains
- Unfamiliar admin users appear in /wp-admin/users.php
- Server logs show outbound spam emails you didn’t send
- Hosting provider sends an abuse notice
- New PHP files appear in /wp-content/uploads/ or theme folders
If one or more of these is true, treat it as a confirmed compromise and follow the steps below. Don’t try to “look around” the live site — every minute it stays online compounds risk.
What is the first thing to do when WordPress is hacked?
Take the site offline immediately. This stops further damage and limits GDPR exposure.
The fastest way to do that in 2026:
- Put up a “we’ll be back soon” maintenance page via your hosting panel
- Or temporarily disable the site in Cloudflare/DNS
- Or, if you can SSH in, rename index.php so the site returns a blank page
Do not “clean while serving traffic” — visitors will keep being attacked and your hosting provider may suspend your account.
How do you preserve evidence before cleaning a hacked WordPress site?
Before you delete anything, capture the current compromised state. You need this for forensics and GDPR documentation.
- Take a full snapshot of the server (most hosts offer this in their panel)
- Download the database as-is — even if compromised, it contains evidence
- Download /wp-content/uploads/ and any user-generated content
- Save a copy of all access logs (/var/log/nginx/access.log or hosting equivalent)
- Document the exact symptoms with timestamps and screenshots
This snapshot is your safety net if a cleanup introduces new problems, and your evidence base if you later need to report under GDPR Article 33.
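The evidence capture above as a shell script, added here as an example and not part of the original guide. It assumes a WordPress root passed as the first argument, a directory of web server access logs as the second, and an evidence directory outside the web root as the third; the database dump runs only if mysqldump and a DB_NAME variable are available. The sample site it builds is constructed and inert.

```shell
#!/bin/sh
# Added example: preserve the compromised state of a WordPress install before
# any cleanup. Assumed arguments: $1 = WordPress root (contains wp-content/),
# $2 = directory holding access logs, $3 = evidence directory OUTSIDE the web
# root. Set DB_NAME (with credentials in ~/.my.cnf) to include a database dump.

preserve_evidence() {
  wp_root="$1"; log_dir="$2"; out="$3"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$out"

  # 1. wp-content as-is: uploads, themes, plugins, injected files included.
  tar -czf "$out/wp-content-$stamp.tgz" -C "$wp_root" wp-content

  # 2. Database dump, only when mysqldump and DB_NAME are available.
  if [ -n "${DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
    mysqldump --single-transaction "$DB_NAME" > "$out/db-$stamp.sql"
  fi

  # 3. Access logs (/var/log/nginx/access.log or the hosting equivalent).
  tar -czf "$out/logs-$stamp.tgz" -C "$log_dir" .

  # 4. Files changed in the last 30 days: first leads for the entry vector.
  find "$wp_root" -type f -mtime -30 | sort > "$out/recent-files-$stamp.txt"

  # 5. Hash manifest so the evidence can later be shown unaltered (GDPR record).
  #    The redirect creates manifest.sha256 first, so it is skipped in the loop.
  ( cd "$out" && for f in *; do
      [ "$f" = manifest.sha256 ] || sha256sum "$f"
    done ) > "$out/manifest.sha256"

  # Return the number of evidence artefacts hashed.
  wc -l < "$out/manifest.sha256" | tr -d ' '
}

# Verify a previously captured evidence set has not been altered (exit 0 = intact).
verify_evidence() {
  ( cd "$1" && sha256sum -c --status manifest.sha256 )
}

# Constructed sample site so the script runs offline; the PHP file is a placeholder.
build_sample_site() {
  mkdir -p "$1/wp-content/uploads/2026/01" "$1/logs"
  printf '<?php /* constructed placeholder standing in for an injected file */\n' \
    > "$1/wp-content/uploads/2026/01/image.jpg.php"
  printf '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1024\n' \
    > "$1/logs/access.log"
}

# Stand-alone run against the constructed sample.
work=$(mktemp -d)
build_sample_site "$work/site"
n=$(preserve_evidence "$work/site" "$work/site/logs" "$work/evidence")
echo "evidence artefacts hashed: $n"
verify_evidence "$work/evidence" && echo "manifest verifies"
rm -rf "$work"
```

Keep the evidence directory and its manifest with the written breach record; re-running verify_evidence later shows the files are the ones captured on the day.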
The 12-step WordPress hack recovery playbook
Work through these in order. Don’t skip steps.
Step 1: Reset all passwords
Change passwords for: WordPress admin, hosting control panel, FTP/SFTP, MySQL database, email accounts, any connected services (Stripe, Mailchimp). Use a password manager and 16+ character passwords.
Step 2: Identify the entry vector
The most common WordPress compromise vectors:
- Outdated plugin with a known vulnerability
- Outdated theme (especially nulled or pirated themes)
- Weak admin password (brute-forced)
- Compromised hosting account on shared hosting
- Stolen admin credentials via phishing or malware
Check the dates of your last plugin/theme/core updates. The vector is usually whatever hasn’t been updated in 60+ days.
Step 3: Run a malware scan
Three reliable WordPress security scanners in 2026:
- Wordfence — free + paid, the most popular
- Sucuri SiteCheck — quick external scan
- MalCare — paid, good for managed cleanup
Run the scan and note every file flagged as suspicious. Don’t auto-delete yet — you want a clean inventory first.
Step 4: Compare against a clean WordPress install
Download a fresh copy of WordPress core matching your version. Compare your installation against the clean copy. Any core files that have been modified are suspect.
For themes and plugins, redownload them from the original sources (WordPress.org repo, or paid plugin vendor). Compare hashes.
Step 5: Remove the malware
Delete or replace every compromised file. Common locations for injected malware:
- /wp-content/uploads/ (often PHP files disguised as .jpg.php)
- /wp-content/themes/<theme>/ (modified functions.php, header.php)
- /wp-content/plugins/ (entire plugins added that you don’t recognise)
- Root directory (wp-config.php injections, modified index.php)
- Database (injected scripts in wp_options.siteurl or post content)
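Steps 4 and 5 in script form, added here as an example and not part of the original guide. compare_tree diffs a live WordPress root against a clean core download (wp-content is skipped because it is not part of core, and wp-config.php will show as added because the clean download never contains one); find_php_in_uploads and grep_suspect produce the review list step 5 describes. The clean and live trees it builds are constructed, and the "injected" content is inert text that only matches the pattern.

```shell
#!/bin/sh
# Added example: compare a live install against a clean core copy, then list
# the usual injection leads under wp-content. Paths and sample content are
# constructed for this example.

# Report core files that differ from the clean copy or exist only on the live site.
compare_tree() {
  clean="$1"; live="$2"
  ( cd "$live" && find . -path ./wp-content -prune -o -type f -print | sort ) |
  while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      printf 'ADDED    %s\n' "$f"      # wp-config.php is expected here; anything else is not
    elif ! cmp -s "$clean/$f" "$live/$f"; then
      printf 'MODIFIED %s\n' "$f"
    fi
  done
}

# Any PHP executable under uploads is suspect: uploads should hold media only.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.php?' -o -name '*.phtml' -o -name '*.phar' \) | sort
}

# PHP files using obfuscation primitives. Legitimate plugins use some of
# these too, so this is a review list, not a verdict.
grep_suspect() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' {} + | sort
}

# Constructed clean core and live site under $1.
build_sample_site() {
  mkdir -p "$1/clean/wp-includes" "$1/live/wp-includes" \
           "$1/live/wp-content/uploads/2026/01" "$1/live/wp-content/themes/demo"
  printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$1/clean/index.php"
  printf '<?php $wp_version = "constructed";\n' > "$1/clean/wp-includes/version.php"
  cp "$1/clean/wp-includes/version.php" "$1/live/wp-includes/version.php"
  # live index.php has an extra line appended, as injected redirects often are
  { cat "$1/clean/index.php"; printf '// constructed extra line\n'; } > "$1/live/index.php"
  # inert text matching the obfuscation pattern, disguised as an image
  printf '<?php /* constructed, inert */ eval(base64_decode("placeholder"));\n' \
    > "$1/live/wp-content/uploads/2026/01/image.jpg.php"
  printf '<?php add_action("init", "demo_init"); // constructed, benign\n' \
    > "$1/live/wp-content/themes/demo/functions.php"
  printf '<?php /* constructed wp-config placeholder */\n' > "$1/live/wp-config.php"
}

# Stand-alone run against the constructed sample.
work=$(mktemp -d)
build_sample_site "$work"
echo "== core files differing from clean copy =="; compare_tree "$work/clean" "$work/live"
echo "== PHP under uploads ==";                    find_php_in_uploads "$work/live"
echo "== obfuscation leads under wp-content ==";  grep_suspect "$work/live/wp-content"
rm -rf "$work"
```

For a real site, point the first argument of compare_tree at an unpacked download of the same WordPress version and the second at the live root; run it on the offline copy, not on a site still serving traffic.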
Step 6: Restore from a clean backup if possible
If you have a backup from before the compromise, restoring is faster and safer than cleaning. Check backup dates and verify the backup is from before the symptoms appeared.
Be careful: if the malware has been dormant for weeks, your “clean” backup may also be infected. Always scan the restored version too.
Step 7: Reinstall WordPress core and all plugins/themes
The safest cleanup: reinstall WordPress core, then reinstall every plugin and theme from their original sources. This guarantees no injected files survive.
Caveat: only do this if your theme isn’t heavily customised. For custom themes, you’ll need to manually compare and clean.
Step 8: Audit user accounts
Check /wp-admin/users.php for:
- Admin accounts you don’t recognise
- Recent changes to existing admin accounts
- Suspicious email addresses on admin users
- Accounts created during the compromise window
Delete every account that’s not legitimate. Force password resets for all remaining users.
Step 9: Update everything
Update WordPress core, every plugin, every theme to latest versions. If a plugin hasn’t been updated by its developer in 12+ months, replace it with an actively maintained alternative.
Step 10: Harden security
Apply baseline WordPress security hardening:
- Install Wordfence or Solid Security (formerly iThemes Security)
- Enable two-factor authentication for all admin accounts
- Limit login attempts and block obvious brute-force attempts
- Disable file editing via wp-admin (define('DISALLOW_FILE_EDIT', true); in wp-config.php)
- Move /wp-admin/ to a custom URL if your security plugin supports it
- Enable HTTPS everywhere and HSTS
- Set strong file permissions (644 for files, 755 for directories)
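The two file-system items of the hardening list, the 644/755 permission baseline and DISALLOW_FILE_EDIT in wp-config.php, as a script added here for illustration and not part of the original guide. It assumes the WordPress root is passed as the argument and that wp-config.php opens with a plain <?php line; the sample tree is constructed with the over-permissive modes often found after a compromise.

```shell
#!/bin/sh
# Added example: apply and check the 644/755 baseline and DISALLOW_FILE_EDIT.
# $1 is the WordPress root; the sample tree below is constructed.

# Count files not 644 and directories not 755 (0 means the baseline holds).
count_permission_violations() {
  files=$(find "$1" -type f ! -perm 644 | wc -l)
  dirs=$(find "$1" -type d ! -perm 755 | wc -l)
  echo $((files + dirs))
}

# Set the baseline the guide recommends: 755 for directories, 644 for files.
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Insert define('DISALLOW_FILE_EDIT', true); right after the opening <?php
# unless wp-config.php already sets it. Echoes 1 if changed, 0 if not.
# Assumes line 1 of wp-config.php is the <?php tag.
ensure_disallow_file_edit() {
  cfg="$1"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then echo 0; return; fi
  { head -n 1 "$cfg"
    printf "%s\n" "define('DISALLOW_FILE_EDIT', true);"
    tail -n +2 "$cfg"; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  echo 1
}

# Constructed sample tree with the loose modes often found after a hack.
build_sample_site() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-admin"
  printf '<?php\ndefine("DB_NAME", "constructed");\n' > "$1/wp-config.php"
  printf '<?php echo "constructed";\n' > "$1/wp-admin/index.php"
  chmod 777 "$1/wp-content/uploads" "$1/wp-admin/index.php"
  chmod 666 "$1/wp-config.php"
}

# Stand-alone run: edit wp-config.php first, then fix modes so the rewritten
# file also ends up at 644.
work=$(mktemp -d)
build_sample_site "$work/site"
echo "violations before: $(count_permission_violations "$work/site")"
echo "DISALLOW_FILE_EDIT added: $(ensure_disallow_file_edit "$work/site/wp-config.php")"
harden_permissions "$work/site"
echo "violations after: $(count_permission_violations "$work/site")"
rm -rf "$work"
```

Run count_permission_violations again as part of the 30-day monitoring: a non-zero result after a clean baseline means something rewrote files or directories with different modes.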
Step 11: Submit clean site to Google for review
If Google flagged your site:
- Open Google Search Console → Security Issues
- After cleanup, click “Request Review”
- Provide details of what you did
- Wait 24–72 hours for Google to recrawl and remove the warning
Step 12: Monitor for re-infection
Compromised sites are sometimes re-infected within days if the entry vector wasn’t fully closed. For the first 30 days:
- Run Wordfence scans weekly
- Monitor server logs for suspicious activity
- Watch for unfamiliar files appearing
- Check user accounts weekly
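Two of the monitoring checks above, as an added example that is not part of the original guide: a count of login-endpoint POSTs per IP (the brute-force pattern behind step 2's weak-password vector) and a list of served requests for PHP files under uploads (the access pattern of a file left behind after cleanup). The log lines are constructed in the default nginx combined format; the field positions and the threshold are assumptions.

```shell
#!/bin/sh
# Added example: two awk checks over access log lines for the 30-day watch.
# Assumes the nginx "combined" format, where $1 is the client IP, $6 the
# quoted method, $7 the request path and $9 the status code.

# IPs with more than $2 POSTs to wp-login.php or xmlrpc.php in log $1,
# printed as "count ip", highest first.
login_post_hotspots() {
  awk -v limit="$2" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
    END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' "$1" | sort -rn
}

# Requests for PHP under uploads that were actually served (2xx). A 404 here
# is noise; a 200 means an executable file is still reachable.
uploads_php_hits() {
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ && $9 ~ /^2/ { print $1, $7 }' "$1" | sort -u
}

# Constructed sample log: one brute-force burst, one normal login, one hit on
# a PHP file under uploads and one 404 that should not be reported.
write_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.7 - - [02/Jan/2026:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2026:03:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2026:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2026:08:00:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 15200 "-" "Mozilla/5.0"
192.0.2.33 - - [02/Jan/2026:09:30:00 +0000] "GET /wp-content/uploads/2026/01/image.jpg.php HTTP/1.1" 200 88 "-" "curl/8.0"
192.0.2.33 - - [02/Jan/2026:09:31:00 +0000] "GET /wp-content/uploads/2026/01/photo.jpg HTTP/1.1" 200 40211 "-" "curl/8.0"
192.0.2.33 - - [02/Jan/2026:09:32:00 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 153 "-" "curl/8.0"
EOF
}

# Stand-alone run against the constructed log.
work=$(mktemp -d)
write_sample_log "$work/access.log"
echo "== IPs with more than 3 login-endpoint POSTs =="; login_post_hotspots "$work/access.log" 3
echo "== served PHP under uploads ==";                   uploads_php_hits "$work/access.log"
rm -rf "$work"
```

On a real host, point both functions at the rotated log files for the day and run them from cron; a non-empty uploads_php_hits result after cleanup means the Step 5 sweep missed a file.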
Do you need to notify under GDPR after a WordPress hack?
Yes, if personal data may have been accessed. Under GDPR Article 33, you have 72 hours from awareness of the breach to notify the relevant German Landesdatenschutzbeauftragte (state DPA).
What counts as personal data on a typical WordPress site:
- Customer email addresses (newsletter list, contact forms, e-commerce orders)
- Customer names and addresses
- Comments with author email
- Membership accounts with profile data
- E-commerce billing and shipping info
- Any user content stored in the WordPress database
If any of these data types could have been accessed during the compromise, the notification clock applies.
Steps to comply:
- Document the breach: what happened, when, what data, how many people
- Notify your Datenschutzbeauftragter (data protection officer) if you have one
- File a notification with the relevant German state DPA within 72 hours
- Notify affected individuals if the risk is high (Article 34)
- Keep a written record of the breach and your response
Failure to notify is itself a GDPR violation with separate fines. Treat the 72-hour clock as a hard deadline.
How long does it take to recover a hacked WordPress site?
Realistic timelines:
- Simple defacement, recent backup available: 2–6 hours
- Malware injected into theme/plugin files: 4–12 hours
- Compromised admin accounts plus database injection: 8–24 hours
- Long-running compromise with no clean backup: 1–3 days
- Critical e-commerce shop with paying customers actively affected: requires professional rapid response, typically 24–48 hours for safe restore
Most German SMEs underestimate the second category — finding and removing every injected file takes patience and care.
Should you hire a professional for WordPress hack recovery?
DIY is possible if you’re comfortable in SSH, WordPress admin, and basic security tooling. Hire a specialist when:
- You can’t identify the entry vector after a thorough check
- The site processes personal data and you need defensible GDPR documentation
- You’ve already attempted cleanup and the site got re-infected
- The site is revenue-critical and every hour costs more than the help
Professional WordPress hack recovery in Germany typically costs €1,500–€10,000 depending on complexity and time spent.
For broader emergency response, see our How to Recover a Website After Server Crash playbook — similar incident-response logic applies.
How do you prevent the next WordPress hack?
Once recovered, build the defences that should have been there:
- Automated daily offsite backups (UpdraftPlus → Hetzner Storage Box)
- Wordfence or Solid Security active and configured
- Two-factor authentication for every admin
- Monthly plugin/theme/core update cycle
- Monthly malware scan
- Quarterly password rotation
- Annual security audit by a third party
Most successful long-running WordPress sites in Germany run all seven. The total cost is under €500/year, vastly cheaper than another compromise.
What hosting setup reduces hack risk?
Hosting matters more than people think:
- Managed WordPress hosts (Raidboxes, Mittwald, Kinsta) include WAFs, malware scanning, and isolation by default
- Hetzner Cloud + your own managed setup: highly customisable but you’re responsible for hardening
- Cheap shared hosting: maximum risk — one compromised neighbour can affect everyone on the box
- VPS with managed control panel (Plesk, cPanel): middle ground, good for SMEs
For DACH SMEs, the managed WordPress route usually has the best risk-to-cost ratio.
For broader hosting selection, our How Do You Fix a Slow WordPress Website in Germany? post covers German hosting providers in more detail.
Frequently Asked Questions About WordPress Hack Recovery
- Defacement, foreign ads, Google warnings, unfamiliar admin users, redirects, or hosting abuse notices.
- Yes, but slower — reinstall core, plugins, and themes from clean sources, then clean each file.
- €1,500–€10,000 for professional cleanup, plus €500–€2,000 for GDPR breach documentation.
- Temporary security warning until cleanup + review request; typically 3–5 days to clear.
- Yes — GDPR Article 33: notify the state DPA within 72 hours if personal data was potentially accessed.
- Yes — if the original entry vector isn’t closed; monitor closely for 30 days post-recovery.
- Yes — managed WordPress hosting includes server-level hardening and isolation shared hosts skip.
Final thoughts on recovering a hacked WordPress site
WordPress hacks feel like emergencies, but they’re recoverable for almost every German SME if you act methodically. Take the site offline first, preserve evidence, work the 12 steps in order, and don’t forget the GDPR notification clock. Most recoveries are complete within 24 hours with a calm process; rushed recoveries cause re-infections and missed compliance steps.
If your site is hacked right now and you need urgent help — including GDPR breach documentation — you can book a meeting with our team. We offer emergency response and ongoing maintenance retainers for German WordPress sites. Or browse our website development services page for the broader hardening and maintenance offer.