Discovering that your WordPress site has been hacked is stressful. Menus disappear, accounts are tampered with, sometimes your site starts redirecting to porn or pharma sites, and in some cases you even lose admin access completely. On top of that, Chrome may start showing a big red screen warning your visitors that the site is infected, which would definitely scare your potential customers.
The goal isn’t just to restore your site — it’s to recover safely without carrying the infection forward.
This step-by-step guide will help you bring your site back online securely.
Step 1: Stay Calm
We know you’re busy and have a lot on your plate. It’s going to be fine.
Some bad people prefer the easy way to make money or gain rankings instead of doing valuable work — and that often means hacking or exploiting sites like yours. It sucks, but this shall pass too.
If you follow the right steps, you’ll get through this, and you’ll come out of it a smarter and stronger WordPress site owner.
Step 2: Export and Save Your Content
Before blocking access to the site, secure your data.
The most reliable way is through your hosting control panel (cPanel, Plesk, or similar):
- Export a copy of your database
- Compress and download the entire site directory (usually public_html, www or httpsdocs)
If you can’t use the control panel:
- Use a backup plugin such as UpdraftPlus or All-in-One WP Migration
- Or use WordPress’s Tools > Export option to at least save your posts and pages
If you haven’t done this before, it’s worth hiring a reputable WordPress professional. We can help as well. Just drop us a quick email.
Backing up incorrectly can either lose content or copy malware into your new install, so make sure you use 2-3 different ways to back up your WordPress site.
Important: If you have multiple sites in the same hosting account, assume they may also be infected. Export and review each one individually.
Step 3: Block Access to the Hacked Site
Once your data is backed up, lock down the site so no more processes run. This prevents both attackers and automated WordPress tasks from executing.
Two layers of protection:
- Block all external access with .htaccess
Add this as the very first line of .htaccess:
deny from all
This blocks all requests from the outside. On Apache 2.4 the native form of the same rule is Require all denied; deny from all only keeps working there when the host loads mod_access_compat, so if the site still answers after this change, check which Apache version you are on.
- Stop WordPress from running internally with wp-config.php
Open wp-config.php and right after <?php add:
if (php_sapi_name() !== 'cli' && !(defined('WP_CLI') && WP_CLI)) {
    // Any request arriving through the web server: answer 503 and stop before WordPress loads
    header("HTTP/1.1 503 Service Temporarily Unavailable");
    header("Retry-After: 3600");
    die("Down for maintenance, please check back in an hour.");
}
This way:
- Web requests get a proper 503 + Retry-After response, so search engines know the site is down for maintenance rather than gone.
- CLI sessions (WP-CLI, PHP CLI) bypass the shutdown so you or hosting support reps can still run WP-CLI commands safely.
Why both?
- .htaccess stops incoming traffic, but background tasks like wp-cron might still trigger.
- die() ensures WordPress itself halts execution immediately, even if something slips past.
Together, these measures fully freeze your hacked site until you’re ready to rebuild.
Step 4: Rebuild From a Clean Install
Do not reinstall WordPress inside the same infected hosting account right away. If the hosting account still has backdoors, your clean install could be hacked again almost instantly.
You may also be tempted to rebuild on your own computer, but we don’t recommend this. If any malicious files are copied over, you risk spreading the infection to your local system and causing even more damage.
Instead, rebuild in a safe environment, such as:
- A separate hosting account, or
- A staging WordPress site provider like qSandbox.com or WPSandbox.net
From there:
- Install a fresh copy of WordPress from wordpress.org
- Reinstall your theme and plugins only from their original sources: wordpress.org plugin directory, the developer’s official website, or verified marketplaces such as ThemeForest or Elegant Themes
- Do not reuse plugin or theme folders from the hacked site. Get them from the source!
- Import your posts and pages into the clean install
- Manually review your content for hidden spam links or strange code. Redirects to porn, pharma, or casino sites are a common hack tactic — make sure no suspicious scripts or links remain
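One way to make that content review systematic, added here as an example and not code from the original guide: the script below walks one post's HTML (for instance post_content pulled from your exported database or WXR file) and flags links sitting inside hidden or off-screen wrappers, inline script that redirects or looks obfuscated, spam vocabulary, and iframes or scripts loaded from a host other than your own. The site host, the word list and the sample post are assumptions made for the demo.

```python
import re
from html.parser import HTMLParser

# Markers typical of injected post content: hidden/off-screen wrappers holding spam links,
# redirecting or obfuscated inline script, third-party iframes (tune the word list to your niche).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
BAD_SCRIPT = re.compile(r"location(\.href)?\s*=|location\.replace\s*\(|eval\s*\(|atob\s*\(|fromCharCode", re.I)
SPAM_WORDS = re.compile(r"\b(viagra|cialis|casino|payday loan)\b", re.I)

class ContentAuditor(HTMLParser):
    """Walk one post's HTML and collect (kind, detail) findings."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []
        self._stack = []  # open elements as (tag, is_hidden) so links inside hidden wrappers are caught

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", ""))) or "hidden" in a
        if tag == "a" and (hidden or any(h for _, h in self._stack)):
            self.findings.append(("hidden-link", a.get("href", "")))
        if tag in ("iframe", "script") and a.get("src"):
            host = re.sub(r"^(https?:)?//", "", a["src"]).split("/")[0].lower()
            if not host.endswith(self.site_host):   # anything not served from your own host
                self.findings.append((f"external-{tag}", a["src"]))
        self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self._stack):   # pop back to the matching open tag
            while self._stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        text = data.strip()
        if self._stack and self._stack[-1][0] == "script":
            if BAD_SCRIPT.search(text):
                self.findings.append(("script-body", text[:60]))
        elif SPAM_WORDS.search(text):
            self.findings.append(("spam-keyword", text[:60]))

def audit_post(html, site_host="example.com"):
    """Return the findings for one post's HTML; an empty list means nothing was flagged."""
    parser = ContentAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample post carrying three classic injections
SAMPLE_POST = """<p>Welcome to our bakery blog.</p>
<div style="position:absolute; left:-9999px"><a href="http://pharma.example/buy">cheap viagra</a></div>
<script>window.location.href="http://casino.example/";</script>
<img src="https://example.com/cake.jpg"><iframe src="http://evil.example/x"></iframe>"""
```

Run audit_post over every exported post and review each flagged item by hand; the patterns are deliberately broad, so expect a few false positives on legitimate embeds.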
Once the new site is tested and stable, you can migrate it back to your main hosting or to a new provider.
Step 5: Secure the New Site
Before going live again, harden your WordPress installation.
- Update WordPress, themes, and plugins immediately
- Reset all user passwords and update security salts in wp-config.php
- Reset your hosting panel and FTP account passwords in case they were used to inject malware
- Enable two-factor authentication (2FA) for admin accounts
- Install a security plugin such as Wordfence or Sucuri
- Run a full scan with Wordfence (or your chosen security tool) to check for leftover malware, infected files, or suspicious code
- Restrict wp-login.php access (limit by IP if possible)
- Disable XML-RPC unless specifically needed
Layered Security
For best protection, your security should be layered. That means you don’t rely on just one tool or defense — you set up multiple shields at different levels so if one fails, the others still protect you.
In simple terms, this can include:
- DNS-level protection (for example, Cloudflare blocks bad traffic before it even reaches your server)
- Hosting firewall (many good hosts automatically filter suspicious traffic)
- Server firewall (prevents unauthorized access at the server level)
- Web application firewall (Wordfence, Sucuri, or similar inside WordPress itself)
Think of it like having a lock on your front door, a security system inside the house, and a guard at the gate. Each one adds an extra layer of defense.
Keep Everything Updated and Backed Up
Most hacks come from outdated software. Make it a habit to:
- Keep WordPress core, themes, and plugins always updated
- Remove plugins and themes you no longer use
- Set up regular automated backups stored with an external provider such as Google Drive, Dropbox, or Amazon S3
This way, even if something goes wrong, you can roll back to a clean version quickly.
Step 6: Hosting and Security Responsibility
Unless you’re on a misconfigured server where sites aren’t isolated, your host is rarely the direct cause of hacks. The real sources are usually:
- Outdated or abandoned plugins/themes
- Plugins or themes from unverified sources
- Weak passwords or exposed admin accounts
That said, a good host can make recovery easier with daily backups, staging environments, and responsive support.
Step 7: Relaunch and Monitor
Once your site is clean and secured:
- Point your domain to the new install
- Set up daily or weekly offsite backups with at least 30 days of retention. See Hetzner Storage Box for one option.
- Regularly check for suspicious accounts or file changes
- Keep everything updated consistently
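A lightweight way to notice file changes between checks, added here as an example and not part of the original guide: hash every file under the site root into a manifest, keep that manifest outside the web root, and diff a fresh manifest against it on each check. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SKIP_DIRS = {"wp-content/cache"}   # volatile paths that would only add noise to the diff

def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not any(rel.startswith(s + "/") for s in SKIP_DIRS):
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return added / removed / modified relative paths, each list sorted."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
    }

def flag_suspicious(diff):
    """Changes worth a manual look: PHP appearing under uploads, or any core file
    changing when you did not just update (re-baseline right after each update)."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if (p.startswith("wp-content/uploads/") and p.endswith(".php"))
                  or p.startswith(("wp-admin/", "wp-includes/")))

def _write(root, rel, content):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)

def demo():
    """Constructed walk-through: baseline a tiny fake site, change it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // clean\n")
        _write(root, "wp-includes/version.php", "<?php $wp_version = 'x';\n")
        _write(root, "wp-content/uploads/2024/cake.jpg", "jpeg-bytes")
        baseline = build_manifest(root)
        # Simulate what a later check might find: a core file edited, PHP dropped into uploads
        _write(root, "wp-includes/version.php", "<?php $wp_version = 'x'; // tampered\n")
        _write(root, "wp-content/uploads/2024/x.php", "<?php\n")
        return diff_manifests(baseline, build_manifest(root))
```

On a real site, persist the manifest with json.dump between runs and take a fresh baseline right after every core, theme or plugin update so legitimate changes do not pile up in the diff.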
Final Thoughts
Recovering from a hack can feel like a disaster, but it doesn’t have to be the end of your site. By staying calm, exporting your data, blocking the compromised site, rebuilding in a safe environment, and tightening security, you can bring your site back stronger than before.
If this feels overwhelming, don’t go through it alone. Contact us and we’ll do our best to clean up your site from the infection and help you secure it for the future.