Solved 33 views

My WordPress site got hacked. What do I do?

I logged into my WordPress admin today and my homepage had been changed to some random casino site. I'm panicking. I have a small business site and customers are probably seeing this. How do I fix this and make sure it doesn't happen again?

PanicMode
asked 2d ago · 10 rep

1 Answer(s)

0

Okay, deep breath. This is fixable. Do this in order:

1) Take the site offline immediately — most hosting panels have a maintenance mode toggle, or add ?maintenance_mode=1 to your URL.
2) Change ALL passwords — WordPress admin, hosting panel, FTP, database. Use strong unique passwords.
3) Scan your entire site with Wordfence or Sucuri to find the malicious files. Delete any files you didn't create, especially in wp-content/uploads and wp-includes.
4) Update WordPress core, all themes, and all plugins to the latest versions.
5) Install Wordfence if you don't have it, enable the firewall, and turn on login throttling.
6) Remove any admin users you don't recognize.
7) Check your .htaccess file for weird redirects.

Once clean, remove maintenance mode. Going forward: use two-factor authentication, limit login attempts, never use "admin" as your username, and keep everything updated. Also get daily backups — UpdraftPlus works great.

WPSecurityPro answered 2d ago
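
A read-only check for steps 3 and 7 of the answer above, as an added example that is not part of the original answer: it lists PHP files under wp-content/uploads and .htaccess redirect directives that point at absolute URLs. The function names, the sample tree and the casino.example host are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress tree; nothing is deleted.
# Function names and the sample tree are constructed for illustration.

# PHP-like files under wp-content/uploads. That directory normally holds
# media only, so any script found here needs manual review.
find_uploads_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# Redirect-style directives in any .htaccess that target an absolute URL.
# Output format: file:line:directive
find_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' -exec \
        grep -HnEi '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)[[:space:]].*https?://' {} + \
        2>/dev/null | sort
}

# Constructed sample tree so the script runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/05" "$root/wp-includes"
    : > "$root/wp-content/uploads/2024/05/logo.png"
    echo '<?php // constructed placeholder' > "$root/wp-content/uploads/2024/05/cache.php"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' \
        'RewriteRule . /index.php [L]' \
        'RewriteRule ^(.*)$ http://casino.example/$1 [R=302,L]' > "$root/.htaccess"
    echo "$root"
}

# Scan the path given as $1, or the constructed sample when none is given.
target=${1:-$(make_sample_tree)}
echo "== PHP files under uploads =="
find_uploads_php "$target"
echo "== External redirects in .htaccess =="
find_htaccess_redirects "$target"
```

Pass the WordPress document root as the first argument to scan a real install, and review each hit by hand before removing anything.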
