
What to Do If Your WordPress Site Gets Hacked


Hacking. We all dread it and do what we can to prevent it, but occasionally even a highly secure website can be struck down thanks to a new or undiscovered vulnerability. As well as keeping your security up to date, having a disaster recovery plan is also extremely important so you can get things back up and running as soon as possible if your website ever does get hacked.

Luckily, hacked websites are becoming rarer thanks to improved security features but it’s always better to have a plan than to be caught out if the worst does happen. To help you get back on track in case of a hack, here are our top tips to add to your disaster recovery process:

Change All Passwords

First things first: stay calm and change every password that’s connected to your website login. That goes for your hosting provider, your maintenance agency and any other services that use the same password. For advice on how to select a secure password, we shared a few tips to help you set strong passwords earlier this year.

Contact a Professional

Next up, get in touch with your website professional. Whether it’s your hosting provider, WordPress agency or on-site support, let them assess the damage and advise you of the next steps. Your hosting provider will likely have an established disaster recovery process so they may even be able to handle the recovery for you.

Limit Login Abilities

A five-minute job, but one that could make a big difference if you suspect the attack may have come from a user known to you. Log into your dashboard and restrict all logins aside from those accounts that have to have access. It’s also worth limiting login attempts and locking out users who fail to enter the correct login information. It never hurts to be cautious while you’re trying to get to the bottom of what happened.

Update All Plugins and Uninstall Anything Unused

Running out-of-date plugins is a deceptively simple way to leave yourself open to a harmful attack, so it’s imperative that you make sure all plugins are fully up to date – better late than never! Now’s also a great time to uninstall any plugins that your website isn’t actively using.

Find the Source

Now you’ve contacted a professional and made some important security changes at your end to limit further attacks, it’s time to pinpoint the source. Your WordPress professional should already be on the case but it’s worth taking the time to take stock of the hack from your end. Did you discover any notable security weaknesses while updating your plugins? Have any illegitimate links been posted on your site or is it redirecting to another site? Have you been noticing an influx of failed login attempts? If so, these may help lead you to the source of the hack.
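One way to check your server's access log for the influx of failed login attempts mentioned above (an added example, not part of the original post). It assumes a combined-format access log and that WordPress answers a failed `wp-login.php` POST with status 200 and a successful one with a 302 redirect; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip, identity, user, [time], "METHOD path proto", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize_logins(log_text, threshold=5):
    """Return per-IP login stats for IPs with at least `threshold` failed logins."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        s = stats[m["ip"]]
        if m["status"] == "200":      # assumption: login form shown again = failed attempt
            s["failed"] += 1
        elif m["status"] == "302":    # assumption: redirect to the dashboard = successful login
            s["succeeded"] += 1
            # A success after many failures suggests a guessed password:
            # treat that account as compromised and reset it first.
            if s["failed"] >= threshold:
                s["success_after_failures"] = True
    return {ip: dict(s) for ip, s in stats.items() if s["failed"] >= threshold}

# Constructed sample data (documentation IP ranges), not real traffic.
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [12/Mar/2024:02:14:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-agent"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [_line("203.0.113.7", 6, "POST", "/wp-login.php", 302),
       _line("198.51.100.20", 7, "POST", "/wp-login.php", 200),   # one typo, then success
       _line("198.51.100.20", 8, "POST", "/wp-login.php", 302),
       _line("192.0.2.44", 9, "GET", "/wp-login.php", 200)]       # viewing the form is not an attempt
)

if __name__ == "__main__":
    for ip, s in summarize_logins(SAMPLE_LOG).items():
        print(ip, s)
```

If a security plugin on your site returns a different status for blocked or failed logins, adjust the two status checks to match what your own log shows.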

Restore Your Site

To get things back up and running as quickly as possible, now’s the point when you’ll want to restore your site from the most recent backup.

Boost Security

You’ve done what you can to limit the damage and disruption from this attack, so now it’s time to look to the future. Take some time to think about what you can do to make your site more secure: maybe you can add a security package to your hosting services, or you might want to set up additional monitoring and backups, particularly if you were caught short this time around.


We hope the information above helps you out if you’re ever in the position of needing to restore your site and boost security in the wake of a website hack. The most important thing is to stay calm, secure your data and contact a professional as soon as possible. If you think we’ve missed any tips, please don’t hesitate to let us know and we’ll be sure to add them to the list.