Hacked WordPress site: what to do
What to do immediately, how to understand what they touched, how to prevent it happening again.
A hacked WordPress site is an emergency. There's no time for long tutorials. Here you'll find what to do in the first hours, how to tell if the site is really compromised, and who to call. Then, afterwards, the details to prevent it happening again.
First thing: don't touch anything
Seems obvious but it isn't. The first reaction is to open files, modify configurations, delete suspicious plugins. Stop. Take a screenshot of the homepage, a backup of the files and database as they are now. Even if they're infected. You'll need it to understand what they changed and, if necessary, to do a clean restore. If you don't know how to do a backup, use a plugin like UpdraftPlus or download the database from phpMyAdmin. Then block access to the site with .htaccess or put it in maintenance mode until you figure out what to do.
How to tell if WordPress is really hacked
Clear signs: the homepage shows content in Chinese or Russian, links to phishing sites appear, WordPress has administrator users you didn't create, the site redirects to external domains, plugins you don't recognise are installed. Less clear signs: sudden slowness, pages loading strange content from the database, spam emails sent from your domain, Google flagging your site as compromised. If you see any of these signs, the site is compromised. There's no 'maybe'. You need to intervene.
The first 24 hours: what to do
Change all passwords. WordPress admin, database, FTP, admin account email, hosting panel. Use long, different passwords for each account. Check WordPress users: delete any you didn't create, especially those with administrator role. Check theme and plugin files: look for base64_decode, eval, file_get_contents from external URLs, strange .php files in wp-content/uploads. If you don't know what to look for, stop here and call someone who does this for a living. A mistake at this stage can make things worse.
Cleaning the site: two approaches
Approach one: restore from a clean backup. If you have a backup from before the hack, you restore that, update WordPress and plugins to the latest version, change all credentials and add more security. Approach two: manual cleanup. Go file by file, compare with original plugin versions, remove infected files, clean the database of suspicious records and hidden redirects. The first approach is faster and safer. The second is needed when there's no backup or it's old. In both cases, you need to verify the site is clean before reopening it. Google checks and if it comes back online infected, they penalise you.
How to prevent it happening again
WordPress is the most attacked CMS in the world. Not because it's insecure by design, but because it's the most widespread and there are more bots trying to exploit it. Things that actually work: never use 'admin' as password, disable XML-RPC access if you don't use it, rate limit wp-login.php, use HTTPS with forced redirect, update WordPress and plugins within a week of release, don't install plugins from unknown sources. Things that don't really help: an 'all-in-one' security plugin that isn't configured properly, a CDN if you have no other problem beyond DDoS, an application firewall if the plugins are already vulnerable. WordPress security is constant maintenance, not a product to buy.
How much does it cost to recover a hacked WordPress
It depends on how bad it is and how long it went unnoticed. A site with a few infected files, restored from a recent backup: 2-4 hours of work. A site with backdoors scattered throughout the code, compromised database, hidden redirects: 6-12 hours. A site without a backup, with hackers who modified months of content: might need rebuilding. In economic terms: from €90 to €540, if a freelancer does it at their hourly rate. From €300 to €3,000 if an agency sells you an 'emergency recovery package'. The real difference is how clean the job is, not the price.
If the article made you realize your site has the same problem, email me. Written estimate within 48 hours, €45/h fixed.