You’ve received a message from a client saying they can’t access your website. You calmly check it out and see that you can navigate to your website, but it’s sending you off to a different, strange URL. Then you click back to your site and some weird content is on the pages. Content you didn’t put there.

Hmmm…this does not look good. Unfortunately, you may have been hacked. But don’t worry, I’m going to explain some simple steps you can take to get the situation under control and lower your stress levels. Let’s go.


Steps to follow if your WordPress website has been hacked


1.   Don’t panic. If you have a backup, it’ll be fine (and if you don’t have a backup, read this post. Please.)


2.   If you can log onto the website, check your Admin Users by navigating to Users in the left-hand menu

a. If there are any you didn’t add, delete them

b. For any that are legit, change their passwords



3.   The next step will depend on your webhost. If you have a host like Flywheel or WP Engine, jump on their live chat. I doubt you would get hacked with these hosts, so this comment is probably irrelevant – but you get my point.

a. If you are not with one of these companies, then continue.


4.   Install the Wordfence plugin. Activate it and navigate to the Scan section – you will find the plugin on the left-hand menu, and “Scan” under this. Hit the “Start new scan” button and wait for the results.

a. At the bottom of the page the results will load – if you notice any items that say “file changes” or “malicious content” then you have been hacked and this needs to be removed.


5.   The file changes and malicious content need to be cleaned up for the site to be secure again. At this point if you’re unsure you can contact your webhost and ask if they can assist – in some cases they may, in some they won’t. You can attempt to clean up the files yourself but just be very careful. Deleting the wrong file will completely bring the site down.


6.   Once it’s cleaned up, re-run the scan to make sure it’s all clear.


7.   If you have Google Search Console connected – check the console to make sure Google hasn’t flagged you as having malware (although if they have, you should’ve received an email by this point). If there is a warning about malware, you can submit your site for review.


8.   Pat yourself on the back as you’ve survived being hacked. Now, go make a cuppa and sign up to my email list below to access my guide to maintaining your WordPress website, so you never have to go through this again!

Hey, I’m Kristy

Kristy Morton is a mother, multiple business owner and numbers gal. She runs a web development consultancy, specialising in WordPress websites. Kristy combines her excellent technical knowledge with her ability to translate this into ways that are understandable to the average person, so her clients feel informed and in control of how their websites are developed and managed. She is also the Co-Founder of B Directory where the team is supercharging small business growth.

Despite seeming like an overachiever, Kristy admits to always be chasing the sun, a simple life and one more homemade chocolate.