Skip to content
All writing
Web Dev Jun 10, 2026 · 6 min read

WordPress site hacked? Here's what to do before you hire anyone

Your WordPress site is showing pharma ads, redirecting to spam, or flagged by Google. Before you panic-hire a freelancer on Fiverr, here's what to check, what to protect, and how to find someone who can actually fix it.

SK

Shezad Ali Khan

CMO · Trainer · Mumbai

You open your site and instead of your homepage, there’s a pharma redirect. Or your Google listing says “This site may be hacked.” Or a customer forwards you a screenshot of your checkout page injecting casino links.

Your stomach drops. You Google “WordPress malware removal” and find 400 freelancers who’ll “clean your site in 24 hours” for ₹3,000.

Stop. Before you hire anyone, do these things first.

Laptop showing a cybersecurity warning screen The moment you realise your WordPress site has been compromised is never convenient. What you do in the next hour matters more than the next month.

First 30 minutes: contain the damage

1. Do NOT delete anything

Your first instinct will be to delete suspicious files or reinstall WordPress. Don’t. You’ll destroy the evidence that a competent security person needs to find the entry point. Deleting files without understanding how the attacker got in guarantees reinfection.

2. Take a full backup — right now

Even though the site is compromised, back up everything:

  • Full database export (via phpMyAdmin or WP-CLI)
  • Complete wp-content folder (themes, plugins, uploads)
  • Root directory files (.htaccess, wp-config.php)

This backup is your forensic evidence. Label it “compromised-backup-[date]” and store it somewhere that isn’t your server.

3. Change your passwords — all of them

Not just WordPress admin. Change:

  • WordPress admin and all user passwords
  • FTP/SFTP credentials
  • Database password (update wp-config.php to match)
  • Hosting panel (cPanel/Plesk) password
  • Any API keys stored in the site

If you reuse passwords across services (you shouldn’t, but most people do), change those too.

4. Check for unknown admin users

Go to Users → All Users in WordPress admin. Sort by role. If you see administrator accounts you don’t recognise, that’s your attacker’s backdoor. Don’t delete them yet — screenshot them first, then remove them.

If you can’t access wp-admin at all, check the database directly:

SELECT * FROM wp_users WHERE ID IN (
  SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%'
);

A security padlock icon on a screen — representing the need to lock down access immediately Lock everything down before you start cleaning. A clean site with the same credentials gets reinfected overnight.

What’s actually happening to your site

Most WordPress hacks fall into a few patterns. Knowing which one you’re dealing with tells you where to look.

Pharma hack

Your site looks normal to you, but Google sees thousands of spam pages (Viagra, Cialis, casino links) injected into your sitemap or database. Check by searching site:yourdomain.com in Google — if you see pages you didn’t create, this is it.

Entry point: Usually a nulled (pirated) theme or plugin with an eval() backdoor.

Redirect hack

Visitors get redirected to spam sites, but only sometimes — the malware checks if the visitor came from Google, if they’re on mobile, or if it’s a first visit. This makes it hard to reproduce.

Entry point: Injected JavaScript in your theme’s header.php or footer.php, or a modified .htaccess file.

Backdoor infection

No visible symptoms, but the attacker has persistent access. They might be using your server for sending spam email, hosting phishing pages, or cryptomining.

Entry point: A PHP file disguised as a legitimate plugin file, often in wp-content/uploads/ (where PHP files should never be).

SEO spam injection

Your content is modified to include hidden links to other sites. You won’t see it visually, but “View Source” shows dozens of links in tiny white text pointing to gambling or loan sites.

Entry point: Compromised database — the malware lives in post content or widget areas, not in files.

The five things a competent WordPress security person does

When you hire someone to clean a hacked site, this is the standard of work you should expect. If they skip any of these steps, they’re not solving the problem — they’re painting over it.

Step 1: Forensic scan

Check file modification dates, compare core files against WordPress checksums, scan for known malware signatures, review access logs for the initial compromise timeline.

Step 2: Identify the entry point

The most important step that most cheap cleanups skip entirely. How did the attacker get in? Nulled plugin? Weak password? Outdated PHP? Vulnerable plugin with a known CVE? If you don’t find this, you’ll be hacked again.

Step 3: Manual cleanup

Not just running Wordfence or Sucuri scanner. Manually reviewing suspicious files, checking the database for injected content, removing backdoor files, cleaning modified core files.

Step 4: Hardening

After cleanup:

  • Update all plugins, themes, and WordPress core
  • Remove unused themes and plugins entirely
  • Block PHP execution in /uploads/ directory
  • Set correct file permissions (644 for files, 755 for directories)
  • Add security headers
  • Implement rate limiting on wp-login.php

Step 5: Monitoring

Verify the site stays clean for 14–30 days. Set up file integrity monitoring. Register with Google Search Console and request a security review if the site was flagged.

How to tell if the freelancer you’re talking to is any good

Ask these questions. The answers tell you everything.

“What’s the first thing you do when you access a hacked WordPress site?”

  • Good answer: “I check file modification dates, review access logs, and take a forensic backup before touching anything.”
  • Bad answer: “I run a Wordfence scan.”

“How do you find the entry point?”

  • Good answer: “I compare file checksums, look for recently modified files outside of core updates, check for eval/base64 encoded strings, and review user accounts and login logs.”
  • Bad answer: “I reinstall WordPress and delete the bad files.”

“What do you do after the cleanup?”

  • Good answer: “Harden file permissions, block PHP in uploads, update everything, set up monitoring, and verify for 2-4 weeks.”
  • Bad answer: “Install a security plugin.”

“Do you guarantee against reinfection?”

  • Good answer: “I guarantee my cleanup work. Reinfection depends on whether you maintain updates and don’t reinstall the vulnerable component. I’ll document what caused the breach.”
  • Bad answer: “Yes, 100% guarantee forever.” (This is impossible — they’re selling certainty they can’t deliver.)

The real cost math

Here’s what I see play out repeatedly:

ApproachCostOutcome
Fiverr freelancer, ₹3,000₹3,000 × 3 attempts = ₹9,000Keeps getting reinfected because entry point was never found
Security plugin (DIY)₹8,000/yearCatches known signatures, misses custom backdoors
Competent specialist, one-time₹25,000–60,000Forensic cleanup, entry point identified, hardened, monitored
Agency retainer₹1.5–3 lakh/yearOverkill for a one-time incident, right for ongoing maintenance

The ₹3,000 “quick fix” that gets attempted three times before someone finally hires a specialist costs more — in money, in downtime, in lost Google trust, and in customer confidence.

If you’re in Mumbai and this is happening to you right now

I’ve cleaned and recovered enough hacked WordPress sites to know the panic you’re feeling. Here’s how I work:

  1. Diagnostic first — I assess the damage, identify the infection type and entry point before quoting cleanup
  2. Manual remediation — no scanner-only approach; I go through the files and database
  3. Hardening and handoff — you get a documented checklist of what was wrong, what was fixed, and what to maintain
  4. 14-day monitoring — I verify the site stays clean post-cleanup

The diagnostic takes 2–4 hours. Cleanup takes 4–12 hours depending on severity. You get a written report either way.

Don’t panic-hire at midnight. Take the backup, change your passwords, and reach out in the morning with a clear head. The site will still be there tomorrow — and so will I.

#wordpress #security #malware #hacked-website #freelancer