WordPress incident response

My website was hacked - what should I do in the first 30 minutes?

My website was hacked - what should I do in the first 30 minutes?

If your website was hacked, the first 30 minutes are not about solving everything perfectly. They are about limiting damage, preserving evidence, stopping further access and deciding whether the incident can be handled safely in-house.

Panic-driven cleanup often makes the situation worse. If you delete files blindly, you may lose the clues that reveal how the attacker got in. If you restore a backup without closing the entry point, the infection can return.

If you want a reliable cleanup, WebShield can perform a fast SOS recovery: inspect the site, remove malicious code, identify persistence and set up protection. For a business-critical website, this is often cheaper than guessing for hours while leads, orders or ads are affected.

Minutes 0-5: identify what is happening

Collect concrete symptoms:

Do not just write "hacked". Save screenshots, URLs, timestamps and warning messages. These details help determine whether the issue is SEO spam, redirect malware, account compromise or a server-side backdoor.

Minutes 5-10: preserve evidence

Before deleting or updating anything, try to save:

This is not because you want to restore the infected state. It is because the entry point and persistence are often visible only in logs, timestamps and database records.

Minutes 10-15: reduce further damage

If the site actively redirects visitors or serves harmful content, use maintenance mode or temporary restrictions. For a webshop, the decision is more nuanced: downtime hurts, but compromised payment or customer data handling can be worse.

Immediate actions:

If redirects are the visible symptom, review our guide to WordPress redirect malware.

Minutes 15-20: rotate critical access

Changing the WordPress admin password matters, but it is not enough. Attackers often use hosting, SFTP, database or API access.

Rotate:

Regenerate WordPress salts so old login cookies become invalid.

Minutes 20-30: decide who cleans it

If you do not handle WordPress incidents regularly, do not learn on a live compromised website. Behind a simple-looking infection there may be a backdoor, fake plugin, cron job, hidden admin account or database-injected code.

Call an expert if:

WebShield SOS cleanup is not just a scanner run. We inspect files, database records, administrators, cron events, HTTP requests and logs. If you need a clean and working site quickly, use the SOS recovery option.

What not to do in the first 30 minutes

Do not delete logs. Do not restore a backup blindly. Do not assume a green scanner result closes the case. Do not keep old credentials. Do not restart paid traffic until you test the site from different devices, networks and referrers.

If Wordfence or another scanner says the site is clean but symptoms remain, read why a site can look clean while malware is still present.

Conclusion

In the first 30 minutes, focus on limiting damage, preserving evidence and restricting access. Complete cleanup is more than deleting suspicious files: you must find the entry point and persistence. If you want certainty, WebShield can clean the site quickly and set up protection that reduces the chance of reinfection.

Want to avoid the next WordPress infection?

WebShield helps with continuous protection, backups and logging so reinfections are easier to prevent.