WordPress powers more Perth business websites than any other platform. From Subiaco cafes to Osborne Park trade suppliers, from Cottesloe boutique hotels to Balcatta logistics companies — WordPress is the default choice for WA small businesses. That ubiquity also makes it the number one target for attackers.
When your WordPress site gets hacked, the impact is immediate. Customers see a Google warning and leave. Your phone stops ringing. Your competitors climb the local search rankings while yours collapse. For Perth businesses that depend on "near me" searches and Google Maps visibility, a hacked site is not just a technical problem — it is a revenue emergency.
This guide documents our complete WordPress recovery process, adapted for the specific needs and compliance requirements of Western Australian businesses.
How Perth WordPress Sites Get Compromised
Understanding the entry point is critical — if you repair the damage without closing the door, the attacker walks right back in.
Vulnerable Plugins (Most Common)
WordPress plugins are the primary attack vector. A Perth business running WooCommerce with 20 plugins has 20 potential entry points. When a vulnerability is disclosed in a popular plugin, automated bots begin scanning the entire internet within hours. If your site has not updated, the bot finds you — regardless of whether you are in Perth, Mandurah, or Bunbury.
Most exploited plugins in 2025–2026:
- Elementor and Elementor Pro — multiple critical vulnerabilities allowing unauthenticated uploads — see our analysis of supply chain attacks on WordPress
- WPForms — SQL injection vulnerabilities in older versions
- Contact Form 7 — file upload vulnerabilities in specific configurations
- WooCommerce — payment data exposure through API vulnerabilities
- All-in-One WP Migration — arbitrary file upload in older versions
Weak Credentials
We regularly see Perth business owners using passwords like Company2024! or admin123. Combined with the default admin username, brute force attacks succeed in minutes.
Compromised Hosting Environment
Budget shared hosting places your site alongside hundreds of others on the same server. If one site is compromised, attackers can often pivot to neighbouring accounts. This is particularly common with cheap hosting plans marketed to Perth small businesses.
Nulled Themes and Plugins
Pirated "premium" themes downloaded from unofficial sources frequently contain pre-installed backdoors. We see this pattern with Perth freelancers and small agencies trying to minimise costs on client projects.
Emergency Response: The First Hour
When you discover the hack, every action in the first 60 minutes matters:
Immediate Containment
```bash
# 1. Enable maintenance mode immediately
wp maintenance-mode activate
# Or manually:
echo '<?php $upgrading = time(); ?>' > /var/www/html/.maintenance

# 2. Backup the current state (infected, kept as forensic evidence)
mkdir -p ~/evidence && chmod 700 ~/evidence
tar -czf ~/evidence/site-$(date +%Y%m%d-%H%M).tar.gz /var/www/html/
mysqldump --single-transaction -u dbuser -p dbname > ~/evidence/db-$(date +%Y%m%d-%H%M).sql

# 3. Preserve access logs (named per server so the nginx copy does not overwrite the Apache one)
cp /var/log/apache2/access.log ~/evidence/apache-access.log 2>/dev/null
cp /var/log/apache2/error.log ~/evidence/apache-error.log 2>/dev/null
cp /var/log/nginx/access.log ~/evidence/nginx-access.log 2>/dev/null

# 4. Lock down access
# Change: WordPress admin password, database password, FTP password,
# cPanel/Plesk password, email account passwords
```
Critical Mistakes to Avoid
- Do not "just restore the backup" — the backup likely contains the same vulnerability that was exploited. Restoring without patching means reinfection within hours
- Do not delete everything — you destroy forensic evidence needed to understand the attack and meet NDB obligations
- Do not panic-buy a new domain — your existing domain can be fully recovered, and starting fresh means losing all your SEO authority
Forensic Analysis
Before removing a single file, we map the full extent of the compromise:
File System Forensics
```bash
# Files modified in the last 14 days (adjust based on when you think the hack started)
find /var/www/html -type f -name "*.php" -mtime -14 -printf "%T+ %p\n" | sort -r | head -50

# PHP files in the uploads directory (almost always malicious)
find /var/www/html/wp-content/uploads -type f -name "*.php" -ls

# Files with suspicious permissions
find /var/www/html -type f -perm -o+w -ls

# Hidden files and directories (excluding legitimate ones)
find /var/www/html -name ".*" -not -name ".htaccess" -not -name ".well-known" -not -name ".git" -ls

# Common backdoor signatures
grep -rl --include="*.php" "eval(base64_decode\|gzinflate(base64\|str_rot13\|assert(\$_" /var/www/html | head -30

# Check for web shells by file size (backdoors are usually small)
find /var/www/html -name "*.php" -size -2k -newer /var/www/html/wp-includes/version.php -ls
```
Database Forensics
```sql
-- Rogue administrator accounts
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- Injected content in posts and pages
SELECT ID, post_title, post_type, post_modified
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%eval(%'
   OR post_content LIKE '%document.write%'
ORDER BY post_modified DESC
LIMIT 20;

-- Modified site URL (attackers sometimes change this)
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'active_plugins');

-- Injected WP Cron jobs (persistence mechanism)
SELECT option_value FROM wp_options WHERE option_name = 'cron';
```
Access Log Analysis
```bash
# Find the most active IPs hitting admin endpoints
grep -E "wp-login|wp-admin|xmlrpc" /var/log/apache2/access.log | \
  awk '{print $1}' | sort | uniq -c | sort -rn | head -20

# POST requests to unusual PHP files (backdoor communication)
grep "POST" /var/log/apache2/access.log | \
  grep -v "wp-login\|wp-admin\|wp-cron\|admin-ajax\|wc-ajax" | \
  tail -50

# Requests to the uploads directory containing PHP
grep "/uploads/.*\.php" /var/log/apache2/access.log | tail -20
```
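The greps above match the string POST anywhere in a log line, including query strings and referrers. As an added example (not part of the original guide), this awk filter checks the request method field itself and groups hits by status, client IP and path. The function names and sample log lines are constructed for illustration, and the Apache/nginx combined log format is assumed.

```shell
#!/usr/bin/env bash
# Added example: method-aware triage of a combined-format access log.

# Print "count status client_ip path" for POSTs to .php files that are not
# standard WordPress endpoints, most frequent first.
suspicious_posts() {
  awk '
    {
      method = $6; sub(/^"/, "", method)      # field 6 carries a leading double quote
      split($7, parts, "?"); path = parts[1]  # drop the query string
      if (method != "POST" || path !~ /\.php$/) next
      # Expected POST targets (wp-admin/ also covers admin-ajax.php)
      if (path ~ /\/(wp-login|wp-cron)\.php$/ || path ~ /\/wp-admin\//) next
      hits[$9 " " $1 " " path]++              # field 9 = status, field 1 = client IP
    }
    END { for (k in hits) print hits[k], k }
  ' "$1" | sort -rn
}

# Constructed sample log lines (documentation IP ranges), not real traffic.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [12/Mar/2026:03:14:07 +0800] "POST /wp-content/uploads/2026/03/cache.php HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [12/Mar/2026:03:14:09 +0800] "POST /wp-content/uploads/2026/03/cache.php?a=1 HTTP/1.1" 200 498 "-" "curl/8.5"
198.51.100.23 - - [12/Mar/2026:03:15:01 +0800] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:03:15:04 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:03:16:30 +0800] "GET /contact/ HTTP/1.1" 200 8120 "https://example.com/?s=POST" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:17:12 +0800] "POST /wp-includes/css/style.php?x=1 HTTP/1.1" 404 196 "-" "curl/8.5"
192.0.2.10 - - [12/Mar/2026:03:18:45 +0800] "POST /?wc-ajax=get_refreshed_fragments HTTP/1.1" 200 310 "-" "Mozilla/5.0"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
suspicious_posts "$sample"
```

A 200 response to a POST under `uploads/` is the line to chase first; a 404 on an odd PHP path usually means a scanner probing for a shell that is not there.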
Complete File Restoration
Our restoration process ensures nothing malicious survives:
WordPress Core
- Identify your exact WordPress version from wp-includes/version.php
- Download the matching release from wordpress.org/download/releases/
- Completely replace the wp-admin/ and wp-includes/ directories
- Replace root-level PHP files: index.php, wp-login.php, wp-settings.php, wp-cron.php, xmlrpc.php
- Manually verify wp-config.php: restore to a clean version with your database credentials and fresh security salts
Plugins
- Document every installed plugin and its version number
- Delete the entire wp-content/plugins/ directory
- Download fresh copies of each needed plugin from WordPress.org or the vendor
- Do not reinstall plugins you do not actively use — every plugin is attack surface
Themes
- Delete all themes except your active theme and one default theme (Twenty Twenty-Four)
- If your active theme is from WordPress.org, download a fresh copy
- If it is a custom theme, compare every file against your last known-good version (check Git history or your developer's backup)
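One way to run the custom-theme comparison against a known-good copy, as an added example rather than part of the original guide: hash the clean copy, verify the live theme against it, and separately list files that exist only in the live directory, since `sha256sum -c` never reports extra files. The function names and demo directories are hypothetical, and GNU coreutils is assumed.

```shell
#!/usr/bin/env bash
# Added example: compare a live theme directory with a known-good copy.

# Prints one finding per line: "MODIFIED path", "MISSING path" or "ADDED path".
# The body runs in a subshell so the locale change and cd calls do not leak out.
compare_to_known_good() (
  export LC_ALL=C                        # stable sort order, untranslated "FAILED"
  good=$1 live=$2
  manifest=$(mktemp) live_list=$(mktemp)
  # Hash every file of the known-good copy, paths relative to its root.
  (cd "$good" && find . -type f -exec sha256sum {} +) > "$manifest"
  (cd "$live" && find . -type f | sort) > "$live_list"
  # Changed and deleted files: verify the live tree against the manifest.
  (cd "$live" && sha256sum -c --quiet "$manifest" 2>/dev/null) |
    sed -n -e 's/^\(.*\): FAILED$/MODIFIED \1/p' \
           -e 's/^\(.*\): FAILED open or read$/MISSING \1/p'
  # Extra files (where dropped backdoors show up): in the live tree, not in the manifest.
  sed 's/^[0-9a-f]*  //' "$manifest" | sort | comm -13 - "$live_list" | sed 's/^/ADDED /'
  rm -f "$manifest" "$live_list"
)

# Constructed demo: a tiny theme with one altered, one dropped and one deleted file.
make_demo() {
  mkdir -p "$1/good/inc" "$1/live/inc"
  printf '<?php // theme setup\n' > "$1/good/functions.php"
  printf 'body{margin:0}\n'       > "$1/good/style.css"
  printf '<?php // helpers\n'     > "$1/good/inc/helpers.php"
  cp -R "$1/good/." "$1/live/"
  printf '<?php // injected line (placeholder)\n' >> "$1/live/functions.php"
  printf '<?php // dropped file (placeholder)\n'  > "$1/live/inc/.cache.php"
  rm "$1/live/inc/helpers.php"
}

demo=$(mktemp -d)
make_demo "$demo"
compare_to_known_good "$demo/good" "$demo/live"
```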
Upload Directory
```bash
# Remove all executable files from uploads (they should never be there)
find /var/www/html/wp-content/uploads -type f \
  \( -name "*.php" -o -name "*.phtml" -o -name "*.php5" -o -name "*.phar" -o -name "*.sh" \) -delete

# Block PHP execution in uploads permanently (Apache only; nginx ignores .htaccess)
cat > /var/www/html/wp-content/uploads/.htaccess << 'EOF'
<FilesMatch "\.(?:php|phtml|php5|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>
EOF
```
Hardening for Perth WordPress Sites
After cleanup, implement these security measures:
Server Configuration
```php
// wp-config.php additions
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', false); // Set to true if you update via CLI only
define('FORCE_SSL_ADMIN', true);
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_POST_REVISIONS', 5);
```
Recommended Security Stack for WA Businesses
- WO Security Shield — continuous file integrity monitoring with checksum verification against WordPress.org, instant email and dashboard alerts
- Cloudflare (Free/Pro) — Perth has a Cloudflare edge node, so your visitors get fast page loads plus WAF protection and DDoS mitigation
- Two-Factor Authentication — use a plugin or enforce via your hosting panel
- UpdraftPlus or similar — automated daily backups to S3 ap-southeast-2 (Sydney) for minimal latency from Perth
Ongoing Maintenance Schedule
| Frequency | Task |
|---|---|
| Daily | Automated file integrity scan (WO Security Shield handles this) |
| Weekly | Review security alerts, check for pending updates |
| Fortnightly | Apply plugin and theme updates |
| Monthly | Review user accounts, check access logs for anomalies |
| Quarterly | Full security audit — remove unused plugins, test backup restoration |
Notifiable Data Breaches: What Perth Businesses Must Know
If your hacked WordPress site handled personal information of Australian residents, you have obligations under the Notifiable Data Breaches (NDB) scheme:
Assessment Obligation
Once you become aware of a breach (or suspected breach), you have 30 days to assess whether it is likely to result in serious harm.
When You Must Notify
- Unauthorised access to personal information occurred, AND
- A reasonable person would consider serious harm is likely (financial, emotional, physical, reputational)
- This includes names + email addresses if combined with financial data, health information, or government identifiers
Who to Notify
- Office of the Australian Information Commissioner (OAIC) — via the online NDB form
- Affected individuals — directly if possible, or via public statement if direct notification is not practicable
Penalties
- Civil penalties up to $50 million for body corporates under the enhanced penalty framework
- Potential for OAIC-initiated investigations and enforceable undertakings
For Perth businesses operating primarily in WA, remember that the Privacy Act is federal legislation — there is no state exemption.
Recovery Timeline
| Phase | Duration | What Happens |
|---|---|---|
| Emergency containment | 30–60 minutes | Site isolated, credentials changed, evidence preserved |
| Forensic analysis | 2–4 hours | Entry point found, full infection scope mapped |
| File restoration and cleanup | 4–8 hours | All malicious code removed, clean files restored |
| Hardening and monitoring setup | 1–2 hours | Security measures deployed, ongoing scans configured |
| Google Safe Browsing review | 1–3 days | Warning removed from search results |
| Local ranking recovery | 2–6 weeks | Perth local search rankings return to pre-hack levels |
Professional Help for Perth Businesses
When your WordPress site is hacked, the clock is ticking on multiple fronts — customer trust, Google rankings, and NDB compliance obligations. WO Security Shield provides emergency WordPress repair for Perth and Western Australian businesses with response times typically under 4 hours.
We handle the forensics, the cleanup, the hardening, and the ongoing monitoring — so you can get back to running your business. Our file integrity monitoring runs continuously inside your WordPress dashboard, comparing every file against official checksums and alerting you the moment anything changes.
