You've just discovered something is wrong. Maybe Google flagged your site, your host sent an abuse notice, or you noticed suspicious admin accounts. Whatever triggered the alarm — the next 60 minutes matter more than the next 60 hours.
Here's the exact playbook.
Minutes 0–5: Contain
Do not make random changes yet. Your first instinct might be to start deleting files, but you need to contain the incident first and preserve evidence second.
Put the site in maintenance mode immediately
```php
<?php
// Save this as a file named .maintenance in the WordPress root (next to wp-config.php).
// Core answers every request with a 503 while the file exists, but ignores it once
// $upgrading is more than 10 minutes old, so refresh the timestamp if cleanup runs long.
$upgrading = time();
```
Or use your hosting panel to throw a 503 page while you work. This prevents the attacker's malware from continuing to infect visitors while you investigate.
Do NOT restore from backup yet
If you have a solid backup strategy in place, a backup restore might feel like the obvious move. Don't do it yet. You need to understand the entry point first — if the vulnerability is still present, you'll be reinfected within hours.
Minutes 5–15: Assess
Run an emergency scan
If you have WO Security Shield installed, run a full scan immediately. It will show you:
- Every modified core file with a diff
- PHP backdoors and webshells by signature
- Suspicious files in locations where they should not exist
- Database injections
If you don't have it installed, use our standalone emergency scanner tool for immediate triage.
Identify the attack type
Different attack types have different remediation paths:
| What you see | Likely attack type |
|---|---|
| Redirect to spam sites | Redirect hack, htaccess injection |
| Fake pages in Japanese/pharma URLs | SEO spam injection |
| New admin accounts | Backdoor with persistence mechanism |
| Modified core files | Webshell or persistent backdoor |
| Suspended by host | Spam sending or DDoS relay |
Check recently modified files
```bash
# PHP files modified in the last 7 days (-mtime counts 24-hour periods)
find /path/to/wordpress -type f -name "*.php" -mtime -7
# Same window by inode change time: catches files whose mtime was backdated with touch
find /path/to/wordpress -type f -name "*.php" -ctime -7
# PHP files in uploads (there should be none)
find /path/to/wordpress/wp-content/uploads -type f -name "*.php"
```
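If you are scanning by hand rather than with a plugin, the checks above reduce to three questions: which core files no longer match their published checksum, which PHP files sit under uploads, and which files contain the constructs injected code relies on. The script below, an added example and not WO Security Shield's or WordPress's own code, answers all three over a site tree. It assumes Python 3; the `KNOWN_GOOD` manifest and the demo tree are constructed stand-ins (WordPress publishes the real per-version MD5 manifest at api.wordpress.org/core/checksums/1.0/, which a real scan would load instead).

```python
"""Emergency triage of a WordPress tree (added example, not WO Security Shield code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the core checksum manifest {relative path: md5}.
# Fetch the real one for your exact version/locale from api.wordpress.org/core/checksums/1.0/.
KNOWN_GOOD = {
    "index.php": hashlib.md5(b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n").hexdigest(),
    "wp-settings.php": hashlib.md5(b"<?php\n// core settings (constructed)\n").hexdigest(),
}

# Constructs that are rare in legitimate plugins/themes but typical of injected PHP.
SUSPICIOUS = {
    "eval-of-decoded-payload": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace-e-modifier": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
    "request-var-called-as-function": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("),
    "exec-of-request-input": re.compile(rb"\b(system|passthru|shell_exec|exec|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
}

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, manifest=KNOWN_GOOD) -> dict:
    """Return modified/missing core files, PHP under uploads, and signature hits (paths relative to root)."""
    root = Path(root)
    findings = {"modified_core": [], "missing_core": [], "php_in_uploads": [], "suspicious": []}

    for rel, expected in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            findings["missing_core"].append(rel)
        elif md5_of(p) != expected:
            findings["modified_core"].append(rel)

    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        findings["php_in_uploads"] = sorted(
            p.relative_to(root).as_posix()
            for p in uploads.rglob("*")
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
        )

    for p in sorted(root.rglob("*")):
        if not (p.is_file() and p.suffix.lower() in PHP_SUFFIXES):
            continue
        data = p.read_bytes()
        hits = [name for name, pat in SUSPICIOUS.items() if pat.search(data)]
        if hits:
            findings["suspicious"].append((p.relative_to(root).as_posix(), hits))
    return findings


def build_demo_tree() -> Path:
    """Constructed site: one clean core file, one tampered one, one PHP file dropped in uploads."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    (root / "index.php").write_bytes(b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-settings.php").write_bytes(b"<?php\n// core settings (constructed)\n// tampered line\n")
    up = root / "wp-content" / "uploads" / "2024" / "05"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    # Constructed sample whose encoded payload is just `echo 1;`, enough to trip the signature.
    (up / "cache.php").write_bytes(b'<?php eval(base64_decode("ZWNobyAxOw=="));\n')
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(scan(build_demo_tree()), indent=2))
```

Treat a signature hit as a lead, not a verdict: a few legitimate plugins use `base64_decode`, so read the file before deleting it, and keep a copy for the documentation step either way. Missing core files matter as much as modified ones, because some infections replace a file with a loader and move the original elsewhere.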
Minutes 15–30: Document
Before you change anything, document what you found:
- Screenshot the scan results
- Copy the content of any suspicious files to a local text file (for later analysis)
- Note the timestamps of modified files
- Export your database (even the compromised one — it's evidence)
This documentation helps you understand how the attack happened, which is critical for preventing reinfection.
Minutes 30–50: Remediate
Now you can act.
Reset all credentials
- Change all WordPress admin passwords
- Change your database password and update wp-config.php to match
- Change your FTP/SFTP/SSH credentials
- Revoke and regenerate all WordPress secret keys and salts via api.wordpress.org/secret-key/1.1/salt/
- Log out all current sessions: new keys and salts invalidate every existing login cookie, and WP-CLI can also destroy the stored session tokens per account (`wp user session destroy <user> --all`)
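Rotating the keys and salts is the step that actually ends the attacker's logged-in session, because every auth cookie is signed with them. This added example, not part of the original post, generates the eight values locally with Python's `secrets` module instead of fetching them from api.wordpress.org and rewrites the `define()` lines of wp-config.php in place, appending any key the file lacks. `SAMPLE_CONFIG` is a constructed stand-in for a real wp-config.php and deliberately omits `NONCE_SALT` to exercise that path.

```python
"""Rotate the eight WordPress keys/salts in wp-config.php (added example)."""
import re
import secrets
import string
from pathlib import Path

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII without quote, double quote, backslash or whitespace, so the value
# is safe inside a PHP single-quoted string without escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")

DEFINE_RE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\);")
STOP_MARKER = "/* That's all, stop editing!"   # comment WordPress ships in wp-config.php

# Constructed stand-in for a real wp-config.php; NONCE_SALT is intentionally missing.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'change-me-too' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""


def new_salt(length: int = 64) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def current_salts(config_text: str) -> dict:
    """The salt defines present in the file, {key: value}."""
    return {m["key"]: m["val"] for m in DEFINE_RE.finditer(config_text) if m["key"] in SALT_KEYS}


def rotate_salts(config_text: str):
    """Return (rewritten config text, {key: new value}). Non-salt defines are left untouched."""
    fresh = {k: new_salt() for k in SALT_KEYS}
    replaced = set()

    def repl(m):
        key = m["key"]
        if key not in fresh:
            return m.group(0)            # DB_NAME, DB_PASSWORD, ... pass through unchanged
        replaced.add(key)
        return f"define( '{key}', '{fresh[key]}' );"

    text = DEFINE_RE.sub(repl, config_text)
    missing = [k for k in SALT_KEYS if k not in replaced]
    if missing:
        block = "\n".join(f"define( '{k}', '{fresh[k]}' );" for k in missing) + "\n"
        if STOP_MARKER in text:          # keep the new defines above the marker, where WP expects config
            text = text.replace(STOP_MARKER, block + "\n" + STOP_MARKER, 1)
        else:
            text += "\n" + block
    return text, fresh


def rotate_file(path) -> dict:
    """Rewrite wp-config.php in place and return the new values."""
    p = Path(path)
    text, fresh = rotate_salts(p.read_text())
    p.write_text(text)
    return fresh


if __name__ == "__main__":
    rotated, _ = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```

Call `rotate_file('/path/to/wp-config.php')` once; your own session ends along with the attacker's, so log back in afterwards. If you want a copy of the old file for the record, put it with the rest of the evidence, not in the web root, where a `wp-config.php.bak` is often served as plain text.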
Remove malicious files and code
Use your scan results to locate and remove:
- PHP files in /uploads/
- Modified core files (replace from a fresh WordPress download)
- Injected code in functions.php, wp-config.php, index.php
- Rogue admin accounts
Update everything
Before bringing the site back online, update:
- WordPress core
- All plugins
- All themes
Delete any inactive plugins and themes entirely.
Minutes 50–60: Harden and restore
- Keep maintenance mode on a bit longer while you harden
- Install or re-configure WO Security Shield with file integrity monitoring enabled
- Set up login attempt limits and 2FA
- Disable XML-RPC if not needed
- Block the attacker's IP range at the server or WAF level
- Remove maintenance mode
- Submit a reconsideration request to Google Search Console if you were blacklisted
After the incident
- Conduct a full post-mortem: how did they get in?
- Check your other sites (if you manage multiple, an attacker who compromised one has likely tried others)
- Enable WO Security Shield's real-time file monitoring so you catch future incidents the moment they happen, not days later
For a detailed walkthrough of the full cleanup process after containment, see our guide on how to clean a hacked WordPress site. The difference between a minor incident and a catastrophic one is almost always response speed. WO Security Shield's emergency recovery service can take over the remediation process if you need professional help fast.
