📋 Table of Contents
- How to Tell If Your WordPress Site Has Been Hacked
- Common Types of WordPress Hacks (2026)
- Step 1 — Stay Calm & Assess the Situation
- Step 2 — Put Your Site in Maintenance Mode
- Step 3 — Change All Passwords Immediately
- Step 4 — Scan for Malware
- Step 5 — Clean the Infection
- Step 6 — Restore from a Clean Backup
- Step 7 — Harden Your WordPress Security
- Step 8 — Request Google Review & Remove Blacklist
- Frequently Asked Questions
- Conclusion
Getting hacked is every website owner's nightmare. One moment your business is online, generating leads and credibility. The next, visitors are seeing spam ads for pharmaceuticals, or worse — Google has slapped a big red "This site may be harmful" warning on your listing. For a Mumbai business owner, the damage isn't just technical. It's real money walking out the door, and real trust being destroyed in real time.
The good news? Most hacked WordPress websites can be fully recovered. TechMR has cleaned dozens of infected WordPress sites for businesses across Mumbai, Thane, and Navi Mumbai. We've seen every kind of hack — from simple admin takeovers to sophisticated database injections. This guide shares exactly what we do, step by step, so you can either handle it yourself or know what to ask for when you call us.
Do NOT just delete your site and reinstall WordPress thinking it'll fix everything. Hackers often plant multiple backdoors — simply reinstalling leaves them all in place. Follow this guide in order.
How to Tell If Your WordPress Site Has Been Hacked
Not every hack announces itself loudly. Some attackers stay hidden for months, quietly harvesting data or using your server to send spam. Here are the most common warning signs to watch for:
Even if you don't see obvious signs, if something feels off — unexpected server load, customer complaints about strange pop-ups, or anything unusual — treat it seriously and run a scan immediately.
Common Types of WordPress Hacks in 2026
Understanding what kind of hack you're dealing with helps you clean it faster and close the right vulnerability afterward. These are the attacks TechMR sees most frequently on Mumbai business websites:
| Hack Type | What It Does | Severity | Most Common Cause |
|---|---|---|---|
| Backdoor | Hidden PHP file gives attacker ongoing secret access even after you change passwords | Critical | Nulled themes/plugins, outdated core |
| Pharma Hack | Spammy pharmaceutical keywords injected into your pages — visible to Google, invisible to you | High | Old vulnerable plugins, no updates |
| Malicious Redirect | Visitors from Google are silently redirected to spam or adult websites | High | Infected .htaccess or functions.php |
| Cross-Site Scripting (XSS) | Malicious JavaScript runs in visitors' browsers, stealing data or showing pop-ups | Medium | Vulnerable theme or plugin input fields |
| Database Injection (SQLi) | Attacker injects SQL into your database to steal data or modify content | Critical | Unvalidated form inputs, outdated plugins |
| Brute Force Login | Automated bots try thousands of password combinations to break into /wp-admin | Medium | Weak passwords, no login rate limiting |
| Site Defacement | Homepage is visually replaced with hacker's message — usually for "fame" | Medium | Admin takeover via brute force or leaked credentials |
Step 1 — Stay Calm & Assess the Situation
Don't Panic — Document Everything First
The worst thing you can do when you discover a hack is to start clicking around, deleting files, or reinstalling WordPress out of panic. That destroys evidence and can make the cleanup much harder. Take a breath. You have time to do this right.
Before you touch anything, take screenshots and note down:
- What you saw — the exact symptoms (redirects, defacement, Google warning, etc.)
- When you first noticed it — and when it likely started
- Any recent changes — new plugins installed, themes updated, new admin users added
- Your hosting account details, cPanel credentials, and FTP access
- Your most recent backup date and where it's stored
Now also inform your hosting provider. Call or raise a support ticket right away — many hosts have a security team that can immediately tell you what they've detected and whether they've suspended the account.
Step 2 — Put Your Site in Maintenance Mode
Protect Visitors While You Clean
While your site is infected, every visitor who lands on it is at risk — they could be redirected, shown malicious pop-ups, or have their browser exploited. Putting the site into maintenance mode is a responsible, professional action that protects your audience while you work on the fix.
If you can still access your WordPress dashboard:
- Install and activate a maintenance mode plugin like Coming Soon Page & Maintenance Mode by SeedProd
- Enable maintenance mode — visitors will see a clean "We'll be back soon" page
- Your admin dashboard access remains unaffected
If you cannot access the dashboard, contact your host to temporarily take the site offline at the server level while you work. A brief downtime is far less damaging to your reputation than leaving an actively infected site running.
Step 3 — Change All Passwords Immediately
Lock Out the Attacker Right Now
The moment you suspect a hack, change every password associated with your website — not just the WordPress admin password. Attackers often gain access through one weak point and then plant multiple entry paths. Changing passwords cuts off their active access while you investigate.
Change passwords for all of these in order:
- All WordPress admin accounts — Use a 20+ character random password. Delete any unknown admin users immediately.
- Hosting cPanel or WHM password — Your hosting control panel is the master key to everything.
- FTP / SFTP accounts — All FTP users associated with your hosting account, not just the primary one.
- Database password (wp-config.php) — Change the MySQL database user password in cPanel, then update wp-config.php to match.
- Email accounts — Any email address connected to your domain, especially the one used as WordPress admin email.
- Domain registrar account — To prevent DNS hijacking, ensure your registrar account is also secured with a new strong password and 2FA.
After changing your WordPress admin password, go to Users → All Users and look for any accounts you don't recognise — especially anyone with the "Administrator" role. Delete them immediately. Hackers routinely create ghost admin accounts for continued access.
Step 4 — Scan Your Site for Malware
Find Every Infected File & Database Entry
Now it's time to find out exactly what's been planted on your site. A proper malware scan will check every PHP file, every database table, and every uploaded file for known malicious code signatures. Don't rely on just one tool — use at least two to cross-check results.
Recommended Security Scanning Tools
Manually Check These Key Files
Even after running automated scans, TechMR always manually checks these specific locations — hackers know to hide code where automated tools are less thorough:
- .htaccess file in your root directory — look for any Redirect or RewriteRule you didn't add
- wp-config.php — should only contain database credentials and standard WordPress configuration constants
- wp-includes/ and wp-admin/ folders — these should contain only official WordPress core files. Any extra PHP files here are almost certainly malicious.
- Theme files — especially functions.php, header.php, and footer.php where injected code is commonly hidden
- Uploads folder (/wp-content/uploads/) — this folder should never contain PHP files. Any .php file in uploads is a backdoor.
- WordPress database — check wp_posts and wp_options tables for injected JavaScript, iframe tags, or base64-encoded strings
Run the scan and keep a complete list of every flagged file and database entry. Don't start deleting yet — you need the full picture first.
Step 5 — Clean the Infection
Remove Every Trace of Malicious Code
This is the most technically demanding step. If you're confident with FTP and file editing, you can do it yourself. If not — and there's absolutely no shame in this — contact a professional. Getting the cleanup wrong means the attacker can walk right back in.
Option A: Use an Automated Cleanup Tool
Wordfence Repair and MalCare's One-Click Malware Removal can automatically clean most infections. They replace infected core WordPress files with clean versions from the official WordPress repository and remove detected malicious code from your theme and plugin files.
Option B: Manual Cleanup (Advanced)
- Download a clean copy of your current WordPress version from wordpress.org and replace all core files — especially wp-admin/ and wp-includes/ — via FTP, keeping wp-config.php and wp-content/ untouched
- Delete and reinstall every plugin from official sources — do not just "deactivate", actually delete and get a fresh copy
- Delete and reinstall your active theme — again, from the official theme repository or from the original developer, not from your current files
- Manually clean your .htaccess file — delete and let WordPress regenerate it from Settings → Permalinks
- Clean your database — use phpMyAdmin to search wp_posts and wp_options for eval(base64_decode, hidden iframes, or script tags pointing to unknown domains, and remove them
- Delete the infected uploads — any PHP files found in /wp-content/uploads/ should be deleted immediately
TechMR offers emergency WordPress malware removal and recovery services across Mumbai, Thane, and Navi Mumbai. We typically assess and clean hacked sites within 24 hours. WhatsApp us now for immediate assistance.
Step 6 — Restore from a Clean Backup
The Fastest Road to a Clean Site
If you have a recent backup from before the hack happened, restoring it is often the cleanest, fastest recovery path — especially for complex infections or database-heavy hacks. The key word is "clean" — you need to verify the backup itself wasn't created after the infection started.
How to find a clean backup:
- Check your hosting control panel (cPanel → Backup Wizard or JetBackup) for automatic backups
- Check any manual backups you created — and confirm their dates predate the first signs of the hack
- If you use a backup plugin like UpdraftPlus, check your cloud storage (Google Drive, Dropbox) for stored copies
Once you identify a clean backup, restore it through your hosting panel or backup plugin. Then immediately run a fresh malware scan on the restored site to confirm it's clean before taking it live again.
If you don't have a backup, follow the manual cleanup steps in Step 5. Then, after this incident is fully resolved, set up an automated daily backup immediately — this is the single most important thing you can do to protect your site going forward.
Step 7 — Harden Your WordPress Security
Close Every Door the Hacker Used
Getting hacked once is bad. Getting hacked again, through the same vulnerability, because you didn't fix it — that's avoidable. After you've cleaned and restored your site, spend time properly hardening it. This is the step most business owners skip, and then they're back in the same situation six months later.
Step 8 — Request Google Review & Remove Blacklisting
Restore Your Google Rankings & Trust
Once your site is fully clean and hardened, it's time to fix your reputation with Google. A hacked site often gets flagged in Google Search Console and blacklisted in Chrome — meaning visitors see a security warning before they even reach you. Even after you've cleaned everything, Google won't automatically know until you tell them.
- Verify ownership in Google Search Console — if not already done, add and verify your site at search.google.com/search-console
- Check Security Issues report — in Google Search Console, go to Security & Manual Actions → Security Issues to see exactly what Google flagged
- Fix everything listed — make sure every issue Google flagged has been resolved on your end before requesting review
- Request a review — click "Request Review" in the Security Issues panel. Describe what happened, what you found, and what steps you took to clean and secure the site
- Wait for Google's response — Google typically reviews within 1–3 days for security issues and will notify you via GSC once the warning is removed
- Check Bing Webmaster Tools too — if you have traffic from Bing, check and clear the security flag there as well
In parallel, check if your domain has been added to any major blacklists using MXToolbox Blacklist Check or Sucuri SiteCheck. If your domain appears on email blacklists due to spam sent from your server, you'll need to submit removal requests to each list individually.
Also, if your business has a Google Business Profile, check it for any alerts or flags — a hacked website linked to your GBP can trigger warnings there too.
After Recovery: The Ongoing Security Mindset
Recovering from a hack is one thing. Making sure it doesn't happen again requires a small but consistent ongoing investment of attention. Think of website security the same way you think about fire safety in your office — you don't just install a fire extinguisher once and forget about it. You check it, you maintain it, and you make sure everyone follows protocols.
After recovery, build these habits into your website routine:
- Monthly maintenance visits — log into your WordPress dashboard at least once a month, update everything, and review your security plugin's dashboard for any alerts
- Review user accounts quarterly — check the Users list and remove any accounts that are no longer needed or look unfamiliar
- Monitor uptime — use a free uptime monitor like UptimeRobot to alert you if your site goes down unexpectedly
- Check your Google Search Console monthly — the Security Issues and Manual Actions reports are your early warning system
TechMR offers affordable WordPress website maintenance packages for Mumbai businesses that cover all of the above — updates, security monitoring, backup management, and emergency support. Many of our clients who now have maintenance agreements with us came to us first through a hack. Once bitten, twice wise.
Getting hacked feels personal and overwhelming in the moment. But it's a technical problem with a technical solution. Follow this guide step by step, don't rush, and you'll have your site back — cleaner and more secure than it was before the attack.
Frequently Asked Questions
Common signs include: Google showing a "This site may be hacked" warning in search results, visitors being redirected to unknown or spam websites, unfamiliar admin users in your WordPress dashboard, your hosting provider suspending the account, your site becoming extremely slow or going offline, or Google Search Console sending a security alert. Not all hacks are visible — some attackers hide completely, so running a regular malware scan is important even when things seem fine.
The very first thing is to stay calm and document what you see — take screenshots and note when it started. Then immediately put the site into maintenance mode to protect visitors. Change all passwords right away — WordPress admin, hosting cPanel, FTP, and database. Inform your hosting provider as they may have already detected the infection and have tools to help. Do not delete files yet until you've run a full scan.
Yes, in most cases you can recover without losing data — especially if you have a clean backup from before the hack. If there's no backup, professional malware removal tools like Wordfence or MalCare clean infections while preserving your posts, pages, images, and settings. The only data at risk is content added after the infection if you restore from an older backup — and even then, you can manually re-add those changes.
WordPress powers over 43% of all websites globally, making it the most targeted CMS by automated hacking tools. The most common reasons for hacks are: outdated WordPress core, themes, or plugins with known vulnerabilities; weak or reused admin passwords; nulled (pirated) themes and plugins that contain pre-installed backdoors; no two-factor authentication; shared hosting where a neighbour site is compromised; and no regular security monitoring or maintenance in place.
For a straightforward hack with a clean backup available, recovery typically takes 2–6 hours. For complex infections involving multiple backdoors, database injection, or no backup, full recovery can take 1–3 days. TechMR offers emergency WordPress hack recovery services in Mumbai — we typically assess and restore hacked sites within 24 hours. WhatsApp us for immediate support.
No — Google does not automatically remove the warning after you clean your site. You need to manually request a review through Google Search Console. Go to Security & Manual Actions → Security Issues, resolve all listed issues, then click "Request Review" and describe the steps you took. Google typically reviews and removes the warning within 1–3 business days after you submit the request.
Conclusion
A hacked WordPress website is stressful, disruptive, and damaging to your business. But it is recoverable — and the experience, when handled right, often results in a more secure website than you had before the attack ever happened.
The key is moving with purpose, not panic. Document first. Lock down access. Scan thoroughly. Clean completely. Harden seriously. Then notify Google and get back online. Every step in this guide builds on the previous one, and skipping any of them is what leads to repeat infections.
If your site was built by TechMR or if you need expert help recovering a hacked WordPress website in Mumbai, our team is available to assist. We offer ongoing WordPress maintenance and security monitoring so your business never has to face this situation again. Prevention — not recovery — is where we want every client to be.
Stay secure. Stay online. And if you ever need us, we're a WhatsApp message away.