If your WordPress site is hacked, your first priority is to remove the malware used in the attack. You then need to restore your website, including getting it removed from any blacklists. Last but not least, you need to work out what enabled the attack and identify any other security weaknesses you need to rectify. Depending on your individual circumstances, you may also need to preserve evidence of the attack and/or report it to relevant authorities.
Remove the malware used in the attack
Before you dive into a clean-up operation, it’s worth contacting your host to see if they are aware of an attack on their server. You may discover that the issue is actually at their end and that all you need to do is sit back and wait for them to resolve it. Even if it isn’t, your host may be able to offer you some help and support, or at least some guidance.
Scan your website with a proper website vulnerability scanner from a reputable cybersecurity company. If you want extra reassurance, you can also scan it with an application-based scanner (plugin), but make sure you use one from a reputable developer; otherwise you could make the problem worse.
Restore your website
If you’re only running a small website, then it may be feasible for you just to scrub everything and restore it from a backup. If, however, your website contains anything more than a few pages of content, then you’re probably going to find it quicker and less painful just to clean up the infected areas.
Before you start this operation, however, ask yourself seriously if you’re really comfortable getting up close and personal with files, database tables, and user accounts. If the answer is no, then it’s best to admit it up-front and bring in professional help. It can work out a lot more affordable than having to put right any damage you do.
Regardless of whether you clean up your website yourself or bring in outside help, it’s strongly recommended to document the process and consider backing up any important files/tables before you restore them so that you can refer to them later. This could be because of issues with your clean-up (even for professionals these can be complicated jobs) or it could be for a “learn and prevent” discussion at some future point.
Once you have your site back in working order, you can contact your host, the search engines, and blacklisting authorities (such as security companies) for a review while you go through your site and close off any back doors you find. These are usually cunningly hidden in PHP extensions, generally ones that can be legitimately used by plugins. This means that you need to work carefully or you could wind up breaking your site again.
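A defender-side triage script for the back-door hunt described above, added here as an example and not code from the original article. The heuristic names, the regular expressions and the three sample PHP sources are constructed for illustration; a hit is a file to inspect by hand, since plugins can legitimately use some of the same functions.

```python
import os
import re

# Heuristics for PHP constructs that web-shell back doors commonly rely on.
# Plugins can legitimately use some of these (base64_decode for embedded
# assets, exec for image tools), so the output is a triage list for a human
# to review file by file, never an automatic delete list.
SUSPICIOUS = {
    "eval of decoded blob": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval of request input": re.compile(
        r"eval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "shell command built from request input": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen)\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "request input used as a function name": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
    "preg_replace with the /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
}

def scan_source(source: str) -> list[str]:
    """Return the names of every heuristic that matches one PHP source string."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(source)]

def scan_sources(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each path whose source trips at least one heuristic to its findings."""
    return {path: hits for path, src in files.items() if (hits := scan_source(src))}

def scan_tree(root: str) -> dict[str, list[str]]:
    """Read every .php file under a WordPress install and triage it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_sources(files)

# Constructed sample sources standing in for files met during a clean-up (not
# from any real site). The first is a legitimate plugin use of base64_decode
# and must not be flagged; the other two are the patterns to triage.
SAMPLES = {
    "wp-content/plugins/gallery/thumb.php": "<?php\n$png = base64_decode($encoded_png);\nheader('Content-Type: image/png');\necho $png;\n",
    "wp-content/uploads/.cache.php": "<?php\neval(base64_decode($_POST['p']));\n",
    "wp-content/plugins/seo/inc.php": "<?php\n$_REQUEST['f']($_REQUEST['a']);\n",
}
```

Run `scan_tree("/path/to/wordpress")` against the install you are cleaning and compare each flagged file against a fresh copy of the plugin or theme it claims to belong to.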
To be clear, at this point your aim is to put your website back exactly as it was before. In other words, resist the temptation to treat this exercise as an opportunity to update your website. That can and should wait until the next stage of the process, when you can think clearly not only about what needs to be updated but in what way and in what order.
Address the security issues
Assuming you have the resources, you can use the time while your website is being fixed to run an anti-malware scan on your local computers. As before, make sure you use a product from a reputable cybersecurity company. It is far from unusual for websites to be compromised by malware placed on a local machine that is used to run them. For example, spyware can steal the login details of an administrator's account, which then effectively gives an attacker a free run on the website.
Even if your local machines come up clear, change all administrator passwords, no exceptions, and, ideally, implement two-factor authentication. This should be a fairly easy way to add a lot of extra security to your WordPress site. Then update all software, including, and especially, WordPress itself and any plugins you use.
With this done, it’s time to undertake a security audit of your WordPress site. You’re looking for the answers to two questions. Firstly, what caused this specific attack? Secondly, what can be done to improve security in general?
When looking at the second point, remember to consider the structure of your website and what users are allowed to do on it. For example, forms with free-text fields can be used to inject malicious code into your site. The way to deal with this is to use fixed inputs (such as drop-down menus) as much as you can and to perform thorough validation on any fields that require free-text input.
How to see if a website is safe?