What To Do When Your New WordPress Site Is Hacked

Last Updated on February 8, 2021 by WordPress Expert

You’ve made the smart choice to build your new site in WordPress, and you’ve successfully made it through the tricky launch phase, so everything’s looking up — until things go awry when your site is hacked. Everyone knows that websites are hacked regularly, but they assume that it will never happen to them. You’re probably in the same situation.

How should you react in this situation? What should you do to get things back on track? How you react will determine how your site fares in the future, so you need to be smart about your approach. In this post, we’re going to set out four things you should do when your new WordPress site gets hacked. Let’s get to them.

Take your site offline.

The very first thing you should do is take your site offline because you won’t know to what extent it’s been compromised until you take a look at what’s happened. Even if your site is just a hobbyist blog, it could be dangerous to its handful of visitors — plus, it’ll be bad for people to see your site if the hacker made changes to its content.

Notify anyone whose data may have been compromised, and put up a 404 page (Atlassian has some great examples) to explain that the site has been taken down due to a hack and will be back in operation as soon as possible. Your task is to get it ready to relaunch, so don’t say that it’ll be back within a week because you can’t know it’ll be safe by then. It’s better to be vague than end up missing your own deadline and making yourself look bad.

Stay calm and look ahead.

It’s really easy to feel targeted when your site gets hacked: after all, there must be a reason why they attacked you in particular. What if they try it again? What if the person responsible has a grudge against you? Well, there’s a quote that applies here: “Worry is a misuse of imagination.” In all likelihood, the hack was nothing personal: the hacker probably happened upon a vulnerability and took advantage of it.

You’re not going to deal with a deluge of hacks in the future, as your chance of being hacked hasn’t gone up. This is true even if you have a lot of money riding on your site. WooCommerce (the most common retail extension for WordPress) isn’t 100% secure against all hacks. However, it’s still perfectly solid, getting a 4-star security rating in a review on Ecommerce Platforms. One hack doesn’t mean another one is coming.

Furthermore, you’ll be so much better prepared because of this experience. Focus on the positives you can take from the hack, be optimistic, and focus on the future ahead of you instead of dwelling on the past.

Address the vulnerability. 

With the site offline, you need to look into what actually happened. How did the hacker get in? In all likelihood, they either guessed your admin login (or brute-forced it) or took advantage of a vulnerability inherent to the system, a live plugin, or a plugin-based conflict. The good news is that WordPress, despite its flexibility, can be very secure: you just need to be sensible.
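For the guessed or brute-forced login case, the web server access log is the quickest way to find out how the attacker got in. The script below is an added example, not part of the original post: it assumes a combined-format access log and WordPress's default behaviour, where a failed POST to /wp-login.php returns 200 and a successful one redirects with 302. The function names, IP addresses and sample lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def summarize_logins(log_text, threshold=5):
    """Flag client IPs with at least `threshold` failed wp-login.php POSTs.

    Assumption: default WordPress behaviour, where a failed login re-renders
    the form (200) and a successful login redirects (302).
    """
    stats = defaultdict(lambda: {"failed": 0, "login_after_guessing": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        s = stats[ip]
        if status == "200":
            s["failed"] += 1
        elif status == "302" and s["failed"] >= threshold and not s["login_after_guessing"]:
            # First success that follows a run of failures: likely guessed password.
            s["login_after_guessing"] = when
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}


def _line(ip, sec, method, path, status):
    # Helper that builds one constructed log line (not real traffic).
    return (f'{ip} - - [01/Jan/2021:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample: one IP guessing passwords, one normal user, one page view.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [_line("203.0.113.7", 6, "POST", "/wp-login.php", 302),
       _line("198.51.100.20", 7, "POST", "/wp-login.php", 200),
       _line("198.51.100.20", 8, "POST", "/wp-login.php", 302),
       _line("192.0.2.44", 9, "GET", "/wp-login.php", 200)]
)

if __name__ == "__main__":
    for ip, s in summarize_logins(SAMPLE_LOG).items():
        print(ip, "failed:", s["failed"], "login at:", s["login_after_guessing"])
```

A flagged IP with a login time means the password was probably guessed, so the login is the first thing to change. If no IP is flagged, the other causes listed above (a vulnerability in the system or a plugin) become the more likely entry point.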

Update your login: not just the password, but also the password recovery process so a hacker can’t take advantage of your secret questions or recovery email address. Remove all the plugins that you don’t absolutely need — and do some research on those you keep to see if anyone else has had security issues because of them. Ensure that your WordPress installation is fully updated, and if you want some extra safety, move to a host with greater safeguards.

Relaunch with an explanation.

Lastly, when you’re confident that your site is secure and you can put it live again, prepare a decent explanation of what’s happened. In addition to recapping the instigating issue, explain the action you’ve taken to protect your site and keep further hacks from happening. Anyone who noticed the hack (or your 404 page about it) will understandably be wary, after all.

If your explanation is sufficiently detailed and you’ve done everything you can to make your site safe for use, then most people will look past the hack and give your site another chance. 

Seeing your site hacked is a dreadful experience, but you shouldn’t make it a bigger deal than it needs to be. Take it down, resolve the issue, and get it back up and running. That’s the only sensible way to proceed.

If you’d like to know more about site security, take a look at this post on tips to keep your WordPress site secure.