Recover a Hacked WordPress Site: The Complete Emergency Response Guide


How to Recover a Hacked WordPress Site in Nigeria: What Business Owners Should Know

Your website starts showing spam links you never added. Google displays security warnings when people search for your business. You cannot log into your WordPress dashboard, or your homepage has been defaced. These are some of the clearest signs that your site has been hacked.

The good news is that a hacked WordPress site can be recovered. This guide explains how to recover a hacked WordPress site step by step with clear actions you can follow immediately. For Nigerian businesses, fast recovery is especially important for NDPA compliance and maintaining customer trust.

Important: If you’re running an e-commerce site that handles customer payment data or sensitive information, call professional help immediately.

Once recovered, read our WordPress security prevention guide to avoid this nightmare again.

Is Your Site Actually Hacked? (Recognizing the Signs)

Common Signs of a Hacked WordPress Site

Here’s what a hacked WordPress site looks like:

  • Site redirects visitors to spam or adult content websites
  • Google shows security warnings when people search for your business
  • Unexpected admin accounts you didn’t create
  • New plugins or themes appeared that you never installed
  • The site suddenly crashes or loads extremely slowly
  • Hosting provider sent an account suspension email
  • You can’t log into the WordPress dashboard with the correct password
  • Strange code or links appeared in posts and pages
  • Customers complain that your site is sending spam emails

False Alarms vs. Real Hacks

Not every site problem is a hack. Plugin conflicts can completely break your site, making it inaccessible or displaying error messages. Hosting server issues can cause downtime unrelated to security. A theme update gone wrong can mess up your design.

The difference? Real hacks leave evidence: suspicious files, unauthorized users, malicious code injected into your database, or your site actively spreading spam. Technical issues break things without leaving malware behind.

The Nigerian Reality

In Nigeria, you often discover hacks through your hosting provider. They notice the malicious activity first and suspend your account to protect their servers. You get an email saying “Account suspended for abuse” and only then realize something’s wrong.

Google Search Console sends security warnings if it detects malware. Customers sometimes notice before you do, complaining that your site showed them weird content or tried to download suspicious files.

⚠️ What NOT to Do

Stop right here before you make things worse:

  • Don’t install random “quick fix malware cleanup” plugins during an active hack. They rarely work and might make recovery more complicated.
  • Don’t update plugins or themes yet. You might destroy evidence of how hackers got in, making it impossible to prevent future attacks.
  • Don’t blindly restore backups without checking whether they’re clean first. You might restore the malware.
  • Don’t ignore NDPA reporting timelines if customer data is involved. The 72-hour notification window is strict.
  • Don’t assume the hack is over because your homepage looks normal. Hackers often hide backdoors in obscure files or the database, waiting to strike again.

First Response: What To Do When Your WordPress Site Is Hacked

Time is critical. Every minute your hacked site stays online damages your reputation, spreads malware, and deepens Google blacklisting. Take these steps immediately.

Step 1: Document Everything

Take screenshots of what you’re seeing: spam content, error messages, weird redirects. Note the exact time you discovered the hack – this timestamp is critical for NDPA breach notifications. Write down suspicious behavior: new admin emails, file modification alerts, and hosting warnings.

Step 2: Change All Passwords

Hackers steal passwords to maintain access after cleanup. Change everything immediately from a different device if possible (your computer might be compromised):

  • WordPress admin password (through hosting control panel if locked out)
  • Hosting account password
  • FTP/SFTP passwords
  • Database password

Step 3: Isolate Your Site

Isolating your site means temporarily taking it offline or blocking public access while you investigate and clean it.

If your site is actively spreading malware, redirecting to spam sites, or sending phishing emails, take it offline temporarily. This protects visitors and prevents Google from blacklisting you harder.

Most hosting control panels let you put up a maintenance page. Use that. A simple “We’re performing emergency maintenance and will be back shortly” is sufficient for your public maintenance page. Handle security disclosures directly with affected customers and regulators as required by NDPA.

Step 4: Contact Your Hosting Provider

Nigerian hosting providers vary wildly in response time. Some respond within hours with helpful support. Others take days and offer minimal assistance. Contact them anyway and document the interaction.

Ask specifically for server access logs (these show who accessed your files and when), backup status (whether they have clean backups you can restore), and malware scan results (some hosts run automatic scans). If they offer security assistance, accept it. If they’re unresponsive, document this. You might need to switch hosts after recovery.

Assessing the Damage

Scan for Malware

Use Sucuri SiteCheck (free external scanner – just enter your URL). If you can access your dashboard, run your security plugin’s malware scanner. Check Google Search Console for security issues. Check your hosting control panel for any unusual file changes.

Check Your Backups

Do you have clean backups from before the hack? This is the most important question for quick recovery.

Check when your last backup was taken (UpdraftPlus, hosting backups, or manual files). The backup must be from before the hack occurred. Don’t restore yet – verify it’s clean first.

Identify the Entry Point

Check recently modified files through the hosting file manager or FTP. Look for changes you didn’t make in wp-content/uploads (shouldn’t contain PHP files) or themes/plugins folders.

Review WordPress user accounts for admins you don’t recognize. Check for new plugins or themes that appeared mysteriously.

Common entry points include outdated plugins (the number one cause), weak passwords, and nulled themes from sketchy websites with pre-loaded backdoors.

However, the infection can sometimes originate on the hosting server itself. Cheap web hosts often run outdated PHP versions, Apache servers, or other server software with known security holes. If multiple sites on the same server get hacked around the same time, the server is likely the problem. This is common with budget Nigerian hosting packages, where server maintenance is neglected.

If your hosting server is the entry point: Cleaning your WordPress site alone won’t fix the problem. You’ll get re-infected immediately because the server itself is compromised. The solution is to clean your site completely, then migrate to a better hosting provider. Staying on a compromised server guarantees repeat infections, no matter how well you secure WordPress. See our guide to choosing web hosting in Nigeria for reliable alternatives.

Assess NDPA Breach Risk

Was customer data potentially accessed? If your site has user accounts, contact forms, e-commerce orders, or newsletter subscribers, personal data exists in your database.

Check for database exports or modifications to user tables. If customer data was accessed or stolen, you must notify the Nigeria Data Protection Commission (NDPC) within 72 hours. Penalties can be as high as 2% of annual revenue or ₦10 million.

See our NDPA compliance guide for details.

🛠️ Tools You’ll Need

Free Tools:

Hosting Control Panel Access:

  • File Manager (to view and delete files)
  • phpMyAdmin (database access)
  • Backup tools

Optional for Advanced Users:

  • Text editor for reviewing code
  • Local WordPress installation for testing backups

Recovery Option A: Restore from Backup

If you have a clean backup from before the hack, this is your fastest path to recovery.

How to Restore

Verify the backup date is before the hack. Use UpdraftPlus or your hosting backup tool to restore files and the database. Restoring only files or only the database can leave part of the malware in place, so always restore both together. Test that your site works after restoration.

After Restoration

Immediately change all passwords. Update WordPress core, all plugins, and themes. Scan the restored site to confirm it’s clean. Investigate what caused the hack – review our WordPress website best practices to avoid common mistakes. Skip to Post-Recovery Security Hardening.

If you don’t have clean backups or they’re infected, proceed to manual cleanup.

Recovery Option B: Manual Cleanup

Manual cleanup requires technical skills with FTP and databases. If this paragraph already makes you uncomfortable, skip to “When to Call Professional Help” and get support. Trying to guess your way through database changes can destroy your site permanently.

Clean Infected Files

Access Your Site: Use FTP/SFTP (FileZilla, WinSCP) or the hosting File Manager. Download a complete backup before making changes.

Delete Malicious Files: Check wp-content/uploads for .php files (shouldn’t be there). Look for suspicious folders in wp-content. Compare wp-includes to a fresh WordPress download – replace modified files. Common malware spots: wp-content/plugins, wp-content/themes, root directory.

Replace WordPress Core: Download fresh WordPress from WordPress.org (same version you’re running). Replace the wp-admin and wp-includes folders. Replace root files EXCEPT wp-config.php and .htaccess. Keep the wp-content folder.

Clean Plugins and Themes: Delete unrecognized plugins/themes. Delete all nulled/pirated plugins and themes (likely entry point). Update remaining plugins and themes.
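
The file checks from “Identify the Entry Point” and “Clean Infected Files”, written as a read-only shell script for hosts that provide SSH access. This is an added example, not part of the original guide; the script name, the 14-day default and the list of PHP file extensions are assumptions.

```shell
#!/bin/sh
# Added example: read-only file triage for a WordPress tree (nothing is deleted).
# The site root and the fresh-copy path are supplied by the caller.

# PHP-executable files under wp-content/uploads, where only media belongs.
uploads_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -iname '*.phar' \) 2>/dev/null | sort
}

# Files modified within the last N days (N = $2).
recent_changes() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Compare wp-admin and wp-includes against a fresh download of the SAME
# WordPress version. Prints "MODIFIED <path>" or "EXTRA <path>".
core_drift() {
    site=$1
    fresh=$2
    for dir in wp-admin wp-includes; do
        [ -d "$site/$dir" ] || continue
        ( cd "$site" && find "$dir" -type f | sort ) |
        while IFS= read -r rel; do
            if [ ! -f "$fresh/$rel" ]; then
                echo "EXTRA $rel"
            elif ! cmp -s "$site/$rel" "$fresh/$rel"; then
                echo "MODIFIED $rel"
            fi
        done
    done
}

# Usage (hypothetical script name):
#   sh wp-triage.sh /path/to/site /path/to/fresh-wordpress [days]
if [ "$#" -ge 2 ]; then
    echo "== PHP files in uploads ==";          uploads_php "$1"
    echo "== Changed in last ${3:-14} days =="; recent_changes "$1" "${3:-14}"
    echo "== Core drift vs fresh copy ==";      core_drift "$1" "$2"
fi
```

Modification times can be reset by whoever planted a file, so an empty recent-changes list does not prove the tree is clean; the core comparison checks file contents and does not depend on timestamps.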

Clean Your Database

Access phpMyAdmin from your Hosting Control Panel

Remove Malicious Users: Check the wp_users table for admin accounts you didn’t create. Common hacker usernames: “admin2”, “support”, “service”, or random strings. Delete suspicious users and change passwords for all legitimate users.

Clean Malicious Content: Search wp_posts for base64-encoded strings (which look like random gibberish and are often wrapped in “eval(base64_decode(”). Delete any posts containing this code. Check for unauthorized scheduled posts (post_status = 'future'). Look for spam comments in the wp_comments table.

Important: If you’re not comfortable with phpMyAdmin, stop here and call professional help. Database mistakes are permanent.

Security Reset

Regenerate WordPress Security Keys: Use WordPress.org’s secret key generator.

Copy the generated keys. Open wp-config.php via FTP. Replace AUTH_KEY, SECURE_AUTH_KEY, etc., with the new keys. This logs out everyone, including attackers.

Check Critical Files: Review the .htaccess file for suspicious redirects or Base64-encoded code. Check wp-config.php for eval(), base64_decode(), or gzinflate() functions – these are red flags in wp-config.

Fix File Permissions: Set folders to 755, files to 644. Apply these permissions to your WordPress installation directory and its subfolders, unless your host has specific different recommendations. This limits what hackers can modify.

Force Password Resets: Change all user passwords via phpMyAdmin or use a plugin that forces password resets on next login.
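
The Critical Files and File Permissions checks above as shell functions, for hosts with SSH access. This is an added example, not part of the original guide; the script name, the `--fix` switch and the 80-character base64 threshold are assumptions.

```shell
#!/bin/sh
# Added example: checks for the Security Reset steps. Paths come from the caller.

# Lines that call eval(), base64_decode() or gzinflate() in the given files.
# PHP function names are case-insensitive; missing files are skipped.
# Prints file:line:text for each hit, nothing when there are none.
red_flags() {
    grep -sniE \
        '(^|[^[:alnum:]_])(eval|base64_decode|gzinflate)[[:space:]]*\(' \
        "$@" /dev/null || true
}

# Long unbroken base64-looking runs, such as an encoded blob in .htaccess.
# Prints file:line only, so the blob itself is not echoed to the terminal.
# The 80-character threshold is an assumption.
long_base64() {
    grep -snE '[A-Za-z0-9+/]{80,}={0,2}' "$@" /dev/null | cut -d: -f1,2
}

# Entries that deviate from the guide's 755 (folders) / 644 (files).
perm_deviations() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# Apply 755 to folders and 644 to files under the installation directory.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage (hypothetical script name): sh wp-reset-check.sh /path/to/site [--fix]
if [ "$#" -ge 1 ]; then
    red_flags "$1/wp-config.php" "$1/.htaccess"
    long_base64 "$1/.htaccess"
    if [ "${2:-}" = "--fix" ]; then
        reset_perms "$1"
    fi
    perm_deviations "$1"
fi
```

Both scanners accept any file, so they can also be run over a phpMyAdmin .sql export to locate the injected content described under Clean Your Database.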

Post-Recovery Security Hardening

Your site is clean but vulnerable. Harden it immediately to prevent re-infection.

Install Security Plugin

Install WP Cerber or NinjaFirewall with NinjaScanner. Configure firewall, login protection, and malware scanning. See our WordPress security guide for detailed setup.

Enable Two-Factor Authentication

Install a 2FA plugin and enable it for all admin accounts. Use Google Authenticator or Authy. Even if hackers guess passwords, they can’t log in without your phone code.

Disable File Editing

Add to wp-config.php: define('DISALLOW_FILE_EDIT', true);

This prevents file editing through the WordPress dashboard. Hackers with admin access can’t inject code directly.

Set Up Proper Backups

Install UpdraftPlus with Google Drive or Dropbox storage. Schedule daily backups for active sites. Test restoration to verify backups work. See our article on website maintenance services.

Add Cloudflare

Sign up for Cloudflare’s free plan for network-level protection. See our Cloudflare guide for Nigerian businesses.

Monitor for Re-infection

Check Google Search Console daily for one week. Watch the security plugin for suspicious logins or file changes. Set up UptimeRobot for immediate downtime alerts.

NDPA Breach Notification (If Customer Data Was Affected)

Only applies if personal data was potentially accessed, stolen, or compromised.

Do You Need to Notify?

Yes, if:

  • Customer data was in your database (names, emails, phone numbers, addresses, order history)
  • You’re not 100% sure data was accessed (err on the side of notification)

No, if:

  • Only defacement or spam injection with no database access
  • Your site has no user data (basic informational site)

The 72-Hour Rule

From discovery, you have 72 hours to notify the Nigeria Data Protection Commission (NDPC) and affected customers. Penalties can be as high as 2% of annual revenue or ₦10 million. Don’t wait to investigate fully – notify based on reasonable suspicion.

What to Document

  • When you discovered the hack
  • What data was potentially compromised
  • How many people were affected
  • What you did to clean the site
  • Steps to prevent future breaches

How to Notify

NDPC: Follow official breach notification procedures on ndpc.gov.ng

Customers: Email explaining what happened, what data was affected, what you’ve done, and what they should do (change passwords, monitor accounts). Keep copies of all notifications.

Get Professional Help

For significant breaches involving payment data or large customer bases, hire NDPA compliance experts. Penalties for mistakes are severe. See our IT consulting services.

Getting Off Google Blacklist

Why Google Blacklists Sites

Google blacklists sites that distribute malware to visitors, attempt phishing attacks, host malicious downloads, or inject severe spam into search results. If your hacked site did any of these things, you’re probably blacklisted.

Check If You’re Blacklisted

Google Search Console clearly shows security warnings. Search for your site – if blacklisted, Google displays a warning before results. Use Google Transparency Report: https://transparencyreport.google.com/safe-browsing/search?url=yourdomain.com

Request Review

Clean your site thoroughly FIRST. In Google Search Console, find Security Issues and request a security review. Explain what was compromised and what you fixed. Google typically reviews within 24-72 hours.

If Blacklisting Persists

Rescan thoroughly using multiple tools. Check the database for hidden backdoors. Look for hidden files like .suspected or .bak copies that malware cleaners leave behind – attackers sometimes repurpose these. Consider professional malware removal if you can’t find the infection.

When to Call Professional Help

You Need Professional Help If:

  • Site keeps getting re-infected after cleanup (indicates server-level compromise or missed backdoors)
  • Hosting server itself is compromised (requires cleanup + migration to a new host)
  • You lack FTP/database skills
  • Customer payment data was compromised (PCI compliance required)
  • Business is losing significant daily revenue
  • Can’t identify malware or entry point
  • NDPA breach notification is required, and you need compliance guidance

What Professional Recovery Includes

Complete malware scanning, database deep cleaning, security hardening, vulnerability patching, entry-point identification, post-recovery monitoring, and NDPA breach assistance, if needed. For server-level compromises, professionals also handle migration to secure hosting while ensuring your cleaned site doesn’t carry malware to the new server.

Finding WordPress security experts in Nigeria is challenging. International services require dollar payments with slower response times. At PlanetWeb, we provide emergency WordPress recovery with local support, naira pricing, and fast response for Nigerian businesses.

See our managed IT services, IT consulting, or when to hire IT support.

Cost Considerations

Emergency recovery: ₦50,000 – ₦200,000+ depending on complexity. Weigh against daily revenue loss and potential NDPA fines. Prevention is always cheaper than recovery.

Preventing Future WordPress Hacks

Don’t Go Back to Old Habits

This hack was a warning. Take security seriously. Implement all recommendations from our WordPress security prevention guide.

Essential Prevention Steps

Keep everything updated (WordPress, plugins, themes, PHP). Use strong passwords and 2FA. Install and configure a security plugin. Set up daily automated backups to an off-site storage location. Monitor regularly for suspicious activity.

Common Mistakes After Recovery

Using the same weak passwords. Not investigating the root cause. Skipping backups because “site is fine now.” Assuming it won’t happen again. Continuing to use nulled themes or plugins.

The Cost of Repeat Hacks

Each hack damages your reputation more severely. Customers forgive one incident. Multiple hacks look incompetent. Google may permanently blacklist repeat offenders. Customers permanently lose trust. NDPA fines increase for repeat violations.

Frequently Asked Questions

How do I know if my WordPress site is actually hacked?
Common signs include redirects to spam websites, Google security warnings, unauthorized admin accounts, new plugins you didn’t install, hosting suspension emails, and inability to log in. False alarms like plugin conflicts or server issues don’t leave malware evidence.
Can I recover a hacked WordPress site without backups?
Yes, through manual cleanup involving FTP file removal, database cleaning, and WordPress core replacement. However, this requires technical skills. Without backups, recovery takes 4-8 hours compared to 1-2 hours with clean backups. Professional help is recommended if you’re not comfortable with FTP and databases.
How long does WordPress hack recovery usually take in Nigeria?
Backup restoration: 1-2 hours. Manual cleanup: 4-8 hours or more depending on infection severity. Professional help: typically 24-48 hours including thorough scanning and hardening. Nigerian hosting response times vary from hours to days. As a simple rule, if you’re still struggling after 4-6 hours of trying to fix it yourself, it’s time to call in help.
Do I need to notify my customers if my WordPress site was hacked?
Under NDPA 2023, yes, if customer personal data (names, emails, phone numbers, addresses, order histories) was potentially accessed. You have 72 hours from discovery to notify NDPC and affected customers. Penalties can be as high as 2% of annual revenue or ₦10 million. No notification needed for simple defacement without database access.
What is the fastest way to recover a hacked WordPress site?
Restore from a clean backup taken before the hack. This bypasses manual file cleaning and database work. After restoration, immediately change all passwords, update everything, and scan to confirm the restored site is clean.
When should I hire a professional instead of trying to fix it myself?
Hire professional help if: site keeps getting re-infected after cleanup attempts, you lack FTP/database skills, customer payment data was compromised, your business is losing significant daily revenue, you can’t identify the malware source, or NDPA breach notification is required and you need compliance guidance.
How much does professional WordPress hack recovery cost in Nigeria?
Emergency recovery in Nigeria typically costs ₦50,000 to ₦200,000+ depending on infection complexity and urgency. Weigh this against daily revenue loss and potential NDPA fines. Prevention is always cheaper than recovery.
Will Google permanently blacklist my hacked WordPress site?
No. After thorough cleanup, request review in Google Search Console. Most sites get removed from blacklist within 24-72 hours if malware is completely gone. Persistent blacklisting indicates missed malware requiring additional scanning.

Conclusion

Recovering from a hacked WordPress site is stressful but manageable with a systematic approach. Act quickly: document everything, change all passwords, assess damage, clean or restore your site, and harden security immediately.

Even if this is your first security incident, you’re not starting from zero. If you document carefully, clean methodically, and harden your site afterward, the chances of repeat hacks drop sharply.

Don’t skip the NDPA notification if customer data was affected. The 72-hour deadline is strict, and penalties are severe. Most Nigerian businesses can successfully recover using these steps.

Manual cleanup requires technical skills with FTP and databases. Don’t hesitate to call professional help if you’re uncomfortable with these tools. Making mistakes during cleanup can cause more damage than the original hack.

Prevention is critical. Don’t return to the same insecure habits that led to this hack. Implement proper security measures, maintain regular backups, and actively monitor your site.

Need emergency WordPress recovery help? PlanetWeb provides rapid-response malware removal, security hardening, and NDPA breach assistance to businesses. Contact us for immediate assistance.
