Table of Contents
- The Four Stages of a WordPress Hack Response
- Stage 1: Containment — The First 2 Hours
- Step 1: Take the Site Offline or Enable Maintenance Mode
- Step 2: Change All Credentials Immediately
- Step 3: Notify the Hosting Provider
- Step 4: Client Communication — What to Say and What Not to Say
- Stage 2: Assessment — Hours 2 to 6
- Stage 3: Recovery — Hours 6 to 48
- Option A: Clean the Existing Installation
- Option B: Restore from Clean Backup
- Post-Cleanup Security Hardening
- Stage 4: Post-Recovery — Hours 48 to 72
- The Post-Recovery Client Report
- Google Search Console: Requesting Blacklist Removal
- Converting the Recovery into a Care Plan
- Frequently Asked Questions
- Download the WordPress Hacked Site Response Checklist (Agency Version)
The call every agency dreads: a client rings to say their website is showing a warning message, their hosting provider has suspended their account, or their customers are being redirected to a spam site. The agency built the site. The agency manages the relationship. The agency is now on the hook.
How an agency responds to a client site hack determines whether the client stays or leaves — and whether the agency’s reputation survives intact. A slow, disorganised response compounds the damage. A fast, structured response becomes a demonstration of professionalism that deepens trust.
This playbook documents the exact response process Technocrackers executes as a white label partner when an agency client site is compromised — from the first alert to the post-recovery report.
The Four Stages of a WordPress Hack Response
| Stage | Window and objective |
|---|---|
| Stage 1: | Containment (0–2 hours) — Stop the damage from spreading |
| Stage 2: | Assessment (2–6 hours) — Understand what happened and how |
| Stage 3: | Recovery (6–48 hours) — Clean, restore, and harden |
| Stage 4: | Post-Recovery (48–72 hours) — Report, prevent, and retain the client |
Stage 1: Containment — The First 2 Hours
The moment a hack is confirmed, the priority is containment — preventing the compromised site from doing further damage to the client’s brand, their customers, or their hosting environment.
Step 1: Take the Site Offline or Enable Maintenance Mode
If the site is actively serving malware, displaying defaced content, or redirecting users, it must be taken offline immediately. A maintenance page is preferable to a live hacked site for every minute it remains accessible.
Step 2: Change All Credentials Immediately
Reset: WordPress admin password, hosting control panel password, FTP/SFTP credentials, and the database password. Do this before any investigation — if the attacker still has credential access, any cleanup will be undone.
Step 3: Notify the Hosting Provider
Most hosting providers have a security team that can assist with server-level threat identification and quarantine. Notify them immediately and request a server-level malware scan.
Step 4: Client Communication — What to Say and What Not to Say
| Agency Client Communication Script — Hack Notification |
|---|
| Hi [Client Name], we’ve identified a technical security issue with your website and have taken immediate action to protect it. |
| We’ve taken the site offline while we investigate and address the issue. This is a precautionary measure to protect you and your customers. |
| Our team is working on this now. We will update you within [X hours] with a full assessment and a recovery timeline. |
| Please do not attempt to log in to the site or change any settings until we confirm it is safe to do so. |
| We’ll keep you closely updated. If you have any urgent questions, contact [agency PM name] directly. |
What not to say: do not tell the client how the site was hacked until you have confirmed it. Do not speculate about data loss. Do not apologise for the hack itself — apologise for the disruption and focus on resolution.
Stage 2: Assessment — Hours 2 to 6
Malware Scan
Run a server-level malware scan using a tool such as Maldet or the hosting provider’s scanner. Additionally, run a WordPress-specific scan using Wordfence, Sucuri SiteCheck, or MalCare. Document every infected file identified.
Entry Point Investigation
The single most important forensic question: how did they get in? If the entry point is not identified and closed, the cleanup will be undone by immediate reinfection. Common entry points to check:
- Outdated plugin with a known CVE (check against WPScan database)
- Compromised admin credentials — check admin user list for unknown accounts
- Vulnerable file upload functionality
- Server-level compromise via outdated PHP or FTP vulnerability
- Nulled or unlicensed themes/plugins containing malicious code
Scope Assessment
Determine: which files are infected, whether the database has been modified, whether any data has been exfiltrated, and whether the site is blacklisted by Google or other security authorities.
| Check | Tool |
|---|---|
| Google blacklist status | Google Safe Browsing: transparencyreport.google.com |
| Sucuri blacklist check | sitecheck.sucuri.net |
| File modification timestamps | Hosting file manager or FTP client |
| WordPress admin user audit | WordPress admin > Users |
| Database integrity | phpMyAdmin or WP-CLI |
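The file-level checks in the entry-point list and the scope table above (executable PHP dropped into the uploads directory, recent modification timestamps, and injected redirect or obfuscated code in theme and core files) can be run in a single pass over the install. The script below is an added example, not Technocrackers' tooling or anything from the page; the signature list, the seven-day modification window, the `spam.example` URL and the sample site it builds in a temporary directory are all constructed for the demonstration.

```python
"""Triage scan of a WordPress tree for the Stage 2 assessment.
Hypothetical example code: the signatures and the sample tree are constructed."""
import os
import re
import time
import tempfile
from dataclasses import dataclass

# Content signatures typical of injected code. Constructed for this example and
# deliberately short: a production scanner uses a maintained signature set.
SIGNATURES = {
    "php-obfuscation": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "js-redirect": re.compile(rb"(window\.location|location\.href)\s*=\s*['\"]https?://"),
    "remote-include": re.compile(rb"(include|require)(_once)?\s*\(?\s*['\"]https?://"),
}
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
CODE_EXTENSIONS = PHP_EXTENSIONS | {".js", ".html"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the WordPress root, forward slashes
    reason: str  # which check fired


def scan_wordpress_tree(root, modified_within_days=7, now=None):
    """Walk a WordPress install and return the indicators found.

    Three checks: PHP under wp-content/uploads (a media directory should never
    contain code), files modified inside the given window (to be compared with
    the agency's own change log), and content signatures in code and template
    files. Symlinks are skipped so the scan stays inside the tree.
    """
    now = time.time() if now is None else now
    cutoff = now - modified_within_days * 86400
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if path.startswith(uploads) and ext in PHP_EXTENSIONS:
                findings.append(Finding(rel, "php-in-uploads"))
            if os.path.getmtime(path) >= cutoff:
                findings.append(Finding(rel, "recently-modified"))
            if ext in CODE_EXTENSIONS or name == ".htaccess":
                with open(path, "rb") as fh:
                    data = fh.read()
                for label, pattern in SIGNATURES.items():
                    if pattern.search(data):
                        findings.append(Finding(rel, label))
    return findings


def build_sample_site(base, now):
    """Constructed sample tree: three clean files and two planted indicators
    (a redirect appended to footer.php and obfuscated PHP dropped into uploads).
    Modification times are set explicitly so the timestamp check is deterministic."""
    old = now - 60 * 86400
    files = {
        "wp-login.php": (b"<?php require __DIR__ . '/wp-load.php';", old),
        "wp-content/themes/shop/header.php": (b"<?php wp_head(); ?>", old),
        "wp-content/uploads/2024/03/photo.jpg": (b"\xff\xd8\xff", old),
        "wp-content/themes/shop/footer.php": (
            b"<?php wp_footer(); ?>\n<script>window.location='http://spam.example/';</script>",
            now - 3600),
        "wp-content/uploads/2024/03/cache.php": (
            b"<?php eval(base64_decode('aGVsbG8='));", now - 7200),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the
    findings as sorted (path, reason) pairs."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp, now)
        findings = scan_wordpress_tree(tmp, modified_within_days=7, now=now)
    return sorted((f.path, f.reason) for f in findings)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:<18} {path}")
```

Run it against a real install with `scan_wordpress_tree("/path/to/site")` and treat every hit as a lead to confirm, not a verdict: a `recently-modified` hit on a file the agency changed last week is expected, while a `recently-modified` hit on a core file nobody touched is the kind of evidence that points at the entry point.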
Stage 3: Recovery — Hours 6 to 48
Option A: Clean the Existing Installation
Appropriate when: the infection is limited to specific files, the entry point is identified and closed, and the database is uncompromised.
- Remove all identified malicious files
- Replace WordPress core files with fresh copies from wordpress.org
- Replace compromised plugin files with fresh downloads from the official repository
- Audit the database for injected content in posts, options table, and user meta
- Remove any unknown or unauthorised admin accounts
- Reinstall the security plugin with a clean configuration
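The database audit and the rogue-admin check in the list above are a handful of queries against `wp_posts`, `wp_options`, `wp_users` and `wp_usermeta`. The script below is an added example, not Technocrackers' tooling; it runs the queries against an in-memory SQLite copy of those four tables so it can be tried offline, and the sample rows, the approved-admin list and the `shop.example` / `spam.example` URLs are constructed. Against the live MySQL database the same SQL runs through a MySQL connector, whose parameter placeholder is `%s` rather than `?`.

```python
"""Database audit for the Option A cleanup: injected markup in posts and
options, a rewritten siteurl/home, and administrator accounts not on the
agency's approved list. Hypothetical example code with constructed data."""
import sqlite3

# Markers that should not appear in editorial content or option values.
# Constructed for the example; extend from the malware scan's findings.
INJECTION_MARKERS = ("<script", "<iframe", "eval(", "base64_decode")


def _like_clause(column):
    """Build 'col LIKE ? OR col LIKE ? ...' for the marker list.
    The column name comes from this module, never from input; the markers
    are passed as bound parameters."""
    clause = " OR ".join(f"{column} LIKE ?" for _ in INJECTION_MARKERS)
    params = [f"%{m}%" for m in INJECTION_MARKERS]
    return clause, params


def audit_database(conn, expected_admins, expected_siteurl):
    """Return a dict of post IDs, option names, URL options and admin logins
    that need a human look."""
    cur = conn.cursor()
    report = {}

    clause, params = _like_clause("post_content")
    report["injected_posts"] = [row[0] for row in cur.execute(
        f"SELECT ID FROM wp_posts WHERE {clause}", params)]

    clause, params = _like_clause("option_value")
    report["injected_options"] = [row[0] for row in cur.execute(
        f"SELECT option_name FROM wp_options WHERE {clause}", params)]

    # siteurl/home are a common target: a rewritten value redirects the whole site.
    urls = dict(cur.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home')"))
    report["url_mismatch"] = sorted(k for k, v in urls.items() if v != expected_siteurl)

    # Capabilities are a serialized PHP array; the role name appears quoted inside it.
    admins = cur.execute(
        "SELECT u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%'").fetchall()
    report["unknown_admins"] = sorted(
        login for (login,) in admins if login not in expected_admins)
    return report


def build_sample_db():
    """Constructed in-memory copy of the four tables with two clean rows per
    table and one planted problem of each kind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Welcome", "<p>Spring collection now live.</p>"),
        (2, "Blue jacket",  # planted: script tag appended to a product page
         '<p>Wool blend.</p><script src="http://spam.example/r.js"></script>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://shop.example"),
        ("home", "http://spam.example"),  # planted: home URL rewritten
        ("blogname", "Example Shop"),
        ("widget_text", "<script>document.write('x')</script>"),  # planted
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "shopadmin", "admin@shop.example"),
        (2, "editor_jane", "jane@shop.example"),
        (3, "wp_support", "x@mail.example"),  # planted: rogue admin account
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


def demo():
    conn = build_sample_db()
    return audit_database(conn, expected_admins={"shopadmin"},
                          expected_siteurl="https://shop.example")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<18} {value}")
```

The approved-admin list should come from the agency's own records, not from the database being audited, since the database is exactly what the attacker has been editing.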
Option B: Restore from Clean Backup
Appropriate when: the infection is widespread, the entry point is unclear, or the database has been significantly modified. Requires a verified clean backup — Technocrackers tests all backups monthly to confirm restore capability.
Critical: after restoring from backup, still close the entry point. A restore without patching the vulnerability will result in reinfection within hours.
Post-Cleanup Security Hardening
| Security Hardening Steps After Every Hack Recovery |
|---|
| Update all plugins, themes, and WordPress core to current versions |
| Remove all unused plugins and themes — inactive code is still a risk |
| Implement or reconfigure web application firewall (Cloudflare or Wordfence) |
| Enable two-factor authentication on all admin accounts |
| Restrict admin access by IP address where possible |
| Disable XML-RPC if not in use |
| Implement file permission hardening (755 directories, 644 files) |
| Configure login attempt limiting |
| Submit site to Google for blacklist removal review (if applicable) |
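The file-permission step in the table (755 for directories, 644 for files) is worth scripting so the pass is repeatable and every change is recorded in the recovery notes. The script below is an added example, not Technocrackers' tooling; it assumes a POSIX filesystem, that it runs as the file owner, and the sample tree it builds in a temporary directory is constructed. The dry-run default lists what would change so the list can be reviewed before anything is touched.

```python
"""Apply the 755/644 permission baseline from the hardening table and report
every path that differed. Hypothetical example code with a constructed sample tree."""
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def harden_permissions(root, dry_run=True):
    """Return sorted [(relative_path, current_mode, wanted_mode)] for every
    directory and file under root whose mode differs from the baseline, and
    apply the baseline when dry_run is False. Symlinks are skipped so a link
    pointing outside the tree cannot be used to change something else."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        targets = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, wanted in targets:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            current = stat.S_IMODE(os.lstat(path).st_mode)
            if current != wanted:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                changes.append((rel, oct(current), oct(wanted)))
                if not dry_run:
                    os.chmod(path, wanted)
    return sorted(changes)


def build_sample_site(base):
    """Constructed sample tree with every mode set explicitly: the uploads
    directory and a file inside it are world-writable, the rest is at baseline."""
    dirs = {
        "wp-content": 0o755,
        "wp-content/uploads": 0o777,
        "wp-content/themes": 0o755,
        "wp-content/themes/shop": 0o755,
    }
    files = {
        "wp-config.php": 0o644,
        "wp-content/themes/shop/footer.php": 0o644,
        "wp-content/uploads/cache.php": 0o777,
    }
    for rel, mode in dirs.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(base, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"<?php // sample\n")
        os.chmod(path, mode)


def demo():
    """Dry run, then apply, then verify; returns the three change lists."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        planned = harden_permissions(tmp, dry_run=True)
        applied = harden_permissions(tmp, dry_run=False)
        remaining = harden_permissions(tmp, dry_run=True)
    return planned, applied, remaining


if __name__ == "__main__":
    planned, applied, remaining = demo()
    for rel, cur, want in planned:
        print(f"{cur} -> {want}  {rel}")
    print("remaining after apply:", remaining)
```

A world-writable uploads directory is a common leftover from an earlier "fix" to make uploads work, and it is precisely where the case study below found its dropped files, so the dry-run list is also a useful line in the client report.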
| MINI CASE STUDY: UK E-Commerce Agency — WooCommerce Hack Recovery in 18 Hours | |
|---|---|
| Client Type: | Manchester-based digital agency managing a WooCommerce store for a UK fashion retailer (4,000+ customers, active transaction volume) |
| Problem: | On a Wednesday afternoon, the agency received a call from the client — customers were being redirected to a pharma spam site from the product pages. The hosting provider had flagged the account for malware. Google had not yet blacklisted the site but the window was narrow. The client had approximately £8,000 in pending orders that could not process. |
| Initial Response: | Technocrackers was contacted at 3:00pm. Within 30 minutes, Technocrackers had staging access and the live site was in maintenance mode. |
| Assessment Findings: | A WooCommerce plugin (version 13 months out of date) had a known CVE that had been publicly disclosed 4 months prior. Attackers had used it to inject a redirect script into the theme’s footer.php and create a secondary admin account. |
| Recovery Execution: | |
| Hour 1: | Credentials rotated, site taken offline, hosting security team notified |
| Hour 2: | Full malware scan — 14 infected files identified across theme and uploads directory |
| Hour 3: | Entry point confirmed — CVE in outdated plugin patched and plugin updated |
| Hour 4–8: | Infected files replaced with clean versions, database audited and cleared, rogue admin account removed |
| Hour 8–12: | Full security hardening pass — WAF configured, 2FA enabled, XML-RPC disabled |
| Hour 12–16: | QA pass on all WooCommerce flows — cart, checkout, payment confirmed functional |
| Hour 18: | Site brought back online. Google blacklist check confirmed clean. |
| Client Communication: | The agency PM provided 3 updates to the client throughout the night. At no point did the client know that Technocrackers was involved — all communication came from the agency. |
| Results: | Site recovered in 18 hours. No Google blacklisting occurred. All pending orders processed successfully within 24 hours. The client signed a Premium Care Plan within the week — the hack became the catalyst for a retained service relationship. |
When a client site is hacked, speed and structure are everything. Technocrackers provides white label hack response for agencies — available within 2 hours of contact. Contact Us Now
Stage 4: Post-Recovery — Hours 48 to 72
The Post-Recovery Client Report
Every hack recovery should conclude with a written client report — delivered by the agency in their own name. The report covers: what happened (in non-technical language), what was done to recover the site, what measures are now in place to prevent recurrence, and a recommendation for ongoing maintenance.
The recovery report is the single best conversion tool for a care plan sale. A client who has just experienced a hack is maximally receptive to a maintenance proposal. Lead with the prevention story.
Google Search Console: Requesting Blacklist Removal
If Google issued a ‘Dangerous Site’ warning, submit a reconsideration request via Google Search Console after the site has been fully cleaned. Google typically reviews within 24–72 hours. Document this process in the client report.
Converting the Recovery into a Care Plan
The post-recovery call script: ‘As part of this incident, we have implemented a number of security measures. To ensure these are maintained and that this cannot happen again, we recommend placing your site on our care plan. This covers monthly updates, daily backups, security monitoring, and priority response if anything ever occurs in the future. The cost is [price] per month — which is a fraction of what this incident cost us both in time.’
Is a client site hacked right now? Contact Technocrackers — white label recovery response within 2 hours.
Frequently Asked Questions
Q: How long does a WordPress hack recovery take?
A: Simple recoveries — limited file infection, identified entry point, clean backup available — typically take 4–12 hours. Complex recoveries — widespread database compromise, multiple entry points, no recent backup — can take 24–72 hours. Technocrackers provides a written timeline estimate within 2 hours of assessment.
Q: Will my client’s customer data have been stolen?
A: This depends entirely on the nature of the attack. Most opportunistic WordPress hacks are aimed at redirects and spam injection — not data theft. However, if the site stored customer data and the database was accessed, a data breach notification obligation may apply under GDPR or UK GDPR. We flag this risk in our post-recovery report.
Q: Can a restored site get hacked again immediately?
A: Yes — if the entry point is not closed. Restoring from backup without patching the vulnerability that was exploited will result in reinfection, often within hours. Technocrackers always identifies and closes the entry point as part of every recovery, regardless of whether we clean or restore.
Q: Does Technocrackers handle the Google blacklist removal process?
A: Yes. As part of the Premium recovery service, we manage the Google Search Console reconsideration request and monitor the review status until the blacklist warning is removed.

Download the WordPress Hacked Site Response Checklist (Agency Version)
A step-by-step response checklist covering all 4 stages: Containment, Assessment, Recovery, Post-Recovery. Includes client communication scripts and Google blacklist removal guide.