Down right now?
Read this first
Half the emergency WordPress help we provide starts with undoing somebody's first repair attempt. Deleted files here, a stale backup restored there. First rule: hands off. On a hacked WordPress site, the server logs are the only witness you've got — and a careless fix erases them.
Useful WordPress support starts with boring questions. Is the domain renewed? Does the host's status page show an outage for everyone, or just for you? Screenshot whatever the site shows right now and send it over — an error code in a screenshot beats ten minutes of guessing on the phone.
Triage comes first when you reach us. A senior developer pulls the server and error logs and works out what broke, before anyone touches anything else. First stable, then fixed. SLA clients hear back within minutes, day or night; everyone else gets picked up the same business day, ahead of every job already on the calendar.
No ticket queue, no tier-one script. The developer who answers the phone is the developer who reads your logs.
For our monitoring to flag downtime
Critical response on the top SLA tier
WordPress sites brought back after hacks and crashes
Rate for emergency troubleshooting
Hacked WordPress?
The cleanup, step by step
Resist the urge to delete. Every infected file is also a clue, and the cleanup goes faster when the clues survive. Our first move is a full copy of files and database, followed by log analysis until we know exactly how the attacker got in. Nine times out of ten: a plugin that missed months of security updates.
The cleanup itself runs through WP-CLI, swapping infected core and plugin files for verified originals from WordPress.org rather than patching them by hand. Then the part most cleanups skip. An attacker who got in once has left a way back — a spare admin account, a cron job, a file named to look like it belongs. Skip the backdoor hunt and you'll redo this whole exercise within a month.
Hardening closes the loop. We rotate every password and API key along with the salts in wp-config.php, and two-factor becomes mandatory for administrators. Configuration gets tightened to the same baseline our WordPress security agreements use. If Google has blacklisted the site in the meantime, we file the review request the same day the cleanup is documented and follow it until the warning disappears.
You also get a post-mortem the board can read: what the attacker did, and what now stands between them and a second visit. Two pages, no jargon.
Six signs of a hacked WordPress site
- 01
Google traffic lands on websites you've never heard of, while direct visits look perfectly normal — the redirect only fires for visitors arriving from search.
- 02
Admin accounts you never created. Open Users → Administrators in wp-admin; attackers almost always set up their own.
- 03
Your search listing carries Google's "This site may be hacked" warning, or Search Console has flagged a security issue.
- 04
Customers report spam coming from your domain, or your own email starts landing in junk folders because the domain hit a blacklist.
- 05
The site got slow and nobody changed anything. Spam scripts and cryptominers are quietly spending your server resources.
- 06
Pharma ads and Japanese product pages you never published start showing up in Google's index under your domain.
When the people who built it
stop answering
Maybe the agency folded. Maybe your account simply stopped mattering to them. Either way you're left holding a site nobody fully controls — no documentation anywhere, and a domain that turns out to be registered to an employee who quit years ago. The admin password walked out the door with her.
Takeovers like this are routine work for us. Ownership gets sorted first: who legally holds the domain, and where the admin credentials live. You own your site. Silence from a former supplier doesn't change that, and Norwegian registrars and hosting companies all have procedures for handing control back to a documented owner — we know which paperwork each of them expects.
Next we read the code: how much is custom-built, and whether the server runs PHP 8.4 or something that stopped getting security patches years ago. Usually the latter. The condition report comes in plain language with a recommendation you can act on, and if the site needs ongoing development afterwards, you can hire a WordPress developer on a monthly retainer.
What happens after the rescue
An emergency fix buys you a working site, not a safe one. Whatever let the attacker in last time is exactly what the scanning bots keep probing for — around the clock, against every WordPress site they can reach. A site that got hacked because nothing was updated for two years isn't unlucky. It's on schedule.
Most of our rescue jobs therefore turn into WordPress maintenance and operations agreements from NOK 2,500 a month: updates tested before they ship, monitoring on uptime and security, backups someone has verified by restoring them, and a defined response time for the next incident. We'd rather skip the second crisis than invoice for it.
Do the napkin maths. A breach cleanup starts at NOK 15,000 and has no ceiling worth promising, because the bill grows with every week the attacker had access. Maintenance: NOK 2,500 a month, every month. Only one of those two numbers fits in a budget.