A compromised WordPress site is every UK business owner's nightmare — defaced pages, spam redirects, Google warnings, admin lockout, outbound spam triggering IP blacklists. Under UK GDPR you may also have a 72-hour window to notify the ICO if personal data was accessed. The sooner you recognise the signs and act, the easier the recovery. This guide covers recognising a compromise, the most common causes, and six solutions — from Imunify360 malware scanning through file permission fixes to restoring a clean backup — ordered by the typical diagnostic and recovery workflow on smartxhosting.uk.
Recognising a compromised site · Common causes of security issues · Solution 1: Imunify360 malware scan · Solution 2: WordPress Toolkit integrity check · Solution 3: fix file permissions · Solution 4: audit WordPress user accounts · Solution 5: security plugin scan · Solution 6: restore from a clean backup · Preventing future security issues · UK GDPR breach obligations · When to contact smartxhosting.uk support · Frequently asked questions
Symptoms to watch for:
wp-content, wp-includes, or uploads directory.

If any of these apply, work through the solutions below in order. For urgent situations, contact smartxhosting.uk support immediately — the team can investigate at server level and take fast action.
wp-login.php.

smartxhosting.uk WordPress hosting includes Imunify360 — server-level security that automatically detects and quarantines malware across all WordPress installations. It operates at server level, blocking threats before PHP executes.
Imunify360's Proactive Defense uses runtime analysis to block malicious PHP execution even if an infected file bypasses the scanner. This multi-layered protection is far more effective than any WordPress plugin alone.
Plesk WordPress Toolkit can verify WordPress core file integrity by comparing the installed files against the official checksums from WordPress.org. This reveals whether core files have been modified, replaced or added by an attacker.
A compromised core typically means an attacker gained file-system access. Reinstalling restores core; further investigation is needed to find and remove the initial entry point.
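An offline illustration of the same comparison, added here as an example rather than code from the Toolkit: it checks a toy install against a checksum map in the shape of the WordPress.org checksums API (the file contents, hashes and the foreign file name are all constructed) and also reports files under wp-admin/ or wp-includes/ that the official list does not contain.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the WordPress.org checksums map ({"relative/path":
# "md5hex"}); hashes come from toy contents, not from any real release.
GOOD_VERSION = b"<?php $wp_version = 'x.y';\n"
GOOD_INDEX = b"<?php require_once 'admin.php';\n"
KNOWN_CHECKSUMS = {
    "wp-includes/version.php": hashlib.md5(GOOD_VERSION).hexdigest(),
    "wp-admin/index.php": hashlib.md5(GOOD_INDEX).hexdigest(),
    "wp-includes/load.php": "0" * 32,  # placeholder: listed officially, absent on disk
}

def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()

def check_core_integrity(root, checksums, core_dirs=("wp-admin", "wp-includes")):
    """Return sorted lists of modified, missing and unexpected core files.
    'unexpected' = a file under a core directory that the official list does
    not contain at all, the classic hiding place for a dropped backdoor."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in checksums.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif md5_of(p) != expected:
            report["modified"].append(rel)
    for d in core_dirs:
        for p in (root / d).rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in checksums:
                report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def run_demo():
    """Constructed toy install: one intact file, one tampered, one foreign."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("wp-admin", "wp-includes"):
            (root / d).mkdir()
        (root / "wp-includes/version.php").write_bytes(GOOD_VERSION)
        (root / "wp-admin/index.php").write_bytes(GOOD_INDEX + b"// tampered\n")
        (root / "wp-includes/class-wp-extra.php").write_bytes(b"<?php // not core\n")
        return check_core_integrity(root, KNOWN_CHECKSUMS)
```

Calling run_demo() returns the report for the toy install; against a live site, pass the site root and the checksum map for the installed version to check_core_integrity().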
Incorrect permissions are both a symptom and a cause of security issues.
| Path | Permission | Meaning |
|---|---|---|
| All directories | 755 | Owner: read/write/execute. Others: read/execute. |
| All files | 644 | Owner: read/write. Others: read. |
| wp-config.php | 600 or 440 | Restrict to owner only. |
777 permissions grant everyone (including any malicious script on a shared server) full read/write/execute access. If a tutorial suggests 777 to "fix upload issues", the tutorial is wrong. The correct fix is setting 755/644 with correct file ownership.
The Plesk WordPress Toolkit applies correct permissions automatically during installation. If permissions have drifted, use Plesk > File Manager > select the site root > right-click > Properties > Permissions. Apply recursively.
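Before changing anything it helps to see exactly what has drifted. This added example (not part of the guide or of Plesk) audits a site root against the 755/644 rule with wp-config.php held to 600/440, lists world-writable entries first, and applies the fix only when asked; the fixture it builds is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE, FILE_MODE, CONFIG_MODES = 0o755, 0o644, (0o600, 0o440)

def allowed_modes(p: Path, root: Path):
    """Acceptable modes: 755 for dirs, 644 for files, 600 or 440 for wp-config.php."""
    if p.is_dir():
        return (DIR_MODE,)
    return CONFIG_MODES if p.parent == root and p.name == "wp-config.php" else (FILE_MODE,)

def audit_permissions(root):
    """List (relative path, actual mode, target mode) for every entry that
    deviates from the rule; world-writable entries (777/666 drift) come first."""
    root, findings = Path(root), []
    for p in sorted(root.rglob("*")):
        if p.is_symlink():
            continue  # never chmod through a symlink
        actual = stat.S_IMODE(p.stat().st_mode)
        allowed = allowed_modes(p, root)
        if actual not in allowed:
            findings.append((p.relative_to(root).as_posix(), actual, allowed[0]))
    findings.sort(key=lambda f: not (f[1] & stat.S_IWOTH))
    return findings

def fix_permissions(root, apply=False):
    """Dry run by default: return the planned chmods; change modes only if apply=True."""
    plan = []
    for rel, _, target in audit_permissions(root):
        plan.append((rel, target))
        if apply:
            os.chmod(Path(root) / rel, target)
    return plan

def run_demo():
    """Constructed fixture: 777 uploads dir, 666 image, world-readable wp-config.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "wp-content/uploads/x.jpg").write_bytes(b"")
        (root / "wp-config.php").write_bytes(b"<?php\n")
        for rel, mode in (("wp-content", 0o755), ("wp-content/uploads", 0o777),
                          ("wp-content/uploads/x.jpg", 0o666), ("wp-config.php", 0o644)):
            os.chmod(root / rel, mode)
        before = [f[0] for f in audit_permissions(root)]
        fix_permissions(root, apply=True)
        return before, audit_permissions(root)
```

On a real site the mode fix alone is not enough if ownership is wrong; check that files belong to the subscription's system user as the paragraph above notes.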
If you have SSH access:

```bash
find /var/www/vhosts/yourdomain.co.uk/httpdocs -type d -exec chmod 755 {} \;
find /var/www/vhosts/yourdomain.co.uk/httpdocs -type f -exec chmod 644 {} \;
chmod 600 /var/www/vhosts/yourdomain.co.uk/httpdocs/wp-config.php
```

A common attacker tactic after gaining access is to create new admin accounts or escalate existing low-privilege accounts to administrator.
For every remaining admin/editor account, change the password to a new strong one. If the site was compromised, the old passwords may be in the attacker's hands.
Via Plesk WordPress Toolkit: on the site card, click Setup, update administrator password directly.
Users > [user] > Application Passwords. Delete any you do not recognise — these are API credentials that bypass normal login.
After changes, invalidate all sessions. Users > [user] > Log Out Everywhere Else. Forces re-authentication.
Install a WordPress-level security plugin for a thorough file-by-file scan.
Sucuri's free online scanner (sitecheck.sucuri.net) performs external checks from Sucuri's servers. It identifies blacklist status, injected JavaScript and spam keywords, and is a useful second opinion.
Cloud-based WordPress malware scanner. Less resource-intensive than Wordfence (scanning runs on Sucuri's servers). Full features require the paid tier.
If the infection runs deep and you cannot be certain you have caught every artefact, restoring from a pre-compromise backup is the cleanest solution.
Backups are retained for 30 days, which gives plenty of pre-compromise recovery points if you catch the compromise within a month.
Restoring without fixing the original hole means the attacker comes back. The most common entry points: outdated plugin (update), weak password (force reset + 2FA), nulled plugin (delete, use a legitimate one).
Post-compromise hardening:
If personal data on your WordPress site was accessed during the compromise, UK GDPR Article 33 requires notification to the ICO within 72 hours of becoming aware of the breach.
Personal data includes: user accounts with email addresses, WooCommerce customer records, contact form submissions, comment author details.
The ICO prefers over-notification to under-notification. If you are uncertain whether data was accessed, lean toward notifying.
Article 34 may require notifying affected individuals directly if the breach is likely to result in high risk. Obtain legal advice if unsure.
Contact support immediately when:
Support has access to server-level logs and backups, and can take actions (IP blocks, mail throttling, WAF rule adjustments) that are unavailable from the WordPress dashboard.
How can I tell if my site has been hacked?
Signs: unfamiliar redirects, Google warnings, new admin accounts, suspicious files in wp-content, outbound spam, blacklisted IP. Run Imunify360 and Wordfence scans to confirm.
What should I do first if I think my site is hacked?
Do not panic. Take the site offline (Plesk > Maintenance Mode). Change all passwords. Run Imunify360 scan. Contact support if unsure. Work through the solutions in this guide systematically.
Will changing my password stop the hack?
If the attacker still has file-system access via an uploaded backdoor, password changes alone are not enough. Combine with malware scans and, if needed, restore from a clean backup.
Can I run WordPress while it is infected?
Better to take it offline during investigation. Maintenance mode serves a friendly page while you clean up — prevents visitors from seeing the compromise or being redirected to spam sites.
What if Google has blacklisted my site?
Clean the site completely. Run Google's Security Issues report in Search Console. Submit a reconsideration request. Takes 1–4 weeks for Google to re-crawl and remove the warning.
Is recovery always possible?
Yes, with backups. Without backups, recovery means rebuilding from scratch — which is why daily server backups on smartxhosting.uk matter. The 3-2-1 rule (live + server backup + off-site via UpdraftPlus) makes recovery near-certain.
How do I know when it is safe to come back online?
When: Imunify360 shows clean, Wordfence scan clean, file integrity check clean, all passwords rotated, all updates applied, Sucuri external scan clean, user accounts audited. Monitor for 48 hours before declaring recovery complete.
Do I need to tell my customers about the breach?
Under UK GDPR, if personal data was accessed and the risk to individuals is high, yes (Article 34). Even if not legally required, transparency generally helps maintain trust. Obtain legal advice for specific situations.
How do I prevent this happening again?
Update regularly, use strong passwords, enforce 2FA, remove unused plugins, run regular security scans, keep Plesk WordPress Toolkit's security hardening applied, and monitor Google Search Console. Security is ongoing, not a one-off.
Is my WordPress more at risk than another CMS?
WordPress is the most-targeted CMS because of its market share. That does not make WordPress inherently insecure — core WordPress is well-audited. What gets WordPress sites compromised is usually outdated plugins and weak passwords, both of which are owner-controlled.
Launch your WordPress site on smartxhosting.uk
UK hosting with the Plesk WordPress Toolkit, LiteSpeed Cache, Redis object caching, free Let’s Encrypt SSL, free CDN and daily backups — from £2/month.
View WordPress hosting plans →