When a WordPress site shows signs of compromise, the first 30 minutes matter more than anything else. The goal is to contain damage, preserve evidence, and restore service without introducing new risk.
Minute 0-5: Contain and preserve
- Put the site in maintenance mode if active abuse is visible.
- Snapshot current files and database before making cleanup edits.
- Export recent access and error logs immediately.
Minute 5-15: Validate attack surface
- Check for unauthorized admin users and suspicious plugin/theme changes.
- Verify integrity of `wp-config.php`, `.htaccess`, and upload directories.
- Review recent requests to `wp-login.php`, `xmlrpc.php`, and unknown `.php` paths.
Minute 15-25: Recover safely
- Rotate admin passwords and salts.
- Update WordPress core, plugins, and themes to current stable versions.
- Remove unknown files and compare against known-good backups.
Minute 25-30: Harden and monitor
- Apply edge rules for high-risk paths (`wp-login.php`, `xmlrpc.php`).
- Confirm Fail2Ban jails are active and banning correctly.
- Set post-incident monitoring for repeated probes and auth failures.
Operational recommendation
Write your own environment-specific runbook and rehearse it quarterly. Teams that practice response before an incident recover faster and make fewer high-risk mistakes under pressure.
Related resources
- Internal: Layered security for repeated attacks
- Internal: Contact us
- External: WordPress hardening guide
- External: OWASP Web Security Testing Guide