This Standard Operating Procedure (SOP) outlines the approved and recommended process for recovering a compromised or hacked WordPress website hosted with A7 Host.
This guide applies when a site has been:
- Defaced
- Redirecting visitors to malicious websites
- Injected with spam or malware
- Flagged by browsers or search engines
- Compromised by unauthorized access
Follow the steps in order. Skipping steps may result in reinfection.
1. Incident Confirmation & Initial Assessment
1.1 Confirm the Site Is Compromised
Common indicators include:
- Unexpected redirects
- Spam pages indexed by search engines
- Unknown admin users in WordPress
- Browser security warnings
- Modified site content without authorization
If any of the above are present, treat the situation as a security incident.
1.2 Determine Scope of Impact
Before taking action, identify:
- Is only the WordPress site affected?
- Are email accounts impacted?
- Are multiple domains or installations involved?
This information is important for containment.
2. Immediate Containment (Critical)
2.1 Stop Making Live Changes
Once compromise is suspected:
- Do not install new plugins
- Do not attempt partial file cleanup
- Do not repeatedly restore random files
- Do not continue logging in with compromised credentials
Uncontrolled actions increase recovery time.
2.2 Secure Access Immediately
Change all related passwords:
- A7 Host client area
- Hosting control panel
- WordPress admin accounts
- FTP/SFTP credentials
- Database credentials (if applicable)
- Email accounts tied to the domain
Passwords must be strong and unique.
3. Backup Evaluation & Selection
3.1 Identify a Clean Backup
Determine:
- When the site last functioned normally
- Whether a backup exists from before the compromise
Important:
Restoring a backup made after infection will reintroduce malware.
3.2 Decide Recovery Path
Choose one of the following approaches:
- Restore from clean backup (recommended and fastest)
- Manual cleanup (advanced, not guaranteed)
- Full rebuild (when no clean backup exists)
For most cases, backup restoration is the correct path.
4. Recovery Execution (Primary Phase)
4.1 Restore from Backup (Recommended)
If a clean backup is available:
- Restore the full site (files + database)
- Confirm the restore completed successfully
- Do not re-enable plugins yet
Support can assist with backup restores where applicable.
4.2 Manual Cleanup (Advanced Users Only)
If no clean backup exists:
- Remove all plugins and themes
- Reinstall WordPress core files from official sources
- Scan files for injected code
- Review database entries for malicious content
Manual cleanup is time-intensive and error-prone.
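As an added example (not A7 Host's own tooling), the following Python script shows one way to carry out the "scan files for injected code" step: it flags PHP files inside wp-content/uploads and PHP files matching a few common obfuscation markers. The pattern list, function names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers of injected PHP. A hit means "review this file", not "delete it".
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request-driven-exec": re.compile(
        rb"(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "long-encoded-literal": re.compile(rb"[A-Za-z0-9+/=]{500,}"),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

def scan_wordpress_tree(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        # The uploads directory holds media; executable PHP there is unexpected.
        if rel.startswith("wp-content/uploads/"):
            findings.add((rel, "php-in-uploads"))
        data = path.read_bytes()
        for reason, pattern in PATTERNS.items():
            if pattern.search(data):
                findings.add((rel, reason))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (not from a real incident) to exercise the scan."""
    samples = {
        "wp-content/themes/demo/functions.php": "<?php add_action('init', 'demo_setup');",
        # ZWNobyAxOw== is base64 for the harmless stand-in "echo 1;"
        "wp-content/themes/demo/footer.php": '<?php eval(base64_decode("ZWNobyAxOw=="));',
        "wp-content/uploads/2024/01/logo.php": "<?php echo 'hello';",
        "wp-content/uploads/2024/01/logo.png": "not really an image",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_wordpress_tree(build_sample_tree(tmp)):
            print(finding)
```

An empty result does not prove a site is clean, because pattern matching only catches known shapes. Core files are more reliably checked against official checksums, for example with WP-CLI's `wp core verify-checksums`.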
5. Post-Recovery Hardening (Mandatory)
After the site is restored and accessible, do not skip this phase.
5.1 Update Everything
- WordPress core
- Themes
- Plugins
Outdated software is the #1 cause of reinfection.
5.2 Remove Unused Components
Delete:
- Unused plugins
- Unused themes
- Old installations
- Inactive admin accounts
Minimizing attack surface is essential.
5.3 Re-Secure WordPress
Implement basic security controls:
- Strong passwords for all users
- Limit admin access
- Avoid shared credentials
- Use reputable plugins only
6. Verification & Monitoring
6.1 Verify Site Integrity
Confirm:
- No redirects occur
- No unknown users exist
- Content appears normal
- Admin access is restricted appropriately
6.2 Monitor for Recurrence
For at least 72 hours:
- Monitor site behavior
- Watch for search engine warnings
- Check logs if available
If issues reappear, stop and escalate.
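As an added example (not part of the original SOP), this Python script shows what "check logs" can look for during the monitoring window: successful requests to PHP files under wp-content/uploads, and clients sending repeated POSTs to the login endpoints. It assumes the web server writes Combined Log Format; the threshold, function name and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: access log lines are in Combined Log Format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
UPLOAD_PHP = re.compile(r"^/wp-content/uploads/.*\.ph(p\d?|tml|ar)(\?|$)", re.I)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def review_access_log(lines, login_threshold=5):
    """Return (upload_php_hits, noisy_login_ips) from access-log lines."""
    upload_hits, login_posts = [], Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"]
        # A PHP file under uploads answering 200 suggests a leftover script is in use.
        if UPLOAD_PHP.search(path) and m["status"] == "200":
            upload_hits.append((m["ip"], path))
        # Repeated login POSTs from one client may indicate password guessing.
        if m["method"] == "POST" and path.split("?")[0] in LOGIN_PATHS:
            login_posts[m["ip"]] += 1
    noisy = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)
    return upload_hits, noisy

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/uploads/2024/01/logo.php?x=1 HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/uploads/2024/01/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.44 - - [10/Jan/2025:10:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"'
    for s in range(6)
]

if __name__ == "__main__":
    hits, noisy = review_access_log(SAMPLE_LOG)
    print("PHP served from uploads:", hits)
    print("Clients with repeated login POSTs:", noisy)
```

Either kind of finding during the 72-hour window is a reason to stop and escalate as described above.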
7. Search Engine & Browser Warnings (If Applicable)
If your site was flagged by any of the following:
- Google Safe Browsing
- Search engine spam warnings
- Browser “dangerous site” notices
You may need to:
- Request a security review
- Submit a reconsideration request
- Wait for re-indexing after cleanup
These steps occur after recovery, not before.
8. When to Escalate to Support Immediately
Contact A7 Host support if:
- You cannot identify a clean backup
- The site reinfects after restore
- Multiple sites are compromised
- Database corruption is suspected
- You are unsure how to proceed safely
Support portal:
https://www.a7host.com/billing
9. What Support Can and Cannot Do
Support Can:
- Assist with hosting-level issues
- Restore backups (plan-dependent)
- Help isolate server-side concerns
- Provide recovery guidance
Support Cannot:
- Perform custom malware cleanup
- Guarantee future immunity
- Fix third-party plugin vulnerabilities
- Rebuild custom WordPress code
10. Root Cause Prevention (Post-Incident Review)
After recovery, identify why the compromise occurred:
- Outdated plugin?
- Weak password?
- Pirated (“nulled”) theme/plugin?
- Shared credentials?
- Insecure third-party integration?
Fixing the root cause is essential to prevent recurrence.
Final Statement
A hacked WordPress site is recoverable only when handled methodically.
Rushing, guessing, or partial fixes often lead to reinfection.
Follow this SOP fully, and contact support when unsure.
Client Area & Support:
https://www.a7host.com/billing