WordPress Security

Hacked WordPress in the Philippines: What to Do in the First 60 Minutes

June 2026  ·  7 min read  ·  By KineticWeb.ph
Is your site hacked right now? Skip to the step-by-step action list below. Read the background later.

You open your browser, type in your business website, and something is wrong. Maybe Google is showing a "This site may be hacked" warning. Maybe your homepage has been replaced with Arabic text. Maybe your hosting provider just sent you a suspension notice. Or maybe a customer texted you to say your site is now redirecting to a gambling page.

Welcome to a situation that affects thousands of Philippine businesses every year — most of them small shops, restaurants, and service providers whose WordPress sites were quietly compromised months before anyone noticed. The good news: you can limit the damage significantly if you act fast and in the right order.

Why WordPress Sites in the Philippines Get Hacked

The Philippines has a large and growing number of WordPress-based business websites — and a large percentage of them are running on outdated core files, abandoned themes, and plugins that haven't been updated in years. Hackers don't specifically target Philippine businesses. They run automated scanners that crawl the entire internet looking for known vulnerabilities. If your WordPress is on version 5.8 and a known exploit exists for it, your site will be found — usually within days.

The most common attack vectors we see:

The First 60 Minutes: Step-by-Step

Speed matters. The longer a hacked site stays up, the more damage is done — to your SEO rankings, your customer trust, and your data. Here is what to do, in order:

  1. Take your site offline immediately. Log in to your hosting control panel (cPanel, Plesk, or your host's dashboard) and put your site in maintenance mode, or temporarily rename your wp-config.php file to break the site's connection to its database. This prevents the attack from spreading and stops visitors from being served malware.
  2. Change all passwords now. Your WordPress admin password, your hosting account password, your FTP/SFTP credentials, and your database password. Use a password manager and generate 20+ character random strings. Do not reuse any old passwords.
  3. Notify your hosting provider. Call or chat with your host support. Most providers (Hostinger, SiteGround, Bluehost, etc.) have a security team that can identify the attack vector and quarantine affected files. They may already have a backup from before the hack.
  4. Restore from a clean backup. This is where having a proper backup system saves you. If you have a recent clean backup (from before the hack), restoring it is usually the fastest path to recovery. Check your hosting control panel — many hosts keep daily backups for 7–30 days.
  5. Scan with a security plugin. If you can access WordPress admin, install Wordfence (free tier is solid) and run a full scan. It will identify malicious files, backdoors, and changed core files. Do not skip this step even after restoring — backdoors are often planted separately from the visible defacement.
  6. Remove all backdoors and malicious files. Wordfence or Sucuri will flag them. Delete every flagged file. Check your wp-content/uploads folder specifically — it is a common hiding spot for PHP malware because it has write permissions.
  7. Update everything. WordPress core, all themes, all plugins. Delete any plugin or theme you are not actively using. If a plugin has not been updated by its developer in 2+ years, remove it.

After Recovery: Prevent It From Happening Again

Getting hacked once is a setback. Getting hacked twice because you didn't change anything is a business problem. Here is the short list of what every WordPress site in the Philippines should have running:

What If You Don't Have a Backup?

This is the hard situation. Without a backup, you have two options: manual cleanup or professional recovery. Manual cleanup means going through every file in your WordPress installation, comparing against the official WordPress checksums, and identifying anything that shouldn't be there. It's doable but time-consuming and easy to miss things.
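
The checksum comparison described above, together with the wp-content/uploads check from step 6, as an added example (not KineticWeb.ph's own tooling). It assumes you already hold a `{relative_path: md5}` list for your exact WordPress version, in the shape of the official core checksum list; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")   # these should contain core files only
PHP_SUFFIXES = {".php", ".phtml", ".phar"}

def audit(root, checksums):
    """Compare a WordPress tree with {relative_path: md5} for its exact version."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": [], "php_in_uploads": []}
    for rel, expected in checksums.items():
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        # MD5 is used only because it is the digest the checksum list carries
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)
    for core_dir in CORE_DIRS:
        for f in (root / core_dir).rglob("*"):
            rel = f.relative_to(root).as_posix()
            if f.is_file() and rel not in checksums:
                report["unexpected"].append(rel)   # not shipped with core
    for f in (root / "wp-content" / "uploads").rglob("*"):
        # uploads holds media: a PHP file, or PHP inside a "media" file, is suspect
        is_php = f.suffix.lower() in PHP_SUFFIXES
        if f.is_file() and (is_php or b"<?php" in f.read_bytes()):
            report["php_in_uploads"].append(f.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed tree: one altered core file, one planted file, two bad uploads."""
    root = Path(tempfile.mkdtemp())
    files = {"wp-login.php": b"<?php // core login\n",
             "wp-includes/version.php": b"<?php // version\n",
             "wp-admin/index.php": b"<?php // dashboard\n"}
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    checksums["wp-admin/about.php"] = hashlib.md5(b"<?php // about\n").hexdigest()
    files["wp-login.php"] += b"// line added after install (constructed)\n"
    files["wp-includes/class-wp-cache-x.php"] = b"<?php // planted (constructed)\n"
    files["wp-content/uploads/2026/06/logo.png"] = b"\x89PNG\r\n<?php // hidden\n"
    files["wp-content/uploads/2026/06/thumb.php"] = b"<?php // dropped\n"
    files["wp-content/uploads/2026/06/menu.jpg"] = b"\xff\xd8\xff plain image bytes"
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return audit(root, checksums)

if __name__ == "__main__":
    print(demo())
```

Treat every entry in the report as something to inspect by hand, since the `<?php` match is a heuristic and will not catch every form of embedded code. On hosts with WP-CLI installed, `wp core verify-checksums` performs the core-file comparison against the official list.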

Professional recovery is faster and more reliable. A developer experienced with WordPress security can typically clean a hacked site in 2–4 hours and implement proper hardening so the same attack vector doesn't work again. The cost of professional cleanup is almost always less than the cost of lost business during extended downtime.

Don't Forget: Google Needs to Know Too

If Google's Safe Browsing flagged your site as dangerous, you won't recover your search traffic just by cleaning the malware — you also need to submit a review request via Google Search Console. Once you have cleaned everything up, go to Google Search Console → Security Issues → Request Review. This process typically takes 1–3 business days.

If your site was de-indexed or penalized, recovery may take weeks even after the malware is removed. This is another reason why prevention is dramatically cheaper than recovery.

Got Hacked? We Can Help.

KineticWeb.ph offers professional WordPress hack recovery for Philippine businesses. We clean the malware, close the vulnerabilities, restore your site, and implement proper security — so it doesn't happen again. Same-day service available for urgent cases.
