
My WooCommerce Store Was Hacked: Emergency Recovery Guide

April 29, 2026
WebAdish Security Team

WooCommerce stores are targeted at a higher rate than standard WordPress sites because they hold what attackers want most: live payment flows, customer card data, and personal records. If your store has been compromised, every hour it stays live increases customer harm. Here is how to shut that down fast and recover completely.

Signs your WooCommerce store has been hacked

Some compromises are immediately visible. Others run silently for weeks, skimming card data from every checkout without any surface symptoms. Watch for:

  • Customers reporting card fraud shortly after purchasing from your store
  • Checkout redirecting to unexpected third-party sites or URLs
  • Google showing a "Deceptive site ahead" warning when visitors open your URL
  • Your payment gateway flagging or suspending your merchant account
  • WooCommerce admin showing unknown orders, refunds, or coupon codes you did not create
  • Unexpected admin users appearing in your WordPress user list
  • Your hosting provider suspending your account for malware or spam
  • A drop in organic traffic or Google Search Console security warnings

The most dangerous attack — a JavaScript payment skimmer — produces none of the above symptoms. The store appears to function normally. The attacker captures card data from every live transaction in the background and exfiltrates it without touching any visible page. The only way to detect a skimmer is a file integrity check and source code inspection of your checkout page.

Your first 30 minutes: stop the damage

Do these in this order. Every minute of delay increases customer exposure and liability.

  1. Put the store into maintenance mode immediately — disable the checkout, or switch your payment gateway to test mode. Do not let customers complete purchases while the site is compromised. Use a maintenance plugin or ask your host to block the checkout path.
  2. Notify your payment processor — call them directly, not via email. Explain that you have identified a suspected security incident. They will advise on whether to freeze card processing and what reporting is required. Most processors have a 24/7 fraud line.
  3. Take a backup of the infected state — before cleaning anything, take a full file and database backup. This is your forensic record. You need it to understand the scope of the breach, identify what customer data may have been accessed, and comply with any breach notification obligations. Store it isolated from your live hosting.
  4. Change every credential — WordPress admin passwords, FTP/SFTP, database password, hosting panel. An attacker with active server access can undo any cleanup in real time if you do not close their access first.
  5. Document what you observe — note when the compromise was discovered, what symptoms you see, what plugins and themes are installed, and when they were last updated. This record is needed for your payment processor, your customers, and potentially for breach notification.

What attackers target in WooCommerce stores

JavaScript payment skimmers

The most serious WooCommerce attack injects a small JavaScript snippet into your checkout page — typically into a plugin file, a theme file, or directly into your WordPress database. When a customer enters their card number on your checkout form, the skimmer captures the data and sends it silently to an attacker-controlled server before the legitimate transaction processes. Your payment gateway processes the real transaction normally. The customer has no idea their data was stolen. You have no idea it is happening.

Skimmers are designed to be invisible to surface-level malware scans. They are often obfuscated, encoded, or disguised as legitimate analytics scripts. Detecting them requires a source code inspection of the rendered checkout page and a file integrity check against your plugin and theme versions.

Customer data exfiltration

WooCommerce stores hold order history, customer addresses, email addresses, phone numbers, and sometimes partial payment information. All of this has resale value on data markets. Attackers who gain database access via SQL injection or compromised credentials will extract and export your customer table — often without triggering any visible change to the site.

Admin account takeover

With WordPress admin access, an attacker can create additional admin users, install plugins containing backdoors, modify WooCommerce settings, change the bank account for payouts (on certain payment setups), and export your full customer database. Admin account compromises via brute force or credential stuffing are among the most common WooCommerce attack vectors.

Redirect malware

Redirect malware sends mobile visitors (or all visitors) to phishing or spam sites. These redirects are often conditional: they only fire for visitors arriving from search engines, so they are invisible when you visit your own site directly. Customers clicking your Google search result get sent to a spam page. You visit the URL and see your normal store. This is a deliberate evasion technique.

The recovery process

Step 1: Full forensic scan — not a plugin scan

Basic plugin-based malware scans (Wordfence, Sucuri) compare files against known malware signatures. They find most common infections but miss custom-built or obfuscated attacks. A forensic scan inspects every file on your server — including the uploads directory, custom directories, and hidden files — decodes obfuscated PHP, compares core and plugin files against official checksums, and inspects the WordPress database for injected scripts in post content, widget settings, and the options table.

For WooCommerce stores where skimmers are suspected, you also need to inspect the rendered source code of the checkout page as delivered to a browser — not just the server-side files.
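The checksum comparison described in this step, as an added example (not part of the original guide and not WebAdish's tooling). It assumes you already hold a trusted manifest mapping relative paths to hex digests; the tree, file contents and the planted file name in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def verify_tree(root, manifest, algo="md5"):
    """Compare files under root with manifest {relative_path: hex digest}.

    WordPress.org core checksum lists use MD5; pass another hashlib name
    for manifests built with a different algorithm.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)   # never shipped in the release
        elif hashlib.new(algo, path.read_bytes()).hexdigest() != manifest[rel]:
            report["modified"].append(rel)     # shipped file, altered content
    report["missing"] = [p for p in manifest if p not in seen]
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Constructed tree: one clean file, one altered, one deleted, one planted."""
    clean = {
        "index.php": b"<?php // constructed clean file\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x';\n",
        "wp-includes/load.php": b"<?php // constructed loader\n",
    }
    manifest = {p: hashlib.new("md5", c).hexdigest() for p, c in clean.items()}
    on_disk = dict(clean)
    on_disk["wp-includes/version.php"] += b"// appended line\n"   # altered
    del on_disk["wp-includes/load.php"]                           # deleted
    on_disk["wp-includes/class-wp-cache-x.php"] = b"<?php\n"      # planted
    with tempfile.TemporaryDirectory() as root:
        for rel, content in on_disk.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return verify_tree(root, manifest)
```

Files reported as unexpected inside core or plugin directories deserve the same attention as modified ones, since a release never ships them.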

Step 2: Find and remove all backdoors

Before cleaning visible malware, locate every backdoor. A backdoor is a hidden file or code snippet that lets the attacker re-enter even after you clean everything else. Common WooCommerce backdoor locations include the uploads directory (PHP files disguised as images), encoded PHP files in plugin directories, modified WordPress core files, and malicious entries in the database options table.

If you clean the malware without removing all backdoors, the site will be re-infected within days — sometimes within hours.
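A triage pass over the uploads directory for the "PHP files disguised as images" case described above, as an added example (not part of the original guide). The extension list, the reason labels and the sample tree in demo() are assumptions made for illustration; file contents are inert placeholders.

```python
import tempfile
from pathlib import Path

PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}


def classify(name, head):
    """Return a reason if the file looks out of place in uploads, else None."""
    lower = name.lower()
    ext = Path(lower).suffix
    if lower.endswith(PHP_EXTS) or any(e + "." in lower for e in PHP_EXTS):
        return "php-extension"          # x.php, or x.php.jpg double extension
    if b"<?php" in head.lower():
        return "php-tag-in-content"     # code behind an image name or header
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "image-magic-mismatch"   # e.g. a .png that is not a PNG
    return None


def sweep_uploads(root, head_bytes=1 << 20):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            reason = classify(path.name, fh.read(head_bytes))
        if reason:
            findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def demo():
    """Constructed uploads tree with one clean image and four findings."""
    tree = {
        "2026/04/banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2026/04/logo.png": b"<?php /* placeholder */ ?>",
        "2026/04/thumb.gif": b"GIF89a" + b"\x00" * 8 + b"<?PHP /* placeholder */",
        "2026/03/receipt.png": b"not an image",
        "cache.php.jpg": b"\xff\xd8\xff\xe0",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in tree.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return sweep_uploads(root)
```

The thumb.gif case shows why a valid image header alone is not enough: the content check still runs on files whose magic bytes match.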

Step 3: Close the entry point

Find and close the vulnerability that let the attacker in. Common WooCommerce entry points include an outdated plugin with a known CVE, a nulled or pirated plugin/theme with malware pre-installed, a compromised admin credential, or a vulnerable file upload handler. If you do not close the entry point, a different attacker will use the same path within days.

Step 4: Verify clean checkout before going live

Before re-enabling your payment gateway, run a test transaction end-to-end. Inspect the checkout page source code for any unexpected external scripts. Run a final scan. Only then should live transactions resume.
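The checkout source inspection called for in Step 1 and in this step, as an added example (not part of the original guide). It assumes you save the checkout HTML as a browser receives it and maintain your own allowlist of script hosts and a baseline of inline-script hashes; the markup and all host names below are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.external.append(src)
        elif tag == "script":
            self._buf = []  # inline script: start buffering its body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_checkout(html, site_host, allowed_hosts, baseline_hashes):
    """Return (unexpected script hosts, hashes of inline scripts not in baseline)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hosts = {urlparse(src).hostname or site_host for src in parser.external}
    unexpected = sorted(hosts - set(allowed_hosts) - {site_host})
    hashes = [sha256_text(body) for body in parser.inline if body]
    return unexpected, [h for h in hashes if h not in baseline_hashes]


# Constructed checkout markup; every host below is a placeholder.
SAMPLE = """<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.gateway.example/v3/"></script>
<script src="//stats-cdn.example.net/a.js"></script>
<script>var wc_checkout_params = {"ajax_url": "/wp-admin/admin-ajax.php"};</script>
<script>document.forms[0].addEventListener("submit", function () {});</script>"""
```

Run on a schedule against a stored baseline, the same comparison gives an alert whenever the checkout page's scripts change.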

Step 5: Customer notification

If customer card data or personal data may have been exposed, your customers deserve to know. The appropriate notification depends on the nature of the data and your jurisdiction. If you process card payments under a payment processor agreement, your agreement likely requires you to notify your processor of any confirmed card data breach. Your processor will advise on next steps including whether cardholders need to be notified directly.

WooCommerce store hacked? Get it recovered today.

WebAdish recovers WooCommerce stores within 24 hours — complete malware removal, skimmer detection, backdoor elimination, and a 30-day re-infection guarantee. 800+ sites recovered.


Prevention after recovery

Recovery fixes yesterday's problem. These steps prevent the next one:

  • Web Application Firewall — deploy Cloudflare or a similar WAF in front of your store. It blocks exploit attempts before they reach WordPress.
  • Remove every unused plugin and theme — deactivated plugins still present vulnerabilities. Delete them entirely.
  • Two-factor authentication — enforce 2FA for every WordPress admin account without exception.
  • Payment page integrity monitoring — set up automated monitoring that alerts you if your checkout page's JavaScript changes unexpectedly. This is the early warning system for skimmer attacks.
  • Regular security audits — quarterly at minimum for active WooCommerce stores.
  • Security retainer — ongoing managed protection means vulnerabilities are patched before attackers can exploit them, and incidents are caught in hours rather than weeks.
