Discovering your WordPress site has been hacked is a serious moment — and the next 60 minutes matter more than most people realise. Acting in the wrong order destroys evidence, prolongs the damage, and in some cases creates additional legal exposure under India's DPDP Act and CERT-In reporting rules.
This guide covers the right sequence for Indian businesses: contain first, assess second, clean third.
Step 1: Confirm the hack before doing anything else
Before taking drastic action, confirm you are dealing with a genuine compromise and not a plugin conflict, a hosting error, or a browser cache issue.
Reliable signs your WordPress site has been hacked:
- Visitors are redirected to spam, pharma, or adult content — especially users arriving from Google.
- Google Search Console reports a security issue, or users see a "This site may be hacked" label in search results or a "Deceptive site ahead" warning in the browser.
- Your hosting provider suspended the account citing malware or abuse complaints.
- Unfamiliar admin users have appeared in WordPress that you did not create.
- Your site loads slowly or shows unusual content injected into pages.
If two or more of these apply, treat it as confirmed and move to containment immediately.
Step 2: Contain immediately — do not start cleaning yet
The instinct is to start deleting suspicious files. Resist it. Cleaning before containing means attackers may still have live access, and cleaning before investigating destroys the forensic trail you will need to understand how they got in.
Contain first:
- Take the site offline or enable maintenance mode — this protects visitors from malware exposure and stops the hack from damaging your Google rankings further.
- Change all credentials immediately — WordPress admin passwords, hosting control panel, FTP/SFTP, database password, and any connected email accounts. Use unique, strong passwords for each.
- Revoke unknown admin users — log into WordPress and remove any user accounts you did not create.
- Preserve a copy of the current state — before cleaning anything, take a backup of the compromised site. This is your forensic record.
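The two containment actions that are easiest to get wrong, taking the site offline and preserving the current state, as an added shell example (not WebAdish's tooling). It assumes a POSIX shell with tar, sha256sum, find and sort; the webroot and evidence paths are placeholders.

```shell
#!/bin/sh
# Containment helpers for a WordPress webroot (added example, not WebAdish's tooling).
# Assumes: POSIX sh with tar, sha256sum, find and sort available; run as a user
# that can read the whole webroot. Paths below are placeholders.
#   preserve_snapshot /var/www/html /root/evidence
#   enable_maintenance /var/www/html
set -eu

# Archive the webroot before anything is touched. The tarball keeps permissions,
# ownership and mtimes; the .sha256 file lets you show later that the evidence
# was not altered, and the per-file manifest supports diffing against a clean copy.
preserve_snapshot() {
    webroot="$1"; outdir="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$outdir"
    archive="$outdir/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$webroot" .          # -C: relative paths inside the archive
    sha256sum "$archive" > "$archive.sha256"
    (cd "$webroot" && find . -type f -exec sha256sum {} +) | sort -k2 \
        > "$outdir/manifest-$stamp.txt"
    echo "$archive"                               # caller records this path
}

# WordPress shows its maintenance page while a .maintenance file exists in the
# webroot. Core ignores the file once $upgrading is older than 10 minutes, so
# setting it to time() on every request keeps the site offline until the file
# is deleted.
enable_maintenance() {
    printf '<?php $upgrading = time(); ?>\n' > "$1/.maintenance"
}
```

Maintenance mode only stops WordPress from rendering pages; a standalone PHP file dropped by an attacker still executes, so disabling the virtual host at the web server is the stronger way to take the site offline. Changing passwords also does not end sessions that are already logged in; rotating the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY values (and their SALT counterparts) in wp-config.php invalidates every existing login cookie.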
Step 3: Understand your CERT-In reporting obligation
For Indian businesses, a hacked website is not just a technical problem — it may trigger regulatory obligations.
Under CERT-In's 2022 directions, organisations are required to report cybersecurity incidents to CERT-In within 6 hours of becoming aware of them. Reportable incidents include:
- Unauthorised access to IT systems or data
- Website defacement
- Malware infections affecting business systems
- Data breaches involving personal information
The threshold is intentionally broad. When in doubt, report. Non-reporting carries penalties and is harder to defend than a prompt disclosure. Report via the CERT-In portal or by email to incident@cert-in.org.in.
Step 4: Assess your DPDP exposure
If your WordPress site collects any personal data — contact form submissions, customer accounts, WooCommerce orders, email sign-ups — the hack may have DPDP Act implications.
Under the Digital Personal Data Protection Act 2023, data fiduciaries (organisations that process personal data) are required to notify the Data Protection Board and affected individuals when a personal data breach occurs. The notification timeline and format are still being defined in rules, but the obligation to act is live.
Practically, this means:
- Document the incident: when you discovered it, what data may have been accessible, and what actions you took.
- Do not delete logs or database records before a forensic review — these are your evidence of scope.
- Assess whether customer email addresses, phone numbers, payment data, or health information was stored on the site.
- Seek legal guidance if customer data was likely accessed — voluntary early disclosure is almost always better than being found to have concealed a breach.
Step 5: Clean properly — or hire someone who will
The most common mistake after a hack is surface cleaning: removing visible malware files while leaving backdoors, rogue database entries, and compromised user sessions in place.
A surface-cleaned site is typically re-hacked within days or weeks because the root access method was never closed.
Proper cleanup requires:
- Full file-level scan for known malware signatures and anomalous code
- Database scan for injected content, rogue users, and malicious options
- Root cause identification — which plugin, theme, or credential was the entry point
- Backdoor removal — not just the visible payload but every persistence mechanism
- Hardening — changes to prevent the same entry point being used again
- Blacklist removal requests to Google, Bing, and hosting providers once clean
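The file-level part of that checklist as an added shell example (not WebAdish's scanner): it flags PHP under the uploads directory, PHP containing common obfuscation or variable-function constructs, and PHP modified recently. It assumes a POSIX shell with find, grep -E and sort; the webroot path is a placeholder, and every hit is a lead for review against a clean copy, not a verdict.

```shell
#!/bin/sh
# Triage scan for the file-level indicators listed above (added example, not
# WebAdish's scanner). Assumes POSIX sh with find, grep -E and sort; the
# webroot path is a placeholder. Usage: scan_webroot /var/www/html [days]
set -eu

# Obfuscation and variable-function constructs typical of injected PHP.
# A hit is a lead for manual review, not proof: a few legitimate plugins
# ship base64-encoded assets, so compare against a clean copy before deleting.
SUSPECT_RE='eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)|create_function *\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\('

# Executable PHP under wp-content/uploads is never legitimate; uploads hold media only.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null || true
}

# PHP files anywhere in the tree whose contents match SUSPECT_RE.
suspicious_code() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null || true
}

# Union of both lead lists, one path per line.
flagged_files() {
    { php_in_uploads "$1"; suspicious_code "$1"; } | sort -u
}

# PHP changed in the last N days: a quick lead when no update was deployed then.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

scan_webroot() {
    webroot="$1"; days="${2:-7}"
    echo "--- Flagged files (review each before removing):"
    flagged_files "$webroot"
    echo "--- PHP files modified in the last $days days:"
    recently_modified_php "$webroot" "$days"
}
```

Where WP-CLI is installed, wp core verify-checksums and wp plugin verify-checksums --all compare the installed files against the official wordpress.org releases and are the faster way to find modified core and plugin files; the scan above is for what those checks cannot see, such as files added outside core and plugins.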
If your site processes customer orders, membership accounts, or business-critical data, professional recovery is almost always the right call. The risk of an incomplete DIY cleanup — especially with CERT-In and DPDP obligations in play — is higher than the cost of getting it done properly.
Need urgent help?
WebAdish provides emergency hacked site recovery for Indian businesses. We remove malware, close backdoors, and handle blacklist removal — with a 30-day re-infection guarantee. Contact our recovery team now or WhatsApp +91 9998757045.