Potentially hacked WordPress site. What do I do?

I’ve been working with a client on building a new website with Squarespace. They don’t have the time or money to hire a full-time web manager so we both decided that something like Squarespace is easier for them and their small business.

However, in the meantime they still have their original WordPress site up. Just recently the client has contacted me to tell me that when they try to access it on mobile it won’t go through, and just says something to the effect of “Too many redirects.” When I tried to visit their WP site on a desktop computer I got Google’s “This website is unsecure” warning. The client has told me that they haven’t had anyone managing it for more than a year now.

I’m assuming that their website has been hacked, especially if it hasn’t been updated or maintained by anyone. I myself am not educated on WordPress. I’ve edited a different, existing WordPress site before, learned how to save previous versions of a site, but that’s about it.

I would think that the first thing to try to do is request the client’s Admin name and password, log into the Administrator version of the website and see if I can just restore the site to a previously saved version, if possible. If not, at least delete whatever compromised plug-ins/pages there are and leave only a homepage that says “Under Maintenance.” However, here’s my dilemma:

If I log into this likely hacked/infected WordPress site as an administrator, would that put the computer I’m using at risk?

I would like to fix this for my client, however, maintaining or fixing his WordPress site was never part of our work agreement, and more importantly, I don’t want to get in over my head in a way that compromises my work ability, and/or could somehow mess up whatever he has with WordPress. I’m not well-versed in how a hacked WP site could affect things like hosting, etc. Is it safe and doable that I can remedy this client’s WP site problem?

Any advice or recommendations on how to approach this is greatly appreciated. Thanks.

I would start with a phone call to the host. They won’t want a hacked website on their server any more than your client wants a hacked website. With any luck, they could aid you in restoring a backed up version – this is a good reminder to always use a high quality host.

2 Likes

Ah, okay. Thank you!

After checking Builtwith.com it shows that they have both Cloudflare and Dreamhost as their web hosting providers. I believe that the client has only mentioned having one host provider, and they are not very tech savvy, but I’m hoping that they have access to their account with them.

In the meantime I’m going to contact both host providers right now and see what they can tell me, and then report back to my client on what they advised.

Thanks again.

Maybe, but not necessarily.

Hackers usually concentrate on larger websites where there’s a payoff for the hack. I don’t know the nature of the website in question, but from what you’ve said, I’m assuming it’s a small brochure website where a hacker doesn’t have much to gain.

This typically happens when there’s a redirect loop of some kind. For example, an HTTP directive might exist that redirects a page to another page that has its own redirect that ends up looping back to the original directive, which starts the process over again in an infinite loop. It’s usually not that straightforward, however. There are lots of situations that can cause a loop or a bunch of sequential redirects. Unfortunately, these things can be difficult to track down.

Perform a Google search on Too many redirect errors to read more about them. For example, this website.

This is likely because the connection between the server and the browser isn’t secure. This happens when there’s no SSL certificate encrypting the data sent back and forth between the browser and the server. This might be because it was never set up to begin with or that the certificate has expired.

Again, it’s too complicated to explain in detail here, but a Google search will yield endless pages about this problem and how to correct it.

3 Likes
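The redirect behaviour discussed above can be traced one hop at a time instead of letting the browser give up. This is an added example, not part of the original thread: `example.test` is a placeholder host, the `SAMPLE` map is constructed, and `off_site_hops` is a hypothetical helper that separates a self-contained loop from a chain that leaves the site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 20  # assumed cut-off; browsers stop after a similar number of redirects

def fetch_location(url):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "redirect-trace/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Follow redirects hop by hop. Returns (verdict, chain of URLs visited)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return "ok", chain
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:  # same URL twice means the chain can never finish
            return "loop", chain
        seen.add(url)
    return "too-many-hops", chain

def off_site_hops(chain):
    """URLs in the chain whose host differs from the starting host."""
    start = urlsplit(chain[0]).hostname
    return [u for u in chain if urlsplit(u).hostname != start]

# Constructed sample: an http -> https -> http loop on a placeholder host.
SAMPLE = {
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (301, "http://example.test/"),
}

if __name__ == "__main__":
    fake = lambda u: SAMPLE.get(u, (200, None))
    verdict, chain = trace("http://example.test/", fetch=fake)
    print(verdict, " -> ".join(chain), "off-site:", off_site_hops(chain))
```

Calling `trace()` with only a URL uses the real network fetcher; a chain that stays on one host and repeats points to configuration, while entries from `off_site_hops` are the ones to examine more closely.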

Thank you! I will look into that as well.

I assumed it was a hack because not too long ago an acquaintance of mine had a WP site, and although it didn’t behave the same way—in fact it seemed normal and functional for the most part—once you clicked on one particular page link, it started redirecting to some weird news site that was clearly not the news site it claimed to be. Since then I just assumed anything connected to crazy redirects is some sort of hack. Your explanation of what’s possibly happening makes more sense and puts me a little more at ease.

I’m with Just-B, I don’t think the issues you’re experiencing are consistent with it being hacked.

It is technically possible, but I doubt it very, very much.
If your browser is up to date and you don’t download and run suspicious files, you’ll probably be alright.

1 Like

Good to know. Thank you.

If it were me, I’d ensure the latest WordPress version was installed. WordPress makes their updates very easy. Next, I would check any plugins that might be installed. If any are installed, I’d deactivate them one at a time to see if the problem goes away. I would also make sure any plugin was the latest version.

The older a 3rd-party plugin is, the higher the chances are that it contains various PHP security vulnerabilities that enable cross-scripting and code injection by hackers. Most plugin updates are fixes for these kinds of vulnerabilities once they’re discovered.

All that said, I still have my doubts about the problem you’re seeing being the result of hacking. Even so, the updates might address the too many redirects problem. I’d definitely check the site’s security certificate before I did anything, though.

1 Like
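One way to check the site’s certificate before touching anything else, as an added example that is not part of the original thread: `check_site` performs a normally verified TLS handshake and reports why it failed or how long the certificate has left. The 14-day warning threshold and the `SAMPLE_CERT` dictionary are constructed assumptions.

```python
import socket
import ssl
import time

def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date (negative once expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def check_site(host, port=443, warn_days=14):
    """Handshake with full verification; return (status, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Covers expired certificates, hostname mismatches and untrusted issuers.
        return "invalid", exc.verify_message
    except OSError as exc:
        # Nothing listening on 443, DNS failure, timeout or other TLS error.
        return "unreachable", str(exc)
    remaining = days_left(cert)
    status = "expiring" if remaining < warn_days else "valid"
    return status, f"{remaining} days left"

# Constructed sample in the shape getpeercert() returns (only the field used here).
SAMPLE_CERT = {"notAfter": "Jan  1 00:00:00 2024 GMT"}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    ten_days_before = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"]) - 10 * 86400
    print(days_left(SAMPLE_CERT, now=ten_days_before))
    # Live check: print(check_site("example.test"))  # placeholder host name
```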

Thanks for the walkthrough. I’m a little unclear on having the latest WordPress version installed. Is that in regards to downloading WP software from WordPress.org and making sure I have the latest version, or do you mean when logging into the WordPress site as an administrator and making sure that the latest version of WP is installed and running? Because I haven’t downloaded the software. I’ve only had some experience logging in to a client’s WP site as an Administrator and making changes from there.

Since you’d log into the administrator to see what the latest version is before downloading a more recent one, I’m not quite sure what you’re asking.

The easiest way to upgrade WordPress is to log into the administrator and click the update button. WordPress automatically downloads the version and installs it. Typically, it’s as easy as that unless the site is way out of date or there are plugins that are incompatible with the latest WordPress version.

It’s also possible to download the update and install it via FTP.

Here’s a link with more explanation.

Before an update installation, back up the site’s static files and the database so you can reinstall both — just in case. How to do that is a bit more complicated and depends on the hosting company.

Some hosting companies include cPanel as part of the hosting package. If that’s the case, it’s a matter of logging into the hosting account and using cPanel to perform the backup. If the site doesn’t have cPanel (or something like it), it’s more of a manual process using phpMyAdmin to back up the database while backing up the static files via FTP.

Here’s a link for those sorts of procedures.

1 Like

Thank you! I’m going to check out the two links.

I wasn’t sure if you previously meant I needed to update the WordPress software on my computer, but I’ve never downloaded WP software to my computer before. I’ve only logged into a client’s website as Administrator and done what I need to do. And come to think of it, I think I have done the first part you described once before. But with that client’s site I had already saved previous versions of the site with a WP app which I think may have been Updraft. I doubt this new client has that so thank you for the directions about the static files, database, cPanel, and phpMyAdmin.

Oh, I see. I was referring to the website installation of WordPress.

1 Like

It sounds like you’re planning to login just to scrape the content for the new website you’re building? If so, I wouldn’t worry about upgrades etc unless they’re planning to sustain a second website.

1 Like

In regards to scraping the content from the old site for the new one, pretty much.

The client is okay with just a “maintenance” sign on the old site in the meantime, but I’d prefer that their old site be up while I work on the new one. That way they don’t lose any potential business or brand awareness during this transition period.

1 Like

I think this is what I would do. If there isn’t budget, then this band-aids it for the moment.