Discovering that your WordPress site has been hacked is a stressful experience, especially when your business depends on it. For Belgian companies, a compromised website is not just a technical problem — it can trigger GDPR notification obligations, damage customer trust, and cost revenue for every hour your site remains down. This step-by-step recovery guide walks you through identifying the breach, cleaning your site, and hardening it against future attacks.
Signs Your WordPress Site Has Been Hacked
Many hacks go unnoticed for days or weeks. Knowing the warning signs lets you act quickly and limit the damage:
- Unexpected redirects — visitors are sent to spam, phishing, or pharmaceutical sites without your knowledge. This is one of the most common hack symptoms.
- Strange admin accounts — new user accounts with administrator privileges that you did not create. Check your Users panel immediately.
- Modified files — core WordPress files, theme files, or plugin files have been altered. You may notice unfamiliar PHP files in your uploads directory.
- Google warnings — Google Search Console flags your site for malware or deceptive content, or your site shows "This site may be hacked" in search results.
- Slow performance or high resource usage — cryptominers or spam scripts running on your server consume CPU and memory, causing noticeable slowdowns.
- Spam content injected — hidden links, pages, or posts appear on your site promoting products or services you have nothing to do with.
- Email delivery problems — your domain is blacklisted because the hacker used your server to send spam emails.
Regular vulnerability scanning can detect many of these indicators before they escalate into a full breach.
Immediate Steps After Discovering a Hack
Speed matters. The longer malware remains active, the more damage it causes. Follow these steps in order:
- Do not panic and do not delete anything yet — you need evidence to understand the attack vector and assess the scope of the breach.
- Take your site offline — enable maintenance mode or temporarily block public access. This prevents visitors from being exposed to malware and stops the attacker from causing further damage.
- Change all passwords immediately — WordPress admin passwords, FTP/SFTP credentials, database passwords, hosting control panel passwords, and any connected API keys.
- Document everything — note the date and time of discovery, what symptoms you observed, and take screenshots. This documentation is critical for GDPR breach reporting and for any forensic analysis.
- Contact your hosting provider — they may have server-level logs, can help identify the entry point, and may have clean backups available.
- Assess whether personal data was compromised — if your WordPress site stores customer data through contact forms, WooCommerce orders, or user registrations, you may have a GDPR-reportable breach on your hands.
Identifying and Removing Malware
Systematic malware removal requires checking every layer of your WordPress installation:
File-Level Cleanup
- Compare core files — download a fresh copy of your WordPress version and compare every file in wp-admin and wp-includes against the originals. Replace any modified files.
- Inspect wp-content — check your themes, plugins, and uploads directories for unfamiliar PHP files. Hackers often hide backdoors in files named to look legitimate, such as wp-cache.php or class-wp.php inside your uploads folder.
- Check wp-config.php — look for unfamiliar code injected above or below your configuration settings. Regenerate your WordPress security keys and salts.
- Scan .htaccess — malicious redirect rules are frequently inserted into .htaccess files. Compare against the default WordPress .htaccess.
- Look for obfuscated code — search for base64_decode, eval, str_rot13, gzinflate, and similar functions that are commonly used to hide malicious payloads.
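The file-level checks above can be scripted. The following is an added example, not code from the original article: it compares wp-admin and wp-includes against a fresh copy of the same WordPress version, then flags PHP files under uploads and the obfuscation functions listed above. The function names and the small constructed file trees are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Function names the guide lists as common in obfuscated payloads.
OBFUSCATION = re.compile(rb"\b(base64_decode|eval|str_rot13|gzinflate)\s*\(")

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site, clean):
    """Compare a live install with a fresh copy of the same WordPress version."""
    site, clean, findings = Path(site), Path(clean), []
    for core in ("wp-admin", "wp-includes"):  # core files must match the originals
        for f in sorted(p for p in (site / core).rglob("*") if p.is_file()):
            rel = f.relative_to(site)
            if not (clean / rel).is_file():
                findings.append(("unexpected-core-file", rel.as_posix()))
            elif digest(f) != digest(clean / rel):
                findings.append(("modified-core-file", rel.as_posix()))
    # themes, plugins and uploads: PHP where none belongs, and obfuscation calls
    for f in sorted(p for p in (site / "wp-content").rglob("*.php") if p.is_file()):
        rel = f.relative_to(site)
        if "uploads" in rel.parts:
            findings.append(("php-in-uploads", rel.as_posix()))
        hits = sorted({m.decode() for m in OBFUSCATION.findall(f.read_bytes())})
        if hits:
            findings.append(("obfuscated:" + ",".join(hits), rel.as_posix()))
    return findings

def demo():
    files = {  # constructed, harmless stand-ins: path -> (clean copy, live site)
        "wp-includes/version.php": (b"<?php // core", b"<?php // core"),
        "wp-admin/index.php": (b"<?php // dashboard", b"<?php // dashboard\ninclude 'x.php';"),
        "wp-admin/x.php": (None, b"<?php // stray file"),
        "wp-content/uploads/2024/wp-cache.php": (None, b"<?php eval (base64_decode('AA=='));"),
        "wp-content/themes/t/functions.php": (None, b"<?php // theme setup"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, versions in files.items():
            for tree, data in zip(("clean", "site"), versions):
                if data is not None:
                    target = Path(tmp, tree, rel)
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(data)
        return audit(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Treat obfuscation hits as leads for manual review: legitimate plugins also call these functions, so a match is not proof of compromise.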
Database Cleanup
- Check the wp_users table — remove any unauthorised administrator accounts.
- Inspect wp_options — look for suspicious entries in siteurl, home, and any unfamiliar option names that could be backdoor configurations.
- Search post content — scan wp_posts for injected spam links, iframes, or JavaScript. Pay special attention to posts with recent modification dates you do not recognise.
- Review scheduled tasks — check wp_cron entries for malicious scheduled events that could re-infect your site after cleanup.
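The database checks above, written as read-only queries. This is an added example, not code from the original article: it assumes the default wp_ table prefix and runs against constructed rows in an in-memory SQLite database standing in for the site's MySQL database. Roles are stored in wp_usermeta under the wp_capabilities key, which is why the administrator query joins that table.

```python
import sqlite3

# Constructed rows. SQLite stands in for the site's MySQL database; "wp_" prefix assumed.
SAMPLE = """
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
CREATE TABLE wp_posts (ID INTEGER, post_content TEXT, post_modified TEXT);
INSERT INTO wp_users VALUES (1, 'owner', '2021-03-01 09:00:00'),
  (3, 'writer', '2022-01-10 10:00:00'), (7, 'wpsupport', '2024-05-02 03:14:00');
INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
  (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_options VALUES ('siteurl', 'https://shop.example'),
  ('home', 'https://redirect.example');
INSERT INTO wp_posts VALUES (10, '<p>Mon-Fri 9-17</p>', '2023-11-01 12:00:00'),
  (11, '<p>Team</p><iframe src="https://ads.example/x"></iframe>', '2024-05-02 03:20:00');
"""

ADMINS = """SELECT u.user_login, u.user_registered FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
  WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%'
  ORDER BY u.user_registered DESC"""
URLS = """SELECT option_name, option_value FROM wp_options
  WHERE option_name IN ('siteurl', 'home') AND option_value <> ?
  ORDER BY option_name"""
POSTS = """SELECT ID, post_modified FROM wp_posts
  WHERE post_content LIKE '%<iframe%' OR post_content LIKE '%<script%'
  ORDER BY post_modified DESC"""

def review(conn, site_url, known_admins):
    """Read-only triage: rows are listed for review, nothing is deleted."""
    admins = conn.execute(ADMINS).fetchall()
    return {
        "unknown_admins": [row for row in admins if row[0] not in known_admins],
        "url_options": conn.execute(URLS, (site_url,)).fetchall(),
        "posts_with_markup": conn.execute(POSTS).fetchall(),
    }

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return review(conn, "https://shop.example", {"owner"})

if __name__ == "__main__":
    for check, rows in demo().items():
        print(check, rows)
```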
Following web application security best practices during cleanup ensures you do not accidentally introduce new vulnerabilities while fixing existing ones.
Hardening Your Site After Recovery
Cleaning up malware is only half the battle. Without hardening, your site will likely be re-compromised. Implement these measures immediately after recovery:
- Update everything — WordPress core, all themes, and all plugins to their latest versions. Remove any themes or plugins you are not actively using.
- Install a security plugin — Wordfence or Sucuri Security provides a web application firewall, malware scanning, and login protection.
- Enable two-factor authentication — add 2FA to every administrator and editor account.
- Restrict file permissions — set directories to 755, files to 644, and wp-config.php to 600.
- Disable file editing — add define('DISALLOW_FILE_EDIT', true); to wp-config.php.
- Implement regular backups — automate daily backups stored offsite so you always have a clean restoration point.
- Set up monitoring — configure file integrity monitoring and uptime alerts to catch any future compromise quickly.
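A verification pass for two items in the checklist above, the file permissions and the DISALLOW_FILE_EDIT setting. This is an added example, not code from the original article; the function names and the constructed directory tree are assumptions for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# Matches an active define; anchoring at line start skips one commented out with // or #.
DEFINE = re.compile(r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)\s*;", re.I | re.M)

def expected_mode(path):
    """Modes from the checklist: directories 755, files 644, wp-config.php 600."""
    if path.is_dir():
        return 0o755
    return 0o600 if path.name == "wp-config.php" else 0o644

def check_hardening(root):
    """Return (issue, relative path) pairs for every deviation found under root."""
    root, issues = Path(root), []
    for p in sorted(root.rglob("*")):
        if p.is_symlink():
            continue  # a symlink's target is judged where it really lives
        mode, want = stat.S_IMODE(p.stat().st_mode), expected_mode(p)
        if mode != want:
            issues.append((f"mode {mode:o}, expected {want:o}", p.relative_to(root).as_posix()))
    config = root / "wp-config.php"
    if not (config.is_file() and DEFINE.search(config.read_text(errors="replace"))):
        issues.append(("DISALLOW_FILE_EDIT not enabled", "wp-config.php"))
    return issues

def demo():
    """Check a constructed tree before and after applying the fixes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "site")
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "wp-config.php").write_text("<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
        modes = {"index.php": 0o644, "wp-config.php": 0o644,
                 "wp-content": 0o755, "wp-content/uploads": 0o777}
        for rel, mode in modes.items():
            (root / rel).chmod(mode)
        before = check_hardening(root)
        (root / "wp-config.php").write_text("<?php\ndefine('DISALLOW_FILE_EDIT', true);\n")
        (root / "wp-config.php").chmod(0o600)
        (root / "wp-content" / "uploads").chmod(0o755)
        return before, check_hardening(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```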
For a comprehensive hardening checklist, read our dedicated guide on WordPress security hardening.
Belgian GDPR Data Breach Notification Obligations
If your hacked WordPress site stored personal data — and most business websites do, through contact forms, newsletter signups, user accounts, or e-commerce orders — you have legal obligations under GDPR:
- 72-hour notification window — you must notify the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights.
- Assess the risk — determine what personal data was exposed (names, email addresses, passwords, payment information) and how many individuals are affected.
- Notify affected individuals — if the breach poses a high risk to individuals' rights and freedoms, you must also inform the affected people directly.
- Document the breach — regardless of whether you report it, GDPR requires you to maintain an internal record of all data breaches, including facts, effects, and remedial actions taken.
Understanding the intersection of cybersecurity and compliance is critical. Our guide on security audit costs in Belgium can help you budget for proactive measures that prevent breaches in the first place.
When to Call in Professional Help
While minor hacks can sometimes be resolved in-house, several situations warrant bringing in cybersecurity professionals:
- You cannot identify the entry point — if you do not know how the attacker got in, you cannot be confident the vulnerability is patched.
- The hack keeps recurring — persistent reinfection usually means a backdoor was missed during cleanup.
- Personal data was compromised — GDPR breach situations require careful handling and documentation that benefits from expert guidance.
- Your site handles financial transactions — WooCommerce or payment-processing sites demand forensic analysis to determine if payment data was exfiltrated.
- You lack technical expertise — attempting a cleanup without sufficient knowledge can destroy evidence and potentially make the situation worse.
Before engaging a security firm, learn how to prepare for a penetration test so you can schedule a thorough post-recovery assessment.
How ICTLAB Can Help
ICTLAB's cybersecurity team provides emergency WordPress hack recovery and forensic analysis for Belgian businesses. We identify the attack vector, remove all malicious code, clean your database, harden your installation, and help you meet your GDPR notification obligations. After recovery, we conduct a full security audit to ensure your site is protected against future attacks.