WordPress Security

Most business owners don’t think about website security until something weird happens. A redirect. A spam page showing up in Google. Orders that clearly aren’t real.

Or the login just stops working. And now…it’s a situation.

We’ve been pulled into a lot of these “weird” situations. Sometimes it’s obvious: malware everywhere, files changed, admin users added that nobody recognizes. Other times it’s quieter: a single injected script, or something that has been sitting there for weeks.

The difference between those two usually comes down to how long it went unnoticed.

What “Fixing a Hacked WordPress Site” Actually Looks Like

There’s this idea that you run a scan, click “clean,” and you’re done, but that…is a fiction.

Sometimes the infection is in the database. Sometimes it’s in a theme file that hasn’t been touched in years. Sometimes it’s a plugin that looked harmless but had a known issue sitting there. Sometimes it lives in the server’s memory and can’t be deleted the way a file can.

We’ll usually start by isolating the site. That doesn’t always mean taking it offline (it depends on the situation), but at least stopping the spread. Then we dig through the files, compare them against known clean versions, and use a wide array of scanners and other malware identification tools to find what does not belong.

Often there is more than one entry point. Hackers like to give themselves a “back door” as soon as they get access.

We’ve seen sites cleaned three times before they came to us that are still infected in some subtle way. Sometimes it is a leftover cron job or a backdoor tucked into an uploads folder, and sometimes it is more insidious.

And Then There’s the Part People Miss

Cleaning it is one thing. Figuring out how it got in (the “vulnerability”) – that’s the part that actually matters.

Otherwise the malware infection just comes back (usually after a pause long enough to make you think that you were rid of it).

Outdated plugins, a single weak admin password, loose file permissions, a lax hosting config, something. There’s always a reason. We trace that down and then test the heck out of it.

Security Isn’t a Plugin

Plugins are useful. We use them. But they’re tools, not a plan, and they can’t anticipate some things.

A plugin can flag known malware signatures. It can block some login attempts. But it’s not going to notice that a custom theme file was modified in a subtle way. Or that a user account shouldn’t exist.

That’s where a human has to look at it.

And yeah, that sounds obvious. But a lot of sites we see are basically running on autopilot. Updates turned off because something broke once. Backups that haven’t been tested. Security plugin installed and then… trusted.

How Sites Actually Get Compromised

It’s usually not targeted. That’s the thing.

This is one reason that even “important” sites get taken down by ordinary neglect. A famous example was the Panama Papers breach. Not because someone cracked some impossible code wall, but because one outdated plugin (for a home page slider) was sitting there, exposed. We wrote a little more about that here: WordPress maintenance and the Panama Papers.

Bots just scan the web all day looking for known vulnerabilities. Old plugin versions, exposed endpoints, predictable login URLs. If something responds the wrong way, they try it.

This is why even small sites get hit. It’s not personal. It’s just “business” for the bad actors behind the attack.

If you’re curious how that works at a broader level, WordPress has a solid overview here. It’s worth skimming.

What Ongoing Protection Looks Like (In Reality)

After cleanup, the goal is pretty simple. Don’t end up back here.

That usually means:

  • Keeping plugins and themes updated, carefully, not blindly
  • Monitoring for file changes that shouldn’t happen
  • Locking down access points, login attempts, admin roles
  • Having backups that actually restore (this one gets overlooked a lot)
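An added example (not part of the original page or Watermelon’s own tooling) of the known-clean comparison from the cleanup section and the file-change monitoring in the list above: it hashes a WordPress tree, diffs it against a baseline manifest, and flags script files under uploads. The function names, the extension list and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
# Extensions that should never appear as files under wp-content/uploads.
SCRIPT_EXTS = {".php", ".phtml", ".phar"}

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit(site_root, clean_manifest):
    """Compare a live tree against a manifest taken from a known-clean copy."""
    live = build_manifest(site_root)
    report = {"modified": [], "unexpected": [], "script_in_uploads": [],
              "missing": sorted(set(clean_manifest) - set(live))}
    for rel, digest in live.items():
        in_uploads = rel.startswith("wp-content/uploads/")
        if in_uploads and Path(rel).suffix.lower() in SCRIPT_EXTS:
            report["script_in_uploads"].append(rel)
        elif rel not in clean_manifest:
            # Uploads legitimately gain new media; anywhere else a new file is suspect.
            if not in_uploads:
                report["unexpected"].append(rel)
        elif clean_manifest[rel] != digest:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample tree: baseline it, alter it, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        for rel, body in {
            "wp-content/themes/custom/functions.php": "<?php // theme",
            "wp-content/uploads/2024/01/logo.png": "PNGDATA",
        }.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        baseline = build_manifest(site)
        # Constructed changes: an edited theme file and a script placed in uploads.
        (site / "wp-content/themes/custom/functions.php").write_text("<?php // edited")
        (site / "wp-content/uploads/2024/01/cache.php").write_text("<?php // placeholder")
        return audit(site, baseline)

if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the copy it was built from, so take the baseline from a known-clean install and keep it off the server. A file diff like this does not cover the database or cron entries.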

We handle all of that and more through our WordPress maintenance services. The bigger point is just that it needs to be handled somewhere. By someone…because the alternative is waiting until something breaks again.

If Something Feels Off, It Probably Is

That’s usually how these start. A small thing. A report from a customer. A weird page indexed in search results. The site is suddenly a lot slower than it was yesterday and nobody seems to be able to figure out why. A few customers have reported that their credit cards were used for fraudulent purchases after visiting your site.

You don’t need to diagnose it before reaching out. In fact, it’s usually better not to guess. We can take a look, figure out what’s actually going on, and go from there.

Sometimes it’s nothing. Sometimes it’s already in progress.

Let’s Take a Look

If your site is acting strange, or you just want a second set of eyes on it, get in touch. We’ll walk through what we’re seeing and what it would take to get it stable again.

What Our Clients Say

4.7
Based on 19 reviews
OMS Anita
2 years ago
Watermelon Web Works has been incredible to work with. They are patient, understanding, and quick to answer any questions (or emergencies) you might have. After switching over to them to help re-vamp our online retail store, we hired them to build our wholesale website as well. I can't recommend them enough - Thank you team!
Garrett Lister
2 years ago
Jared and the Watermelon team were great - they quickly interpreted our website needs and designed a wonderful site. The project management site worked great to keep track of the project.
N B
3 years ago
My previous web developer, who I was very happy with, retired and I was pretty sad about it because it seems nowadays it is hard to hire a web developer close by with a good set of skills who is interested in helping small business at reasonable prices. Then I found Watermelon and I have been very happy. They are responsive, are able to solve problems, and work at reasonable prices.
Dark Star Magick
3 years ago
We hired Watermelon to help us with our website. They were very thorough and took the time to explain in layman's terms what they were doing and how we could improve SEO and site functionality. We will definitely be back for future website needs!
Astoria Column
3 years ago
Great work and amazing service! We're a non-profit, and our priorities are always focused on maintaining the Astoria Column. We had a website built by someone else a few years ago, but without regular updating and maintenance, sections of our site were no longer functional. Joanna and the rest of the team came in and had everything working within a week and it's been smooth sailing since then!
Ben Harris
7 years ago
Watermelon has been a fantastic web development partner. Through every phase of our project they have always been 100% responsive to our requests and have always provided highly knowledgeable, creative, prompt, and personable team members to work with. As a financial institution we’re always concerned about the security and maintenance of our website and Watermelon has always provided the appropriate resources in order to meet and/or exceed our compliance and security requirements. We would surely refer them to any business associates looking for a qualified WordPress web designer in the future. – Denali Federal Credit Union
Watermelon Web Works did a great job creating a custom shopping cart page for our firm. Gavynn in particular was especially helpful and responsive. We appreciated the upfront costs and the technical competency of Watermelon Web Works and would not hesitate to work with the people there again.
Kim Markle
7 years ago
Our company has been working with the Watermelon team for more than 10 years to help build and grow our website and customer portal. They are not only extremely talented and responsive, but are continuously looking for ways for us to enhance our current website. They are consistent, provide excellent customer service and really know what they are doing. Highly recommend!
Rick Brodner
9 years ago
I cannot say enough good things about Watermelon. They are terrific communicators, highly competent coders, and really, really nice people. They were instrumental in helping us to assemble a very usable, easily maintainable website for our organization. They have demonstrated great flexibility in accommodating our evolving needs. They have been highly responsive to any technical issues, typically resolving them in less than 4 hours. Watermelon Web Works will make your organization better, and your CFO/Treasurer will be happy when they see the bill - what more can you ask for?