
Incident response

WordPress and WooCommerce cleanup for hacked sites

Revitt is a Sheffield, UK dev shop run by Max Revitt; we build and run production software systems.

Max Revitt

Sheffield-based developer. Public evidence first, private access only with permission.

Signal: indexed spam page
Risk: checkout or SEO compromise
Next: verify, contain, clean

Public signals

What we can review without private access

Start here. These are the observable traces that do not require us to log into your hosting, database, or admin area.

Search results or indexed pages showing spam, gambling, or pharmaceutical content that you did not publish.
Unexpected redirects when following links from search or direct URLs.
Google Search Console messages about spam, malware, or hacked content.
Unfamiliar admin users, plugins, or files reported by your team or hosting logs you control.
Checkout or order anomalies reported by customers (failed payments, unexpected pages, modified totals).
Modified timestamps or content in publicly crawlable plugin, theme, or core files.

Share Search Console reports, search result screenshots, customer reports, or server logs you already have. We use this to assess scope before any deeper discussion.

Approach

Remediation process

We follow a deliberate sequence. Each phase is scoped to what you authorise. We document what was found and what was changed.

01 Verify

Confirm the indicators using public sources and any materials you choose to provide. We map what is visible without credentials.

02 Contain

Advise immediate practical steps you can take yourself: password rotation for known accounts, review of public user lists, temporary restrictions on new registrations or orders if warranted.

03 Clean

Remove unauthorised changes to files, database entries, and users. We work from a defined scope and only on systems you authorise.

04 Patch

Update WordPress core, themes, and plugins to current versions. Address known vulnerable extensions that were in use.

05 Harden

Apply configuration changes for file permissions, login hardening, plugin allow-lists, and security headers appropriate to a WooCommerce store.

06 Monitor

Set up or advise on file integrity checks, login monitoring, and Search Console alerts so issues surface early.

Store specifics

WooCommerce considerations

A compromised WooCommerce site affects real transactions and customer data. We pay particular attention to these areas during assessment and remediation.

Orders and payments. Review recent orders for anomalies, payment gateway logs, and any modified checkout flows that could have captured card details or altered totals.
Checkout integrity. Confirm that the checkout process, thank-you pages, and order emails have not been altered to inject scripts or redirect customers.
Customer accounts and data. Check for bulk user creation, changed email addresses on accounts, or exported customer lists that may have occurred without your knowledge.
Transactional email and plugins. Inspect email templates, SMTP or email service plugins, and any extensions that touch orders, subscriptions, or shipping. These are common persistence points.
Themes and extensions. Woo-specific plugins (payment gateways, membership, subscriptions, shipping) and custom themes often contain the initial compromise vector or later backdoors.

How we work

Public review first, explicit permission always

We can begin with a review of public signals and materials you send us. No hosting login, database access, or admin panel credentials are required for the initial conversation.

We do not access private systems without permission. If a cleanup engagement proceeds, we define scope in writing, use least-privilege access for the minimum time needed, and return or destroy credentials on completion.

You stay in control of every step. We document findings and actions so you have a clear record for your own team, hosting provider, or payment processor.

Need a safe second look?

Book a call to walk through the indicators you have seen, or send a brief with the public signals and timeline.