Free diagnostic
WordPress Hack Triage Scorecard
Answer these 10 quick questions to work out whether your WordPress site likely still has persistent malware, whether rollback is risky, and whether the next step should be cleanup, monitoring, or urgent incident response.
How to use it
Give yourself the points for every answer that is yes. Add the total. Then use the score bands below to judge how seriously to treat the incident.
The 10-question scorecard
This is intentionally simple. It is not a forensic guarantee. It is a fast way to stop people from making the classic mistake: assuming the site is clean because the obvious symptom changed.
When to escalate immediately
If the site is down, redirecting visitors, showing spam in Google, or you suspect admin takeover, skip the careful score interpretation and treat it as an active incident.
What your score means
Use the highest matching band. If you are torn between two bands, treat the site as belonging to the more serious one rather than the more convenient one.
0–4 points
Low visible severity
There may not be enough evidence yet to assume deep persistence, but do not rely on that alone. Review plugin history, core files, users, and search visibility before declaring the site clean.
5–10 points
Moderate concern
The site shows signs that deserve a structured review. This is where teams often patch the obvious symptom and miss the actual persistence path.
11–17 points
High risk
The compromise likely went beyond a simple vulnerable plugin or isolated file issue. Assume persistence is possible and avoid casual cleanup.
18+ points
Critical
Treat the site as an active incident. The biggest risk here is false confidence after incomplete cleanup or the wrong restore decision.
What to do next
The score only matters if it changes your next move. Use it to avoid both panic and false confidence.
- If your score is 0–4, verify recent plugin history, trusted backups, and whether Google or hosting saw anything you missed.
- If your score is 5–10, do a structured review before deleting files or restoring a backup in a rush.
- If your score is 11+, assume the compromise likely went beyond the visible symptom and plan for real cleanup work.
- If your site runs WooCommerce, memberships, or lead generation, weigh rollback against lost business data before touching production.
- If the site is down, redirecting, or actively serving spam, skip the checklist debate and treat it as urgent incident response.
What to send me if you want a second opinion
If you use the form after running the scorecard, send the details that actually affect the cleanup decision.
- Site URL
- Your score band
- Main visible symptoms
- Recent plugin or theme history
- Whether you have a trusted backup
- Whether rollback would lose orders, leads, or users
- Anything already tried
- Whether the issue is live and urgent
Related reading
Updating a hacked plugin does not mean your site is clean
The most common false assumption behind incomplete cleanup work.
Restore a backup or clean the hacked site?
Use this when the real decision is business risk, not just technical neatness.
How to know if wp-config.php is infected
A useful signal when the compromise likely went beyond the original plugin.
WordPress incident response process
How I handle triage, cleanup, validation, and handover on real incidents.
Want me to sanity-check the situation?
Send the site URL, score band, and main symptoms. I will tell you whether this looks more like cleanup, rollback, or urgent incident response.
You will be speaking to the person doing the investigation and cleanup work, not a generic support queue.
Ferre Mekelenkamp
Senior developer handling WordPress malware cleanup and incident response.