Hacked VPS or WordPress Incident Containment Checklist

admin, June 16, 2026

When a VPS or WordPress site appears hacked, the first goal is containment. Do not rush into deleting files. Preserve evidence, stop active damage, protect data, rotate access and rebuild trust step by step.

Core principle

Incident response has phases: contain, preserve, investigate, clean, recover and monitor. Skipping containment can let the attacker keep access while you clean symptoms.

Checklist

  1. Record the incident time and symptoms.
  2. Take a snapshot or backup of the current state if safe.
  3. Restrict admin access while investigating.
  4. Change critical passwords from a clean device.
  5. Review unknown users and SSH keys.
  6. Review recent file changes.
  7. Check logs for suspicious access.
  8. Disable suspicious plugins, services or workflows carefully.
  9. Restore from a clean backup or clean the system methodically.
  10. Monitor for reinfection after recovery.
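
The following shell script is an added example and not part of the original checklist: it implements steps 1, 5, 6 and 7 (incident time, SSH key review, recent file changes, log review) as small functions and runs them against constructed sample data in a temporary directory, so the logic can be tried offline. The auth.log lines, key comments, key inventory and document-root paths are all hypothetical; on a real host you would point the functions at /var/log/auth.log, the relevant authorized_keys files and the site's document root instead.

```shell
#!/bin/sh
# Added example, not part of the original checklist: offline triage helpers for
# steps 1, 5, 6 and 7. Everything below runs against constructed sample data in
# a temp directory; the log lines, key comments and paths are hypothetical.

WORKDIR="${TMPDIR:-/tmp}/triage-demo.$$"
mkdir -p "$WORKDIR/www/wp-content/uploads"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed auth.log excerpt in OpenSSH's syslog format.
cat > "$WORKDIR/auth.log" <<'EOF'
Jun 16 01:02:11 vps sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jun 16 01:02:14 vps sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jun 16 01:02:19 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Jun 16 01:05:40 vps sshd[2133]: Accepted publickey for deploy from 198.51.100.7 port 40311 ssh2
Jun 16 02:17:03 vps sshd[2190]: Accepted password for root from 203.0.113.9 port 51411 ssh2
Jun 16 02:17:05 vps sshd[2190]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF

# Constructed authorized_keys; the key material is a placeholder, not a real key.
cat > "$WORKDIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERONE deploy@ci
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERTWO alice@laptop
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERTHREE unknown-key
EOF

# Inventory of key comments the team actually issued (kept off the server).
printf 'deploy@ci\nalice@laptop\n' > "$WORKDIR/known_keys.txt"

# Constructed document root: one file last touched in 2020, one touched now.
touch "$WORKDIR/www/index.php"
touch -t 202001010000 "$WORKDIR/www/index.php"
touch "$WORKDIR/www/wp-content/uploads/new-file.php"

# Step 1: record the incident time in UTC so timelines from several hosts align.
record_incident_time() {
    date -u '+%Y-%m-%dT%H:%M:%SZ'
}

# Step 7a: failed password attempts per source address, most frequent first.
failed_logins_by_ip() {
    grep 'Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn
}

# Step 7b: successful logins as "user address method".
accepted_logins() {
    awk '/sshd.*: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = $(i + 1)
            if ($i == "from") addr = $(i + 1)
        }
        print user, addr, $7
    }' "$1"
}

# Step 7c: password logins from an address that also produced failed attempts
# (repeated failures followed by a success is the pattern to look for).
failed_then_accepted() {
    failed=$(failed_logins_by_ip "$1" | awk '{ print $2 }')
    accepted_logins "$1" | while read -r user addr method; do
        [ "$method" = "password" ] || continue
        for f in $failed; do
            [ "$f" = "$addr" ] && printf '%s %s\n' "$user" "$addr"
        done
    done
}

# Step 5: keys in authorized_keys whose comment is not in the inventory.
# Usage: unknown_ssh_keys AUTHORIZED_KEYS KNOWN_KEYS
unknown_ssh_keys() {
    awk 'NR == FNR { known[$1] = 1; next }
         /^#/ || NF == 0 { next }
         !($3 in known) { print ($3 == "" ? "(no comment)" : $3), $1 }' "$2" "$1"
}

# Step 6: files under a directory modified within the last N days.
recent_changes() {
    find "$1" -type f -mtime -"$2" | sort
}

echo "Incident recorded at: $(record_incident_time)"
echo "--- failed logins by address ---";  failed_logins_by_ip "$WORKDIR/auth.log"
echo "--- failed then accepted ---";      failed_then_accepted "$WORKDIR/auth.log"
echo "--- keys not in inventory ---";     unknown_ssh_keys "$WORKDIR/authorized_keys" "$WORKDIR/known_keys.txt"
echo "--- files changed in 7 days ---";   recent_changes "$WORKDIR/www" 7
```

The key inventory is compared by comment only, which is enough to spot a key nobody issued but not a swapped key with a familiar comment; a real inventory should match on the key material or fingerprint. Run the functions against copies of the logs taken in step 2 rather than the live files, so the evidence is not altered while you work.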

Reusable lesson

Containment logic applies to hacked WordPress, compromised VPS, leaked API keys, abused webhooks and infected automation systems.

Checklist Type: Security
Level: Advanced
Risk Level: Critical Risk
Estimated Time: 60–180 minutes

When to Use This Checklist

Use this checklist when a VPS or WordPress website shows signs of compromise, unknown admin access, malware, redirects or suspicious services.

Required Tools

Admin access, SSH access, backup or snapshot, clean device, logs, security plugin, DNS and hosting access

Before You Start

Do not clean only visible symptoms. First contain access and preserve enough evidence to understand how the compromise happened.

Verification Steps

  1. Unknown access is removed.
  2. Critical credentials are rotated.
  3. Suspicious files are documented.
  4. Site works after recovery.
  5. No reinfection appears during monitoring.

Rollback Plan

If cleanup breaks production, restore the latest safe backup or isolate the site on staging while keeping the compromised state for investigation.

Common Mistakes

  • Deleting files before backup.
  • Changing only the WordPress password but not the VPS or database credentials.
  • Ignoring SSH keys.
  • No post-cleanup monitoring.
  • Restoring from a backup that is already infected.

Related Commands

date                                          # step 1: note the time you began; compare clocks across hosts
who                                           # step 5: sessions currently logged in
last -a | head                                # steps 5 and 7: most recent logins with their source hosts
sudo tail -n 100 /var/log/auth.log            # step 7: recent authentication events (Debian/Ubuntu path)
find /var/www/example.com -type f -mtime -7   # step 6: files changed in the last 7 days
wp user list                                  # step 5: WordPress accounts; look for unknown administrators
sudo ss -tulpn                                # step 8: listening ports and the processes behind them
