If your WordPress site has been hacked, there’s a moment that comes after the panic, after the password resets, after Googling “WordPress malware removal” for the fifth time.
It’s this thought:
“Should I just burn it down and rebuild the whole thing?”
Short answer: sometimes, yes.
Long answer: it depends. And no, your hosting company’s checklist doesn’t count as an answer.
This article is for small business owners who don’t want to become accidental cyber security hobbyists. You want your site fixed, your business running, and your stress levels back below “eye twitch”.
For businesses in Bromley and across South East London, a hacked site isn’t just a technical glitch—it’s a threat to your local reputation.
Let’s talk it through properly.
Is your WordPress site compromised? The ‘Clean vs Rebuild’ dilemma
Most guides on fixing a hacked WordPress site focus on how to clean it. Scan this, delete that, replace some files, cross fingers.
What they rarely explain is whether that’s actually the best option for a business website.
Cleaning a hacked site can work.
Rebuilding a hacked site can also be the smarter move.
The problem is no one tells you when each option makes sense, because nuance doesn’t fit neatly into a support article.
So let’s add some.
5 Signs you should rebuild your hacked WordPress site
Rebuilding sounds extreme until you realise how many unknowns come with a compromised site.
Rebuilding is often the safer option if:
You don’t know how the site was hacked
If the entry point is a mystery, you’re guessing. Guessing with malware is not a strategy, it’s optimism.
Hidden backdoors are very good at staying hidden. You clean what you can see, they quietly wait.
The site has been reinfected before
If you’ve “fixed” it once already and it came back, that’s your answer. Something fundamental was missed.
The site is old and fragile
Outdated themes, abandoned plugins, years of bolt-ons layered on top of each other. Even if you clean it, you’re putting fresh paint on damp walls.
You don’t have a known clean backup
And no, a backup from “around the time it happened” does not count. Restoring malware is not recovery.
The site is business critical
If your site handles enquiries, payments, bookings, or customer data, peace of mind matters more than squeezing every last penny out of the current setup.
When does cleaning a hacked website make sense?
This isn’t a rebuild sales pitch. Cleaning can be the right move if:
- The hack is recent and obvious
- You have a confirmed clean backup from before the breach
- The site is simple and well maintained
- There’s no evidence of database tampering or multiple backdoors
In these cases, a proper clean followed by hardening can be perfectly reasonable.
The key word there is proper. Not “run a plugin and hope”.
The hidden business risks of a ‘quick fix’ cleanup
This is the bit no one tells you.
Ongoing anxiety
Every update, every slow load, every odd email notification makes you wonder if it’s back. That mental load is real.
SEO damage that lingers
Spam pages, poisoned sitemaps, search warnings. Even after cleanup, recovery can take months if things weren’t handled correctly.
Time you didn’t budget for
Monitoring, rescanning, rechecking. Time you could be spending running your business instead of babysitting a website.
Risk of silent reinfection
The worst hacks don’t announce themselves. They wait. That’s how businesses get compromised twice.
Rebuild vs Clean: the boring but useful comparison
Cleaning
- Faster upfront
- Cheaper initially
- Higher long term risk
- Relies on finding every issue
Rebuilding
- More work upfront
- Slightly higher initial investment
- Clean slate
- Known secure baseline
- Better long term stability
For brochure sites and side projects, cleaning often wins.
For real businesses, rebuilds usually pay for themselves in reduced risk and stress.
GDPR and reputation: A reality check for UK small businesses
If your WordPress site collects personal data and it’s been compromised, there are GDPR implications whether anyone mentions them or not.
There’s also reputation risk. Clients don’t care that “WordPress got hacked”. They care that your site did.
Rebuilding isn’t about aesthetics. It’s about control, compliance, and confidence.
So… should you rebuild your hacked WordPress site?
If this is your main business website and you don’t know exactly how the hack happened, rebuilding is often the sensible choice.
Not because cleaning never works.
But because guessing is expensive.
Sometimes the fastest way forward is to stop trying to save something that’s already broken.
If you’re still unsure
That’s normal. This isn’t a decision you make lightly.
If you want, I can look at your site and tell you honestly whether a rebuild is necessary or whether a clean is enough. No drama, no upsell theatre.
Because the goal isn’t to rebuild websites.
It’s to stop you having this conversation again in six months.
Get in touch if you want me to take a look at your website.
Leave a Reply to A WordPress Commenter Cancel reply