WordPress Emergency Help — Triage Guide for Panicking Site Owners
Your site is down. Your phone is buzzing. A customer is asking why checkout shows a white page. Breathe. This guide walks you through the five most common WordPress emergencies — site down, white screen, critical error, hacked, locked out — with a 30-second diagnostic and a 5-minute fix for each. Keep this page open in a tab; read only the section that matches your symptom.
in /wp-content/plugins/woocommerce/includes/class-wc-cart.php:812
SimpleReview 24/7WP_MEMORY_LIMIT to 512M, clear object cache, pin WC versionEmergency Cheat Sheet
- Before touching anything: take a backup of
wp-content/and the database. If your host offers one-click snapshots, use it. - Site totally down? Check in incognito first. Your browser may be caching an old error.
- White screen? It is almost always a PHP fatal error. Enable
WP_DEBUG_LOGand readwp-content/debug.log. - Can't log in? Reset password in database via phpMyAdmin, or rename the security plugin folder over FTP.
- Hacked? Rotate every password, rotate auth salts in
wp-config.php, scan with Wordfence, restore from clean backup if possible. - No FTP, no panel access, sensitive data at risk? Escalate — call hosting support or a pro developer now.
First 60 Seconds — Stay Calm, Gather Facts
Before you touch a single file, answer these four questions. They decide which section of this guide to read.
- Is it just you, or is the site down for everyone? Open isitdownrightnow.com or test from your phone on mobile data. If it is only you, clear browser cache or flush DNS.
- What exactly do you see? White page? Red "critical error"? "Error establishing database connection"? "502 Bad Gateway"? The exact wording tells you whether the problem is PHP, database, or server.
- What changed in the last 24 hours? Plugin update, theme update, WordPress core update, DNS change, host migration, new code deploy? 95% of emergencies trace back to a change in the last day.
- Do you have access? wp-admin, FTP/SFTP, hosting cPanel, database (phpMyAdmin)? Write down what you can reach. If you have none of them, skip to the escalation section below.
wp-content/ and export the database. A bad fix can turn a recoverable problem into data loss.
Scenario 1: Site Is Completely Down
"This site can't be reached" / timeout / 502 / 503
Visit your site in an incognito window. If you see a host-branded error page (SiteGround, Cloudflare, Kinsta), the issue is at the hosting or CDN layer — WordPress never got to run. If the browser times out entirely, DNS or the origin server is down.
- Log into your hosting panel. Check if the server / container is running. Most hosts have a "Restart" or "Reboot" button.
- Check your Cloudflare / CDN dashboard. If Cloudflare shows "host error," pause Cloudflare temporarily (DNS only) to see if the origin responds.
- Verify DNS:
dig yoursite.comor use dnschecker.org. If the A record points to the wrong IP, fix it. - Check disk space on the server. A full disk is a common cause of 502s: MySQL cannot write, PHP cannot write sessions.
If hosting panel is unreachable too, this is a hosting-side outage. Open a ticket with your host and ask about their status page. Nothing you can do from WordPress will help.
Scenario 2: White Screen of Death
Completely blank page, no error message
White screen = PHP fatal error with error display disabled. The error exists — it is just hidden. Enable logging and you will see it in seconds.
Edit wp-config.php via FTP or your host's file manager. Add these four lines just above /* That's all, stop editing! */:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true ); // writes to wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false ); // hide errors from visitors
@ini_set( 'display_errors', 0 );Reload the broken page. Then read wp-content/debug.log — the exact file, line number, and PHP function that crashed will be in the last few lines.
If the log says Allowed memory size exhausted, add one more line:
define( 'WP_MEMORY_LIMIT', '512M' );If the log points at a specific plugin, deactivate that plugin by renaming its folder over FTP (e.g., /wp-content/plugins/slug → /wp-content/plugins/slug.off). Site should come back.
If debug.log shows errors you do not understand (class not found, abstract method, type error in core files), you are probably looking at a PHP version mismatch — your host upgraded PHP and a plugin is not compatible. Ask your host to downgrade PHP temporarily, or read our detailed guide on the WordPress critical error screen.
Scenario 3: "Critical Error on This Website" Message
Red / plain WordPress error page with the word "critical"
WordPress caught a PHP fatal error and replaced the white screen with a friendlier message. Check your email — WordPress sends a recovery-mode link to the admin address with the full error stack trace.
- Open Gmail / inbox for your admin email. Search "Your Site is Experiencing a Technical Issue." The email contains a recovery-mode link.
- Click the recovery link. WordPress loads wp-admin in a special mode where the offending plugin is auto-paused.
- Deactivate that plugin, update it (or find a replacement), reactivate. Done.
- If the email never arrived, enable
WP_DEBUG_LOG(see Scenario 2) and readdebug.log.
- Plugin auto-update installed a version incompatible with your PHP
- Theme update removed a function a child theme relied on
- WordPress core major update (like 6.9) deprecated a function — see our WP 6.9 recovery guide
- Cache plugin serialized data that can't be unserialized after a version bump
Scenario 4: Site Is Hacked
Redirects to spam, unknown admin users, strange files, Google Safe Browsing warning
Open wp-admin → Users → All Users. Any admin you do not recognize? Check /wp-content/uploads/ for random .php files (uploads should only contain images and documents). Search site root for files like wp-conflg.php, wso.php, radio.php — classic backdoors.
- Take the site offline by putting it in maintenance mode or returning a 503 in
.htaccess— stop the attack from reaching visitors. - Change every password in this order: hosting account, SFTP, database, then WordPress admin. Do this from a different, clean computer if possible.
- Rotate auth salts in
wp-config.php. Generate fresh ones at api.wordpress.org/secret-key/1.1/salt/ and paste over the existingdefine('AUTH_KEY', ...)block. This force-logs-out every attacker session instantly. - Install Wordfence or Sucuri and run a full scan. Follow the remediation list.
- Delete unknown admin users from Users → All Users.
- If you have a known-clean backup from before the compromise, restore from it. That is faster and safer than manual cleanup.
If you handle credit cards, GDPR-regulated personal data, or medical records, stop and call a professional incident response firm immediately. You may have legal notification obligations (72 hours for GDPR). Do not try to DIY a hack involving regulated data — document everything and bring in experts.
Scenario 5: Locked Out of wp-admin
Wrong password, IP blocked, 2FA broken, redirect loop
Which lockout is it? (a) Forgot password and email reset doesn't arrive, (b) security plugin banned your IP, (c) 2FA app got wiped, (d) you log in but immediately get redirected back to login.
Forgot password, email broken: open phpMyAdmin in your hosting panel → select the WordPress database → table wp_users → edit your row → set user_pass to MD5 of your new password:
UPDATE wp_users
SET user_pass = MD5('MyNewSecurePass123!')
WHERE user_login = 'admin';WordPress will detect the MD5 hash and upgrade it to bcrypt on your next login.
IP banned by security plugin (Wordfence, iThemes, Limit Login Attempts): connect via FTP, rename /wp-content/plugins/wordfence to /wp-content/plugins/wordfence.off. Log in, add your IP to the whitelist, rename the folder back.
2FA broken: same FTP trick — rename the 2FA plugin folder. Log in, reset your 2FA, re-enable the plugin.
Redirect loop (login succeeds, kicks you back to login): caused by cookies or URL mismatch. Clear all browser cookies for your site, or force the correct URL in wp-config.php:
define('WP_HOME','https://yoursite.com');
define('WP_SITEURL','https://yoursite.com');If you lost access to the admin email AND cannot reach phpMyAdmin, you need your host — they can reset the WordPress password through the hosting panel.
Quick Reference — Symptom to Fix
| Symptom | Likely cause | First action |
|---|---|---|
| Blank white page | PHP fatal, errors hidden | Enable WP_DEBUG_LOG, read debug.log |
| "Critical error" screen | PHP fatal in plugin / theme | Check admin email for recovery link |
| "Error establishing database connection" | DB credentials wrong, DB server down | Check wp-config.php DB creds, call host |
| 502 Bad Gateway / 503 | PHP-FPM crashed, memory exhausted | Restart PHP / container from hosting panel |
| Redirect to spam site | Compromise — rogue admin, malware | Rotate salts, scan with Wordfence, restore backup |
| Stuck in maintenance mode | .maintenance file not removed | FTP — delete /.maintenance in site root |
| Can't log in — wrong pass | Lost password, email broken | Reset user_pass in phpMyAdmin via MD5 |
| Login redirect loop | Cookie / URL mismatch | Set WP_HOME / WP_SITEURL in wp-config |
| Admin bar missing, site "almost works" | Theme function deprecated | Switch to Twenty Twenty-Four to isolate |
| Slow / timing out | Runaway plugin, DB query, DDoS | Check New Relic or host's slow-query log |
One-Click Repair With SimpleReview
If you do not want to spelunk through debug.log, edit wp-config.php over SFTP at 2am, or phone-support a developer, SimpleReview is a 24/7 AI-assisted emergency option. It works like this:
- Install the Chrome extension and open your broken site (any URL that loads, even the error page).
- Click the SimpleReview icon, then click the broken element — the red error box, a frozen button, the white page, a hacked banner.
- Type what you want to happen ("site is down — diagnose and fix") and click Fix it.
- SimpleReview pulls your
debug.logover SFTP, reads the last fatal error, identifies the file and line, and opens a pull request with the one-line fix. You review it, merge, and the site is back.
It is not a replacement for a backup strategy or an experienced developer retainer — but when the site is down and nobody is answering the phone, it is the fastest way to get running again. See the product page for the full workflow.
Get Emergency Help — 24/7, AI-Assisted
Click the broken element. SimpleReview diagnoses the fatal error and ships a PR. No ticket queue, no waiting.
Install SimpleReview Chrome Extension →Prefer a WordPress plugin? SimpleReview for WordPress → — 30-second install, no Chrome required.
When to Escalate to a Human
DIY emergency triage has limits. Call a professional developer or incident-response firm if any of these apply:
- You do not have FTP, SFTP, or hosting-panel access, and email reset does not work.
- The site was hacked and you process regulated data (PCI, GDPR, HIPAA). You may have a 72-hour breach-notification clock running.
- Your database is corrupted and backups are missing or older than acceptable data loss.
- You have tried rollback, plugin deactivation, and theme switch — and the site is still broken after 30 minutes.
- The site drives meaningful revenue and every hour down costs more than a developer's hourly rate.
Before calling, prepare: hosting login, FTP credentials, the last known working date, a list of recent changes (plugin updates, deploys, migrations), and a screenshot of the error.
Prevent the Next Emergency
- Automated off-site backups, daily, retained 30 days. UpdraftPlus, BlogVault, or your host's backup plan — whichever actually runs without your attention.
- Staging environment for every major update. Apply WordPress core, plugin, and theme majors to staging first. Managed hosts (Kinsta, WP Engine, SiteGround) give one-click staging.
- Disable core auto-majors: add
define( 'WP_AUTO_UPDATE_CORE', 'minor' );towp-config.php. Security patches still auto-apply; majors wait for you. - Uptime monitoring — UptimeRobot, BetterStack, Pingdom — SMS you within 60 seconds of downtime. The worst emergencies are the ones you learn about from a customer.
- Keep the emergency kit in a password manager: hosting login, SFTP credentials, database credentials, domain registrar, DNS host, backup restore instructions. At 3am you will not remember where anything is.
Frequently Asked Questions
WP_DEBUG_LOG in wp-config.php and read wp-content/debug.log. If you see a host error page (503, 502, "Error establishing database connection"), the issue is server- or database-side — call your host. If the page loads but admin is broken, deactivate plugins via FTP by renaming /wp-content/plugins/ to /wp-content/plugins-off/.WP_DEBUG_LOG, reload, read the exact fatal error from wp-content/debug.log. Memory limit can be raised by adding define( 'WP_MEMORY_LIMIT', '512M' ); to wp-config.php.wp-conflg.php or random .php files in /uploads/), sudden redirects to spam, Google Safe Browsing warning, or SEO spam pages you didn't create. Run Wordfence or Sucuri scanner, change all passwords, rotate auth salts in wp-config.php, and restore from a clean pre-compromise backup if you have one.UPDATE wp_users SET user_pass = MD5('newpass') WHERE user_login = 'admin'. (2) If a security plugin locked you out by IP, deactivate it via FTP by renaming its folder under /wp-content/plugins/. (3) If 2FA is broken, remove the 2FA plugin folder over FTP. Re-enable security after recovery.debug.log and source over SFTP, identifies the exact file and line of the fatal error, and generates a PR with the one-line fix. It works 24/7 — no ticket queue, no waiting for a developer to wake up.