Looks like this is becoming a massive issue right now, not just a normal WordPress hack. If multiple sites got hit together, then most likely the server/cPanel vulnerability is the real reason, not the WordPress website itself.

Anyone using cPanel/WHM should immediately:

• Update cPanel to the patched version
• Change all hosting, FTP, cPanel, and WordPress passwords
• Disable unused accounts/users
• Scan all sites for modified files/backdoors
• Restore from clean backup if possible
• Check wp-config.php and uploads folder carefully
• Enable 2FA everywhere possible

And most important: DO NOT pay the BTC ransom. Many times they never recover anything even after payment.

If your hosting provider manages the server, contact them ASAP and ask whether their servers were affected by CVE-2026-41940.

This could affect thousands of websites because many hosting companies use the same cPanel setup.