Your website displays a 500 error when accessed. So something isn’t quite right.
My recommendation: check why the 500 error is occurring. This should also help you identify the issue with the backend. The reason for the error should be visible in the error log. You can find it in your hosting area. If necessary, the support of your hosting can help you.
Alternatively, you could also enable debugging in WordPress. How to do this is described here: https://developer.ww.wp.xz.cn/advanced-administration/debug/debug-wordpress/ – also here the support of your hosting can help you if necessary to edit the file accordingly.
In both cases you should be able to see what the cause is in the logfile.
A 403 error can be caused either by incorrect entries in the .htaccess file or by security tools in your hosting environment. You can simply delete the .htaccess file – WordPress will recreate it for you. Also check whether there is a separate .htaccess file in the wp-admin directory – if so, remove it (WordPress itself does not create one there; only security tools in your hosting environment or plugins do).
I called the host of the website. They went into my backend and most of my WordPress files are missing hence all the error messages.
It appears that I have been hacked. Unfortunately, they can only retrieve 7 days so it’s not possible to trigger the backup.
The 403 on /wp-admin combined with a blank /wp-login.php points to one of two things: a corrupted or modified .htaccess file, or a security plugin (Wordfence, iThemes Security, All-In-One WP Security) that’s either blocked your IP or written bad rules into .htaccess.
The blank login page is the telling detail — a pure server 403 would show on both URLs. Something is loading PHP on /wp-login.php but killing output before it renders, which is more typical of a plugin conflict or a PHP error with display turned off than a straight permissions issue.
Without FTP, your best route is back to your hosting provider with specific requests rather than a general “please check”:
Ask them to rename the .htaccess file in your root directory to .htaccess.bak temporarily — this rules out a corrupted or over-restrictive .htaccess in about 30 seconds. Also ask them to check if any server-level firewall or ModSecurity rule is blocking /wp-admin for your IP specifically.
If they can give you phpMyAdmin access even without full cPanel, you can deactivate all plugins at once by renaming the wp_options row where active_plugins is stored — or more simply, ask hosting to rename your /wp-content/plugins/ folder to /wp-content/plugins-disabled/ which deactivates everything without deleting anything.
Start with the .htaccess rename — it’s the quickest thing to rule out and hosting can do it in under a minute.
