A hacked website is a serious but recoverable problem. The key is to act quickly and methodically: isolate the damage, determine how you were compromised, restore from a clean backup, and close the security gap. This guide walks you through each step.
Immediate actions (first hour)
1. Take the site offline
- Disable the website as soon as you confirm it's been hacked – don't wait
- Move it to a maintenance page or password-protect it in your control panel
- This prevents attackers from using your site to attack visitors and stops them spreading malware further
2. Change all passwords
- Change your hosting control panel password immediately (from a different, clean computer)
- Change your FTP/SSH login credentials
- Change your database admin password
- Change your email account passwords (especially the one linked to your hosting account)
- Use strong, unique passwords for each
3. Document what you see
- Take screenshots of any suspicious files, error messages, or unusual content
- Note the date and time you discovered the compromise
- Write down any abnormal activity (unexpected new user accounts, unfamiliar files, database changes)
- This information helps identify the attack vector
4. Contact your hosting provider
- Notify them immediately—they may already be aware if your site is sending spam or malware
- Ask them to:
- Check server logs for unauthorized access
- Review file modification dates
- Identify the attack entry point if possible
Assess the damage (next few hours)
Check what was compromised:
- Visitor data – Did the attacker steal customer information, emails, or credit card data? If yes, you may have legal obligations to notify affected users
- Site files – Are there unfamiliar files or backdoors? (Look for new `.php` files, a suspicious uploads folder, hidden files starting with `.`)
- Database – Are there new admin users, modified content, or injected spam links?
- Malware spread – Did attackers inject malicious code into existing files?
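If you have SSH access, the site-files check above can be scripted. The following is an added example, not part of the original guide: the function name `triage_scan`, the output labels, the 14-day default and the list of script extensions are assumptions chosen for illustration. It only lists candidates for manual review and changes nothing.

```shell
#!/bin/sh
# triage_scan DOCROOT [DAYS]
# Prints one finding per line as "<CATEGORY> <path>".
# DOCROOT (your web root) and DAYS (how far back to look) are assumptions:
# set DAYS to cover the period since your last known-clean date.
triage_scan() {
    docroot=$1
    days=${2:-14}

    # 1. PHP files created or modified within the last DAYS days.
    find "$docroot" -type f -name '*.php' -mtime "-$days" |
        sed 's/^/RECENT_PHP /'

    # 2. Script files inside any "uploads" directory, where normally
    #    only images and documents belong.
    find "$docroot" -type f -path '*/uploads/*' \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) |
        sed 's/^/UPLOAD_SCRIPT /'

    # 3. Hidden files and directories (names starting with a dot).
    #    Some, such as .htaccess, are expected but should still be read,
    #    because they are a common place for injected rules.
    find "$docroot" -mindepth 1 -name '.*' |
        sed 's/^/HIDDEN /'
}

# Example use (path is a placeholder):
#   triage_scan /path/to/public_html 30 > findings.txt
```

Modification times can be forged, so an empty `RECENT_PHP` list does not prove the files are clean; treat the output as a starting point alongside your provider's logs.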
Ask yourself:
- When was my last clean backup? (You'll use this to restore)
- How far back do I need to go to find an uncompromised version?
Restore from backup
This is why backups matter. A clean backup lets you start over without rebuilding manually.
1. Stop the infection cycle
- Before you restore, close the security gap that let them in (see "Prevent re-infection" below)
- If you restore without fixing the vulnerability, they'll compromise you again
2. Choose a clean backup
- Use your most recent backup that was created BEFORE the hack
- If you're not sure when you were hacked, go back further (1–2 weeks)
3. Restore the website
- Use your hosting provider's backup restore feature (usually in your control panel)
- Restore both your website files and your database
- Follow your provider's instructions carefully—restore time varies (minutes to hours)
4. Test before going live
- After restore completes, verify the site works
- Check that your content, products, and customer data are intact
- Look for any remaining suspicious files or backdoors
5. Go live
- Once confirmed clean, take the site out of maintenance mode
- Update your DNS records or domain pointer if needed (your provider can advise)
Prevent re-infection
Find and close the entry point. Attackers exploit one of these:
| Vulnerability | What to do |
|---|---|
| Outdated software | Update your CMS, plugins, web server, and OS to the latest versions. This is the #1 cause. |
| Weak password | Change to a long, unique password (16+ characters). If multiple accounts were compromised, your password was likely weak. |
| SQL injection or XSS | If you run custom code, request a security audit from your developer. These vulnerabilities are in the code itself. |
| Unpatched plugin | Remove or update vulnerable plugins. Check your hosting provider's security reports if available. |
| Compromised FTP/SSH account | Change all FTP and SSH credentials. If a contractor or developer had access, revoke it. |
| Malicious file upload | Check your uploads folder and disable file upload features unless absolutely necessary. Use server-side validation. |
Harden your site:
- Enable two-factor authentication (2FA) on your hosting control panel and CMS admin account
- Disable unnecessary plugins and features – Each one is a potential attack surface
- Set file permissions correctly (your hosting provider can advise; typically `644` for files, `755` for folders)
- Keep regular, automated backups going forward so you can recover faster next time
- Remove backdoors – Attackers often leave hidden access points; your hosting provider can help identify these
Notify affected users (if needed)
If you collected customer data (emails, phone numbers, addresses, credit cards) and an attacker accessed it:
- Notify affected users as soon as reasonably possible
- Explain what data was accessed and what you're doing to prevent it from happening again
- Provide guidance (change passwords, monitor credit card statements, etc.)
- Check your local regulations—some jurisdictions legally require notification
- Document the breach for compliance records
After recovery
- Monitor your site for the next week – Attackers sometimes leave backdoors for later re-infection
- Review access logs – Ask your hosting provider to show you recent login activity
- Enable security alerts – Many CMS platforms and hosting providers offer email notifications for suspicious activity
- Subscribe to security updates for your CMS, plugins, and framework
- Schedule monthly security audits – Check for new backdoors and verify all changes are legitimate
When to ask for professional help
- You can't identify the entry point after thorough checking
- You suspect SQL injection or malicious code in your custom code
- You've restored multiple times and keep getting re-infected
- You need legal or compliance guidance on a data breach
- Your hosting provider recommends a professional security assessment
Many hosting providers offer security cleanup services, or you can hire an independent security firm. It's often worth the cost to avoid repeat infections.
A hacked website is stressful, but it's not the end. With backups, quick action, and a thoughtful approach to closing the security gap, you'll be back online safely and stronger than before.