
What to do if your website is hacked

Immediate steps to take when your website is compromised: isolate it, restore from backup, and prevent re-infection.


A hacked website is a serious but recoverable problem. The key is to act quickly and methodically: isolate the damage, determine how you were compromised, restore from a clean backup, and close the security gap. This guide walks you through each step.

Immediate actions (first hour)

1. Take the site offline
- Disable the website as soon as you confirm it's been hacked; don't wait
- Move it to a maintenance page or password-protect it in your control panel
- This prevents attackers from using your site to attack visitors and stops them spreading malware further

2. Change all passwords
- Change your hosting control panel password immediately (from a different, clean computer)
- Change your FTP/SSH login credentials
- Change your database admin password
- Change your email account passwords (especially the one linked to your hosting account)
- Use strong, unique passwords for each

3. Document what you see
- Take screenshots of any suspicious files, error messages, or unusual content
- Note the date and time you discovered the compromise
- Write down any abnormal activity (unexpected new user accounts, unfamiliar files, database changes)
- This information helps identify the attack vector

4. Contact your hosting provider
- Notify them immediately—they may already be aware if your site is sending spam or malware
- Ask them to:
  - Check server logs for unauthorized access
  - Review file modification dates
  - Identify the attack entry point if possible

Assess the damage (next few hours)

Check what was compromised:

  • Visitor data – Did the attacker steal customer information, emails, or credit card data? If yes, you may have legal obligations to notify affected users
  • Site files – Are there unfamiliar files or backdoors? (Look for new .php files, suspicious content in the uploads folder, and hidden files whose names start with a dot)
  • Database – Are there new admin users, modified content, or injected spam links?
  • Malware spread – Did attackers inject malicious code into existing files?
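
One way to run the "Site files" check over SSH, as an added example that is not part of the original article: it lists recently changed PHP files, script files inside the uploads folder, and hidden entries, and changes nothing on disk. The 14-day window, the `uploads` folder name and the extension list are assumptions to adjust for your site.

```sh
#!/bin/sh
# Added example: read-only triage of a web root for the "Site files" indicators.
# The 14-day default, the uploads path and the extension list are assumptions.

# PHP files modified within the last N days: candidates for injected code.
recent_php() {          # usage: recent_php <webroot> <days>
    find "$1" -type f -iname '*.php' -mtime "-$2" -print | LC_ALL=C sort
}

# Script files inside the uploads folder, where only media is expected.
scripts_in_uploads() {  # usage: scripts_in_uploads <uploads_dir>
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        -print | LC_ALL=C sort
}

# Hidden files and folders (names starting with a dot) below the web root.
# .htaccess and .well-known are normally legitimate, but review them as well.
hidden_entries() {      # usage: hidden_entries <webroot>
    find "$1" ! -path "$1" -name '.*' -print | LC_ALL=C sort
}

triage() {              # usage: triage <webroot> [days]
    days="${2:-14}"
    echo "== PHP files modified in the last $days days =="
    recent_php "$1" "$days"
    echo "== Script files in $1/uploads =="
    [ -d "$1/uploads" ] && scripts_in_uploads "$1/uploads"
    echo "== Hidden files and folders =="
    hidden_entries "$1"
}

# When saved as a script: sh triage.sh /path/to/webroot 14
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

Save the output alongside your screenshots and notes; the file paths and modification times help your hosting provider narrow down the entry point.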

Ask yourself:
- When was my last clean backup? (You'll use this to restore)
- How far back do I need to go to find an uncompromised version?

Restore from backup

This is why backups matter. A clean backup lets you start over without rebuilding manually.

1. Stop the infection cycle
- Before you restore, close the security gap that let them in (see "Prevent re-infection" below)
- If you restore without fixing the vulnerability, they'll compromise you again

2. Choose a clean backup
- Use your most recent backup that was created BEFORE the hack
- If you're not sure when you were hacked, go back further (1–2 weeks)

3. Restore the website
- Use your hosting provider's backup restore feature (usually in your control panel)
- Restore both your website files and your database
- Follow your provider's instructions carefully—restore time varies (minutes to hours)

4. Test before going live
- After restore completes, verify the site works
- Check that your content, products, and customer data are intact
- Look for any remaining suspicious files or backdoors

5. Go live
- Once confirmed clean, take the site out of maintenance mode
- Update your DNS records or domain pointer if needed (your provider can advise)

Prevent re-infection

Find and close the entry point. Attackers exploit one of these:

| Vulnerability | What to do |
|---|---|
| Outdated software | Update your CMS, plugins, web server, and OS to the latest versions. This is the #1 cause. |
| Weak password | Change to a long, unique password (16+ characters). If multiple accounts were compromised, your password was likely weak. |
| SQL injection or XSS | If you run custom code, request a security audit from your developer. These vulnerabilities are in the code itself. |
| Unpatched plugin | Remove or update vulnerable plugins. Check your hosting provider's security reports if available. |
| Compromised FTP/SSH account | Change all FTP and SSH credentials. If a contractor or developer had access, revoke it. |
| Malicious file upload | Check your uploads folder and disable file upload features unless absolutely necessary. Use server-side validation. |

Harden your site:

  • Enable two-factor authentication (2FA) on your hosting control panel and CMS admin account
  • Disable unnecessary plugins and features – Each one is a potential attack surface
  • Set file permissions correctly (your hosting provider can advise; typically 644 for files, 755 for folders)
  • Keep regular, automated backups going forward so you can recover faster next time
  • Remove backdoors – Attackers often leave hidden access points; your hosting provider can help identify these
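
The file-permission baseline above (644 for files, 755 for folders) can be checked and enforced from a shell. This added example, which is not taken from the original article, reports anything looser than that baseline and tightens it without loosening stricter modes such as 600; it assumes no file under the web root needs the execute bit.

```sh
#!/bin/sh
# Added example: compare a web root against the 644 (files) / 755 (folders)
# baseline. Assumption: nothing under the web root needs the execute bit.

# Files with any permission bit beyond 644 (owner execute, or group/other
# write or execute). Stricter modes such as 600 are not reported.
looser_files() {        # usage: looser_files <webroot>
    find "$1" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
        -o -perm -0002 -o -perm -0001 \) -print | LC_ALL=C sort
}

# Folders writable by group or other, i.e. looser than 755.
looser_dirs() {         # usage: looser_dirs <webroot>
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print | LC_ALL=C sort
}

# Remove only the excess bits, so 666 becomes 644 and 777 becomes 755,
# while a stricter mode such as 600 is left as it is.
tighten() {             # usage: tighten <webroot>
    find "$1" -type f -exec chmod u-x,go-wx {} +
    find "$1" -type d -exec chmod go-w {} +
}

# When saved as a script: sh perms.sh report|fix /path/to/webroot
case "${1:-}" in
    report) looser_files "$2"; looser_dirs "$2" ;;
    fix)    tighten "$2" ;;
esac
```

Run the report first and review its output before applying the fix, since some hosting setups need specific folders to stay writable by the web server's group.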

Notify affected users (if needed)

If you collected customer data (emails, phone numbers, addresses, credit cards) and an attacker accessed it:

  • Notify affected users as soon as reasonably possible
  • Explain what data was accessed and what you're doing to prevent it from happening again
  • Provide guidance (change passwords, monitor credit card statements, etc.)
  • Check your local regulations—some jurisdictions legally require notification
  • Document the breach for compliance records

After recovery

  • Monitor your site for the next week – Attackers sometimes leave backdoors for later re-infection
  • Review access logs – Ask your hosting provider to show you recent login activity
  • Enable security alerts – Many CMS platforms and hosting providers offer email notifications for suspicious activity
  • Subscribe to security updates for your CMS, plugins, and framework
  • Schedule monthly security audits – Check for new backdoors and verify all changes are legitimate

When to ask for professional help

  • You can't identify the entry point after thorough checking
  • You suspect SQL injection or malicious code in your custom code
  • You've restored multiple times and keep getting re-infected
  • You need legal or compliance guidance on a data breach
  • Your hosting provider recommends a professional security assessment

Many hosting providers offer security cleanup services, or you can hire an independent security firm. It's often worth the cost to avoid repeat infections.

A hacked website is stressful, but it's not the end. With backups, quick action, and a thoughtful approach to closing the security gap, you'll be back online safely and stronger than before.

