What to Do When Your Website Gets Hacked: A Step-by-Step Recovery Guide

Your website's been hacked? Don't panic. Follow our step-by-step guide to clean up malware, secure your site, and prevent future attacks.

Finding out your website's been hacked feels horrible. You might discover it through a scary browser warning, angry customers, or plummeting search rankings. But here's the thing - it happens to thousands of websites every day. You're not alone, and it's fixable.

Let's walk through exactly what to do, step by step.

First Things First: Don't Panic

Your immediate reaction might be to start clicking around, trying to fix things. Stop. Take a breath. Rushing often makes things worse.

The hack has already happened. A few more minutes won't hurt, but making the wrong move might.

Step 1: Document Everything

Before touching anything, take screenshots. Capture:

  • Any warning messages from browsers or Google
  • Your website as it currently appears
  • Any suspicious files or changes in your admin area
  • Error messages you're seeing

You'll need this evidence later, especially if you're claiming on cyber insurance.

Step 2: Change All Passwords Immediately

Start with these, in this order:

  1. Website hosting account password
  2. Website admin password (WordPress, etc.)
  3. FTP/cPanel passwords
  4. Email passwords (especially the one linked to your website)
  5. Any third-party service passwords (payment processors, analytics, etc.)

Don't use the same password twice. Use a password manager if you haven't already.

Step 3: Check for Obvious Malware

Log into your hosting account and look for:

  • Files you didn't create
  • Recently modified files (check dates)
  • Suspicious file names (random characters, .php files where they shouldn't be)
  • Files that are much larger than they should be

Common hiding spots include uploads folders, theme directories, and the root directory.
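
A triage pass over the four signs listed in this step, as an added example rather than code from the original guide. The 14-day window, size limit, extension list and "random name" pattern are assumptions to tune for your site, and the sample tree is constructed.

```python
import os
import pathlib
import re
import tempfile
import time

PHP_EXT = (".php", ".phtml", ".php5", ".phar")
# Crude heuristic for "random characters": 8+ lowercase letters/digits, 2+ digits.
RANDOM_STEM = re.compile(r"^(?=(?:.*\d){2})[a-z0-9]{8,}$")

def triage(webroot, days=14, max_bytes=2_000_000, now=None):
    """Return {relative_path: [reasons]} for files worth a manual look."""
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        in_uploads = "uploads" in rel_dir.split(os.sep)
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))  # do not follow symlinks
            stem, ext = os.path.splitext(name.lower())
            checks = [
                (st.st_mtime >= cutoff, f"modified in last {days} days"),
                (in_uploads and ext in PHP_EXT, "script in uploads folder"),
                (st.st_size > max_bytes, f"larger than {max_bytes} bytes"),
                (ext in PHP_EXT and RANDOM_STEM.match(stem), "random-looking script name"),
            ]
            reasons = [why for hit, why in checks if hit]
            if reasons:
                findings[os.path.normpath(os.path.join(rel_dir, name))] = reasons
    return findings

def build_sample_site(root, now):
    """Constructed sample tree: one ordinary file, one dropped script, one big file."""
    layout = {
        "index.php": (b"<?php // home", now - 90 * 86400),
        "wp-content/uploads/2024/x7k2q9vd.php": (b"<?php // placeholder", now - 3600),
        "wp-content/uploads/2024/logo.png": (b"\x89PNG" + b"0" * 5000, now - 90 * 86400),
    }
    for rel, (data, mtime) in layout.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, time.time())
        for path, reasons in sorted(triage(root, max_bytes=4096).items()):
            print(path, "->", "; ".join(reasons))
```

Modification times can be reset by whoever planted a file, so a file that passes the date check is not cleared by it.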

Step 4: Take Your Site Offline (If Necessary)

If your site is serving malware to visitors or completely defaced, take it offline temporarily. Most hosting providers offer a "maintenance mode" option.

This protects your visitors and stops search engines from indexing the hacked content.

Step 5: Contact Your Hosting Provider

Good hosting providers offer malware cleanup as part of their service. Even if they don't clean it for free, they can:

  • Provide access to clean backups
  • Help identify how the hack happened
  • Restore from a clean backup point
  • Scan for remaining malware

Professional hosting services often include security monitoring and cleanup assistance.

DIY Cleanup vs Professional Help

You Can Handle It Yourself If:

  • It's a simple defacement (changed content, no file corruption)
  • You have recent, clean backups
  • You're comfortable with file management
  • The hack is caught early

Call a Professional When:

  • Malware is deeply embedded
  • Customer data might be compromised
  • You're seeing complex redirects or injection attacks
  • Your hosting provider can't help
  • You don't have clean backups

Step-by-Step DIY Recovery

1. Restore from Clean Backup

The fastest fix is restoring from a backup made before the hack. Check your backup dates carefully - some malware sits dormant for weeks.
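
One way to check backup dates against a dormant infection, as an added example that is not part of the original guide: walk the backups newest-first and reject any that already holds a flagged file with the same content as the compromised live copy. The function names, backup dates and file contents are constructed for illustration.

```python
import hashlib
import pathlib
import tempfile

def sha256(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def newest_clean_backup(live_root, backups, suspicious):
    """backups: {iso_date: backup_dir}; suspicious: paths flagged on the live site.

    A backup is tainted if any flagged file is present in it with the same content
    as the live (compromised) copy. Returns (clean_date_or_None, {date: hits}).
    """
    live = {rel: sha256(pathlib.Path(live_root, rel)) for rel in suspicious}
    report, clean = {}, None
    for date in sorted(backups, reverse=True):  # ISO dates sort chronologically
        hits = []
        for rel, digest in live.items():
            copy = pathlib.Path(backups[date], rel)
            if copy.is_file() and sha256(copy) == digest:
                hits.append(rel)
        report[date] = hits
        if not hits and clean is None:
            clean = date  # first hit-free backup when walking newest-first
    return clean, report

def build_sample(root):
    """Constructed sample: a live site and three dated backups (not real data)."""
    clean, injected, dropped = b"<?php // home", b"<?php // home + injected", b"<?php // dropped"
    trees = {
        "live": {"index.php": injected, "uploads/x7k2q9vd.php": dropped},
        "2024-05-29": {"index.php": injected, "uploads/x7k2q9vd.php": dropped},
        "2024-05-15": {"index.php": clean, "uploads/x7k2q9vd.php": dropped},  # dormant
        "2024-05-01": {"index.php": clean},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            path = pathlib.Path(root, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return {d: str(pathlib.Path(root, d)) for d in trees if d != "live"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        backups = build_sample(root)
        flagged = ["index.php", "uploads/x7k2q9vd.php"]
        print(newest_clean_backup(pathlib.Path(root, "live"), backups, flagged))
```

A backup that passes is only free of the files you already flagged, so the scan in "3. Scan Thoroughly" still applies after restoring.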

2. Update Everything

Before bringing your site back online:

  • Update your CMS (WordPress, etc.)
  • Update all plugins and themes
  • Remove any plugins you don't use
  • Check for known vulnerabilities in your setup

3. Scan Thoroughly

Use security plugins like Wordfence (for WordPress) or have your hosting provider scan for remaining malware. Don't skip this step.

4. Harden Your Security

  • Install a security plugin
  • Enable two-factor authentication
  • Set up automatic updates for security patches
  • Limit login attempts
  • Hide your admin login page

Preventing Future Hacks

Keep Everything Updated

Most hacks exploit known vulnerabilities. Keep your CMS, plugins, and themes updated. Enable automatic security updates where possible.

Use Strong, Unique Passwords

Every account should have its own password. Yes, it's a pain. Password managers make it manageable.

Regular Backups

Set up automatic daily backups stored off-site. Test them occasionally to make sure they work.

Security Monitoring

Consider website maintenance services that include security monitoring. They catch problems before they become disasters.

Choose Hosting Wisely

Cheap hosting often means poor security. Invest in a hosting provider that takes security seriously and offers malware cleanup.

What About SEO and Google Penalties?

Google might temporarily blacklist your site or show warnings to users. Once cleaned up:

  • Submit a malware review request through Google Search Console
  • Check for any manual penalties
  • Monitor your search rankings for a few weeks

Most sites recover their rankings once Google confirms they're clean.

Recovery Checklist

  • [ ] Document the hack with screenshots
  • [ ] Change all passwords
  • [ ] Contact hosting provider
  • [ ] Take site offline if serving malware
  • [ ] Restore from clean backup or remove malware
  • [ ] Update all software
  • [ ] Scan for remaining threats
  • [ ] Strengthen security measures
  • [ ] Submit for Google review
  • [ ] Set up better monitoring

When to Get Professional Help

If you're dealing with:

  • Customer payment data
  • Sensitive business information
  • Complex e-commerce systems
  • Repeated attacks

Don't risk doing it yourself. The cost of professional cleanup is usually much less than the cost of a botched DIY job.

Frequently Asked Questions

How do I know if my website is hacked? Common signs include browser warnings, unexpected redirects, unfamiliar content, slow loading, or angry messages from Google Search Console.

Can I prevent all website hacks? Nothing's 100% secure, but regular updates, strong passwords, and good hosting dramatically reduce your risk.

How long does recovery take? Simple cleanups might take a few hours. Complex infections can take days, especially if you need to rebuild from scratch.

Will my search rankings recover? Usually, yes. Google's good at recognising hacked sites versus malicious ones. Clean up quickly and your rankings should bounce back.

Should I pay the ransom if my site's held hostage? Never. There's no guarantee they'll unlock your site, and you're funding more attacks. Restore from backups instead.

Getting hacked is stressful, but it's rarely the end of the world. Take it step by step, and don't be afraid to ask for help when you need it. Your website will recover, and you'll emerge with much better security than before.

Web Cardiff

Cardiff's WordPress specialists helping Welsh businesses grow online.
