Finding out your website has been hacked is stressful — but the steps to recover are well-established. The worst thing you can do is panic and wipe everything: you'll lose the evidence you need to understand how they got in, and potentially restore to a state that's still vulnerable. Follow this sequence and you'll come out cleaner and harder to hit than before.
Step 1: Confirm the compromise and take stock
Before touching anything, confirm you're actually hacked and understand the scope:
- Check Google's Safe Browsing status for your domain (search "site:yourdomain.com" in Google and look for warnings, or check search.google.com/search-console for security issues).
- Look for symptoms: unexpected redirects to other sites, injected content or ads, login pages you didn't create, files you don't recognise, emails reported as spam from your domain.
- Check your hosting control panel for unfamiliar files, recently modified files, and unexpected cron jobs or user accounts.
- Pull server logs and note the timeframe — when did the first suspicious activity occur?
Step 2: Isolate the site
Take the site offline or into maintenance mode while you work on it. This stops the attack from spreading, prevents visitors landing on malicious content, and stops the attacker from continuing to use the compromised access. Options:
- Enable maintenance mode in your CMS
- Password-protect the directory at the server level
- Point DNS to a holding page while you work
- If the server is severely compromised, take it fully offline
Step 3: Change all credentials immediately
Before cleaning anything, rotate everything — the attacker may have copies:
- Hosting control panel and FTP/SFTP passwords
- Database passwords (update your config files accordingly)
- CMS admin passwords (WordPress, etc.) — all users, not just admin
- Email accounts associated with the domain
- SSH keys — revoke and reissue
- Any API keys stored in the codebase
Enable 2FA on everything, especially hosting and email, before proceeding.
Step 4: Identify the entry point
Cleaning without fixing the root cause means you'll be hacked again within days. Common entry points:
- Outdated plugin or theme — look for recently disclosed CVEs in software you run
- Stolen credentials — check for brute-force patterns in your access logs
- Compromised FTP/SSH credentials — look for logins from unexpected IPs
- File upload vulnerability — look for PHP shells in upload directories
- SQL injection — check logs for unusual query strings
- Vulnerable hosting — shared hosting can be compromised via other accounts
Most WordPress hacks come through a vulnerable plugin. Check which plugins had updates available around the time of compromise.
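As an added example (not part of the original guide), here is a POSIX shell function that performs the brute-force check from the list above over a constructed access log: it counts POST requests to the login endpoint per client IP and reports any IP over a threshold, together with the time window of its attempts. The combined log format, the 20-attempt threshold and the sample IPs are assumptions.

```shell
# make_sample_log FILE
# Writes a constructed access log (combined format, not real traffic): one client
# POSTs to /wp-login.php 40 times in 40 seconds, another browses normally.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 40 ]; do
        i=$((i + 1))
        printf '203.0.113.7 - - [03/Mar/2024:02:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"\n' "$i" >> "$out"
    done
    printf '198.51.100.4 - - [03/Mar/2024:02:20:11 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.4 - - [03/Mar/2024:02:20:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
}

# login_bruteforce_ips LOGFILE [THRESHOLD] [LOGIN_PATH]
# Prints "count ip first_seen last_seen" for each client IP that POSTed to
# LOGIN_PATH more than THRESHOLD times (defaults: 20 attempts, /wp-login.php),
# busiest first. Field positions assume the combined log format:
#   $1 = client IP, $4 = "[day/mon/year:hh:mm:ss", $6 = "\"POST", $7 = request path.
login_bruteforce_ips() {
    logfile="$1"; threshold="${2:-20}"; path="${3:-/wp-login.php}"
    awk -v t="$threshold" -v p="$path" '
        $6 == "\"POST" && index($7, p) == 1 {
            hits[$1]++
            if (!($1 in first)) first[$1] = substr($4, 2)
            last[$1] = substr($4, 2)
        }
        END {
            for (ip in hits)
                if (hits[ip] > t) print hits[ip], ip, first[ip], last[ip]
        }
    ' "$logfile" | sort -rn
}
```

A dense burst of attempts from one IP inside a short window, as the sample shows, is the pattern to look for; a handful of POSTs spread over a day is normal user behaviour.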
Step 5: Clean the site — or restore from a clean backup
Restore from backup (recommended if available)
A clean, dated backup is the fastest and most reliable recovery path. Restore to a point before the compromise — confirmed by checking logs. If the compromise was recent, this may be straightforward. After restoring, go straight to Step 6 to close the entry point before going back online.
Manual cleaning (if no clean backup)
If you have no backup or the backup is also compromised:
- Download a fresh copy of your CMS core files and compare checksums against your current installation. Replace any modified core files.
- Scan for malware using a server-side scanner (Wordfence, Sucuri, ImunifyAV). These look for known malicious code patterns in your files.
- Search for recently modified files: `find /var/www -mtime -14 -type f` shows everything changed in the last two weeks.
- Look for PHP shells — files with names like `shell.php`, `c99.php`, `r57.php`, or legitimate-looking names with base64-encoded content inside.
- Check the database for injected content: spam links in posts, new admin users you didn't create, malicious JavaScript in widgets or options tables.
- Reinstall all plugins and themes from official sources — don't trust files that were on the server.
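The file-level checks above, combined into one scan, as an added example that is not from the original guide: the function lists PHP files under a web root that were modified recently, carry a known shell filename, or contain an obfuscated-code marker. The helper builds a constructed throwaway web root with inert files so the scan can be tried offline; the marker regex and the 14-day window are assumptions.

```shell
# make_sample_webroot DIR
# Creates a constructed web root: one clean file, one file with a harmless-looking
# name hiding an obfuscation marker, and one file with a classic web-shell name.
# The planted content is inert (the base64 string decodes to: echo 1;).
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/2024/03"
    printf '<?php\necho "hello";\n' > "$root/index.php"
    printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$root/wp-content/uploads/2024/03/image-cache.php"
    printf '<?php\n// placeholder, no code\n' > "$root/wp-content/uploads/c99.php"
}

# suspicious_php_files WEBROOT [DAYS]
# Emits one "REASON path" line per indicator hit:
#   RECENT      modified within DAYS days (default 14), like the find in the text
#   KNOWN_NAME  a filename associated with published PHP shells
#   OBFUSCATED  eval() fed by base64_decode/gzinflate/str_rot13 (common in injected code)
# A file can appear under more than one reason; review each hit by hand.
suspicious_php_files() {
    root="$1"; days="${2:-14}"
    find "$root" -type f -name '*.php' -mtime "-$days" | sed 's|^|RECENT |'
    find "$root" -type f \( -name 'shell.php' -o -name 'c99.php' -o -name 'r57.php' \) \
        | sed 's|^|KNOWN_NAME |'
    find "$root" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + \
        | sed 's|^|OBFUSCATED |'
}
```

Run it against the real web root only after the site is isolated and credentials are rotated; a hit under OBFUSCATED or KNOWN_NAME inside an uploads directory is almost never legitimate, while RECENT hits need the logs to tell a deployment from an intrusion.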
Step 6: Patch the entry point
Once you know how they got in:
- Update the vulnerable plugin, theme or CMS version immediately
- Disable and delete any software you don't actively use
- Fix the configuration flaw if it was a misconfiguration (exposed admin panel, weak password, open file upload, etc.)
- Block the attacker's IP at the firewall if you can identify it — though this alone won't stop them
Step 7: Harden before going back online
Don't restore to the same security posture that got you hacked. Before taking the site live again:
- Enable a WAF — Cloudflare's free tier blocks most common attack patterns
- Add security headers to your responses
- Set correct file permissions (644 for files, 755 for directories)
- Check your DMARC policy — a hacked site is often used to send spam as your domain
- Set up automated daily offsite backups so you have a clean restore point next time
- Run a passive security scan on your domain to surface any remaining misconfigurations
Step 8: Request Google review
If Google flagged your site with malware warnings, submit a review request via Google Search Console (Security Issues → Request Review) after cleaning. Warnings usually lift within 24–72 hours once Google re-crawls and finds the site clean.
Step 9: Monitor for reinfection
Set up monitoring so you know immediately if it happens again:
- Enable file integrity monitoring (Wordfence, iThemes Security)
- Subscribe to uptime and malware monitoring (UptimeRobot, Sucuri SiteCheck)
- Watch your Google Search Console security alerts
- Monitor your email blacklist status — hacked sites are often used for spam
When to call a professional
If the compromise is severe (ransomware, full server access, database exfiltration, or you can't identify the entry point), consider engaging a professional incident response service. Cleaning by hand without experience risks missing backdoors or leaving the site vulnerable. We're developers — if you want a second set of eyes on your site or a clean-up done properly, reply to your Kalenfy report and we'll scope it.