Finding out your website has been hacked is stressful, especially when customers are seeing warnings, redirects, or broken pages. The first few actions matter.

The goal is to contain the damage, preserve enough information to understand what happened, and bring the site back cleanly.

1. Do not blindly restore the newest backup

Restoring a backup can help, but it can also bring the infection back if the backup was made after the compromise.

Before restoring, identify when the problem likely started. Look at file modification dates, suspicious admin logins, hosting alerts, search console warnings, and customer reports.
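One way to run the file-date check and pick a backup, as an added example that is not part of the original article: it lists files changed after a last known-good date and selects the newest backup taken before the earliest of those changes. The paths, dates, backup labels and the list of executable extensions are constructed assumptions. Modification times can be reset by an attacker, so the result is one signal to weigh alongside the logins, alerts and reports listed above.

```python
import os
import tempfile
from datetime import datetime, timezone

# Extensions that execute on a typical PHP host; an assumption for this sketch.
EXECUTABLE_EXT = {".php", ".phtml", ".phar"}

def modified_since(webroot, baseline):
    """Return (mtime, relative_path, note) for files changed after `baseline`, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.lstat(path).st_mtime, timezone.utc)
            if mtime <= baseline:
                continue
            rel = os.path.relpath(path, webroot)
            ext = os.path.splitext(name)[1].lower()
            in_uploads = "uploads" in rel.split(os.sep)
            note = "script in uploads" if in_uploads and ext in EXECUTABLE_EXT else ""
            hits.append((mtime, rel, note))
    return sorted(hits)

def newest_safe_backup(backups, first_change):
    """Pick the newest backup taken strictly before the earliest suspicious change."""
    older = [(taken, label) for label, taken in backups.items() if taken < first_change]
    return max(older)[1] if older else None

def demo():
    utc = timezone.utc
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree: one untouched file, two changed after the last known-good date.
        sample = {
            "index.php": datetime(2024, 3, 1, 9, 0, tzinfo=utc),
            "wp-content/uploads/2024/img.php": datetime(2024, 3, 14, 2, 17, tzinfo=utc),
            "wp-content/themes/x/functions.php": datetime(2024, 3, 14, 2, 19, tzinfo=utc),
        }
        for rel, when in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (when.timestamp(), when.timestamp()))
        hits = modified_since(root, datetime(2024, 3, 10, tzinfo=utc))
        backups = {"backup-03-08": datetime(2024, 3, 8, tzinfo=utc), "backup-03-15": datetime(2024, 3, 15, tzinfo=utc)}
        return hits, newest_safe_backup(backups, hits[0][0])

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

In the constructed data the newest backup (`backup-03-15`) postdates the first suspicious change, so the older one is selected instead.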

2. Put the site in a controlled state

If the website is redirecting visitors, serving malware, or leaking data, temporarily restrict public access while recovery begins. This protects visitors and reduces reputational damage.

For ecommerce or membership websites, be careful with maintenance mode. You may need to preserve orders, form entries, and customer activity before making large changes.

3. Change access credentials

Rotate passwords for hosting, CMS administrators, FTP/SFTP, SSH, databases, email accounts connected to the site, and any third-party services used for deployment.

If possible, add multi-factor authentication. Remove unfamiliar administrator accounts immediately.

4. Clean files and database entries

Malware can hide in theme files, plugin files, uploads, cron jobs, database content, mu-plugins, cache folders, and server config files.

A complete cleanup checks all of these places. Removing only the visible defacement often leaves the backdoor behind.

5. Patch the entry point

A clean website can be reinfected if the original weakness remains. Common entry points include outdated plugins, weak passwords, exposed admin panels, nulled themes, vulnerable form handlers, and insecure file permissions.

Recovery should always include root cause analysis and hardening.

6. Request review after cleanup

If browsers, Google, security vendors, or hosting providers flagged the site, request a review after the site is clean. Submitting too early can delay removal of warnings.

Recovery is more than getting online

The real finish line is not “the homepage loads again.” It is a clean site, patched entry points, verified backups, and monitoring that can catch suspicious behavior early.