If your website gets hacked, act fast: take the site offline, capture a full backup for forensics, reset all passwords and API keys, scan and remove malware, patch vulnerabilities, restore clean files or a safe backup, re-enable the site, and harden security.
Document each step, notify affected users if data was exposed, and monitor continuously. Written by a senior technical SEO and hosting specialist, this is a clear, beginner-friendly guide on what to do if your website gets hacked.
Follow these 10 steps to recover quickly, reduce damage, and prevent future attacks. This process aligns with modern security best practices and is optimized to help you rank while solving the problem.
Quick 10-Step Incident Response Checklist
- Confirm the hack; switch to maintenance mode.
- Take forensic backups (files, database, and logs).
- Reset all credentials and revoke tokens.
- Scan and isolate malware.
- Clean/replace core, themes, and plugins.
- Audit users, cron jobs, and backdoors.
- Patch and update everything.
- Restore a safe backup if needed (staging first).
- Re-enable, request blacklist reviews, and communicate.
- Harden settings and enable continuous monitoring.
Step 1: Confirm the Hack and Enable Maintenance Mode
Common signs your site is hacked: unexpected redirects, unknown admin users, spam pages, strange spikes in traffic, defaced pages, Google Safe Browsing warnings, or email blacklisting. If any are present, treat it as an incident.
Put the site into maintenance mode to protect visitors and reduce further damage. For WordPress, use a maintenance plugin or a temporary 503 page. Restrict access to your IP when possible.
# Apache: limit access by IP (in .htaccess)
Require all denied
Require ip 203.0.113.10
# Nginx: server block
allow 203.0.113.10;
deny all;
Step 2: Take Forensic Backups and Notes
Before cleaning anything, capture the current state. This preserves evidence and helps understand the entry point. Save timestamps and keep a change log of everything you do.
# Tar your web root (replace path)
tar -czf hacked-site-files-$(date +%F).tar.gz /var/www/html
# Dump your database (replace credentials/db)
mysqldump -u dbuser -p dbname > hacked-site-db-$(date +%F).sql
# Copy recent logs for analysis
cp /var/log/nginx/access.log ./access-$(date +%F).log
cp /var/log/nginx/error.log ./error-$(date +%F).log
If you’re hosted with YouStable, open a ticket to snapshot the instance and pull server-level logs; our team can assist with safe imaging and staging.
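An added example, not part of the original guide, that wraps the Step 2 commands in one function: it refuses to store evidence inside the web root, records per-file hashes of the live tree, and hashes every artifact so the copy can be verified later. The function name and output file names are hypothetical; it assumes GNU tar and sha256sum and an evidence directory that already exists.

```shell
#!/bin/sh
# Usage: collect_evidence <webroot> <existing_evidence_dir> [logfile...]
# Prints the path of the new case directory on success.
collect_evidence() (
    webroot=$(cd "$1" && pwd -P) || exit 1
    outdir=$(cd "$2" && pwd -P) || exit 1
    shift 2
    # Evidence kept under the web root is downloadable by anyone and would
    # be swept into its own archive, so refuse that layout.
    case "$outdir/" in
        "$webroot"/*) echo "evidence dir is inside the web root" >&2; exit 2 ;;
    esac
    umask 077    # the archive contains secrets such as wp-config.php
    case_dir="$outdir/case-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir "$case_dir" || exit 1
    # Per-file hashes of the live tree: a baseline for later comparison.
    (cd "$webroot" && find . -type f -exec sha256sum {} + | sort -k2) \
        > "$case_dir/file-hashes.txt"
    # tar records each file's mode, owner and mtime, which the timeline needs.
    tar -C "$webroot" -czf "$case_dir/files.tar.gz" . || exit 1
    for log in "$@"; do
        cp -p "$log" "$case_dir/" || exit 1    # -p keeps the log's timestamps
    done
    # Hash every artifact so later tampering or corruption is detectable.
    sums=$(cd "$case_dir" && sha256sum -- *) || exit 1
    printf '%s\n' "$sums" > "$case_dir/SHA256SUMS"
    printf '%s collected %s\n' "$(date -u +%FT%TZ)" "$webroot" \
        >> "$case_dir/CHANGELOG"
    echo "$case_dir"
)
```

Running `sha256sum -c SHA256SUMS` inside the case directory confirms the artifacts are unchanged; append each later action to CHANGELOG to keep the change log the step asks for.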
Step 3: Reset Credentials Everywhere
Assume credentials are compromised. Reset all passwords with unique, long passphrases and enable 2FA where available.
- Hosting panel (cPanel/Plesk), SSH/SFTP, and database users
- CMS admin accounts (WordPress), all editor/contributor accounts
- API keys and tokens (payment, CDN, SMTP, analytics)
- Email accounts and SMTP credentials used by the site
- WordPress salts and keys to invalidate sessions
# WordPress: update salts (wp-config.php)
# Generate new keys at https://api.wordpress.org/secret-key/1.1/salt/
# Replace the existing AUTH_KEY, SECURE_AUTH_KEY, etc.
# WP-CLI: list users, then set a new password for each user ID
# (changing a password invalidates that user's existing login cookies)
wp user list
wp user update <ID> --user_pass=<StrongRandomPassword>
wp cache flush
wp transient delete --all
Step 4: Scan and Isolate Malware
Use multiple scanners to reduce false negatives. For WordPress, run plugins like Wordfence or Sucuri Security. On the server, use ClamAV or Maldet. Quarantine suspicious files rather than deleting immediately.
- Look for recent files in wp-content/uploads, unknown PHP files, or modified core files.
- Search patterns: base64_decode, eval, gzinflate, system, assert in PHP.
- Check .htaccess for rewrite rules or PHP execution in uploads.
# Find suspicious code (quick heuristics)
grep -R --line-number --color -E "base64_decode|eval\(|gzinflate|shell_exec|system\(" /var/www/html
# List recently changed files
find /var/www/html -type f -mtime -7 -ls
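An added example, not from the original guide, of quarantining instead of deleting: PHP-type files under wp-content/uploads are moved out of the web root, renamed so they can no longer be parsed as PHP, and logged with their hash and original path. The function name, the MANIFEST file and the .quarantined suffix are hypothetical; legitimate placeholder files may be caught too, which is why files are moved with a manifest rather than removed.

```shell
#!/bin/sh
# Usage: quarantine_uploads_php <webroot> <quarantine_dir>
# Prints the number of files moved. The quarantine directory must live
# outside the web root. File names containing newlines are not handled.
quarantine_uploads_php() (
    webroot=${1%/}; qdir=$2
    uploads="$webroot/wp-content/uploads"
    [ -d "$uploads" ] || { echo "no uploads dir under $webroot" >&2; exit 1; }
    mkdir -p "$qdir" || exit 1
    chmod 700 "$qdir" || exit 1
    list=$(mktemp) || exit 1
    # Extensions mirror the PHP handlers the guide disables for uploads.
    find "$uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' \) > "$list"
    count=0
    while IFS= read -r f; do
        rel=${f#"$webroot"/}
        dest="$qdir/$rel.quarantined"    # suffix: never parsed as PHP again
        mkdir -p "$(dirname "$dest")" || exit 1
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        mv "$f" "$dest" || exit 1        # mv keeps the original mtime
        chmod 400 "$dest"                # readable for analysis, not executable
        printf '%s  %s\n' "$hash" "$rel" >> "$qdir/MANIFEST"
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
)
```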
Step 5: Clean and Replace Core, Themes, and Plugins
Replace, don’t edit, when possible. Reinstall the CMS core and trusted extensions from official sources. Remove anything you don’t recognize or no longer use.
- Delete and re-upload core WordPress files from a fresh download.
- Reinstall themes/plugins; avoid nulled or abandoned items.
- Remove unknown files in root and wp-content (except legit uploads).
- Review wp-config.php and .htaccess for injected directives.
# WP-CLI: re-install core; --skip-content leaves wp-content (bundled themes/plugins) untouched
wp core download --force --skip-content
wp plugin list
wp plugin update --all
wp theme update --all
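An added example, not from the original guide, that shows what a core reinstall will replace or leave behind: it compares the live site against a clean reference tree and reports modified, extra and missing files. The function name is hypothetical, and it assumes a fresh copy of the same WordPress version has been unpacked into the reference directory.

```shell
#!/bin/sh
# Usage: core_drift <clean_reference_dir> <live_webroot>
core_drift() (
    clean=$(cd "$1" && pwd -P) || exit 1
    cd "$2" || exit 1
    # wp-content and wp-config.php are site-specific, so they are excluded
    # here and reviewed separately.
    find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' |
    LC_ALL=C sort |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "EXTRA ${f#./}"       # not shipped with core: inspect it
        elif ! cmp -s "$f" "$clean/$f"; then
            echo "MODIFIED ${f#./}"    # core file whose contents changed
        fi
    done
    # Core files that have disappeared from the live site.
    (cd "$clean" && find . -type f ! -path './wp-content/*' | LC_ALL=C sort) |
    while IFS= read -r f; do
        [ -f "$f" ] || echo "MISSING ${f#./}"
    done
)
```

A root .htaccess is reported as EXTRA because it is not part of a core download, which matches the instruction above to review it for injected directives.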
Step 6: Audit Users, Cron Jobs, and Backdoors
Attackers often leave backdoors to regain access. Hunt for persistence mechanisms.
- Delete unknown admin users; review user roles and capabilities.
- Check wp_cron for suspicious events; inspect real system cron jobs.
- Scan uploads for PHP; block execution in uploads and cache folders.
- Look for mailer scripts or web shells in writable directories.
# WP-CLI: list admin users
wp user list --role=administrator
# System cron
crontab -l
ls -la /etc/cron.*
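# Apache server/vhost config: disable PHP in uploads
# (<Directory> and php_admin_flag are not allowed in .htaccess; php_admin_flag applies to mod_php)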
<Directory "/var/www/html/wp-content/uploads">
php_admin_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5 .php7
</Directory>
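An added example, not from the original guide, that uses the access logs saved in Step 2 to hunt for scripts in writable directories: it lists every PHP path under wp-content/uploads or wp-content/cache that the server answered with a 2xx status, with hit count, distinct clients and first-seen time. The function names and log lines are constructed, and it assumes the Nginx/Apache "combined" log format.

```shell
#!/bin/sh
# Usage: uploads_php_hits [access.log ...]   (reads stdin when no file is given)
uploads_php_hits() {
    awk '
    {
        path = $7; sub(/\?.*/, "", path)      # drop the query string
        lp = tolower(path)
        if (lp !~ /^\/wp-content\/(uploads|cache)\/.*\.(php[0-9]?|phtml)$/) next
        if ($9 !~ /^2/) next                  # keep only fulfilled requests
        ts = substr($4, 2)                    # strip the leading "["
        if (!(path in hits)) first[path] = ts # logs are in time order
        hits[path]++
        if (!((path, $1) in seen)) { seen[path, $1] = 1; clients[path]++ }
    }
    END {
        for (p in hits)
            printf "%s hits=%d clients=%d first=%s\n", p, hits[p], clients[p], first[p]
    }' "$@" | LC_ALL=C sort
}

# Constructed sample log lines (documentation IP ranges, invented paths).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [12/Mar/2024:03:14:07 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [12/Mar/2024:03:15:00 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:03:16:40 +0000] "POST /wp-content/uploads/2024/03/cache.php?x=1 HTTP/1.1" 200 90 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2024:04:02:11 +0000] "GET /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:04:05:00 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:04:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF
}
```

The first-seen time of the earliest such path is a useful lower bound when checking in Step 8 that a backup predates the compromise.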
Step 7: Patch and Update Everything
Outdated software is a top cause of hacks. Update core, plugins, themes, PHP, web server packages, and dependencies. Replace abandoned extensions with actively maintained alternatives. Enforce least-privilege file permissions.
- File permissions: 644 for files, 755 for directories; wp-config.php 600 when possible.
- Disable direct file editing in wp-admin.
- Rotate database and SMTP credentials after patching.
# wp-config hardening
define('DISALLOW_FILE_EDIT', true);
# Permissions (Linux)
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
chmod 600 /var/www/html/wp-config.php
Step 8: Restore a Safe Backup (If Needed)
If cleaning is complex or integrity is uncertain, restore from a known-good backup. Verify the backup predates the compromise, then patch it before going live. Always restore to staging first to validate functionality and security.
YouStable hosting includes automated backups and optional on-demand snapshots, making test restores simple. Our team can help you stage, scan, and validate before production cutover.
Step 9: Re-enable, Request Reviews, and Rebuild Trust
When the site is clean and patched, remove maintenance mode. If your site was flagged, open Google Search Console and check Security Issues, then request a review. Do the same for any blocklists (antivirus, email RBLs, hosting abuse desks).
- Rotate all sessions; force password resets for users if data was exposed.
- Disclose the incident to affected users as required by law (e.g., GDPR/CCPA).
- Monitor analytics and logs for anomalies after going live.
Step 10: Harden, Monitor, and Prevent Recurrence
Security is a process. Add layered defenses, monitoring, and recovery capabilities to prevent future incidents.
- Web Application Firewall (WAF) and rate limiting (e.g., host-level or plugin-based).
- 2FA for all admin accounts; implement IP allowlists for panel and SSH.
- Regular malware scans, file integrity monitoring, and log review.
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
- Automated, tested backups with offsite retention and staging restores.
# Example security headers (Nginx)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
How Long Recovery Takes and When to Call a Pro
Minor infections can be cleaned in a few hours. Complex compromises with lateral movement or database injection may take days. If you see repeated reinfections, spam pharma pages, or payment skimmers, bring in professionals immediately to avoid revenue loss and SEO damage.
YouStable’s security-aware hosting, daily backups, proactive patching, and support can reduce downtime and risk. We don’t just host; we help you recover and harden smartly.
Proactive Security Checklist (Save This)
- Maintain a staging environment to test updates.
- Update core, plugins, themes weekly; remove unused software.
- Enforce 2FA and least-privilege roles; review admins monthly.
- Block PHP execution in uploads; configure a WAF/CDN.
- Automate offsite backups; test restore quarterly.
- Set security headers and HTTPS sitewide; renew TLS early.
- Monitor server logs and enable file integrity monitoring.
- Run monthly malware scans; subscribe to vendor security advisories.
Why Hacks Hurt SEO—and How to Recover Rankings
Malware can inject spam pages, redirects, and cloaked content, causing deindexing or manual actions. After cleanup, submit sitemaps, fetch important pages, and monitor Search Console coverage and Security Issues. Fix soft 404s, remove injected URLs, and rebuild trust with faster performance and stronger Core Web Vitals.
Tools You Can Use (Free and Paid)
- Scanning: Wordfence, Sucuri Security (plugin), ClamAV, Maldet
- Hardening: iThemes Security, WP-CLI, server firewall/WAF
- Monitoring: UptimeRobot, log analyzers, Search Console
- Backups: Native host backups, plugins (UpdraftPlus), or snapshots
FAQs
1. How do I know if my website is hacked?
Warnings from Google or browsers, unexpected redirects, strange admin users, spammy pages in search results, sudden traffic changes, or emails flagged as spam are key signs. Check file modification dates, server logs, and install a security scanner to confirm.
2. Should I restore from a backup or clean manually?
If you have a known-good backup predating the compromise, restore it to staging, patch, then go live. If backups are uncertain or outdated, perform a clean reinstall of core and extensions, then surgically clean content and uploads. When in doubt, combine both: staged restore plus targeted cleanup.
3. Will cleaning my hacked site fix SEO penalties?
Cleaning removes the cause. Afterward, request a review in Google Search Console and clear blocklists. Submit fresh sitemaps, remove spam URLs, and monitor. Rankings usually rebound over days to weeks, assuming the site remains clean and technically sound.
4. What passwords and keys should I change after a hack?
Change hosting panel, SSH/SFTP, database, CMS admin, email/SMTP, and any API keys (payment, CDN, analytics). Regenerate WordPress salts and keys to invalidate sessions. Enable 2FA for admins and revoke unused tokens.
5. How can I prevent my site from getting hacked again?
Keep software updated, remove unused plugins, enforce 2FA, deploy a WAF, harden permissions, disable PHP in uploads, run regular scans, set security headers, and maintain tested offsite backups. Consider security-focused hosting like YouStable to add monitoring and recovery support.
Recovering from a hack is stressful, but with a disciplined, step-by-step process, you can restore safely and strengthen your defenses. If you need a hand with staging, backups, or hardening, YouStable is here to help.