Finding out your website has been hacked is stressful, but panic leads to mistakes that make things worse. There's a right order to handle this, and following it protects your data, your customers, and your search rankings.
Here's exactly what to do, in order.
1. Confirm It's Actually a Hack
Before reacting, verify what you're seeing. Common signs your site has been compromised:
- Strange redirects to unfamiliar websites
- A Google search warning saying "This site may be hacked"
- Unfamiliar admin accounts or files you didn't create
- Spam content appearing on pages you didn't write
- Your hosting provider emailing you about suspicious activity
Check: Search your domain in Google. If you see a "This site may harm your computer" or "hacked" warning in the results, that confirms it.
2. Take the Site Offline or Enable Maintenance Mode
The first priority is stopping active damage, whether that's malware spreading to visitors, spam content hurting your reputation, or data continuing to leak.
Action: Put your site into maintenance mode or take it fully offline through your hosting control panel while you investigate. This limits exposure while you work through the remaining steps.
3. Contact Your Hosting Provider Immediately
Most hosting companies deal with hacked sites regularly and can help identify the scope of the problem, sometimes with tools you don't have direct access to.
Action: Call or open a support ticket right away. Ask specifically whether they've detected malware, unauthorized file changes, or unusual server activity tied to your account.
4. Restore From a Clean Backup
If you have a recent backup from before the hack, restoring it is usually faster and safer than trying to manually clean an infected site, where hidden backdoors can easily be missed.
Action: Restore from the most recent backup you're confident predates the compromise. If you don't have a backup, this is exactly the gap a managed hosting or security plan is meant to prevent going forward.
5. Change Every Password and Access Key
Assume every credential connected to your website has been exposed. This includes more than just your CMS login.
Change passwords for:
- Your CMS admin account (WordPress, Shopify, etc.)
- Hosting control panel
- Domain registrar
- FTP and database access
- Any API keys or third-party integrations connected to the site
Use unique, strong passwords for each, and enable two-factor authentication everywhere it's available.
6. Scan for Backdoors and Hidden Files
Hackers frequently leave hidden backdoor files behind so they can regain access even after you've cleaned the visible damage. Restoring a backup doesn't always catch these if the backup itself was taken after the initial compromise.
Action: Run a full malware scan with a tool like Sucuri or Wordfence. For WordPress sites specifically, compare your file structure against a clean install to spot anything that doesn't belong.
7. Request a Google Security Review
If Google flagged your site as hacked or unsafe, that warning stays visible to searchers even after you've fixed the problem, until you request a review.
Action: Use Google Search Console's Security Issues section to request a review once you've confirmed the site is clean. This typically takes a few days to a couple of weeks to clear.
8. Notify Customers If Any Data Was Exposed
If the hack involved a database with customer information, emails, passwords, or payment details, you have both an ethical and often legal obligation to notify affected customers.
Action: Be direct and clear about what happened and what customers should do, such as changing reused passwords. Transparency here protects trust far more than silence does.
9. Harden Your Site to Prevent a Repeat
A site that got hacked once without addressing the underlying weakness is likely to get hacked again. Before considering this resolved, work through the basics:
- Update the CMS, all plugins, and themes to current versions
- Remove any plugins or themes you're not actively using
- Enable automated, off-site backups going forward
- Add brute force login protection
- Set up ongoing malware monitoring rather than waiting to notice symptoms
Why Speed and Order Both Matter
Acting fast limits the damage. Acting in the right order prevents you from making it worse, like restoring a backup that still contains the vulnerability, or bringing the site back online before confirming it's actually clean. If this process feels like more than you can handle alone, that's a normal reaction. Most business owners aren't equipped to do forensic security work on short notice, and that's exactly why ongoing monitoring exists in the first place.
Dealing with a hacked website right now, or want to make sure you're protected before it happens? Get a free website audit and we'll help you sort it out.
Want help applying this to your business?
Get a free website audit and a personalized action plan. No pressure, no sales pitch.