
A hacked website can disrupt your online presence and compromise sensitive data, but you do not have to panic. Many website owners face the same situation, and knowing the correct cleanup and protection process is the key to recovering safely. This guide provides a clear, step-by-step plan to identify, fix, and secure a hacked website with minimal downtime and maximum protection.
How hackers compromise websites

Websites can be compromised in many ways, often due to vulnerabilities that hackers can easily exploit. One common cause is poorly secured web hosting, such as weak server configurations or inadequate separation between multiple sites on the same server. Another frequent entry point is compromised login credentials, which may result from brute-force attacks, phishing, or passwords leaked in other breaches.
Outdated WordPress cores, plugins, or themes also pose a significant risk, as known security flaws can be exploited quickly. Additionally, using extensions from untrustworthy sources, including nulled or unofficial plugins and themes, often introduces hidden malware or backdoors.
Hackers can also use injection attacks to execute malicious scripts, access your database, or modify your website’s code, taking advantage of insufficient security measures.
Why websites become targets for hackers
It is a common misconception that small or obscure websites are safe from attacks. In reality, most hacks are opportunistic rather than targeted. Automated bots continuously scan the internet for vulnerable sites, and any weaknesses can make your website an easy target.
Hackers pursue different objectives when compromising a site. Data theft is a frequent goal, with stolen emails, passwords, and customer information often sold or reused for further attacks. Some hackers install malware to infect visitors’ devices, while others redirect traffic to fraudulent or scam websites. Attackers may also hijack server resources for cryptocurrency mining, sending spam, or launching DDoS attacks.
Phishing attacks create fake login or payment pages to steal credentials, and ransomware incidents lock site owners out until a ransom is paid. In other cases, hackers engage in hacktivism, defacing sites to promote political or ideological messages. Sometimes, hacking is simply for fun, practice, or testing, allowing attackers to refine skills or experiment with new techniques.
What occurs when hackers breach your site

Some attacks are immediately noticeable, such as a defaced homepage, spam content appearing across your site, unexpected redirects to other websites, or pages that you did not create.
Other compromises are less obvious and may require closer inspection. Your website may become unavailable, displaying a blank page or the infamous “white screen of death.” Security warnings can appear from browsers, Google Search Console, or services like Google Transparency Report, Norton Safe Web, or your hosting provider, indicating that your site contains malware, is unsafe, or has been blocked.
Changes in traffic patterns can also signal a problem, such as sudden drops in visitors or unexpected spikes from unfamiliar countries. Suspicious admin users, like new accounts you did not authorize or existing accounts with escalated privileges, are another red flag. Strange files or scripts in your webspace, particularly those containing unusual code, may indicate a breach.
Additionally, unusual activity in your logs, such as unrecognized login attempts, edits to files, or plugin modifications, can point to unauthorized access.
Beyond these visible symptoms, a hacked website can cause serious long-term damage to your business. It can lead to revenue loss, reduced traffic, and lower search rankings, while also damaging your brand’s reputation. Recovering from an attack can be time-consuming and expensive. You may face legal complications, lose valuable data, and incur higher costs for hosting and security services to prevent future incidents.
How to fix a hacked website
Check site access
When your website has been hacked, the first step is to determine how much control you still have over it. Understanding your access level will guide the next steps in the recovery process.
- Check if you can log in
Start by trying to log into your WordPress admin dashboard, typically found at yoursite.com/wp-admin. If the login screen does not appear or redirects you to another page, skip ahead to downloading and cleaning your website files first. Otherwise, enter your usual username and password. If that fails, attempt the password recovery process.
If these steps do not work, you can access your database, for example via phpMyAdmin, and check the wp_users table to see if your admin account still exists. If the account is present, you can reset the password directly in the database or create a new admin user to regain control. Additional options include resetting your password using FTP or WP-CLI, depending on your technical familiarity.
- Switch your site to maintenance mode
Once you have regained backend access, it is wise to temporarily take your site offline. This prevents further harm to visitors and protects your website’s reputation while you perform the cleanup. The most effective method is to enable maintenance mode.
You can do this using a maintenance mode plugin or by setting up a simple HTML maintenance page. Some content delivery networks, such as Cloudflare, also offer built-in maintenance mode screens, allowing you to quickly display a safe notice to visitors while you secure your website.
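WordPress also has a built-in maintenance flag that needs no plugin: a .maintenance file in the site root. The shell functions below are an added example, not part of the original article; they assume the argument is the directory holding wp-config.php and that you can write to it (WP-CLI users can do the same with `wp maintenance-mode activate`).

```shell
# WordPress serves a 503 "Briefly unavailable for scheduled maintenance" page
# while a .maintenance file exists in the site root and its $upgrading
# timestamp is less than 10 minutes old.  Setting the timestamp in the future
# keeps the notice up until the file is removed.  Caveat: the flag blocks
# wp-admin as well, so do the cleanup over SFTP or WP-CLI, or lift it briefly
# whenever you need the dashboard.

enable_maintenance() {
    root="$1"
    # One day ahead: WordPress compares time() against this value.
    later=$(( $(date +%s) + 86400 ))
    printf '<?php $upgrading = %s; ?>\n' "$later" > "$root/.maintenance"
}

disable_maintenance() {
    rm -f "$1/.maintenance"
}

# Succeeds (exit 0) when the flag exists and WordPress would still honour it.
maintenance_active() {
    f="$1/.maintenance"
    [ -f "$f" ] || return 1
    ts=$(sed -n 's/.*\$upgrading *= *\([0-9][0-9]*\).*/\1/p' "$f")
    [ -n "$ts" ] || return 1
    # The notice lapses once the timestamp is 600 seconds or more in the past.
    [ $(( $(date +%s) - ts )) -lt 600 ]
}
```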
Securing your website

After assessing access, the next step is to regain control and secure your site from further harm.
- Contact your hosting provider
Your hosting provider should be one of your first points of contact and can be your strongest ally in recovering a hacked website. For instance, on platforms like WordPress.com, security measures are in place to automatically remove hacks if a site becomes compromised - simply reaching out to support allows you to get immediate assistance.
Even if your website is hosted elsewhere, contacting your provider is crucial. On shared hosting, for example, the hack could have originated from another site on the same server, which means your site might remain at risk until the issue is addressed.
Speaking with your host can also clarify what recovery assistance they provide, alert you to any temporary account restrictions, and help you understand when and how the hack occurred through access and error logs.
- Back up your site in its current state
Even if the website is compromised, saving a backup is essential. It preserves recent content, provides evidence to analyze the source of the hack, and allows you to restore the site if something goes wrong during cleanup.
Be sure to back up both your site files and the database. This can be done using your hosting control panel, SFTP, or a dedicated backup plugin. Managed hosting providers often offer automatic backups. You can also copy the site to a local development environment to analyze and clean it safely without affecting the live site.
- Restore from a recent clean backup (if available)
If you previously set up an automatic backup system, restoring a clean, recent copy of your website is often the simplest way to recover from a hack. Ensure that the backup predates the attack or any suspicious activity. Ideally, first load the backup on a staging environment to perform diagnostics before applying it to your live site.
Keep in mind that restoring a backup does not fix the original vulnerability that allowed the hack. You will still need to investigate the cause and implement security measures to prevent the website from being compromised again.
Locking down your website
This phase focuses on securing your site by closing off the common entry points hackers use.
- Review all user accounts
Hackers often create hidden admin accounts to regain access to a compromised website. These accounts are usually disguised to avoid detection. To catch them, check all accounts in your WordPress Users menu and in your database.
Look for unfamiliar usernames, especially those with admin privileges, and either delete or downgrade them. Document any changes you make. Do the same for other accounts connected to your site, including hosting, FTP, email, CDN, and third-party tool logins.
- Change all passwords
After removing unauthorized accounts, update the passwords for all legitimate users. WordPress allows you to reset passwords site-wide, and plugins like Emergency Password Reset or Password Policy Manager can enforce strong password rules.
Implement multi-factor authentication (MFA) so that users must verify logins with a code sent to their email or phone. Apply the same process to all associated accounts outside WordPress.
For extra security, reset your database username and password, and update your wp-config.php file to match the new credentials; failing to do so will break your site. Also, replace the SALTs in wp-config.php, which WordPress uses to secure login sessions and cookies. These keys look like:
define( 'AUTH_KEY', 'your unique phrase' );
define( 'SECURE_AUTH_KEY', 'your unique phrase' );
define( 'LOGGED_IN_KEY', 'your unique phrase' );
define( 'NONCE_KEY', 'your unique phrase' );
define( 'AUTH_SALT', 'your unique phrase' );
define( 'SECURE_AUTH_SALT', 'your unique phrase' );
define( 'LOGGED_IN_SALT', 'your unique phrase' );
define( 'NONCE_SALT', 'your unique phrase' );
Use the official SALTs generator to create a new set, replace the old ones, save, and re-upload the file. This forces all users, including any hacker accounts, to be logged out immediately. The Emergency Password Reset plugin can automate this process as well.
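The same rotation can be done offline with the shell functions below, an added example that is not from the article (WP-CLI users have `wp config shuffle-salts` for the same job). They assume wp-config.php uses the `define( 'KEY', 'value' );` layout shown above, keep a .bak copy of the old file, and include a check that all eight values are fresh and distinct.

```shell
# Rotate the eight WordPress keys and salts in wp-config.php without using the
# online generator.  Each new value is 64 random characters from /dev/urandom,
# restricted to [A-Za-z0-9] so nothing needs escaping for sed or PHP.  Every
# existing login cookie and session becomes invalid as soon as the file is
# saved, including any the attacker holds.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

random_salt() {
    # 4 KiB of entropy leaves roughly 1000 alphanumerics, of which 64 are kept.
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 64
}

rotate_wp_salts() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    cp "$cfg" "$tmp"
    for key in $WP_SALT_KEYS; do
        new=$(random_salt)
        # Replace define( 'KEY', '<old value>' ); whatever the old value was.
        sed "s|define( *'$key', *'[^']*' *);|define( '$key', '$new' );|" "$tmp" > "$tmp.2"
        mv "$tmp.2" "$tmp"
    done
    cp "$cfg" "$cfg.bak"   # keep the old file so the change can be reverted
    mv "$tmp" "$cfg"
}

# Succeeds only if all eight keys are defined with distinct values of at
# least 64 characters, i.e. the placeholders are gone and nothing was reused.
salts_look_rotated() {
    cfg="$1"
    vals=""
    for key in $WP_SALT_KEYS; do
        val=$(sed -n "s|.*define( *'$key', *'\([^']*\)' *);.*|\1|p" "$cfg")
        [ "${#val}" -ge 64 ] || return 1
        vals="$vals$val
"
    done
    n=$(printf '%s' "$vals" | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 8 ]
}
```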
- Update all software
A website hack often occurs because files are outdated or vulnerable. Hackers may also alter core files to make it easier to reinfect your site.
To properly secure your website, updating all software to the latest version is essential. This includes the WordPress core, plugins, and themes. If you cannot access the admin dashboard or automatic updates fail, download the latest files from WordPress.org and install them manually via FTP. Be careful to preserve the wp-content folder and avoid overwriting wp-config.php.
Additionally, remove any unused, outdated, or unsupported plugins and themes, and consider updating server software, such as Apache or your PHP version. Managed platforms like WordPress.com automatically keep WordPress updated, and similar automatic updates can be activated for plugins and themes.
Remove hidden threats

After updating your software, it’s crucial to dig deeper and find hidden malware or backdoors. Hackers often leave these behind so they can regain access even after cleanup.
- Check your website files
Malicious code can hide in many parts of your site. The wp-content folder is a common location because it is not replaced during updates. Inspect this folder for hidden PHP files, especially in uploads, child themes, inactive themes, and plugins. If you cannot access the site normally, try renaming folders such as the plugins directory.
Also, review your active theme’s files for unfamiliar code. Download a clean copy of your theme from the WordPress directory or vendor (matching the same version as your site) and use tools like Diffchecker to compare files. File comparisons can also be done via SSH.
Hackers often hide malicious code at the top or bottom of files, encoded or obfuscated with PHP functions such as:
- base64_decode()
- eval()
- gzinflate()
- preg_replace()
- str_rot13()
Tools like Base64 Decode, UnPHP, or UnPacker can help decode suspicious code.
Pay special attention to critical files like:
- functions.php
- header.php
- footer.php
- index.php
- wp-config.php
- wp-load.php
Also watch for oddly named or slightly misspelled files such as wp-logon.php or wp-config1.php. Check the .htaccess file for suspicious redirects or code, and look for additional .htaccess files in wp-content or its subdirectories. File permissions should also be reviewed.
If this process is beyond your technical skills, seek professional help or use a security plugin or malware scanner, such as Jetpack, WordFence, MalCare, or Sucuri Security, to identify and remove hidden threats.
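The file checks above can be scripted as a first pass. The shell function below is an added example rather than the article's or any plugin's code; it assumes a standard WordPress layout under the directory you pass it, and it only reports, never deletes.

```shell
# Triage scan for the file checks above.  Walks a WordPress install and prints
# one "TAG<TAB>path" line per finding:
#   PHP_IN_UPLOADS  executable files under wp-content/uploads (never legitimate)
#   OBFUSCATION     PHP files calling the encoding functions listed above
#   EXTRA_HTACCESS  .htaccess files below wp-content
#   WORLD_WRITABLE  files any local account on the server could modify
#   RECENT_PHP      PHP files changed in the last N days (default 7)
# Legitimate plugins use some of these functions too, so OBFUSCATION hits are
# a review list, not a verdict; compare them against a clean copy.

OBFUSCATION_RE='base64_decode *\(|eval *\(|gzinflate *\(|preg_replace *\(|str_rot13 *\('

# Prefix every line on stdin with a tag and a tab.
tag_lines() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

scan_wp_tree() {
    root="$1"
    days="${2:-7}"
    find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null \
        | tag_lines PHP_IN_UPLOADS
    find "$root" -type f -name '*.php' \
        -exec grep -lE "$OBFUSCATION_RE" {} + 2>/dev/null | tag_lines OBFUSCATION
    find "$root/wp-content" -type f -name '.htaccess' 2>/dev/null | tag_lines EXTRA_HTACCESS
    find "$root" -type f -perm -002 2>/dev/null | tag_lines WORLD_WRITABLE
    find "$root" -type f -name '*.php' -mtime "-$days" 2>/dev/null | tag_lines RECENT_PHP
}
```

Run it as `scan_wp_tree /var/www/html | sort` and work through the tagged paths, starting with PHP_IN_UPLOADS and EXTRA_HTACCESS, which have no legitimate explanation.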
- Clean up the database
After a website hack, the WordPress database must also be carefully examined. Cleaning it manually can be time-consuming, particularly for large databases, so using a security plugin like those mentioned earlier is usually the easiest approach.
Alternatively, you can access your database via phpMyAdmin or a similar tool to inspect it manually. Look for hidden spam in the wp_posts table, suspicious keywords such as eval, base64, gzinflate, preg_replace, or assert, and common spam phrases like “gambling.” Always back up your database before making any changes. If uncertain, export the database and compare it to a clean backup to ensure no malicious entries remain.
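For a first pass over an exported database, and to review which accounts hold the administrator role (the user check described earlier), the shell functions below grep a mysqldump export offline. This is an added example, not the article's tooling; it assumes the dump was taken with --skip-extended-insert (one INSERT per row) and the default wp_ table prefix, which you can override with PREFIX.

```shell
# Offline triage of a database export taken with
#   mysqldump --skip-extended-insert ...   (one INSERT line per row)
# Two checks: content rows carrying script tags or the PHP keywords listed
# above, and every account whose capabilities row grants "administrator",
# resolved to its login name.  Nothing here modifies the dump.

PREFIX="${PREFIX:-wp_}"
DB_SUSPECT_RE='<script|<iframe|eval\(|base64_decode|gzinflate|str_rot13|assert\('

# Print "LINE:table" for each suspicious row in posts, postmeta and options.
dump_suspicious_rows() {
    grep -nE "^INSERT INTO \`${PREFIX}(posts|postmeta|options)\` " "$1" \
        | grep -iE "$DB_SUSPECT_RE" \
        | sed 's/^\([0-9]*\):INSERT INTO `\([^`]*\)`.*/\1:\2/'
}

# Print "user_id login" for each account holding the administrator role.
# The capabilities meta key carries the table prefix (wp_capabilities), so a
# non-default prefix changes both the table name and the key.
dump_admin_users() {
    dump="$1"
    ids=$(sed -n "s/^INSERT INTO \`${PREFIX}usermeta\` VALUES ([0-9]*,\([0-9]*\),'${PREFIX}capabilities',.*administrator.*/\1/p" "$dump")
    for id in $ids; do
        login=$(sed -n "s/^INSERT INTO \`${PREFIX}users\` VALUES ($id,'\([^']*\)'.*/\1/p" "$dump")
        printf '%s %s\n' "$id" "${login:-<no users row>}"
    done
}
```

Any administrator you do not recognise, and any flagged post_content or option row, gets looked at in phpMyAdmin before you decide what to delete.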
Recover and relaunch

Once your website is cleaned, it’s time to bring it back online.
- Re-upload clean site files
Upload your files and database from your local copy or staging site, unless you already completed repairs directly on the live site. After uploading, test the website’s key features, including navigation, forms, checkout, and login functionality. Check that all content, such as images and pages, displays correctly. Use an incognito browser window to confirm the site appears properly for visitors.
If maintenance mode is still active, disable it. Clear your site cache to prevent loading cached malware or outdated content. For added security, rescan your live site files and database tables to ensure no hidden threats remain. Use malware scanners both from within WordPress and externally to verify that your site is fully safe.
- Handle the aftermath
After your website is fully cleaned, it’s important to address the consequences of the hack.
Communicate with your customers
If the attack affected your users - through downtime, unusual site behavior, or a potential data breach - be transparent. Inform them about what happened, the steps you took to fix it, and the measures you are implementing to prevent future incidents. Clear communication helps maintain trust and reduces frustration.
Remove your website from blocklists
If Google Search Console or other services flagged your site as unsafe, request a review after completing the cleanup. In Google Search Console, navigate to Security & Manual Actions → Security issues to submit your site for re-evaluation. Doing so restores search visibility and removes browser warnings. Repeat this process for any other blocklists where your site may appear.
Restore lost content
Recover any pages, images, or posts that were deleted or damaged using your latest clean backup. Before republishing, verify that everything is free of malicious code to avoid reinfection.
Analyze the hack
Document the attack thoroughly: note how the site was compromised, what actions you took to clean it, and the steps you plan to implement for stronger future security. This record can help prevent similar incidents and improve your response if problems arise again.
Maintain ongoing monitoring
Set up continuous monitoring tools to track user logins, site changes, and system events. Regularly scan files for malware, monitor unusual activity, and remain vigilant for any signs of potential attacks.
Prevent future hacks

Finally, take steps to ensure your site stays secure and avoids repeated attacks. Follow essential security best practices:
- Use strong, regularly updated passwords.
- Enable multi-factor authentication for all critical accounts.
- Assign user roles with only the privileges necessary for their tasks.
Also, strengthen your website with additional protective measures:
- Use SSL encryption.
- Keep WordPress core, plugins, and themes up to date.
- Implement a reliable backup solution.
- Enable automatic malware scans and protection against brute-force attacks or DDoS.
- Add a firewall to filter malicious traffic and protect your site from future attacks.
Conclusion
A hacked website can lead to serious consequences. However, if handled and secured correctly, you can fully restore and protect your site effectively. Start by checking access permissions, backing up data, and cleaning both files and databases, then update your software, close vulnerabilities, and implement long-term security measures.
At the same time, maintaining regular monitoring and using robust security tools will help you prevent potential risks in the future.
