What to Do When Your Website Is Hacked — Step-by-Step Guide

Phone call on Thursday evening: "Szymon, something's happening. The site froze, and now it's showing some weird page with Chinese text". I know that feeling. A hack. Every business owner goes through this eventually.

I'll admit — when it happens, panic is natural. But panic is enemy number one. If you know what to do, you can minimize losses. In a few hours, your site can be back online. Without panic.

I've worked with businesses across the region for years. Viruses, malware, injected content—I've seen more than I'd like. I'm sharing exactly what to do in the first minutes after discovering a hack.

First Thing: Decide Whether to Panic

No. It doesn't help.

A hack doesn't mean business bankruptcy. It means work. Work that I can do. Millions of sites are hacked every year—most are restored. Yours will be.

Take a breath. Get a coffee. Sit down.

Step 1: Confirm It's Really a Hack (3-5 minutes)

Sometimes it looks like a hack, but it's a bug, a hosting problem, or something completely different.

What to do:

1. Open the site in an incognito/private browser window (to avoid the cache)

2. Check whether the problem shows on all devices (computer, phone)

3. Check the hosting access logs (if you have access to the panel)

4. Ask someone else to look at the site (it might be a local issue, it might be your computer)

Signs that it's really a hack:

  • Site shows foreign content (ads, political posts, crypto scam, anything not yours)
  • Site is completely changed
  • Google alerts you that site contains malware (check: Google Search Console)
  • Messages from customers "What happened to your site?"
  • Weird emails from backup tools or other systems (e.g. the hacker deleted backups)

If you confirm it's a hack—move to step 2.

Step 2: Close Access—Right Now, Immediately (5 minutes)

Every minute the site is online with malware can be dangerous to your users. Also bad for SEO (Google sees malware).

Do this right now:

1. Disable database access or shut down the site completely. If you have hosting panel access (cPanel, Plesk), disable the site. If it's WordPress, change the .htaccess file and put 403 Forbidden on the entire site. If you can't, go to step 3.

2. If you can't shut down the entire site, at least disable the admin panel (/wp-admin for WordPress). Add a rule to .htaccess that blocks access to the wp-admin directory for everyone (Order allow,deny / Deny from all).

3. If possible, change all passwords: the password to the hosting panel, to FTP, to WordPress, and to the email connected to the site. Everything.

Why? The hacker who hacked your site probably has passwords. They can do whatever they want. They can add a backdoor (a hidden door) that lets them back in even after we remove the malware.
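
An added example (not the author's own code) of the .htaccess lockdown from step 2, as a shell function to run over SSH. It goes slightly beyond the text by also writing the Apache 2.4 form, because the Order/Deny directives quoted above are 2.2 syntax and produce a 500 error on 2.4 when mod_access_compat is not loaded. The function name and the backup file naming are illustrative, and it assumes Apache honours .htaccess for the directory.

```shell
#!/bin/sh
# Added example: close a directory to all visitors through .htaccess.
# Assumption: Apache reads .htaccess here (AllowOverride is enabled).

lockdown_site() {
    docroot=$1
    ts=$(date +%Y%m%d-%H%M%S)

    # Keep the current .htaccess instead of overwriting it blindly:
    # attackers often edit it (redirects, handlers), so it is evidence,
    # and you need the original rules when the site goes back online.
    if [ -f "$docroot/.htaccess" ]; then
        cp -p "$docroot/.htaccess" \
              "$docroot/.htaccess.pre-lockdown.$ts" || return 1
    fi

    # mod_authz_core exists only in Apache 2.4+, so each server version
    # reads exactly one of the two blocks and answers 403 Forbidden.
    cat > "$docroot/.htaccess" <<'EOF'
# Incident lockdown: deny every request (403 Forbidden)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
}
```

Pointing the same function at the wp-admin directory gives the narrower block from point 2. After running it, request the site from an incognito window and confirm you get a 403 rather than a 500.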

Step 3: Contact Your Hosting Provider (10-15 minutes)

Call. Don't email. Phone. Immediately.

Say:

  • Your site was hacked
  • You want to temporarily shut down the site or the entire account (so the hacker can't continue)
  • Can they check access logs (to find how they got in)
  • Can they restore a backup from before the hack

Decent hosting has backups. That's your safety net. If you have a backup from 24 hours ago, you can restore the site to its state before the attack.

Questions worth asking:

  • When was the last backup made?
  • Can they identify from what IP/country the attack came?
  • Does the site have malware?
  • Can I temporarily shut down the site?

Good hosting will cooperate. Bad hosting will say "sorry, I don't see a problem"—if that happens, find new hosting, but now focus on rescue.

Step 4: Make Full Backup of Current State (if you can) (15-30 minutes)

Paradoxically, even though the site is hacked, you want a backup of this state. Why? So a developer (me, or someone else) can examine it and find exactly what the hacker did. It helps in the future.

How to back up a hacked site:

1. SSH to the server (if you have access) and use the scp command to copy all files

2. Or log in via FTP and download all files locally

3. Download the database (phpMyAdmin → Export)

Keep this backup on a safe disk. It's evidence. It's what a developer will need.
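
An added example (not the author's own code) of taking that evidence copy on the server before pulling it down with scp: one archive plus SHA-256 hashes, so a developer can later confirm the files are exactly what was captured. It assumes GNU tar and sha256sum, the function and file names are illustrative, and the database export from point 3 is still done separately.

```shell
#!/bin/sh
# Added example: archive a hacked docroot as evidence, with hashes.
# Assumes GNU tar and sha256sum (typical Linux hosting).

snapshot_site() {
    docroot=$1    # site files, e.g. /var/www/example (placeholder path)
    outdir=$2     # must be OUTSIDE the docroot, or the archive ends up
                  # inside itself and downloadable from the web
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$outdir/site-evidence-$ts.tar.gz"
    manifest="$outdir/files-$ts.sha256"

    mkdir -p "$outdir" || return 1

    # Per-file hashes, recorded before anything is cleaned or restored.
    ( cd "$docroot" && find . -type f -exec sha256sum {} + ) \
        > "$manifest" || return 1

    # tar keeps modification times, owners and permissions, which an
    # FTP download usually loses. The timestamps matter for the timeline.
    tar -czf "$archive" -C "$docroot" . || return 1

    # Hash of the archive itself, to verify the copy after scp.
    ( cd "$outdir" && sha256sum "$(basename "$archive")" ) \
        > "$archive.sha256" || return 1

    # Read-only, so the evidence is not edited by accident.
    chmod a-w "$archive" "$archive.sha256" "$manifest"
    echo "$archive"
}
```

After copying the files to your own machine, running sha256sum -c on the .sha256 file next to the archive confirms the transfer did not alter it.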

Step 5: Restore from Backup OR Clean (1-4 hours)

You have two paths here.

Path A: Restore from clean backup (preferred)

If the hosting has a backup from 24-48 hours ago, tell them to restore it. This is the simplest way.

Gain: site returns to normal quickly.

Risk: if the backup has outdated data (e.g. you changed product prices yesterday and the backup is from the day before), you lose those changes. So restoring a backup is always a business decision: what hurts more, that a hacker controls the site or that you lose 24 hours of data?

Path B: Manual cleaning (time-consuming, but precise)

If you don't have a backup, or prefer not to restore—you must manually find and remove malware. This is work for a developer.

Where to look:

  • Recently modified files (check the timestamp in FTP)
  • PHP files in places where PHP shouldn't be (media folder, etc.)
  • Weird files (shell.php, backdoor.php, x7x.php)—definitely a hack
  • In source code—eval(), base64_decode(), assert()—common malware hiding techniques
  • Theme files (in WordPress)—hacker modifies them

If you can't do this, it's time to call a developer. Don't risk it. Cleaning can be difficult: if you mess something up, the site ends up more broken.
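
An added example (not the author's own code) that turns the "where to look" list into a read-only triage pass over a WordPress docroot. It assumes GNU find and grep and the standard wp-content/uploads layout, and the function names are illustrative. Run it against the evidence copy or the live files; it changes nothing.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress docroot. Nothing is deleted.
# Assumes GNU find/grep and the standard wp-content/uploads layout.
# Every hit is a lead for manual review, not a verdict: legitimate plugins
# also call base64_decode(), and an attacker can reset mtimes with touch.

# PHP files modified in the last N days (default 7).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" -print
}

# Executable PHP under uploads, where only media should live.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Files that call eval(), base64_decode() or assert().
# grep exits 1 on "no match"; treat that as success, keep real errors.
suspicious_calls() {
    grep -rlE --include='*.php' \
        '(eval|base64_decode|assert)[[:space:]]*\(' "$1" || [ $? -eq 1 ]
}

# One labelled report for the developer doing the cleanup.
triage_report() {
    echo "== PHP modified in last ${2:-7} days =="; recent_php "$1" "$2"
    echo "== PHP inside uploads ==";               php_in_uploads "$1"
    echo "== eval/base64_decode/assert ==";        suspicious_calls "$1"
}
```

A file that appears in more than one section, such as a recently changed PHP file inside uploads that also calls eval(), is the first thing to open.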

In WordPress—special steps:

1. Install a plugin like Wordfence or Sucuri; they scan for malware

2. Change all passwords (WordPress admin, database, FTP)

3. Delete all old plugins and themes

4. Update WordPress to latest version

5. Remove unused plugins

Step 6: Change ALL Passwords (10 minutes)

This is the step everyone skips. Don't skip it.

What to change:

  • WordPress admin password
  • Database password
  • FTP/SFTP password
  • Password for the email connected to the site
  • Hosting panel password
  • Domain password (whois contact email)

The hacker who hacked your site probably has at least one password. New passwords should be:

  • Minimum 16 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Not "qwerty123" or other common patterns
  • Stored in a password manager (LastPass, 1Password)

Step 7: Notify Google (24 hours)

After your site is clean and online:

1. Google Search Console → Security Issues. Tell Google the problem is removed and ask for review.

2. Google Safe Browsing → Report form. Say the site no longer contains malware.

3. If customers were exposed (e.g. hacker sent phishing emails)—consider notifying them. Always better to be transparent.

Google takes time to trust the site is clean. Sometimes days. Sometimes a week. Be patient.

Step 8: Learn How It Happened (next day)

After the site is restored, analyze what happened.

Questions to ask:

  • What plugin/theme was vulnerable?
  • Were there old versions of software?
  • Were passwords weak?
  • Were backups being made regularly?
  • Were security updates regular?

If it's WordPress—check which plugins were recently updated. Hackers attack old plugins that aren't patched.

Step 9: Security for the Future (this hour if possible)

Now that the site is secure—you don't want this to happen again.

Required:

1. Security plugins (WordPress): Wordfence, Sucuri, iThemes Security

2. Regular backups—daily or at minimum weekly. On a different server than the hosting. Google Drive, S3, cloud solution.

3. Regular updates—plugins, themes, WordPress itself. Check weekly minimum for updates.

4. Strong passwords—for every account. Password manager.

5. Two-factor authentication—for WordPress, FTP, hosting.

If you run something more critical (e-commerce, customer data):

  • Web Application Firewall (WAF)—Cloudflare, Sucuri, Wordfence
  • Regular security audits (once a year)
  • SSL certificate (https)—should always be there
  • Update dependencies (if custom code)

My Experience-Based Advice

Everyone who runs a website should be prepared for a hack. It's not if, it's when.

So:

1. Have regular backups. Off-site. Not on the same server as the site. If the server burns, the backup burns with it.

2. Update everything. Plugins, themes, operating system, libraries. Don't ignore updates because "the site might change". Updates contain security patches.

3. Use strong passwords. And don't reuse passwords between services.

4. If your site touches finances (payments, card data)—take security seriously. Have WAF. Have regular audits.

5. If you're on WordPress—this CMS is popular. That means it's attacked. But it also means the security community is active. Take advantage of that.

Emergency Support at Szympanstudio

If your site is hacked and you need immediate help, I can provide it. I work with businesses across the world, so I can take emergency cases for any site.

If you're panicking right now, email or call. We'll help restore the site to its normal state.

A hack isn't the end of the world. It's an incident. An incident that can be fixed. And that you can learn from.

Be prepared. Have backups. Update. Don't panic. And don't wait for a hacker to secure yourself. Do it now.