Website Hacked? Here's What to Do Right Now
5 April 2026
Take a breath. Finding out your website has been hacked is scary, but you can fix this. Thousands of small business owners deal with it every year, and most get back online within days. What matters now is acting quickly and methodically.
This guide walks you through it step by step.
Signs your website has been hacked
Sometimes it's obvious. Sometimes it's subtle. Here are the most common red flags.
Your site redirects somewhere else. Visitors click your URL and end up on a gambling site, a pharmacy spam page or a phishing page. This is one of the clearest signs. You might not notice it yourself because some redirect malware only triggers for visitors coming from Google, not for people typing the URL directly.
Google shows a warning. Search results display "This site may be hacked" or "This site may harm your computer" under your listing. Browsers may block access entirely with a big red screen.
Unknown files or code appeared. You see PHP files you didn't upload, JavaScript injected into your theme files, or new pages you never created. Check your file manager or FTP and look for recently modified files.
Your admin password stopped working. If you can't log into your CMS and you didn't change the password, someone else probably did.
Customers are complaining. They're getting spam from your email address, seeing pop-ups on your site, or their antivirus software flags your pages.
Your hosting provider sent a warning. Many hosts scan for malware and will notify you or even suspend your account when they find something.
Unusual server activity. Your bandwidth spiked, your site is suddenly slow, or your server is sending emails you didn't authorize.
If any of these sound familiar, start with step one below.
Step 1: Don't panic, but document everything
Before you change anything, take screenshots. Capture the redirect behavior, the Google warning, the unknown files, the weird code. If this turns out to be a data breach, you'll need evidence of what happened and when you discovered it.
Open a text file and start a timeline. Write down:
- When you first noticed the problem
- What symptoms you saw
- Who reported it
- What the site looks like right now
This documentation matters for your hosting provider, for Google's review process, and potentially for data protection authorities.
Step 2: Change all passwords immediately
Every single one. Don't skip any.
- CMS admin account (WordPress, Joomla, Shopify, whatever you use)
- Hosting control panel (cPanel, Plesk, or your provider's dashboard)
- FTP and SFTP accounts
- Database passwords (MySQL, PostgreSQL)
- Email accounts connected to your domain
- Any API keys or tokens used by your website
Use strong, unique passwords for each. At least 16 characters. A password manager makes this manageable.
If your CMS supports two-factor authentication, turn it on right now. WordPress users can add it with a plugin like WP 2FA or Wordfence. This alone would have prevented many attacks.
Also check for admin accounts you don't recognize. Attackers often create a new admin user so they can get back in even after you change your password.
Step 3: Contact your hosting provider
Call or open a support ticket. Tell them your site has been compromised. Good hosting providers deal with this regularly and can help with:
- Identifying when the breach happened through server logs
- Scanning for malware on their end
- Providing access logs showing suspicious logins
- Restoring from their backup system
Some hosts offer malware removal as part of their support. Ask about it. Even if it's a paid service, it might be faster than doing it yourself.
Step 4: Take the site offline if it's distributing malware
This is a judgment call. If your hacked site is:
- Redirecting visitors to phishing pages
- Distributing malware downloads
- Sending spam emails
- Showing fake login pages designed to steal credentials
Then take it offline. Put up a simple maintenance page. Your business loses some traffic, but you protect your visitors and your reputation.
If the hack is limited to defacement or SEO spam injected into hidden pages, you can often keep the site running while you clean it. But don't take that risk if you're unsure.
Your hosting provider can help you set up a temporary maintenance page.
Step 5: Check your GDPR breach notification obligations
This step is easy to overlook in the chaos, but it has legal deadlines.
Under GDPR Article 33, if personal data was affected by the breach, you have 72 hours from the moment you became aware to notify your data protection authority. Not 72 business hours. 72 actual hours.
Ask yourself: did your website store personal data that the attacker could have accessed?
- Contact form submissions with names, emails, phone numbers
- Customer accounts with addresses or payment details
- Newsletter subscriber lists
- Order history or booking records
If the answer is yes, or even "maybe," you should report it. The notification doesn't have to be complete right away. You can provide initial details and follow up as you learn more.
Find your national data protection authority at edpb.europa.eu. In the Netherlands, it's the Autoriteit Persoonsgegevens. In Belgium, the Gegevensbeschermingsautoriteit.
If personal data was exposed and there's a high risk to the affected people, you also have to notify them directly. Our guide on GDPR and website security explains the full requirements.
Step 6: Scan for malware and backdoors
Changing passwords is not enough. Attackers plant backdoors so they can get back in even after you've cleaned the obvious malware.
For WordPress sites:
- Install Wordfence or Sucuri Security and run a full scan
- Check your theme's functions.php and header.php for injected code
- Look in your wp-content/uploads folder for PHP files (there shouldn't be any)
- Review your .htaccess file for redirect rules you didn't add
- Check wp-config.php for modified database credentials or added code
For any CMS:
- Compare your files against a fresh installation of the same version
- Look for recently modified files (especially in the last 30 days)
- Search for common backdoor patterns: eval(), base64_decode(), gzinflate(), str_rot13()
- Check your database for injected content, especially in post content and widget areas
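The file checks from the WordPress list and the "for any CMS" list above, as one added triage script written for this guide (it is not a tool from the page, from Wordfence or from Sucuri). It assumes a Unix shell with find and grep and a copy of the web root to scan; the sample web root it builds at the end is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added triage helper for step 6; not part of the original guide. Assumes a
# POSIX shell with find and grep (GNU or BSD), run against a COPY of the web
# root so the live site is not modified. Usage: triage_scan /path/to/copy [days]

# PHP files under wp-content/uploads (there should be none).
uploads_php() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Files modified within the last N days (default 30).
recently_modified() {
  find "$1" -type f -mtime "-${2:-30}" 2>/dev/null
}

# PHP files calling the obfuscation functions named in step 6. Legitimate
# plugins use some of these too, so every hit needs a manual look.
suspicious_functions() {
  grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' --include='*.php' "$1" 2>/dev/null
}

# .htaccess lines that rewrite or redirect; compare against what you added yourself.
htaccess_redirects() {
  grep -nEi 'RewriteRule|Redirect' "$1/.htaccess" 2>/dev/null
}

triage_scan() {
  root="$1"; days="${2:-30}"
  echo "== PHP files in uploads (should be empty) =="; uploads_php "$root"
  echo "== Files modified in the last $days days =="; recently_modified "$root" "$days"
  echo "== PHP files using eval/base64_decode/gzinflate/str_rot13 =="; suspicious_functions "$root"
  echo "== .htaccess redirect rules =="; htaccess_redirects "$root"
}

# Constructed sample web root (not a real site) so the script runs stand-alone:
# one planted PHP file in uploads, one clean theme file, one injected redirect.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads/2024" "$t/wp-content/themes/demo"
  printf '<?php eval(base64_decode("Li4u")); ?>\n' > "$t/wp-content/uploads/2024/image.php"
  printf '<?php add_action("init", "demo_init"); ?>\n' > "$t/wp-content/themes/demo/functions.php"
  printf 'RewriteEngine On\nRewriteRule ^ https://example.invalid/ [R=302,L]\n' > "$t/.htaccess"
  echo "$t"
}

demo_root=$(make_sample_tree)
triage_scan "$demo_root"
rm -rf "$demo_root"
```

Every hit is a lead to inspect, not proof of compromise; compare flagged files against a fresh download of the same plugin or theme version before deleting anything.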
External scanning tools:
- Sucuri SiteCheck (free online scan)
- Google Safe Browsing status check
- Your hosting provider's built-in scanner
Don't skip the backdoor hunt. If you clean the visible malware but miss a backdoor, you'll be hacked again within days.
Step 7: Restore from a clean backup
If you have a backup from before the hack, restoring it is often the fastest path.
But be careful. You need to know when the hack happened. If the attacker got in three weeks ago and your oldest backup is two weeks old, that backup is already infected.
Check with your hosting provider about backup retention. Some keep 30 days, others only 7.
After restoring:
- Change all passwords again (the backup contains the old passwords)
- Update everything immediately (the backup probably has the same vulnerability the attacker used)
- Scan the restored site for malware just to be safe
If you don't have a clean backup, you'll need to clean the infection manually or hire someone to do it. This is harder but not impossible. The malware scan from step 6 is your starting point.
Step 8: Update all software
Outdated software is how most small business websites get hacked. After you've cleaned up:
- Update your CMS to the latest version
- Update every plugin and extension
- Update your theme
- Update PHP to a supported version (8.2 or newer)
- Remove plugins and themes you're not using (deactivated plugins are still vulnerable)
WordPress sites are particularly at risk from vulnerable plugins. If you're running any plugin that hasn't been updated in over a year, replace it or remove it.
Step 9: Check Google Search Console
If Google flagged your site, you need to address it there.
Log into Google Search Console. Go to the Security & Manual Actions section. You'll see:
- Any security issues Google detected
- Sample URLs that triggered the warning
- The type of malware or hack detected
This information also helps you understand what the attacker did. If Google says "content injection" you know they modified your pages. If it says "URL injection" they created new pages.
Fix every issue listed before requesting a review.
Step 10: Request a review from Google
Once you've cleaned everything and confirmed the malware is gone:
- Go to Security Issues in Google Search Console
- Click "Request a review"
- Describe what happened and what you did to fix it
- Submit
Google typically reviews within a few days, though it can take up to two weeks. During this time, the warning may still appear in search results.
Be honest in your review request. Google rejects vague descriptions. Tell them specifically what type of malware you found, how the attacker got in and what you did to prevent it from happening again.
What NOT to do
A few common mistakes that make things worse.
Don't just revert the homepage and call it done. If the attacker changed your homepage, they almost certainly did more than that. The visible damage is just what they wanted you to see. The backdoors and hidden malware are what they didn't want you to find.
Don't ignore it and hope it goes away. Hacks get worse over time, not better. The attacker will use your server for more spam, inject more malware, and your Google rankings will tank. Your hosting provider may suspend your account.
Don't pay a ransom. Some attackers leave messages demanding payment. There's no guarantee they'll fix anything if you pay, and you'll mark yourself as someone willing to pay.
Don't blame your web designer and do nothing. Even if they built a poorly secured site, the problem exists now and needs fixing now. Sort out responsibility later.
Don't reinstall the same vulnerable software. If you restore a backup and don't update everything, you'll get hacked again through the same vulnerability. Sometimes within hours.
How to prevent it from happening again
Once you're back online and clean, take these steps so you don't end up back here.
Keep everything updated. Set a monthly reminder to check for CMS, plugin and theme updates. Or enable automatic updates for minor releases.
Use strong, unique passwords everywhere. Get a password manager. Stop reusing passwords across services.
Enable two-factor authentication on every account that supports it. Your hosting, CMS admin, email, domain registrar.
Install a security plugin. For WordPress, Wordfence or Sucuri offer free tiers that include a firewall, login protection and malware scanning.
Set up automated backups. Daily backups with at least 30 days of retention. Store them somewhere separate from your hosting account. If your host gets compromised, your backups on the same server are useless.
Limit admin accounts. Only give admin access to people who actually need it. Remove accounts for old employees, freelancers or agencies you no longer work with.
Monitor your site. Regular scans catch problems before they become crises. You can run a free security scan to see where your website stands right now.
For a full prevention plan, read our security checklist for small businesses.
FAQ
Do I have to report a hack to the data protection authority?
Only if personal data was affected. If your website stores contact form submissions, customer accounts or order data, and the attacker could have accessed that data, then yes. GDPR Article 33 gives you 72 hours from the moment you became aware. When in doubt, report it. Under-reporting carries bigger fines than over-reporting.
How long does it take to recover from a website hack?
It depends on the severity. A simple malware injection with a clean backup available? You can be back in a few hours. A deep compromise with no backup and Google warnings? That can take one to two weeks. The Google review process alone takes several days.
Will my Google rankings recover after a hack?
Usually yes, but it takes time. Once Google removes the security warning, your rankings should start coming back within a few weeks. The longer the warning stays up, the longer recovery takes. Acting fast matters.
Can I clean a hacked website myself or do I need a professional?
For a straightforward WordPress malware infection, most technically comfortable site owners can handle it with a security plugin scan and a clean backup restore. For more complex attacks involving database compromises, multiple backdoors or custom-built websites, consider hiring a professional. The cost of a security cleanup service is usually between €200 and €500.
How do hackers get into small business websites?
The most common ways: outdated plugins with known vulnerabilities, weak passwords, stolen FTP credentials, and compromised hosting accounts. WordPress plugins are the number one entry point. Keep them updated and remove any you don't actively use. Our guide on vulnerable WordPress plugins covers the highest-risk ones.
Take action now
If you're reading this because your site has been hacked, start at step one and work through the list. Don't skip steps. The cleanup process matters as much as the recovery.
If you're reading this to prepare, good. Run a free security scan to check your website for common vulnerabilities before an attacker finds them first.