What to Do If Your Website Gets Hacked
Discovering that your website has been hacked is a stomach-dropping moment. The pages you carefully built are defaced, redirecting elsewhere, or quietly serving malware to your visitors; customers may be seeing warnings; and your first instinct is likely to panic. Yet the businesses that come through a security incident with the least damage are almost never the ones that reacted fastest in fear — they are the ones who responded calmly and methodically, following a clear plan.
This guide gives you that plan. It walks through what to do if your website gets hacked, step by step, from the first moments of containment through cleaning, restoring and securing the site, to preventing a repeat. It is written for business owners rather than security engineers, so the steps are practical and explained plainly. It complements our guides to website security basics and the wider website maintenance guide.
First, recognise the signs
Sometimes a hack is obvious — your homepage is replaced with someone else's message. Often, though, it is subtle. Tell-tale signs include unexpected redirects to unfamiliar sites, strange new pages or pop-ups, a sudden drop in traffic, warnings from your browser or search console that the site may be harmful, unfamiliar user accounts, or your host suspending the site for sending spam. If something feels wrong, treat the possibility seriously rather than hoping it resolves itself.
The single most important mindset is to act quickly but not rashly. Every hour a compromised site stays live, it may be harming visitors, damaging your reputation with search engines, and giving the attacker more time. But hasty, panicked changes can also destroy evidence of how the breach happened or make recovery harder. The steps below balance speed with care, in roughly the order you should follow them.
Step one: contain the damage
Your first priority is to stop the bleeding. If the site is actively harming visitors — serving malware, redirecting them, or stealing data — take it offline or put it into maintenance mode immediately. A temporary holding page is far less damaging than a live site spreading malware to your customers and to anyone search engines warn away.
At the same time, contact your hosting provider. Hosts deal with compromised sites routinely, can often see what is happening at the server level, and may already have detected the issue. They can advise on immediate containment and, in some cases, assist with the cleanup. Do not be embarrassed to ask; this is a normal part of running websites, and your host is your ally here.
Step two: lock down access
Once the immediate harm is contained, cut off the attacker's access. Change the passwords for everything connected to the site: your hosting account, your content management system, your database, FTP or file access, and any connected email or third-party services. Use new, strong, unique passwords for each, and where multi-factor authentication is available, enable it now.
Review the list of user accounts with access to your site and remove anything unfamiliar — attackers often create new administrator accounts to maintain a way back in. Revoking access comprehensively is essential, because cleaning the site is pointless if the attacker can simply walk back in through a credential or account you missed.
| Step | What it achieves |
|---|---|
| Contain | Take the site offline and stop it harming visitors |
| Lock down | Change all passwords and remove unfamiliar accounts |
| Clean or restore | Restore a clean backup or remove all malicious code |
| Close the gap | Patch the vulnerability so it cannot recur |
Step three: clean or restore the site
Now comes the actual recovery, and here you generally have two paths. The first and usually cleanest is to restore from a backup taken before the compromise. If you have a recent, clean backup, restoring it returns the site to a known-good state without the painstaking work of hunting down every piece of malicious code. This is precisely why reliable backups matter so much — our guide on backing up your website explains how to keep them ready for exactly this moment.
The second path, if you have no usable backup, is to clean the site in place: identify and remove the malicious code, delete any files the attacker added, and repair what was changed. This is more difficult and error-prone, because missing even a single hidden backdoor allows the attacker straight back in. For a serious or stubborn compromise, this is the point at which bringing in professional help is wise — security specialists can identify and remove threats more reliably than a non-expert working under pressure. Whichever path you take, scan the cleaned or restored site thoroughly before considering it safe.
Step four: close the gap that let them in
Restoring a clean site is only half the job. If you do not fix the weakness that allowed the breach, you are simply waiting to be hacked again — often within days, by the same automated attack. Identify how the attacker got in, which usually comes down to a known set of culprits: outdated software with an unpatched vulnerability, a weak or reused password, or a compromised plugin or theme.
Whatever the cause, address it now. Update everything to the latest versions, strengthen authentication, remove any software you do not need, and apply the security fundamentals described in our security basics guide and the widely respected OWASP recommendations. Closing the specific gap is what turns a one-off incident into a genuine recovery rather than a recurring nightmare.
Step five: restore service and monitor closely
With the site cleaned, secured and the vulnerability patched, you can bring it back online. But the job is not quite finished. For a period afterwards, monitor the site closely for any sign of re-infection or unusual activity, because attackers sometimes leave dormant backdoors that activate later. Keep a particularly close eye on new user accounts, file changes and traffic patterns in the weeks following the incident.
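As an added illustration (not part of the original guide), the Python example below shows one way to do the file checks from steps three and five: it hashes every file in a known-clean backup and in the live site, then lists what was added, removed or modified. The function names, directory names and sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 or link target."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):  # directory symlinks are not followed
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Record a symlink by its target so a newly planted link still shows up.
            manifest[rel] = ("symlink->" + os.readlink(full)
                             if os.path.islink(full) else sha256_file(full))
    return manifest

def diff_manifests(baseline, current):
    """Compare a known-good manifest with the one taken from the live site."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: a small 'backup' tree and a tampered 'live' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "uploads").mkdir(parents=True)
            (root / "index.php").write_text("<?php home();")
            (root / "contact.php").write_text("<?php form();")
        (live / "index.php").write_text("<?php home(); /* injected */")
        (live / "uploads" / "cache.php").write_text("<?php /* unexpected */")
        (live / "contact.php").unlink()
        return diff_manifests(build_manifest(backup), build_manifest(live))

if __name__ == "__main__":
    print(demo())
```

Use a backup taken before the compromise as the baseline; a manifest saved once the site is confirmed clean can serve as the baseline for later checks during the monitoring period.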
It is also worth requesting a review from search engines if your site was flagged or blacklisted, so that any warnings shown to visitors are lifted once the site is confirmed clean. Restoring not just the site but its reputation — with both customers and search engines — is part of a complete recovery, and it protects the search visibility you have worked to build.
Preventing the next incident
Every hack carries the same underlying lesson: prevention is vastly cheaper and less stressful than recovery. The businesses that recover quickly are overwhelmingly those that had current backups and up-to-date software in place beforehand, and the way to be one of them is to maintain the basic disciplines consistently, rather than only after a crisis.
That means keeping software updated promptly, maintaining strong authentication, taking regular tested backups, and following a steady maintenance routine like the one in our maintenance checklist. These habits prevent the great majority of incidents and ensure that the rare one that slips through is quick to recover from. A hack is frightening, but with preparation it is survivable; without it, it can be devastating. The asymmetry between the small cost of prevention and the large cost of recovery is the strongest argument there is for taking maintenance seriously before anything goes wrong.
Frequently asked questions
What is the very first thing to do if my site is hacked?
Can I just restore a backup and be done?
What if I don't have a backup to restore?
How do I stop it happening again?
Should I tell my customers if my site was hacked?
Key takeaways
- Act quickly but calmly. A methodical response limits damage far better than panic; the sequence is contain, lock down, clean, close the gap.
- Contain first. Take a harmful site offline and call your host before attempting any cleanup.
- Restore beats repair. A clean, recent backup is the fastest route back; without one, cleaning in place is harder and may need professional help.
- Always close the gap. Patching the vulnerability that caused the breach is what prevents an immediate repeat.
- Prevention is far cheaper. Current backups and up-to-date software turn a potential catastrophe into a manageable incident.
The bottom line
A hacked website is alarming, but it is rarely the end of the story when you respond well. Contain the damage, lock down access, restore from a clean backup or clean the site thoroughly, close the gap that let the attacker in, and monitor closely afterwards. Follow that sequence and most sites recover fully. The deeper lesson, though, is that preparation beforehand — backups, updates and a steady maintenance routine — is what makes recovery quick rather than ruinous. Treat this guide as a plan you hope never to need, and the maintenance habits as the insurance that makes needing it far less likely.
If you would rather have protection and rapid recovery handled for you, you can see what an ongoing maintenance plan covers or ask what your site would need.
References
- Astra Security. "Small Business Cyber Attack Statistics." getastra.com.
- OWASP Foundation. "OWASP Top Ten Web Application Security Risks." owasp.org.