My Website Got Hacked: Emergency Recovery Checklist

Step-by-step guide to recover a hacked website. What to do in the first hour, how to clean malware, and how to prevent it from happening again.

Your Website Got Hacked. Here Is What to Do Right Now.

If you are reading this, something has gone wrong. Your website is defaced, redirecting to spam, flagged by Google, or your hosting provider sent a malware notification at 2 AM. Take a breath. Thousands of websites get hacked every day, and most of them recover fully. But what you do in the next 60 minutes matters more than anything else. This is your step-by-step recovery checklist, written for the person who needs answers immediately.

The First 60 Minutes: Stop the Bleeding

The single most important thing right now is to stop the attacker from doing more damage. Do not skip these steps, and do not start cleaning files before you have contained the breach.

Take your site offline immediately. If you have access to your hosting control panel, put up a maintenance page or enable maintenance mode. In WordPress, you can drop a .maintenance file in the root directory. If you cannot access the admin panel, ask your hosting provider to suspend the site temporarily. A suspended site is better than a site actively distributing malware to your visitors.

Do not delete anything yet. Your instinct will be to start deleting suspicious files. Resist it. You need evidence of what happened to prevent it from happening again. If you delete the attack vector before understanding it, the attacker will simply use the same exploit to get back in.

Preserve a full backup of the compromised state. Download a complete copy of your site files and database as they are right now. Label it clearly as “compromised” so you never accidentally restore it. This backup is your forensic evidence. If you later need a professional to investigate, they will need this snapshot.

Change every password immediately. This means your hosting control panel password, FTP/SFTP credentials, database passwords, CMS admin passwords, and SSH keys. Change them all before you do anything else. If the attacker has your credentials, none of your cleanup work matters because they will simply log back in.

Revoke all active sessions. In WordPress, go to the database and clear the session_tokens entries in the usermeta table, or use WP-CLI, which takes the user as an argument: wp user session destroy admin --all destroys every session for the user admin; repeat it for each account, or loop over wp user list --field=ID. For other platforms, check your session management settings. If you cannot access the admin panel, clear the sessions table directly in the database.

Notify your hosting provider. Call or submit an emergency ticket. Reputable hosting companies have incident response procedures and may be able to provide server-level logs showing when and how the breach occurred. They may also have clean backups from before the compromise.

Identify How the Breach Happened

Before you clean anything, you need to understand the attack vector. Cleaning malware without closing the entry point is like mopping the floor while the tap is still running.

Check your CMS and plugin versions. Outdated WordPress installations, themes, and plugins are the number one attack vector for small and mid-size websites. Run wp core verify-checksums and wp plugin verify-checksums --all to check if any core files or plugin files have been modified. Any modified file is a red flag.

Look at recently modified files. On the server, run this command to find files changed in the last 7 days:

find /path/to/your/site -type f -mtime -7 -ls

Pay special attention to PHP files in upload directories, unexpected files in your root directory, and any file with an obfuscated name like wp-tmp.php or class-db.php that does not belong to your CMS.

Review your .htaccess file. Attackers frequently inject redirect rules into .htaccess to send your visitors to spam or phishing sites. Open the file and look for base64-encoded strings, unfamiliar RewriteRules, or blocks of code you did not add. Compare it against a clean default version for your CMS.

Check for unauthorized admin users. Query your database for users with administrator privileges. If you see usernames you do not recognize, the attacker created backdoor accounts. In WordPress, check the users table joined with usermeta where the capabilities meta value includes “administrator.” Remove any accounts you did not create.

Examine server access logs. Look for POST requests to unusual URLs, high-frequency requests from single IP addresses, and requests to files that should not exist. Your hosting provider can help you access these logs if you are not sure where they are stored.
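The log review above, as an added example that is not part of the original checklist: two small shell functions run over a constructed combined-format access log (RFC 5737 test addresses), one flagging POST requests to PHP files inside the uploads tree, the other listing IPs that exceed a request threshold.

```shell
#!/bin/sh
# Added example, not from the article: triage a combined-format access log for
# the two signals named above, POST requests to PHP files under wp-content/uploads
# and single IPs sending far more requests than a human visitor would.
# The log lines are constructed for illustration (RFC 5737 test addresses).

# Print "ip path" for every POST aimed at a .php file inside the uploads tree.
suspicious_posts() {
    awk '$6 == "\"POST" && $7 ~ /wp-content\/uploads\/.*\.php/ { print $1, $7 }' "$1"
}

# Print "ip count" for every client IP with more than $2 requests (default 50),
# busiest first. Tune the limit to your traffic; a burst of POSTs to
# wp-login.php from one address is the classic brute-force signature.
noisy_ips() {
    awk -v limit="${2:-50}" '{ n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }' "$1" | sort -k2 -nr
}

# Build a constructed sample log: 60 login POSTs from one IP, one POST to a
# PHP file dropped in uploads (the wp-tmp.php name from the checklist), one
# normal page view.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 60 ]; do
        echo '203.0.113.9 - - [10/Mar/2024:02:13:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' >> "$f"
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [10/Mar/2024:02:14:22 +0000] "POST /wp-content/uploads/2024/03/wp-tmp.php HTTP/1.1" 200 88 "-" "curl/8.0"' >> "$f"
    echo '192.0.2.4 - - [10/Mar/2024:02:15:00 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"' >> "$f"
    echo "$f"
}

# Usage against a real log: suspicious_posts /var/log/apache2/access.log
```

Both functions read a file path, so they work unchanged on a rotated log your host hands you.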

Common attack vectors you are likely dealing with: Outdated plugins or themes with known vulnerabilities account for roughly 50 percent of WordPress compromises. Weak or reused passwords account for another 20 to 25 percent. The rest split between SQL injection, cross-site scripting on custom code, compromised third-party themes from unofficial sources, and server-level exploits on unpatched hosting environments.

Clean and Recover: Step by Step

Now that you understand the attack vector, it is time to clean up. This process will take anywhere from two hours to a full day depending on the severity.

Step 1: Start from a clean foundation. If you have a clean backup from before the compromise, restoring it is the fastest and most reliable path. Check with your hosting provider for automatic backups. Many managed hosting plans include daily backups with 7 to 30 day retention. If you restore a backup, make sure to also change all passwords and update all software before bringing the site back online, because the vulnerability that was exploited in the first place still exists in the backup.

Step 2: If no clean backup exists, clean files manually. Download fresh copies of your CMS core files from the official source. For WordPress, download the latest version from wordpress.org. Replace all core files and directories except your content directory and configuration file. For your theme and plugins, delete them entirely and reinstall from official repositories. Do not try to clean infected plugin files. Replace them.

Step 3: Clean the uploads directory. Your uploads directory should only contain media files: images, PDFs, videos. Any PHP file in this directory is almost certainly malware. Search for PHP files inside your uploads folder and delete every one you find. Legitimate uploads are never PHP files.

find /path/to/site/wp-content/uploads -name "*.php" -type f

Step 4: Clean the database. Look for injected content in your posts and pages. Attackers commonly inject hidden iframes, JavaScript redirects, or spam links into post content. Search your database for suspicious patterns like iframe tags, base64_decode calls, or script injections in post content fields. Also check your options table for modified site URL, home URL, or active plugins values.

Step 5: Scan for remaining malware. Use a server-side malware scanner to catch anything you missed. Tools like Maldet (Linux Malware Detect) or ClamAV can scan your entire site directory. If you are on WordPress, Wordfence or Sucuri plugins provide malware scanning after reinstallation.

Step 6: Update everything. Update your CMS core, every plugin, and every theme to the latest versions. Remove any plugins or themes you are not actively using. Every installed but inactive plugin is still an attack surface.

Step 7: Verify and bring the site back online. Before removing maintenance mode, check your site on Google Safe Browsing at transparencyreport.google.com to see if it has been flagged. If Google has blacklisted your site, you will need to request a review through Google Search Console after cleanup. Test every critical function: forms, checkout, login, and page loads.
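Steps 3 and 4 above, as an added example that is not part of the original checklist: it runs against a constructed sample site (a temp directory with an uploads tree and a one-row-per-line dump of the posts table standing in for the live database), quarantines rather than deletes, and extends the article's "*.php" search to .phtml and .phar.

```shell
#!/bin/sh
# Added example, not from the article: Steps 3 and 4 of the cleanup run against a
# constructed sample site. PHP files found under uploads are moved into a
# quarantine directory outside the web root with their path preserved, rather than
# deleted, so the evidence copy the checklist asks you to keep stays complete.
# A one-row-per-line dump of the posts table stands in for the live database.

# Move every PHP-executable file under wp-content/uploads into $2 and print how
# many were moved. The name list goes beyond the article's "*.php": attackers
# also use .phtml and .phar, which most Apache PHP handlers execute.
quarantine_uploads_php() {
    site="$1"; quarantine="$2"
    find "$site/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | while read -r f; do
        rel="${f#"$site"/}"
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$f" "$quarantine/$rel"
    done
    find "$quarantine" -type f | wc -l | tr -d ' '
}

# Print the ID of every post row whose content carries one of the injection
# patterns the checklist names. Against a live site the equivalent is
# SELECT ID FROM wp_posts WHERE post_content LIKE '%<iframe%' (and so on).
flag_injected_posts() {
    grep -E -i '<iframe|<script|base64_decode' "$1" | sed -E 's/^\(([0-9]+),.*/\1/' | sort -n -u
}

# Constructed site: one real image, one dropped PHP file, and a posts dump in
# which rows 13 and 15 carry a hidden iframe and a JavaScript redirect.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2024/03"
    printf 'JFIF' > "$site/wp-content/uploads/2024/03/photo.jpg"
    printf '<?php // constructed placeholder standing in for a dropped file\n' \
        > "$site/wp-content/uploads/2024/03/wp-tmp.php"
    cat > "$site/posts.sql" <<'EOF'
(12,'<p>Welcome to the shop.</p>'),
(13,'<p>Deals</p><iframe src="http://example.invalid/" width="0" height="0"></iframe>'),
(14,'<p>Contact us.</p>'),
(15,'<script>window.location="http://example.invalid/";</script>'),
EOF
    echo "$site"
}
```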

Harden Against Future Attacks

Recovery without hardening is wasted effort. Implement these measures before you consider the job done.

Install a Web Application Firewall (WAF). A WAF sits between your visitors and your server, filtering malicious requests before they reach your application. Cloudflare, Sucuri, and server-level options like ModSecurity all work. A WAF would have blocked most common attack patterns that led to your compromise.

Enable file integrity monitoring. Tools like OSSEC, Wazuh, or WordPress plugins like Wordfence monitor your files for unauthorized changes and alert you immediately. If someone modifies a core file or uploads a PHP shell, you will know within minutes instead of discovering the breach weeks later.

Implement a strict update policy. Enable automatic minor updates for your CMS. Schedule weekly checks for plugin and theme updates. Subscribe to security mailing lists for your platform so you hear about critical vulnerabilities the day they are disclosed, not after your site is already compromised.

Enforce strong authentication everywhere. Use unique, complex passwords for every account. Enable two-factor authentication for all admin users without exception. Limit login attempts and consider changing the default admin URL. Use SSH keys instead of passwords for server access.

Set correct file permissions. On Linux servers, directories should be 755 and files should be 644. Your configuration file should be 600 or 640. No file or directory should ever be 777. Incorrect permissions are an open invitation.

Schedule automated backups. Daily backups with 30-day retention, stored offsite. Test your restore process at least once a quarter. A backup you have never tested is not a backup. Make sure backups are stored separately from your web server so a server-level compromise does not also destroy your backups.

Remove unnecessary attack surface. Delete unused themes, plugins, and test installations. Remove directory listing by adding Options -Indexes to your .htaccess. Disable PHP execution in upload directories. Hide your CMS version number. Every piece of information or unused code you expose is leverage for an attacker.
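The permission scheme and the two .htaccess measures above, as an added example that is not part of the original checklist: it assumes Apache 2.4 and a WordPress layout, builds a constructed tree with the classic mistakes, and applies the fixes so the result can be checked.

```shell
#!/bin/sh
# Added example, not from the article: the permission scheme and the two
# .htaccess hardening steps above, applied to a constructed site tree.
# Assumes Apache 2.4 reading .htaccess; on Nginx the equivalent is a
# location block in the server config, since .htaccess is ignored there.
# Ownership (which user the web server runs as) is a separate step not shown.

# Count entries anyone on the box can write to; the goal after hardening is 0.
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Directories 755, files 644, the configuration file 600 (use 640 instead if
# PHP runs as a different user than the file owner but shares its group).
harden_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    if [ -f "$site/wp-config.php" ]; then chmod 600 "$site/wp-config.php"; fi
}

# Uploads should serve media only: no directory listings and no PHP execution.
# "Require all denied" refuses the request before any PHP handler sees it,
# which also covers php-fpm setups where php_flag directives have no effect.
write_uploads_htaccess() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$1/wp-content/uploads/.htaccess"
}

# Constructed tree with the classic mistakes: a 777 uploads dir, a 666 file,
# and a world-readable wp-config.php.
make_sample_tree() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    chmod 755 "$site/wp-content"
    chmod 777 "$site/wp-content/uploads"
    printf 'x' > "$site/wp-content/uploads/photo.jpg"; chmod 666 "$site/wp-content/uploads/photo.jpg"
    printf '<?php // constructed config placeholder\n' > "$site/wp-config.php"; chmod 644 "$site/wp-config.php"
    echo "$site"
}
```

Run count_world_writable against the real document root before and after; a non-zero count afterwards means something outside the tree (a symlink target, a shared tmp) still needs attention.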

When to DIY vs. Call a Professional

Not every hack requires professional intervention, but some absolutely do. Here is how to decide.

Handle it yourself if: Your hosting provider has a clean backup from the last 24 to 48 hours and you can restore it. The hack was limited to a defacement or spam injection with a clear source like an outdated plugin. You are comfortable with SSH, database queries, and file management. You have the time to methodically work through every step above.

Call a professional if: You cannot identify the attack vector after investigation. The attacker created backdoor accounts or modified server configurations. Your site handles sensitive customer data, payment information, or health records. The compromise involves multiple sites on the same server. Malware keeps returning after you clean it, which indicates a persistent backdoor you have not found. You are losing significant revenue for every hour the site is down.

Get help immediately if: You have evidence of data exfiltration affecting customer information. You operate in a regulated industry with breach notification requirements. The attacker is actively inside your server making changes in real time.

The honest truth is that professional recovery is not about technical skill alone. It is about speed, thoroughness, and the experience to know the places attackers hide backdoors that you would never think to look. A professional can typically recover a site in hours where a first-timer might spend days and still miss a persistent access point.

What Recovery Actually Costs

If you are wondering whether paying for professional recovery is worth it, here is what the market looks like. We see this question constantly in web development communities, with site owners unsure whether quoted prices are reasonable or inflated.

Basic recovery (single-site compromise with available backups): Expect to pay between 15,000 and 30,000 INR. This covers backup restoration, password resets, software updates, and basic hardening. If a clean backup exists and the attack vector is obvious, this is a straightforward job.

Standard recovery (no clean backup, manual malware removal required): This runs between 25,000 and 50,000 INR. It includes forensic analysis to identify the attack vector, manual file and database cleaning, backdoor removal, hardening, and post-recovery monitoring. Most hacked sites fall into this category.

Complex recovery (multiple sites, server-level compromise, or persistent reinfection): Budget 50,000 to 75,000 INR or more. These cases involve deep server-level investigation, cleaning across multiple applications, potential data breach assessment, and comprehensive security overhaul. If malware keeps returning despite cleanup attempts, you are in this category.

Ongoing monitoring and protection plans: Many providers offer monthly security monitoring starting at 5,000 to 15,000 INR per month, which includes WAF management, regular scanning, update management, and priority incident response. Given that the average cost of a breach in downtime, lost revenue, and damaged reputation far exceeds the cost of prevention, this is worth serious consideration.

Do not accept quotes that do not include a post-recovery check. Any reputable recovery service should verify the site is clean, monitor it for at least 7 days after recovery, and provide a report explaining what happened and what was done to prevent recurrence.

Your Website Is Not a Lost Cause

Getting hacked feels terrible. It feels like a personal violation, especially if you have built your site from the ground up. But the reality is that the vast majority of hacked websites recover completely. The breach itself is not the catastrophe. Ignoring it, cleaning it poorly, or failing to harden afterward is what turns a bad day into a recurring nightmare.

Work through this checklist methodically. Do not rush, do not skip steps, and do not assume the first piece of malware you find is the only one. Attackers frequently plant multiple backdoors precisely because they expect you to stop looking after you find the first one.

If you are in over your head, or if your site is business-critical and you cannot afford to get this wrong, get professional help now rather than after three failed cleanup attempts.

Emergency Incident Response from ZenoCloud

The ZenoCloud security team handles hacked site recovery around the clock. We manage over 1,000 servers and have dealt with every type of compromise from simple defacements to sophisticated supply chain attacks.

What you get with ZenoCloud incident response:

  • Initial triage and containment within 60 minutes of engagement
  • Full forensic analysis identifying the exact attack vector
  • Complete malware removal and verification
  • Security hardening to prevent reinfection
  • 7-day post-recovery monitoring
  • Detailed incident report for your records

Hacked site recovery starts at 25,000 INR. If your site is down right now and you need immediate help, contact our emergency response team. We are available 24/7, including weekends and holidays.

If you are already a ZenoCloud managed hosting customer, your plan includes priority incident response at no additional cost. Our proactive monitoring with Wazuh security information and event management catches most threats before they become breaches, but when something does slip through, your recovery is covered.

Do not wait for the attacker to do more damage. Every hour a compromised site stays online is an hour it is potentially harming your visitors, your search rankings, and your reputation.
