Emergency checklist — read this first

My website was hacked. What do I do?

Stop scrolling forums. Here is the calm, in-order checklist for the first 60 minutes after you discover your site is compromised — what to do, what not to touch, and exactly when to bring in a human.

My website was hacked, what do I do? Don’t panic and don’t delete files yet. First put the site into maintenance mode (or take it fully offline if it’s actively harming visitors). Second, change every password tied to it — hosting, CMS admin, FTP/SFTP, database — from a clean device. Third, contact your host and tell them what you found. Fourth, preserve a backup of the compromised state as evidence before cleaning anything. Fifth, decide whether to fix it yourself or bring in a professional, based on how deep the damage looks.

Step 1: Confirm it’s actually hacked (not just broken)

A slow site, a weird plugin error, or one strange email is not proof of a hack — sites break for boring reasons all the time. Before you treat this as an incident, look for concrete signs that point specifically to compromise:

  • Your browser, Google, or Google Search Console shows a “Deceptive site ahead” or “This site may be hacked” warning — see our dedicated guide on that exact warning if that’s what brought you here.
  • Search results for your own site show spam text, pharmacy ads, or foreign-language pages you never published.
  • An admin user, plugin, or theme exists in your CMS that nobody on your team added.
  • Visitors report being redirected to a different site, or your host emails you about an abuse complaint.
  • Your site suddenly sends outbound spam email, or your server load spikes with no traffic increase to explain it.
  • Files have modified timestamps you can’t account for, especially in upload folders that shouldn’t contain code.

One item on its own can have an innocent explanation. Two or more together, especially the search-warning and spam-content signs, mean you should treat this as a real incident and move to Step 2.

Step 2: The first 5 things to do, in order

Once you’re confident it’s real, order matters. Doing these out of sequence — especially deleting files before preserving evidence — is the single most common mistake that turns a one-day fix into a week-long mess.

1. Don’t panic, and don’t make it worse

Resist the urge to start clicking “delete” on anything that looks suspicious. Malicious code is often a symptom, not the whole story — if you remove the visible part without finding how it got there, whatever let the attacker in is still open, and they can walk right back in. Take five minutes to breathe and read this list before you touch anything.

2. Take the site to maintenance mode (or offline)

If the site is actively serving malware, spam redirects, or defaced content to visitors, get it out of the public eye immediately — most hosts and CMS platforms have a one-click maintenance mode, or you can point DNS at a static “back soon” page. This protects your visitors and stops search engines from crawling the compromised content while you work. If the damage looks contained (a single odd file, no visible spam), you may be able to leave it live while you investigate — use judgment, but when in doubt, take it down.

3. Change every password — from a clean device

Change your hosting account password, CMS admin password (WordPress, Shopify staff accounts, etc.), FTP/SFTP credentials, and database password. Do this from a device and network you trust, not the computer you normally use to manage the site — if that machine is itself infected with malware that logged your keystrokes, changing passwords on it just hands the attacker your new ones too. While you’re at it, revoke and reissue any API keys or third-party integration tokens the site uses.

4. Contact your host and tell them plainly

Hosts deal with compromised sites constantly and often have tools you don’t: server-level access logs, the ability to isolate your account from others on shared hosting, and sometimes a malware-scanning service included in your plan. Tell them exactly what you observed and when you first noticed it — don’t downplay it. Many hosting abuse teams will temporarily suspend a badly compromised site to protect their network; better to hear that from them proactively than get surprised by a suspension notice.

5. Preserve evidence before you clean anything

Before deleting or modifying a single file, take a full backup of the site exactly as it currently is — files and database both — and, if your host allows it, export the access and error logs covering the last few weeks. This copy is what lets you (or whoever you hire) actually find the entry point instead of guessing. Store it somewhere separate from the live site. Only after this backup exists should cleanup begin.

What NOT to do

A few reactions feel productive in the moment but usually make recovery slower, more expensive, or both. Avoid these:

  • Don’t delete files blindly. Removing suspicious code without understanding how it got there destroys your best evidence and leaves the actual entry point open for a repeat infection.
  • Don’t restore an old backup and assume you’re done. If the backup predates the breach it may be clean, but if the vulnerability that let attackers in is still present, restoring just buys you a few days before it happens again. Fix the hole, then restore.
  • Don’t log in to the compromised admin panel from a possibly-infected device to “take a quick look.” If your own computer has malware, you can hand over fresh credentials the moment you type them.
  • Don’t stay quiet if customer data may be involved. Delaying notification when personal data was exposed can turn a technical incident into a legal and trust problem on top of it.
  • Don’t assume one plugin update fixes it. If attackers got in, they often leave a backdoor (a hidden file granting future access) that a simple update won’t remove. A proper cleanup checks for backdoors, not just the original hole.
  • Don’t pay a ransom or “unlock fee” demanded through the defaced site or a threatening email without independent verification — these are frequently bluffs, and paying doesn’t guarantee the attacker actually leaves.

DIY cleanup vs. bringing in a human

Whether you can safely clean this up yourself depends on how deep the compromise goes, not on how confident you feel with a keyboard. Here’s a rough guide:

When to DIY a hacked-website cleanup vs. hire a professional
SituationReasonable to DIY?Why
One flagged file, no admin changes, small brochure siteOften yes, carefullyContained scope, low risk if you follow the evidence-first order above and verify against a clean backup.
Search-warning shown, spam content in search results, unknown admin usersBring in a humanSigns of a real foothold — likely a backdoor or persistent access that a surface cleanup won’t remove.
E-commerce or any site handling payments/customer loginsBring in a humanLegal notification duties and payment-data risk make a documented, professional response worth the cost.
You’ve cleaned it once already and it came backBring in a humanA repeat infection almost always means the entry point was never actually closed the first time.
You’re not sure how it happened at allBring in a humanCleanup without a root-cause investigation is a guess, and guesses come back.

If you land in “bring in a human,” that’s exactly what a manual security audit is for — a real engineer looks at your actual site, finds how the attacker got in, and tells you precisely what to fix. Bug Circuit runs this as a $49 one-time audit with a full written report, or $299 for the audit plus we fix the high and critical issues ourselves and cover you for 3 months after — currently 55% off as a launch offer. See a sample report before you decide, and compare full pricing — no quote calls, no sales pressure.

What we mean by authorized testing

Everything Bug Circuit does is authorized, consent-based testing — not a stranger poking at your live site. Before any hands-on work, we verify you own or control the domain and record a signed Authorization to Test. We productize this for small websites — WordPress, Shopify, small SaaS — and we say plainly what we are not: a five- or six-figure enterprise penetration-testing engagement. If your situation needs that (regulatory mandate, large custom platform, cyber-insurance requirement), we’ll tell you honestly rather than oversell.

Common causes worth checking (by platform)

Once the immediate incident is contained, understanding how you got hit prevents a repeat. The most common root causes we see are platform-specific:

  • WordPress — an outdated plugin or theme with a known vulnerability, a weak or reused admin password, or a nulled/pirated plugin with malware baked in. If this keeps happening on the same site, read why WordPress sites keep getting hacked for the specific patterns and permanent fixes.
  • Search results full of Japanese, Chinese, or foreign-language spam pages — this has a name, the Japanese keyword hack, and it’s one of the most common WordPress-specific infections. It generates thousands of spam pages search engines index under your domain, usually invisible to normal visitors.
  • Shopify / hosted platforms — usually a compromised staff account (reused password, no two-factor) or a malicious third-party app with excessive permissions, rather than a platform vulnerability itself.
  • Small SaaS / custom apps — most often a business-logic or access-control flaw (one user can reach another user’s data by changing an ID in the URL, for example) rather than a missing security patch.

Common questions

My website was hacked, what do I do first?
Do not panic and do not start deleting files. First, take the site into maintenance mode or take it offline if it’s actively harming visitors (malware downloads, spam redirects). Second, change every password tied to the site — hosting, admin/CMS, FTP/SFTP, and database — from a device you trust, not the possibly-compromised computer you normally use. Third, contact your host and tell them plainly. Then move to evidence preservation before any cleanup. The full order is in the checklist above.
How do I know for sure my website is actually hacked?
Look for concrete signs: your browser or Google Search Console shows a “Deceptive site ahead” / “This site may be hacked” warning, unfamiliar admin users or plugins appear, search results show spam text you never wrote, your host emails you about abuse complaints, or the site redirects visitors to another domain. One odd symptom alone (a slow page, one weird email) isn’t proof. Two or more of the signs above, together, usually is.
Should I just delete the hacked files and reinstall?
Not immediately, and not blindly. Deleting first destroys the evidence you need to find out how attackers got in — if you clean up without closing the entry point, they simply come back through the same hole within days. Preserve a copy first (full file and database backup, plus your host’s access logs if you can pull them), then remove malicious code, then find and fix the actual entry point. Reinstalling a clean copy of your CMS core is fine and often recommended — deleting everything with no backup and no root-cause check is the mistake.
Will I lose my Google rankings if my site was hacked?
Usually only temporarily, and only if it goes unaddressed. Search engines that detect hacked content (spam pages, malware, cloaked redirects) will show warnings and can drop rankings while the site is flagged. Clean the site, fix the entry point, then request a review in Google Search Console under Security Issues. Rankings typically recover once the review clears — the damage compounds mainly when a hacked site sits unfixed for weeks.
Do I need to tell my customers if my website was hacked?
If any personal data (names, emails, passwords, payment details) may have been accessed, most places require you to notify affected users and, in many jurisdictions, a regulator — timelines are often measured in days, not weeks. If it was purely defacement or spam content with no data exposure, disclosure obligations are usually lighter, but transparency with customers is still the safer call. This isn’t legal advice — check requirements for your jurisdiction, or ask a lawyer, once the immediate fire is out.
How much does it cost to fix a hacked website?
It ranges widely by how deep the compromise goes and who fixes it — from a few hundred dollars for a contained WordPress infection cleaned by a freelancer, up to several thousand for a deep compromise with backdoors and a full security overhaul. See our full cost breakdown by scenario for realistic ranges before you hire anyone.

The full hacked-website series

Not sure how bad it is? Start with the free check

Run the free passive security check on your domain — no login, no impact on your site, results in seconds. It won’t clean an active hack, but it tells you what’s visible from the outside right now.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →