Last week a new client reached out to me in panic. Their website had been hacked.
Worse, the website was receiving millions of attacks every hour and they didn’t know how to stop them.
So I wanted to write an article sharing what you can do when your website is hacked.
When your website gets hacked, you’re obviously in panic. You’re afraid content gets lost and that the security of data has been violated.
This article will help you with a set of actions you can put in place to try to recover your website when it has been hacked.
But a word of caution: it’s not always possible to recover a website that has been hacked.
This article will help you figure out what you can do when your website is hacked. I will also share tips on three kinds of plugins that help keep your website safe, so that a hack won't happen again.
What is a hack
Let’s start with a basic question. A website hack is when someone gains unauthorized access to your website to alter its behavior, steal information, or exploit its resources. This can range from visible defacement (think weird messages or shady links on your homepage) to more subtle manipulations like injecting spam content, redirecting users to scam sites, or installing malware that compromises your visitors’ devices.
In more technical terms, hackers usually exploit weak passwords, outdated plugins or themes, poor server security, or unpatched vulnerabilities in your CMS (like WordPress or Joomla). Once inside, they can wreak havoc silently or loudly—either way, your business takes the hit.
Step-by-step recovery plan for a hacked website
Now let’s assess the situation in which your website has been hacked, starting from the example of our new client. The first thing to do is to stop the bleeding, so to speak: take your website offline. When your website has been compromised, speed is key. You want to isolate the problem and limit the damage, fast.
Here’s what you should do:
- Take the website offline. Either put it in maintenance mode using a plugin or ask your host to temporarily suspend it. This prevents further damage and stops visitors from landing on a compromised site.
- Notify your hosting provider. Most hosts offer some level of support or tools to help you identify and fix the issue. Some even provide malware removal services.
- Scan your site. Use tools like Sucuri SiteCheck or the Wordfence Scanner to detect infections, malware, and suspicious file changes.
- Restore a backup. Ideally, you have a clean backup from before the hack. Restore it only after confirming it’s safe and unaffected.
- Reset all passwords. And I mean all of them: admin accounts, FTP, database, hosting. Also check for and remove any unauthorized users that might have been created.
- Audit plugins, themes, and files. Look for unknown plugins, modified files, or unexpected code. Hackers often leave backdoors to regain access later.
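The "audit plugins, themes, and files" step is easier when you have a clean backup to compare against. The following added example (not code from the article) hashes every file in a WordPress tree, diffs it against a manifest taken from the clean backup, and reports added, removed and modified files. The extra rule that flags PHP files under wp-content/uploads is an added heuristic: that directory should only ever hold media, so executable code there is worth a look. The directory layout and file contents in `demo()` are constructed.

```python
"""File-integrity audit of a WordPress tree against a clean-backup manifest."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def audit(clean: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the clean manifest and the live site.
    'suspicious' is an added heuristic: PHP under wp-content/uploads."""
    added = sorted(p for p in live if p not in clean)
    removed = sorted(p for p in clean if p not in live)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    suspicious = sorted(p for p in added + modified
                        if p.startswith("wp-content/uploads/") and p.endswith(".php"))
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict[str, list[str]]:
    """Build constructed 'backup' and 'live' trees in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, live_root = Path(tmp, "backup"), Path(tmp, "live")
        files = {  # constructed sample site, identical in both trees to start
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-content/plugins/seo/seo.php": "<?php // plugin code",
            "wp-content/uploads/2024/photo.jpg": "JPEGDATA",
        }
        for rel, body in files.items():
            for root in (clean_root, live_root):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Constructed tampering on the live tree: one plugin file edited,
        # one PHP file dropped into uploads (inert placeholder content).
        (live_root / "wp-content/plugins/seo/seo.php").write_text("<?php // plugin code\n// extra")
        (live_root / "wp-content/uploads/2024/x.php").write_text("<?php // placeholder")
        return audit(hash_tree(clean_root), hash_tree(live_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against the real clean backup and live document root instead of the temp trees; anything in `modified` or `suspicious` is what to inspect before you restore or reopen the site.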
When to take your website offline (and when not to)
Taking your site offline isn’t always necessary, but it’s often the safest move if you're unsure. If your site is displaying spammy content, redirecting users, or triggering malware warnings, you should absolutely take it offline.
However, if you have a technical team in place and the attack is contained to a specific area of the site, it might make more sense to isolate the affected parts and fix things without going completely dark. For ecommerce or high-traffic sites, downtime can be costly, so weigh the risks carefully.
If in doubt, put up a maintenance page explaining you're resolving an issue—it protects your visitors and your brand.
How to restore a backup of a hacked website
Restoring a backup is often the fastest way to bring your site back from the dead—if you’ve actually been backing up regularly.
Most hosting providers (like SiteGround, Kinsta, or WP Engine) offer automated daily backups you can restore with a click from your hosting dashboard.
If you’ve been using a plugin like UpdraftPlus, log in to your WordPress dashboard (if it’s still accessible), head to the plugin’s settings, and restore the most recent clean version. Make sure to restore both files and database.
No backups? Then you’re in for a longer recovery process involving manual cleanup or starting from scratch.
Why websites get hacked and what you might have missed
There are a number of reasons why websites get hacked (no, I’m not talking about reading the minds of the people who do it...).
Websites mainly get hacked because:
- Weak passwords or outdated software. Brute force attacks are still a thing. If your admin password is “123admin”, you’re asking for it.
- Poor hosting security. Cheap hosting often means shared resources and limited firewalls.
- Nulled (pirated) plugins/themes. These often contain malicious code and serve as easy entry points.
- Lack of regular updates. Outdated themes and plugins can contain unpatched vulnerabilities that hackers exploit.
In many cases, the hack happens silently and stays undetected for weeks or months. By the time you notice, the damage has already been done.
When it’s not possible to recover your website
Sometimes, a website is so badly compromised that recovering it is either impossible or not worth the time and money.
If your backups are infected, the malware is deeply embedded, or your content has been deleted and there’s no off-site record, your best bet may be to rebuild from scratch.
This is especially true if the hack affected core files and your security hygiene was poor to begin with. In those cases, a fresh install with new plugins, a cleaned database, and stronger security measures is your clean slate.
It sounds dramatic, but rebuilding is often faster and safer than spending days trying to clean up something you don’t fully understand.
How to avoid a website hack: 3 plugins you can use
Prevention is always cheaper than recovery. If your website is live and matters to your business, you need a basic security setup in place. There are mainly three kinds of security plugins you want to have.
1. Plugins that protect your website from external attacks
Wordfence is one of the most comprehensive WordPress security plugins out there. It includes:
- A web application firewall (WAF) to block malicious traffic
- Malware scanner to detect threats
- Real-time monitoring of login attempts and file changes
- Rate-limiting to prevent brute force attacks
Wordfence also lets you block entire countries or IP ranges and provides email alerts when it detects something fishy. Personally, I find it ideal for SMEs because it combines multiple tools into one, and the free version is more than enough for most basic needs.
2. Plugins that check the safety of other plugins
Plugin Security Scanner by Wordfence (separate from the main Wordfence plugin) or WPScan
These tools monitor known vulnerabilities in plugins and themes. They regularly compare your installed extensions with a database of reported issues.
If one of your plugins has a security flaw (even one you’re not using on the front end), you’ll get an alert. That gives you the chance to update or deactivate it before something bad happens.
I find these plugins very useful, especially if you’ve installed a bunch of plugins and don’t have the time to check their changelogs one by one.
3. Plugins that help you if things go wrong
UpdraftPlus is the gold standard for WordPress backups. It allows you to:
- Schedule automatic backups (daily, weekly, etc.)
- Store backups in remote locations like Google Drive, Dropbox, or Amazon S3
- Restore your site in one click
This isn’t strictly a security plugin, but it’s arguably the most important tool in your security stack. If all else fails, your backup is your parachute.
Ongoing maintenance of your website
Good security is not a one-time job. It’s a habit. I know you want to make sure a hack never happens again, so here are a few simple things you can do regularly to reduce your risk.
- Update plugins/themes weekly. Or enable auto-updates if you don’t want to deal with it.
- Use strong passwords and two-factor authentication. Avoid reusing passwords across tools or accounts.
- Limit admin access. Only give admin privileges to people who need them. Use editor or contributor roles when possible.
- Monitor uptime and security. Use free tools like Uptime Robot, or install activity log plugins to track who does what on your site.
- Work with someone who actually checks this stuff regularly.
Sometimes, as a business owner, you don't have the time or skill to continuously update your website and check its security. For this reason we offer a continuous maintenance and security-check service. If you want to know more, feel free to reach out.
Website hacked and not sure what to do?
If your website has been hacked and you’re not sure of the best way forward, you can reach out to us for a free consultation. We’ll help you assess the damage, clean it up if possible, and set you up with the tools and habits you need to avoid it happening again.