How to Fix a Hacked Website: A Step-by-Step Recovery Guide

Are you dealing with a website that's been infiltrated by a hacker? Do you know how to tell if your website has been compromised and what you can do to prevent it from happening again? This guide covers each of these questions in detail, so if you're currently dealing with a hacked website, you'll know exactly what to do about it by the end of this article.

How Do Website Hacks Happen?

Website hacks happen for various reasons. Sometimes, hackers target small and unknown sites as a matter of opportunity. Automated bots scan the internet for potential targets, and if your site is vulnerable, it may become subject to an attack. In other cases, hackers might do this for financial gain or as a form of vandalism.

Why Do Hackers Do This?

Hackers may target websites for various reasons, including financial gain, personal satisfaction, or to disrupt the operation of a website. Some hackers may also engage in this activity as part of a larger scheme to compromise multiple sites at once.

What Happens When Your Site Gets Hacked?

Sometimes attacks are obvious, like finding your homepage vandalized, your site filled with spam content, redirects to other websites, or pages you didn’t create. Other times the signs of a hack are more subtle, such as unusual traffic patterns, strange errors, or a sudden drop in performance.

Cleanup Can Be Time and Cost-Intensive

A hacked website can have serious, long-term consequences for your business, site, and bottom line. It can result in a loss of revenue, traffic, and search rankings, as well as harm your brand reputation. Cleanup can be time and cost-intensive, and you may run into legal issues, lose important data, and have to pay higher hosting and security fees in the future.

Phase 1: Check Site Access

When dealing with a hacked website, the first step is to find out what level of access you still have to it. Here are the steps to take:

  1. See if you can log in. Try logging in to your WordPress admin dashboard, usually located at yoursite.com/wp-admin. If the login screen doesn’t appear or redirects elsewhere, skip ahead to downloading and cleaning up your website files first. Otherwise, try your normal username and password. Should that not work, try password recovery. If neither of these steps succeeds, you can access your database (e.g., via phpMyAdmin) and check the wp_users table to confirm your admin account still exists. If it does, you can reset your password directly in the database or even create a new admin user to regain access. It’s also possible to reset your password using FTP and WP-CLI.
  2. Switch your site to maintenance mode. Once you can access your backend, it’s best to make your site temporarily unavailable. This protects your visitors and your reputation from further harm while you fix the hacked website. The best option is to put it into maintenance mode, using a maintenance mode plugin or a static HTML page. Some CDN providers, such as Cloudflare, also let you put up a maintenance screen.
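Both steps above can be done from the server shell with WP-CLI. The script below is an added example, not code from the original article; it assumes WP-CLI is installed, that DOCROOT is the WordPress root, and that the username and password you pass in are your own (the values here are placeholders).

```shell
#!/bin/sh
# Added example, not code from the original article: regain access to a hacked
# WordPress site and take it offline. Assumes WP-CLI is installed and that
# DOCROOT is the WordPress root; the user/password arguments are placeholders.

DOCROOT="${DOCROOT:-/var/www/html}"

# Step 1: list every administrator (accounts the attacker created stand out
# here) and reset the password of the account you will keep.
# WP-CLI stores the new password using WordPress's own hashing.
check_and_reset_admin() {          # $1 = username, $2 = new password
  wp --path="$DOCROOT" user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered
  wp --path="$DOCROOT" user update "$1" --user_pass="$2" --skip-email
}

# Step 2: maintenance mode without a plugin. WordPress honours a .maintenance
# file in its root; because $upgrading evaluates to the current time on every
# request, the site stays offline until the file is removed.
enable_maintenance() {             # $1 = WordPress root
  printf '%s\n' '<?php $upgrading = time(); ?>' > "$1/.maintenance"
}

disable_maintenance() {            # $1 = WordPress root
  rm -f "$1/.maintenance"
}

# Exit status 0 while the maintenance file is present and well formed.
is_maintenance() {                 # $1 = WordPress root
  grep -q '\$upgrading' "$1/.maintenance" 2>/dev/null
}
```

Call enable_maintenance "$DOCROOT" before you start cleaning and disable_maintenance "$DOCROOT" once the site is verified clean; the built-in page is plain, so use a plugin if you want a branded screen.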

Phase 2: Talk to Your Hosting Provider

Your host should be one of your first ports of call and also your strongest ally in case of a website hack. Contacting your hosting provider can help you get support for fixing the hacked website, such as temporary account restrictions or suspensions.

Phase 3: Back Up Your Site

Saving a copy of your site — even if it’s compromised — lets you preserve recent content, conserve evidence to analyze the source of the hack, and allows you to restore your site should something go wrong during recovery. Make sure to back up both your site files and database.

Phase 4: Restore from a Recent Clean Backup (if possible)

If you had the foresight to set up an automatic backup solution, restoring from a recent clean site copy is often the easiest way to fix your hacked website. Make sure the backup predates the hack or suspicious activity. If possible, first load it on a staging site to run diagnostics before restoring.

Phase 5: Go Through Your User Accounts

Hackers who gain access to a website frequently create an admin user account for themselves. Reviewing all accounts in your WordPress User menu and/or database can help you identify these accounts and take steps to secure them.

Phase 6: Lock Down the Accounts You’ll Keep

Review and update all user accounts associated with your site, including hosting, FTP, email, CDN, and third-party tool credentials. Enforce strong passwords, implement multi-factor authentication, and consider resetting the database username and password as well.

Phase 7: Update All Software

Website hacks often happen via outdated, vulnerable software, and attackers may modify core files to make reinfection easier. Updating all software to the latest version is an important step in fixing your website after it’s been hacked. This includes WordPress core, plugins, themes, server software like Apache, and the PHP version.

Phase 8: Dig Deeper

After updating your site’s software, examine files for hidden code snippets and backdoors. These are entry points hackers like to leave behind so they can regain access to your site even after you’ve cleaned it up. Check the wp-content folder for unexpected PHP files, review theme and plugin files, and look for suspicious code in .htaccess files.
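The checks in this phase map onto a few find and grep commands. The script below is an added example, not code from the original article; it assumes the site root is passed as an argument, builds a constructed fixture so it can be tried offline, and uses WP-CLI only for the optional core checksum step.

```shell
#!/bin/sh
# Added example, not code from the original article: hunt for backdoors left
# in a WordPress tree. Assumes the site root is passed as the first argument.
# Every hit needs a human look; the patterns flag review candidates, not proof.

# PHP files have no business inside the uploads directory: list any that exist.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null
}

# Flag PHP files that call functions typically used to hide or run injected
# code. Output is path:line:text. Expect some false positives (a legitimate
# base64_decode in a plugin, for instance) and read each hit in context.
suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -nHE \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|shell_exec\(|passthru\(' {} + 2>/dev/null
}

# Rewrite/redirect directives in .htaccess files are the classic redirect hack.
htaccess_redirects() {
  find "$1" -type f -name '.htaccess' -exec grep -nHEi 'RewriteRule|Redirect' {} + 2>/dev/null
}

# Compare core files against the official checksums for the installed version
# (requires WP-CLI); modified or unexpected core files are reported.
verify_core() {
  wp --path="$1" core verify-checksums
}

# Constructed fixture for trying the scan offline: one clean theme file, one
# planted file using an obfuscation pattern (no working payload), one redirect.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024/01" "$root/wp-content/themes/demo"
  printf '%s\n' '<?php get_header(); ?>' > "$root/wp-content/themes/demo/index.php"
  printf '%s\n' '<?php eval(base64_decode("...")); ?>' > "$root/wp-content/uploads/2024/01/x.php"
  printf '%s\n' 'RewriteRule ^(.*)$ http://example.invalid/ [R=301,L]' > "$root/.htaccess"
  echo "$root"
}
```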

Phase 9: Fix Your Database

Cleaning up a hacked website's database manually can be time-consuming, especially with larger databases. The easiest way to fix your hacked website is often to scan the database with a plugin or access it via phpMyAdmin and perform manual edits.
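Before opening phpMyAdmin, a quick triage of the dump taken in Phase 3 narrows the manual work. The script below is an added example, not code from the original article; it assumes a mysqldump-style .sql file with the default wp_ table prefix and embeds a constructed, column-trimmed sample dump so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original article: triage the database dump
# taken in Phase 3 before editing anything by hand. Assumes a mysqldump-style
# .sql file with the default "wp_" table prefix.

# mysqldump packs every row of a table into one INSERT line. Split it at the
# row separator "),(" so each hit can be traced to its row (the ID comes first).
rows_of() {                     # $1 = dump file, $2 = table name
  grep "INSERT INTO \`$2\`" "$1" | awk '{ gsub(/\),\(/, ")\n("); print }'
}

# Post rows carrying injected markup or obfuscated code.
injected_post_rows() {          # $1 = dump file
  rows_of "$1" wp_posts | grep -E '<script|<iframe|eval\(|base64_decode\('
}

# siteurl and home are the usual targets of a redirect hack: confirm they
# still point at your own domain.
site_urls() {                   # $1 = dump file
  rows_of "$1" wp_options | grep -E "'(siteurl|home)'"
}

# Constructed excerpt (columns trimmed) so the checks can be run offline;
# the second post carries an injected script tag.
make_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes'),(2,'home','https://example.com','yes');
INSERT INTO `wp_posts` VALUES (1,1,'2024-01-01 00:00:00','<p>Hello world</p>','Hello'),(2,1,'2024-01-02 00:00:00','<p>Welcome</p><script src="https://bad.invalid/x.js"></script>','Welcome');
EOF
  echo "$f"
}
```

Each row that injected_post_rows prints starts with its post ID, which is exactly what you need to find and clean the record in phpMyAdmin.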

Phase 10: Bring Your Site Back Online

Once you've fixed your site's files and database, upload them from your local install or staging site and test your site’s main features. Clear any cached malware or outdated pages and rescan for remaining threats to make sure nothing was missed.

The Final Step: Prevent Website Hacks Before You Have To Fix Them

The final step is to make sure you never end up in this situation again. Follow security best practices and take steps to harden your website's security. On WordPress.com, all of these are included with every plan, together with additional security features.