Recovering from a hacked website
A calm, thorough playbook for getting your hacked website cleaned, secured, and fully restored — with timelines and prevention steps.
Discovering your website has been hacked is alarming. You may feel embarrassed, angry, or overwhelmed. That is completely understandable — and also completely normal. This happens to thousands of businesses every week, including large, professional ones.
Here is the thing: it is almost always fixable. You are not facing permanent damage. You are facing a cleanup job — and this guide walks you through every step of it.
Quick summary
Contact us immediately at support@chykalophia.com. Take the site offline if it's actively sending visitors to malicious content. Do not delete anything yet — preserve the evidence. We'll help you clean, restore, and harden the site so it doesn't happen again.
Signs that your site may have been hacked
You don't always get a dramatic warning. Look for:
- Visitors are redirected to a different website (especially gambling, pharmaceutical, or adult sites)
- Google shows a "This site may be hacked" warning in search results
- Your browser flags the site as dangerous
- Pages contain links or text you didn't write
- Unfamiliar admin accounts have appeared in WordPress
- Your hosting provider suspended your account
- Google Search Console sent you a security alert
- Your site is slower than usual or displays strange error messages
If you notice any of these signs, treat it as a confirmed hack and proceed below.
First 30 minutes
Contact us. Email support@chykalophia.com with a brief description and a screenshot of what you're seeing. We can assess the situation and start work immediately.
Take a screenshot of everything suspicious. Capture the defaced content, strange redirects, browser warnings, and any error messages. This is your evidence record.
Take the site offline if it is actively harming visitors. If your site is redirecting visitors to malicious content, put it in maintenance mode right now. Log in to your hosting dashboard and look for a "Disable site," "Maintenance mode," or "Suspend" option.
Do not delete files or restore a backup yet. It is tempting to wipe everything, but doing so destroys the forensic evidence that tells us how the attacker got in. Without knowing the entry point, you risk getting hacked again through the same vulnerability.
Change your WordPress admin password immediately. Use a strong, unique password via your password manager. See how to create strong passwords.
Change your hosting account password. Log in to your hosting dashboard and update your password there too.
First 24 hours
Audit WordPress admin users. Log in to WordPress, go to Users, and check for any accounts you don't recognize. Immediately delete any suspicious accounts. See WordPress user roles explained.
Check recent file changes. Your hosting dashboard or FTP access may show recently modified files. Files that changed on the day of the hack — especially in wp-content/themes/, wp-content/plugins/, or wp-content/uploads/ — are likely infected.
Run a malware scan. Use a security plugin like Wordfence or Sucuri, or your hosting provider's built-in malware scanner. Most managed WordPress hosts (WP Engine, Kinsta, Flywheel) include malware scanning in their plans.
Identify your most recent clean backup. Log in to your hosting dashboard and note the date of your last backup made before the hack. You'll need this for the restoration step. Do not delete any backups. See how backups work.
Check for Google Search Console alerts. If you have Google Search Console set up, log in and check the Security Issues section. Google often detects hacks and lists the specific pages affected. See what is Google Search Console.
Notify any affected customers if you believe their data may have been accessed. In many regions this is a legal requirement. Consult a lawyer if you're unsure what applies to your business.
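For the "Check recent file changes" step above, if you have shell (SSH) access, this added example (not part of the original guide) lists recently modified files in the three directories named there. It goes one step further and also lists PHP files inside uploads, on the assumption that your uploads folder should hold media only; the function names and the default 7-day window are illustrative.

```shell
#!/bin/sh
# Added example (not the original guide's code). Read-only: it lists files
# and changes nothing, so the evidence stays intact.
# Usage: sh triage.sh /path/to/site [days]   (triage.sh is a placeholder name)

# Print files under the three wp-content directories that were modified
# within the last DAYS days (default 7), sorted by path.
recent_changes() {
    root=$1
    days=${2:-7}
    for dir in wp-content/themes wp-content/plugins wp-content/uploads; do
        if [ -d "$root/$dir" ]; then
            find "$root/$dir" -type f -mtime "-$days" -print
        fi
    done | sort
}

# Print PHP-type files inside uploads, whatever their age. Assumption: this
# site's uploads directory is meant to hold media only.
php_in_uploads() {
    root=$1
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
    fi
}

# Run both checks when a site path is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "== Modified in the last ${2:-7} day(s) =="
    recent_changes "$1" "${2:-7}"
    echo "== PHP files under wp-content/uploads =="
    php_in_uploads "$1"
fi
```

Save the output alongside your screenshots as part of the evidence record. Modification times can be reset by whoever changed a file, so an empty list does not prove the site is clean.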
Cleaning the site
This section is primarily for reference — we strongly recommend letting us handle the actual cleanup rather than doing it yourself. Incomplete cleanup leaves backdoors open.
How hacks typically work
Most WordPress hacks exploit one of three things:
- Outdated plugins or themes — the most common cause. Attackers scan the internet for sites running known-vulnerable versions.
- Weak or reused passwords — attackers try common passwords or ones from data breaches.
- Compromised hosting environments — rare but possible if your host has a security issue.
What a thorough cleanup involves
- Replacing all core WordPress files with fresh copies from WordPress.org
- Scanning every theme and plugin file for injected code
- Checking the database for injected spam links, redirect scripts, and admin backdoors
- Removing all unauthorized user accounts and application passwords
- Updating all passwords (WordPress, hosting, FTP/SFTP, database)
- Updating all plugins, themes, and WordPress core to current versions
- Reviewing and hardening file permissions
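Before core files are replaced with fresh copies, it helps to record which ones were altered. This added example (not part of the original guide) compares a site's wp-admin and wp-includes directories against an unpacked fresh copy of the same WordPress version; the function name and output labels are illustrative, and both paths are ones you supply.

```shell
#!/bin/sh
# Added example (not the original guide's code). Read-only comparison.
# Usage: sh core_diff.sh /path/to/site /path/to/fresh-wordpress
# (core_diff.sh is a placeholder name; the fresh copy must be the same
# WordPress version as the site, downloaded from WordPress.org.)

# Report core files that differ from, are absent from, or are missing
# relative to the fresh copy. Only wp-admin and wp-includes are compared,
# because wp-content is site-specific and has no reference copy.
core_diff() {
    site=$1
    fresh=$2
    for dir in wp-admin wp-includes; do
        # Pass 1: files on the site that are changed or not part of core.
        find "$site/$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
            rel=${f#"$site"/}
            if [ ! -f "$fresh/$rel" ]; then
                printf 'EXTRA    %s\n' "$rel"
            elif ! cmp -s "$f" "$fresh/$rel"; then
                printf 'MODIFIED %s\n' "$rel"
            fi
        done
        # Pass 2: core files that the site no longer has.
        find "$fresh/$dir" -type f 2>/dev/null | sort | while IFS= read -r f; do
            rel=${f#"$fresh"/}
            if [ ! -f "$site/$rel" ]; then
                printf 'MISSING  %s\n' "$rel"
            fi
        done
    done
}

# Run the comparison when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    core_diff "$1" "$2"
fi
```

Sites with WP-CLI installed can get a similar report from `wp core verify-checksums`, which checks core files against the official checksums.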
DIY cleanup has a high failure rate
The most common reason sites get re-hacked is incomplete cleanup. Attackers often install multiple backdoors, so removing one visible infection while missing a hidden one means the attacker simply returns. Professional cleanup is worth it.
Restoring from a backup
If the damage is extensive, restoring from a clean backup is often faster than cleaning individual files.
Identify the last clean backup. This should be from before the hack started — not necessarily before you noticed it. Hacks are often present for days or weeks before they're detected.
Restore the backup to a staging environment first. Don't restore directly to the live site until you've verified the restored version is actually clean. Your hosting provider can help with this.
Scan the restored site for malware before going live. A backup made after the attacker gained access may contain infected files.
Restore to the live site once the staging version is confirmed clean. See restoring your site from a backup.
First week: hardening after recovery
Once the site is clean and live, these steps prevent a repeat.
Update everything. WordPress core, all plugins, and your theme should all be on their latest versions. See WordPress updates explained.
Enable two-factor authentication on all WordPress admin accounts. See turning on two-factor login.
Install a security plugin (if you don't have one). Wordfence and Sucuri both offer real-time firewall protection and ongoing malware scanning. See securing your WordPress site.
Enable automated daily backups if you weren't already running them. Weekly backups may mean losing seven days of content in a worst-case scenario.
Request a Google review. If Google flagged your site as dangerous in search results, you can request a review through Google Search Console once the site is clean. Google typically reviews within a few days.
Review all plugin and theme licenses. Nulled (pirated) plugins and themes are a leading source of WordPress infections. Remove any software that wasn't purchased from a legitimate source.
Write a brief incident record. Document what happened, when, how you found it, what the likely cause was, and what you've changed. This is useful for your team, for insurance, and for future reference.
What we do to help
When you contact us after a hack, here is what we do:
- Triage and assess — we look at the site and identify the infection type and likely entry point.
- Full malware cleanup — we remove all infected files, database injections, and backdoors.
- Restore from backup if needed, with staging verification.
- Update and harden — we update all software and apply security best practices.
- Monitor for 30 days — we watch for any signs of re-infection.
- Communicate with you at every step so you're never in the dark.
Related guides
- Your website disaster recovery plan
- What to do if your site is hacked
- Securing your WordPress site
- How backups work
- Restoring your site from a backup
- Malware & your website explained
- WordPress updates explained