Chykalophia Docs

What to do if your site is hacked

A calm, step-by-step guide to recovering your website after a hack — what to do first, how to clean up, and how to prevent it happening again.

Tags: security, wordpress, troubleshooting, intermediate

Discovering your website has been hacked is alarming. Please take a breath. This happens to businesses of all sizes, and it is almost always recoverable. The most important thing right now is to act calmly and methodically — rushing causes mistakes.

This guide walks you through exactly what to do, in order.

Quick summary

First: don't panic, and don't make random changes. Take your site offline if possible, gather information about what happened, restore from a clean backup if you have one, or get professional help to clean the malware. Then change every password that could have been involved, and figure out how the attacker got in so you can close that door.

How to know if your site has been hacked

Common signs include:

  • Visitors are redirected to a different website
  • Your browser or Google shows a security warning
  • You see pages, posts, or files you didn't create
  • Your hosting provider or security plugin sent an alert
  • Google Search Console shows a "This site may be hacked" message
  • Customers report seeing unusual content or being redirected
  • Your site is suddenly running very slowly or sending spam

Step 1: Stay calm and don't make random changes

When you're stressed, it's tempting to start clicking around, deleting things, or trying multiple fixes at once. Resist this. Random changes can make it harder to diagnose what happened and may erase evidence.

Write down what you observed and when. This information helps you or a professional understand the scope of the breach.

Step 2: Take your site offline temporarily

Putting your site into maintenance mode prevents visitors from being exposed to malicious content while you work on a fix.

  • In WordPress: many security plugins have a "maintenance mode" option, or you can use a dedicated maintenance plugin
  • Through your hosting control panel: your host may allow you to suspend or take your site offline
  • Ask us and we can do this for you

Step 3: Don't change passwords yet (do this at the right time)

Wait until after you have secured the site before changing passwords. If malware is still present and has a backdoor, changing passwords doesn't help — the attacker still has access via the malware.

Password changes come after cleanup.

Step 4: Restore from a clean backup if you have one

This is the fastest recovery path. If your hosting provider keeps daily backups (most managed WordPress hosts do), restoring to a backup from before the hack is often the cleanest solution.

Identify the approximate date the hack occurred. Look at when unusual files appeared, when your traffic changed, or when the first complaints came in.

Choose a backup from before that date. You want a clean backup — one made before the malware was introduced.

Restore the backup in a staging environment first, if your host supports this. Confirm the restored site is clean before pushing it live.

After restoring, immediately change all passwords (see Step 7 below) and apply all pending updates.

See "Why backups are your safety net" for why maintaining recent backups is so important.

Step 5: If you don't have a clean backup, get professional help

Manually cleaning a hacked WordPress site requires expertise. Attempting it without that expertise often results in missing hidden backdoors — and the site gets hacked again within days.

Contact us immediately. We can coordinate professional malware removal. Companies such as Sucuri and Wordfence also offer malware removal as a service.

Don't try to patch around it

Deleting files you find suspicious but not doing a full scan often leaves backdoors in place. A thorough scan and clean is the only reliable approach.

Step 6: Identify and close the entry point

After your site is clean, you need to understand how the attacker got in — otherwise they (or someone else) will get in again the same way.

Common entry points:

  • Outdated plugin or theme with a known vulnerability — the most common cause
  • Weak or reused password on an admin account
  • Compromised web hosting credentials
  • Abandoned plugin that is no longer maintained
  • File upload vulnerability in a form or plugin

Your hosting provider's security logs, or a security plugin's log, may show the attack path. A professional cleanup service will typically identify this as part of their work.

Step 7: Change every password

Once the site is confirmed clean:

  • Change your WordPress admin password for every admin account.
  • Change your hosting account password.
  • Change your FTP/SFTP password if you use it.
  • Change your database password (your host or developer can help with this).
  • If your email was involved, change that too. Check for any forwarding rules or access grants you didn't create.
  • Enable two-factor authentication on everything that supports it.

Step 8: Remove and review user accounts

In WordPress, go to Users → All Users and review every account. Delete any you didn't create. Change the roles of any that have more access than they need.

Step 9: Update everything

Update WordPress core, all themes, and all plugins to their latest versions. Deactivate and delete any plugins or themes you are not actively using.
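For the account review in Step 8 and the plugin cleanup in Step 9, here is an added example of a WP-CLI audit script (not part of this guide or Chykalophia's own tooling). It assumes WP-CLI is installed on the server and is run from the site root; the EXPECTED_ADMINS list is a constructed placeholder you replace with your own administrators.

```shell
# Administrator logins you expect to exist, one per line.
# Constructed example; replace with your own site's list.
EXPECTED_ADMINS="alice
bob"

# Step 8 check. Reads the CSV produced by
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# on stdin and prints every administrator that is not on the expected list,
# with its registration date so you can see whether it appeared around the hack.
unexpected_admins() {
  expected="$1"
  tail -n +2 | while IFS=, read -r login registered; do
    if ! printf '%s\n' "$expected" | grep -qx -- "$login"; then
      printf '%s (registered %s)\n' "$login" "$registered"
    fi
  done
}

# Step 9 check. Reads the CSV produced by
#   wp plugin list --fields=name,status,update --format=csv
# on stdin and prints one to-do line per plugin: inactive plugins should be
# deleted (unused code is still reachable by attackers), active ones with a
# pending update should be updated.
plugin_review() {
  tail -n +2 | while IFS=, read -r name status update; do
    if [ "$status" = inactive ]; then
      printf 'DELETE %s (inactive)\n' "$name"
    elif [ "$update" = available ]; then
      printf 'UPDATE %s (update available)\n' "$name"
    fi
  done
}

# Run both checks against the live site when WP-CLI is present
# (for example: `sh audit.sh` from the site root after cleanup).
if command -v wp >/dev/null 2>&1; then
  wp user list --role=administrator --fields=user_login,user_registered --format=csv \
    | unexpected_admins "$EXPECTED_ADMINS"
  wp plugin list --fields=name,status,update --format=csv | plugin_review
  # To apply the updates themselves (Step 9):
  #   wp core update && wp plugin update --all && wp theme update --all
fi
```

Review the printed lines by hand before deleting or updating anything; the script only reports, it never changes the site.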

Step 10: Submit for review if Google flagged your site

If Google marked your site as dangerous, visitors will see a warning in search results and in their browser. Once your site is clean, you need to request a review:

  • Log into Google Search Console for your site.
  • Go to the Security Issues report.
  • Review the issues listed, confirm they are resolved, and click Request Review.

Google typically responds within a few days. The warning is removed once they confirm the site is clean.


Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.

