How to recover from a hacked website
Step-by-step guide to recovering from a website hack or compromise: contain the damage, identify the attack vector, clean the infection, restore security,
A hacked website can take many forms: injected spam links, redirects to malicious sites, defacement, data theft, or your server sending spam. Quick action limits the damage. Stay calm and work through this guide step by step.
Signs your site was hacked
- Your site redirects visitors to a different URL
- Google Search Console shows "Deceptive site ahead" or a malware warning
- Google search results show spam content for your domain
- Visitors report seeing ads, popups, or strange content you didn't add
- Your site is suspended by UnderHost for sending spam or hosting malware
- You see unfamiliar admin accounts or files you didn't create
- Your hosting disk usage suddenly increased without explanation
Step 1: Contain the damage
- Change all passwords immediately: cPanel password, all WordPress admin passwords, database passwords, FTP passwords, and CustomerPanel password
- Revoke unknown admin accounts: in WordPress Admin → Users, delete any users you don't recognize
- Take the site offline temporarily if it's actively harming visitors: add a maintenance page via .htaccess to prevent further exposure while you clean it
- Take a snapshot/backup of the current state before cleaning, because you may need the evidence to understand how the attack happened
Step 2: Assess the damage
- Check Google Search Console for any security alerts or manual actions
- Use cPanel → Error Logs to look for suspicious script activity
- Scan with Sucuri SiteCheck to identify malware signatures
- Check file modification times: in cPanel File Manager, sort by Date Modified. Files modified recently may be infected
- Look for unknown files in public_html, especially PHP files with names like wp-options.php, adminer.php, or random strings
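The file checks in Step 2 can also be run from a shell instead of File Manager. The script below is an added example, not UnderHost tooling; it assumes SSH or Terminal access to the account and a WordPress site in the directory you pass it, and the function names are made up for this illustration. It only reads and lists files.

```shell
#!/bin/sh
# Added example: read-only triage of a WordPress document root.
# Assumption: the whole site lives in one directory (e.g. public_html) passed as $1.

# Top-level PHP files shipped by WordPress core; compare with a fresh download.
CORE_ROOT_PHP="index.php wp-activate.php wp-blog-header.php wp-comments-post.php \
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php \
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# PHP files modified within the last N days (default 7).
# Modification times can be reset by whoever wrote the file, so an empty
# result here is not proof of a clean site; use the other two checks as well.
recent_php() {
    docroot=$1; days=${2:-7}
    find "$docroot" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sort
}

# PHP-like files under wp-content/uploads. This directory normally holds media,
# so anything listed here deserves a manual look.
uploads_php() {
    up="$1/wp-content/uploads"
    [ -d "$up" ] || return 0
    find "$up" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# PHP files in the top level of the docroot that are not WordPress core files,
# e.g. names like wp-options.php or adminer.php.
unknown_root_php() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case " $CORE_ROOT_PHP " in
            *" $name "*) ;;                 # known core file, skip
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Usage: sh triage.sh ~/public_html [days]
if [ "$#" -ge 1 ]; then
    echo "== PHP modified in the last ${2:-7} days =="; recent_php "$1" "${2:-7}"
    echo "== PHP under wp-content/uploads ==";          uploads_php "$1"
    echo "== Non-core PHP in site root ==";             unknown_root_php "$1"
fi
```

Run it against the snapshot from Step 1 as well as the live site, so the listing reflects the state before any cleanup.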
Step 3: Clean and restore
Option A: Restore from a clean backup (fastest and most reliable)
- Identify a backup from before the compromise (using Backuply or your own downloaded backups)
- Restore the backup
- Immediately change all passwords after restoring
- Check whether the backup itself is clean: if the site was compromised months ago, old backups may also be infected
Option B: Manual cleanup
- Reinstall WordPress core from a fresh download (don't restore wp-config.php, plugins, or themes from the infected site)
- Reinstall each plugin from the official repository; don't restore plugin files from the infected installation
- Scan all uploaded files (wp-content/uploads) with a malware scanner
- Remove any injected code found in theme files
Step 4: Close the entry point
Understanding how the attacker got in prevents re-infection:
| Common entry point | How to close it |
|---|---|
| Vulnerable plugin or theme | Update or delete the vulnerable plugin/theme; check CVE databases |
| Weak/stolen admin password | Use a strong unique password; enable 2FA |
| Nulled/pirated plugin or theme | Remove immediately; never use nulled software, as it usually contains backdoors |
| Compromised FTP/SSH credentials | Change credentials; check for keyloggers on your local machine |
| File upload vulnerability | Restrict file upload types; update the vulnerable plugin |
Step 5: Prevent recurrence
- Enable automatic WordPress core and plugin updates (see Keeping WordPress updated)
- Install a security plugin (Wordfence or Sucuri); it monitors files and blocks attacks
- Enable two-factor authentication on WordPress admin (see 2FA guide)
- Take regular backups: daily database + weekly full backup
- Review and remove inactive plugins and themes to reduce the attack surface
- Ask Google to re-crawl your site after cleaning: in Google Search Console → URL Inspection → Request Indexing
Need expert help?
Our security team offers hacked site recovery and malware cleanup services.





















