Explore Our Digital Marketing Resources & Guides

My Website Was Hacked. What Do I Do? A DIY Recovery Guide

Finding out your website has been hacked is stressful. Maybe Google is warning visitors that your site is dangerous. Maybe your website redirects to spam. Maybe your WordPress dashboard has users you do not recognize. Or maybe a customer told you, “Your website has a virus.”

Step 1: Take a breath.

A hacked website can usually be cleaned up, but the most important thing is to move carefully. Deleting random files, installing five security plugins, or restoring an old backup without understanding the vulnerability can make the problem harder to fix.

This guide will walk you through how to check if your website is hacked, what to do first, what you may be able to fix yourself, and when it is time to contact a web developer or security professional.

Google’s Search Console documentation groups common website security issues into hacked content, malware or unwanted software, and social engineering, all of which can affect how your site appears in search results or whether browsers show warnings to visitors.

How you should handle a web hack depends entirely on the type of hack that occurred and what the source of the hack is.

First: Contact Your Web Developer Immediately

This one may feel obvious. If you already have a web developer, hosting partner, or website maintenance provider, contact them right away.

If you are here reading this, there is a good chance you do not have a dedicated web resource on call. That is common, especially for small businesses with older WordPress sites, inherited websites, or sites that have not been actively maintained.

A developer can help you evaluate the technical side of the issue without accidentally breaking the site. Malware cleanup often involves checking source code, server configuration files, database records, user accounts, plugins, themes, redirects, and hosting logs. Some of those checks are safe for a business owner to review. Others can take the site offline if handled incorrectly.

That is why this guide starts with less technical checks and gradually moves into more advanced troubleshooting.

Step 1: Confirm Whether Your Website Was Actually Hacked

Not every website issue is a hack. A broken plugin, expired SSL certificate, DNS issue, or hosting outage can look scary without being malware.

That said, you should treat the issue seriously if you notice any of these signs:

  • Your website redirects to spam, adult content, fake stores, gambling pages, or unrelated websites.
  • Google shows “This site may be hacked” or “This site may harm your computer.”
  • Chrome, Safari, Firefox, antivirus tools, or your hosting provider warn that your site has malware.
  • New pages appear in Google search that you did not create.
  • Your WordPress site has unknown admin users.
  • Your homepage has been defaced or replaced.
  • Your website sends visitors to a fake browser update page.
  • Your site is sending spam emails.
  • You cannot log in to WordPress.
  • Your site keeps getting hacked even after you “clean” it.

WordPress.org lists several clear indicators of compromise, including search engine blacklisting, malware warnings, unauthorized user creation, visible defacement, and reports that the website is being used to attack other sites.

Quick DIY checks

Start with these safer checks:

  1. Check Google Search Console.
    Look under Security & Manual Actions → Security Issues. Google may show examples of affected URLs and the type of issue detected.
  2. Check Google Safe Browsing.
    Use Google’s Safe Browsing site status tool to see whether Google considers your domain unsafe.
  3. Search Google for indexed spam pages.
    Try searches like:
    • site:yourdomain.com
    • site:yourdomain.com pharmacy
    • site:yourdomain.com casino
    • site:yourdomain.com "viagra"
    • site:yourdomain.com "cheap jerseys"
  4. Look at your WordPress users.
    In WordPress, go to Users and look for unfamiliar admin accounts.
  5. Review recent plugin and theme changes.
    Look for plugins you did not install, abandoned plugins, nulled themes, or recently added “utility” plugins with vague names.
  6. Ask your host if they detected malware.
    Hosts often have logs, malware scanner results, or abuse reports that the site owner cannot access.

Avoid repeatedly opening suspicious pages in your normal browser. Google’s malware guidance warns that opening infected pages directly can expose your computer to malicious content; safer diagnosis often uses tools like Search Console, URL Inspection, cURL, or Wget.Common Types of Malware

Step 2: Take a Snapshot Before You Start Cleaning

Before you delete anything, make a backup of the current site, even if it is infected.

That may sound backward, but an infected backup can be useful. It gives your developer a reference point, helps identify what changed, and gives you something to restore if cleanup efforts accidentally remove legitimate content.

At minimum, back up:

  • Website files
  • WordPress database
  • wp-content folder
  • Uploads/media library
  • Theme files
  • Plugin list
  • Server configuration files, such as .htaccess
  • Any logs your host can provide

Label this backup clearly as infected so no one restores it later by mistake.

Google’s cleanup guidance also recommends preserving copies when no clean backup exists, then cleaning from a controlled copy rather than randomly changing the live site.

Step 3: Put the Site in a Safer State

Your goal is to protect visitors while you diagnose the problem.

Depending on the severity, you may need to:

  • Put the site into maintenance mode.
  • Temporarily restrict access by IP address.
  • Ask your host to quarantine the site.
  • Disable suspicious plugins.
  • Pause ads that are sending traffic to the infected site.
  • Notify your team not to log in until passwords and devices are checked.

Do not simply add noindex to everything unless you understand the SEO impact. If Google has already flagged the site, your priority is to clean the site, correct the vulnerability, and request review after the site is safe and crawlable.

Google’s review guidance says that before requesting review, the site should be cleaned, the vulnerability corrected, and the clean site brought back online. It also notes that pages must be available to Googlebot so Google can verify they are clean.

Step 4: Change Passwords — But Do It in the Right Order

Change passwords early to stop obvious unauthorized access, but know this: if malware, backdoors, or stolen sessions are still present, attackers may regain access.

Start by changing:

  • WordPress admin passwords
  • Hosting control panel password
  • FTP/SFTP password
  • Database password
  • Domain registrar password
  • Email account passwords connected to the site
  • Any shared team passwords
  • Passwords reused anywhere else

Enable multi-factor authentication wherever possible.

For WordPress, also review all administrator accounts and remove any users you do not recognize. WordPress.org specifically recommends improving access controls, changing all access points such as FTP/SFTP, WP Admin, hosting control panels, and MySQL, and considering two-factor or multi-factor authentication.

After the site is clean, change the passwords again.

Why twice? If the attacker still has a backdoor during the first password reset, they may capture or bypass the new credentials. The second reset happens after cleanup and hardening.

Step 5: Scan Your Local Devices

This is easy to overlook.

Sometimes the website itself was not the original problem. The attacker may have stolen credentials from an infected computer used to log in to WordPress, hosting, FTP, or email.

Run malware scans on:

  • Your computer
  • Any employee computer used to update the website
  • Any contractor computer with admin access
  • Devices that store FTP, hosting, or WordPress passwords

Google’s vulnerability guidance notes that an infected administrator computer can allow attackers to capture site admin keystrokes, and it recommends scanning administrator systems and devices used to update or post to the site.

Also check whether your email address or reused passwords have appeared in known breaches. Have I Been Pwned’s Pwned Passwords tool explains that password reuse puts accounts at risk because exposed credentials can be used to access other accounts.

Step 6: Identify the Vulnerability

Cleaning malware without finding the entry point is like mopping up water while the pipe is still leaking.

Common ways websites get hacked include:

Outdated WordPress core, plugins, or themes

Old software is one of the most common issues we see. WordPress itself is actively maintained, but plugins and themes can become vulnerable if they are abandoned or not updated.

WordPress’s hardening documentation states that older WordPress versions are not maintained with security updates and that keeping WordPress up to date is one of the primary reasons sites remain secure.

Weak or reused passwords

If an admin password was reused from another breached account, an attacker may not need to “hack” the website at all. They can simply log in.

Unknown or abandoned plugins

Old contact form plugins, sliders, page builders, backup plugins, file managers, and custom theme tools are frequent suspects because they often have broad access to the site.

Insecure file permissions

Overly permissive file permissions can let attackers modify files they should not be able to touch. WordPress recommends locking file permissions down as much as possible and only loosening permissions when needed.

Compromised admin computer

If a computer with saved passwords is infected, attackers may steal credentials and log in normally.

Shared hosting issues

On some low-cost shared hosting setups, one compromised site can create risk for other sites on the same account or server.

SQL injection or unsafe custom code

Poorly protected forms, search fields, URL parameters, or custom scripts can allow attackers to inject malicious commands or content into the site’s database. Google’s hacked-site guidance lists SQL injection, open redirects, weak passwords, infected admin devices, and outdated software as vulnerabilities to investigate.

Possible entry pointHow it leads to injected JavaScript
Compromised WordPress admin accountAttacker logs in, edits theme files, adds a malicious plugin, changes widgets/theme options, or inserts script into page/post content.
Vulnerable plugin or themeA plugin/theme bug allows file upload, option modification, remote code execution, or admin-user creation. Then the attacker adds the JS loader.
Fake or malicious pluginAttacker installs a plugin that looks harmless but hooks into WordPress output and injects JS into every page. Proofpoint specifically observed a fake WordPress plugin used this way in 2026. (Proofpoint)
Modified theme filesMalicious code is placed in header.php, footer.php, functions.php, or theme include files so it appears in page output.
Must-use plugin / hidden loaderIn WordPress, malware can hide under wp-content/mu-plugins/ and auto-load without looking like a normal plugin.
FTP/SFTP/cPanel/hosting compromiseStolen hosting credentials let the attacker directly edit PHP/JS files.
Database injectionThe script is stored in wp_options, theme options, page builder content, widgets, or posts, so cleaning files alone does not remove it.
Shared hosting contaminationAnother compromised site on the same hosting account/server writes into this site’s files.
Server-level compromiseLess common, but an attacker with deeper server access can inject through Apache/Nginx/PHP configuration, cache files, or auto_prepend_file.

Step 7: Understand Common Types of Website Malware

The cleanup process depends on what kind of hack you are dealing with.

Malicious redirects

This is when your website redirects visitors to spam, scam, malware, or fake update pages. Sometimes it only happens on mobile. Sometimes it only happens when visitors come from Google. Sometimes it does not happen when you are logged into WordPress, which makes it harder to detect.

Google’s malware documentation notes that attackers may use redirects in server configuration files such as .htaccess or httpd.conf.

Code injection

Attackers may inject malicious JavaScript, iframes, PHP, or obfuscated code into theme files, plugin files, database content, or WordPress core files.

Suspicious terms developers often search for include:

  • eval
  • base64_decode
  • unescape
  • iframe
  • suspicious < script > tags
  • long unreadable encoded strings
  • unknown external JavaScript files

Google’s documentation lists code injection examples such as hidden iframes, malicious JavaScript, redirect scripts, and obfuscated code.

Spam page injection

Hackers may create hundreds or thousands of spam pages on your domain. These pages often target keywords related to pharmaceuticals, gambling, counterfeit goods, fake support, or adult content.

Backdoors

A backdoor is hidden code that lets an attacker regain access after you remove the obvious malware. Backdoors are a major reason a WordPress site keeps getting hacked after cleanup.

Fake browser update malware

This is where your website shows visitors a fake Chrome, Edge, Firefox, or browser update prompt. The visitor thinks they are updating software, but they are actually downloading malware.

Phishing pages

Attackers may add fake login pages to collect usernames, passwords, credit card numbers, or personal information.

Malicious downloads

Your website may be used to host or link to harmful downloads, even if you never intended to offer downloads.

A Note on SocGholish / FakeUpdates Malware

One malware chain worth knowing about is SocGholish, also called FakeUpdates.

SocGholish is known for using compromised legitimate websites, often WordPress sites, to show fake browser or software update prompts. MITRE describes SocGholish as JavaScript-based loader malware used for initial access, commonly through drive-by downloads disguised as software updates.

This matters because your site may not look hacked at first glance. Instead, visitors may see a fake update prompt, click it, and unknowingly install malware. That can damage your reputation and expose your visitors to risk.

In June 2026, reporting on Operation Endgame said authorities and partners disrupted SocGholish infrastructure and cleaned 14,971 infected WordPress sites. Malwarebytes reported that Dutch authorities urged affected site owners to update WordPress, enable MFA, and change passwords.

If someone reports that your site is showing fake browser updates, treat it as urgent. We have seen this particular web hack more frequently recently so wanted to spotlight it.

Step 8: Clean the Website

Cleanup depends on your access level, your platform, and whether you have a clean backup.

If you have a clean, recent backup

A clean backup is usually the fastest path, but only if it was created before the hack.

Do not restore the backup and stop there. You still need to:

  • Update WordPress core.
  • Update all plugins and themes.
  • Remove unused plugins and themes.
  • Replace compromised passwords.
  • Remove unknown users.
  • Check for backdoors.
  • Patch the vulnerability that allowed the hack.
  • Scan the restored site.
  • Confirm the site is clean in Search Console.

Google’s cleanup guidance says that when restoring a clean current backup, you should also install upgrades, remove unused software, correct the vulnerability, address all known issues, and change passwords again.

If your backup is old

You may be able to restore the backup, then carefully bring over clean content created after that backup date. This is more complex because blog posts, orders, form entries, customer records, or media files may have changed.

If you do not have a backup

A developer may need to manually clean the site by:

  • Comparing files against known-good WordPress core files.
  • Reinstalling WordPress core.
  • Replacing plugin and theme files from trusted sources.
  • Searching for malicious code.
  • Cleaning database records.
  • Removing unknown admin users.
  • Reviewing .htaccess, wp-config.php, index.php, functions.php, header.php, and footer files.
  • Checking uploads folders for executable files.
  • Removing hidden backdoors.
  • Reviewing file modification dates.
  • Checking server logs.

This is where many DIY cleanups stall. If you are uncomfortable reading PHP, JavaScript, server configuration, or database records, it is safer to ask for help.

Step 9: Update and Harden the Site

Once the malware is removed, the job is not done. You need to reduce the chance that the site gets hacked again.

At minimum:

  • Update WordPress core.
  • Update all plugins and themes.
  • Delete unused plugins and themes.
  • Replace abandoned plugins.
  • Use strong, unique passwords.
  • Enable MFA for administrators.
  • Limit admin access to people who truly need it.
  • Disable file editing inside WordPress.
  • Use secure hosting.
  • Use SFTP instead of FTP.
  • Set appropriate file permissions.
  • Add a web application firewall if appropriate.
  • Set up uptime monitoring.
  • Set up malware monitoring.
  • Set up file change monitoring.
  • Schedule automated backups.
  • Store backups off-server.
  • Test backups regularly.

WordPress’s hardening guide frames security as risk reduction, not risk elimination, and emphasizes limiting access, containment, preparation, backups, logging, and monitoring.

Step 10: Request a Review From Google

If Google flagged your website, cleaning the site does not automatically remove the warning immediately.

After the site is clean:

  1. Open Google Search Console.
  2. Go to Security Issues.
  3. Confirm all listed issues have been fixed.
  4. Click Request Review.
  5. Explain what happened, what you removed, what vulnerability you fixed, and what you changed to prevent reinfection.

Google says a strong review request explains the exact issue, describes the steps taken to fix it, and documents the outcome.

Review timing varies. Google says malware reviews may take a few days, while hacked spam reviews can take up to several weeks.

Why Your Website Keeps Getting Hacked

If your website keeps getting hacked, it usually means one of these is still true:

  • The original vulnerability was never fixed.
  • A backdoor was missed.
  • An admin password is still compromised.
  • A plugin or theme is still vulnerable.
  • The site is running outdated software.
  • File permissions are too loose.
  • Another site on the hosting account is infected.
  • A developer, vendor, or employee account is compromised.
  • Monitoring is not in place, so reinfections are discovered late.

This is the point where a professional diagnosis can save time. A surface-level cleanup may remove the visible spam or redirect, but a deeper diagnosis looks for how the attacker got in and how to prevent it from happening again.

When to Hire a Professional

You may be able to fix a hacked website yourself if the issue is simple, you have a clean backup, and you are comfortable working with hosting, WordPress, files, and databases.

You should contact a professional if:

  • Your website redirects to spam.
  • Google or browsers show malware warnings.
  • Your WordPress site keeps getting hacked.
  • You cannot access the WordPress dashboard.
  • Unknown admin users keep coming back.
  • You found suspicious PHP or JavaScript.
  • You do not know which backup is clean.
  • You run ecommerce, bookings, memberships, or collect customer data.
  • Your site is old, heavily customized, or no longer maintained.
  • You cleaned it once and the malware returned.

A hacked site is often a symptom of a larger maintenance problem. In our experience, many hacked websites are running on old themes, outdated plugins, weak hosting, missing backups, and no active monitoring.

In some cases, cleanup and hardening are enough. In other cases, the smarter long-term move is a rebuild on a modern, maintainable foundation.

Should You Rebuild After a Website Hack?

Not always.

A rebuild may be worth considering if:

  • Your site is several years old.
  • The theme is abandoned.
  • Key plugins are no longer maintained.
  • The site has been hacked more than once.
  • The site is slow, unstable, or hard to update.
  • No one knows how the site was built.
  • The original developer is no longer available.
  • You rely on the website for leads, sales, or customer trust.
  • Cleanup would cost nearly as much as rebuilding properly.

A rebuild should not be a scare tactic. It should be a practical recommendation when the current site is too fragile, outdated, or expensive to maintain safely.

Need Help Diagnosing a Hacked Website?

If your website was hacked and you are not sure what to do next, we can help.

Start with the DIY checks in this guide. If you are able to confirm the issue and clean it safely, great. If you get stuck, if the malware comes back, or if you are worried about breaking the site, contact us for a hacked website diagnosis.

We can help identify the issue, determine how the site was compromised, clean up what we can, and recommend the best next step — whether that is hardening the current site or rebuilding on a safer, more maintainable platform.

Need help with a hacked website? Contact First Call Digital for a website malware diagnosis.

FAQ: Hacked Website Questions

How do I know if my website was hacked?

Common signs include unexpected redirects, Google warnings, browser malware warnings, unknown WordPress admin users, spam pages in search results, changed homepage content, suspicious popups, or reports from visitors that your website has a virus.

How do I check if my website has malware?

Start with Google Search Console’s Security Issues report, Google Safe Browsing, your hosting provider’s malware scanner, and a review of your website files, database, users, plugins, and redirects. If you are not technical, ask a developer to help before editing files.

My WordPress site was hacked. What should I do first?

Document the symptoms, back up the current site, contact your host or developer, change key passwords, check Google Search Console, review admin users, and identify whether the problem is malware, spam pages, redirects, phishing, or code injection.

Why does my website redirect to spam?

Spam redirects are often caused by malicious code injected into WordPress files, plugins, themes, the database, or server configuration files like .htaccess. Some redirects only trigger for mobile users or visitors coming from Google, which makes them harder to detect.

Can I fix a hacked WordPress site myself?

Sometimes. If you have a clean backup, basic WordPress knowledge, and the issue is simple, you may be able to restore, update, and harden the site. If the site keeps getting hacked, has hidden redirects, contains suspicious PHP, or affects customer data, it is safer to hire a professional.

Why does my WordPress site keep getting hacked?

Usually, the original vulnerability was not fixed, a backdoor was missed, a plugin or theme is still vulnerable, passwords are compromised, or the hosting environment has a larger issue.

How long does it take Google to remove a hacked site warning?

Google says malware reviews can take a few days, while hacked spam reviews may take up to several weeks. After approval, warnings are typically removed after Google verifies the site is clean, though there can be delays while systems update.

Should I rebuild my website after it was hacked?

You do not always need a rebuild. But if your site is old, unmonitored, built on abandoned plugins or themes, repeatedly infected, or difficult to maintain safely, a rebuild may be the best long-term solution.

Ready to Stop Guessing and Start Winning?

Our team is ready to help your business get SWOL. Don’t just sit around waiting for change to happen. 

Make it happen.

First Call Digital Agency

First Call Digital Agency provides comprehensive marketing solutions that include presence audits, web builds, targeted advertising, social media management, and complete branding and campaign strategies.