My Site Got Hacked - What Do I Do?

You've discovered that your site has been hacked. Maybe Google showed the warning "This site may harm your computer", maybe visitors are being redirected to a strange page, or you noticed unknown files on the server. Whichever way you found out, panic is understandable - but it's important to react quickly and methodically. This guide walks you through every step from detection to full recovery and prevention of future attacks.

How to recognize that a site has been hacked?

There are several signs of a hack. A Google warning in search ("This site may be dangerous") is the most obvious sign. Visitors being redirected to other sites (usually to gambling or pharmaceutical sites) is a common consequence of a hack. Unknown content on the site - spam pages, links to suspicious sites, or changed appearance. Significantly slower site loading can indicate cryptocurrency mining (cryptojacking). Unknown users in the WordPress admin panel. Suspicious files on the server with strange names. An email from your hosting provider about suspicious activity. A drop in Google rankings with no obvious reason.

Step 1: Don't panic, but act immediately

First and most important - don't delete anything and don't change passwords on the hacked site before isolating it. The hacker may still have access and can see every action you take. Instead, write down everything you notice - which pages are affected, when you first noticed the problem, whether you received any notification. This information will be useful for analysis and cleanup.

Step 2: Put the site in maintenance mode

Take the site offline to protect visitors from malware and prevent further damage. In cPanel you can rename the public_html folder or set up a maintenance page. If you use WordPress, you can create a .maintenance file in the root folder. On BeoHosting, contact support and we'll help you quickly isolate the site without data loss. It's important that the site is inaccessible until cleaned - Google will keep marking it as dangerous as long as the malware exists.

Step 3: Change all passwords from another device

From ANOTHER device (not the computer you used to access the site, since it may be compromised), change the following passwords: cPanel access, FTP accounts, SSH keys, database (MySQL user), WordPress admin account, email accounts on the domain, and the hosting account. Use strong, unique passwords for each account - at least 16 characters with a mix of letters, numbers, and special characters. Use a password manager to store the passwords.

Step 4: Back up the hacked site

Before any cleanup, make a complete backup of the hacked site - files AND database. This sounds counterintuitive, but this backup is for forensic analysis. You can use it to identify how the hacker got in, which files they modified, and whether they left a backdoor. BeoHosting automatically keeps daily backups for up to 120 days back, which means you almost certainly have a clean version of the site from before the hack.

Step 5: Scan the site for malware

Use specialized malware scanning tools. For WordPress, Wordfence (free plugin) is an excellent choice - install it on a clean WordPress installation and scan all files. Sucuri SiteCheck (online tool) can scan the site externally without installation. ImunifyAV on the server (available on BeoHosting) scans all files on the hosting account. Manual review is also important - look for files with strange names, base64-encoded PHP code, and files modified at the time of the hack.

Step 6: Clean the malware

There are two cleanup approaches: manual cleaning and restore from backup. Restore from backup is the faster and more reliable approach. Find the last backup before the hack (check modification dates of suspicious files to determine when the hack started). On BeoHosting, you can restore any backup from the last 120 days through cPanel or by contacting support.

For manual cleanup: delete all unknown files, especially PHP files in upload folders, files with base64_decode, eval, or gzinflate functions, and files with names like "wp-config-sample.php.bak" or "about.php" in unexpected locations. Check the .htaccess file for unknown redirect rules. Check wp-config.php for unknown code at the start or end of the file. Check the database for unknown admin users and suspicious content in posts.

Step 7: Update everything

After cleaning, update absolutely everything: WordPress core to the latest version, all plugins (delete those you don't use), theme (delete inactive themes), PHP version to the latest stable (8.3 or 8.4). Outdated software is the number-one cause of WordPress site hacks. Over 50% of hacked sites used outdated plugins with known vulnerabilities.

Step 8: Strengthen security

Implement the following measures to prevent future attacks. Install a security plugin (Wordfence or Sucuri). Enable two-factor authentication (2FA) for all admin accounts. Change the WordPress database prefix if the default "wp_" is used. Disable PHP execution in the wp-content/uploads folder. Limit login attempts. Hide the wp-admin login page. Set proper file permissions (644 for files, 755 for folders, 600 for wp-config.php). Enable an SSL certificate if not already active.

Step 9: Request a review from Google

If Google has flagged your site as dangerous, you need to request a review after cleanup. Log in to Google Search Console, go to the "Security Issues" section, and click "Request a Review". Describe what you did to clean the site and what measures you took to prevent future attacks. Google usually reviews the request within 72 hours. While the review is in progress, your site will still be flagged as dangerous in search.

Step 10: Monitoring and prevention

After recovery, set up a monitoring system. Configure alerts for file changes on the server (file integrity monitoring). Regularly scan the site for malware (weekly). Monitor access logs for suspicious activity. Set up automatic backups (BeoHosting makes daily backups). Track Google Search Console for security warnings. Regularly update all site components. Consider using a WAF (Web Application Firewall) for additional protection.

Most common ways sites get hacked

Understanding how hackers get in helps with prevention. Outdated plugins with known vulnerabilities are the cause in over 50% of cases. Weak passwords (brute force attacks) are the second most common cause. Outdated themes with code vulnerabilities. Insecure FTP access without encryption. Cross-site scripting (XSS) through forms and comments. SQL injection through insecure plugins. Phishing attacks on site administrators who reveal their passwords. File inclusion vulnerabilities in bad PHP code.

Prevention: Security checklist

Use this list as a monthly check of your site's security. Are all plugins updated to the latest versions? Is the WordPress core updated? Are all passwords strong and unique? Is 2FA enabled for admin accounts? Is the security plugin working and scanning regularly? Are backups functional (try restoring at least once a quarter)? Are unused plugins and themes deleted? Is the PHP version up to date? Are file permissions correct? Is the SSL certificate valid?

When to call a professional?

If the hack is serious (ransomware, compromised database, multiple sites on the same account affected), we recommend hiring a security professional. BeoHosting offers free cleanup assistance for clients on business plans, including forensic analysis, manual malware cleaning, and implementation of security measures. For smaller plans, our support team can help with basic recovery steps.

Conclusion

A site hack is a stressful experience, but with the right approach it can be resolved within a few hours. The key is to act quickly, methodically follow the steps, and after recovery implement prevention measures so it doesn't happen again. On BeoHosting, the combination of daily backups (120 days), ImunifyAV scanning, ModSecurity WAF, and our support team provides multi-layered protection for your site. Read our complete site security guide. If you suspect your site has been hacked, contact our support immediately - quick response is critical.