A practical guide explaining what to do if your website is hacked, how to reduce damage and how to recover safely.
If your website has been hacked, act quickly but carefully. The goal is to protect visitors, stop further damage, clean the website and prevent the same issue happening again.
If your website gets hacked, take it seriously and follow a clear process: restrict access if needed, take a backup for investigation, scan for malware, identify the entry point, remove malicious files, check users and databases, update software, change passwords, restore from a clean backup if suitable, test the website and monitor for reinfection.
Do not simply delete one suspicious file and assume the problem is fixed. A proper cleanup should also close the security weakness that allowed the hack.
A hacked website can feel stressful, especially if visitors are seeing warnings, redirects or strange content. But random changes can make recovery harder. Deleting files without understanding the infection may break the website and leave hidden backdoors behind.
Start by gathering evidence. Note what happened, when it started, what pages are affected, whether customers reported it, and whether the issue appears on all devices or only certain browsers.
If the website is actively harming visitors, redirecting people or showing phishing content, you may need to temporarily restrict access while cleanup happens.
Do not restore an old backup, change random files or delete suspicious code until you understand what happened. If the backup is infected or the entry point remains open, the website may be hacked again.
Some hacks are obvious. Your website may redirect to another site, show spam content, display a browser warning or stop loading. Other hacks are hidden and may only appear in search results, server logs or security scans.
Malware can also behave differently depending on the visitor. The site may look normal to you but redirect first-time visitors, mobile users or search engine traffic.
If customers report strange behaviour, take it seriously even if you cannot reproduce it immediately.
| Warning sign | What it may mean | First thing to check |
|---|---|---|
| Website redirects to another site | Malicious redirect or injected script. | Files, database, plugins, redirects and .htaccess rules. |
| Browser security warning | Site may be flagged for malware or phishing. | Malware scan, blacklist status and recent changes. |
| Unknown pages in Google | Spam pages may have been injected. | Indexed pages, sitemap, database and suspicious files. |
| New admin users appear | Unauthorised account creation. | Website users, hosting users and access logs. |
| Emails send unexpectedly | Compromised script, form or mailbox. | Mail logs, form plugins, SMTP settings and malware scan. |
| Website suddenly slows down | Malware, bot traffic or resource abuse. | Server load, logs, file changes and security scans. |
If the hacked website is redirecting visitors, serving malware, showing phishing pages or exposing sensitive information, the first priority is to reduce harm.
Depending on the issue, you may temporarily place the website in maintenance mode, restrict public access, disable affected forms, pause checkout, or ask your hosting provider for help isolating the site.
If you run an ecommerce, membership or booking website, handle this carefully. Taking the site offline may affect sales, but leaving a harmful site online can damage trust even more.
Choose the action that matches the seriousness of the incident.
It may sound strange to back up a hacked website, but it can be useful. A current backup preserves evidence and gives you something to compare against clean versions.
This backup should not be treated as a clean restore point. It is an investigation copy. Keep it separate and clearly label it as infected or suspicious.
Then look for older backups that were taken before the hack began. If a clean backup exists, it may help restore the site after the entry point has been fixed.
Keep both an investigation backup and potential clean restore points. Do not overwrite your only backup while trying to fix a hacked website.
Run malware scans to identify suspicious files, injected code, redirects, hidden spam pages, backdoors, phishing files and database changes.
External scans can show what visitors or search engines may see. Server-side scans can inspect files inside the hosting account. Database checks can find injected scripts or spam hidden inside content and settings.
For WordPress websites, check core files, plugins, themes, uploads, database options and admin users.
External scan: checks visible pages, redirects, warnings and suspicious public behaviour.
Server-side scan: checks hosting files, scripts, plugins, themes and uploads for malware.
Database check: looks for injected content, spam links, scripts and suspicious settings.
Cleaning the website is only part of the job. You also need to understand how attackers got in. If the entry point remains open, the website may be reinfected.
Common causes include outdated plugins, weak passwords, compromised admin accounts, insecure file uploads, old themes, exposed scripts, unsafe file permissions or stolen FTP/SFTP details.
Check recent changes, login logs, plugin versions, admin users, file timestamps and any newly created accounts.
| Entry point | What to check | How to reduce risk |
|---|---|---|
| Outdated plugin or theme | Version history, known vulnerabilities and file changes. | Update, replace or remove vulnerable software. |
| Weak admin password | Login attempts and admin account history. | Use strong passwords and two-factor authentication. |
| Compromised FTP/SFTP account | File modification times and access logs. | Change credentials and remove unused accounts. |
| Insecure upload form | Uploaded files, form plugins and validation settings. | Restrict file types and update form tools. |
| Old custom script | Legacy folders, unused apps and abandoned code. | Remove unused scripts and patch custom code. |
Malware cleanup should remove the visible infection and hidden access points. This may involve deleting malicious files, cleaning injected code, removing spam pages, fixing redirects, checking database content and replacing modified core files with clean versions.
Be careful when editing files manually. Some suspicious-looking code may be part of a legitimate plugin or theme, while some malware is deliberately hidden inside normal-looking files.
If the website is business-critical, uses ecommerce, stores customer data or has a complex custom setup, professional cleanup may be safer than guessing.
After a hack, assume passwords may be compromised. Change passwords for hosting control panel, website admin users, FTP/SFTP, SSH, database users, email accounts and domain registrar access where relevant.
Review all user accounts. Remove unknown users, old staff accounts, unused developer access and unnecessary admin permissions.
Enable two-factor authentication where possible, especially for hosting, website admin, email and domain registrar accounts.
Once the site is stable enough to work on, update website software, plugins, themes, ecommerce extensions and custom scripts. Remove anything unused, abandoned or no longer trusted.
For WordPress websites, this means checking WordPress core, plugins, themes, upload folders, admin users and plugin settings.
Do not leave old plugins installed "just in case". Unused software can still create risk if it remains on the server.
Remove what you do not use. A smaller, cleaner website setup is usually easier to secure, maintain and recover.
A clean backup can be useful if the website is badly damaged. However, restoring a backup is not always the full solution.
If the backup was taken after the hack began, it may contain malware. If the original vulnerability still exists, the restored site may be hacked again.
Restore only after checking whether the backup is clean and after fixing the entry point where possible.
Some website hacks involve more than website files. Attackers may change DNS records, add redirects, create email accounts, send spam or affect SSL behaviour.
Check that your domain still points to the correct hosting, MX records are correct, SPF/DKIM/DMARC are still present, and SSL is active for the right domain.
Use our DNS Lookup, DNS Propagation Checker and SSL Checker tools to inspect key settings.
After cleanup, test the full website. Check the homepage, key service pages, blog posts, contact forms, checkout, booking forms, logins, redirects, mobile layout and admin area.
Test from more than one browser or network if possible. Some malware only shows for certain visitors, devices or referral sources.
If forms or checkout were disabled during containment, turn them back on carefully and test that notifications arrive.
If search engines, browsers or security tools flagged your website as unsafe, warnings may not disappear instantly after cleanup.
Once the website is clean, you may need to request a review from the relevant service or wait for rescanning. Make sure the infection is fully removed before doing this.
If you request review too early and malware remains, the site may continue to be flagged.
After a hacked website is cleaned, monitor it closely. Reinfection can happen if a backdoor was missed, a vulnerable plugin remains, or credentials were still compromised.
Watch for new suspicious files, strange redirects, unknown users, spam emails, unusual traffic, browser warnings and unexpected changes.
Use our Website Status Checker and Website Page Speed tools to help monitor website health after recovery.
The first few days after cleanup are important. If the same suspicious files return, the original backdoor or vulnerability may still exist.
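One way to watch for returning files during those first days is to record a hash baseline straight after cleanup and compare the site against it later. This is an added example, not part of the original guide; the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(site_root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(site_root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # hashing a link target could read outside the site
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files added, changed or removed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            p for p in set(baseline) & set(current) if baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: one file is altered and one new file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php // clean\n")
        (root / "wp-includes" / "load.php").write_text("<?php // clean\n")
        baseline = build_manifest(root)  # taken right after cleanup
        (root / "wp-includes" / "load.php").write_text("<?php // altered\n")
        (root / "wp-includes" / "cache-old.php").write_text("<?php // new\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest somewhere other than the hosting account, so that anyone with access to the site cannot rewrite it. Expect legitimate changes after software updates and rebuild the baseline once those are verified.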
WordPress websites are often targeted because they are popular and commonly use plugins and themes. If a WordPress website is hacked, check more than the visible pages.
Malware can hide in plugins, themes, uploads, database options, unknown admin users, modified core files and scheduled tasks.
If you run WordPress, suitable hosting and regular maintenance help reduce risk. See our WordPress Hosting options.
| WordPress area | What to check | Why it matters |
|---|---|---|
| Core files | Modified or unexpected WordPress core files. | Core files may be changed to hide malware. |
| Plugins | Outdated, abandoned or unknown plugins. | Vulnerable plugins are a common entry point. |
| Themes | Unused themes and modified template files. | Malware can hide in theme files. |
| Uploads | Executable files or strange scripts in uploads. | Upload folders should not usually contain PHP scripts. |
| Users | Unknown admin users or changed permissions. | Attackers may create accounts for later access. |
| Database | Injected scripts, spam links or suspicious options. | Malware can live inside database content. |
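The uploads check from the table, combined with the file timestamp review mentioned earlier, can be scripted for a first pass over a site copy. This is an added example, not part of the original guide; it assumes the standard `wp-content/uploads` layout, the extension list is an assumption to adjust, and the sample tree in `demo()` is constructed.

```python
import os
import tempfile
import time
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".phar", ".cgi", ".pl"}  # assumed list
UPLOADS = Path("wp-content/uploads")  # standard WordPress layout


def triage(site_root, since_epoch):
    """Return (scripts_in_uploads, modified_since) as sorted relative paths."""
    root = Path(site_root)
    scripts, recent = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root)
            try:
                st = (root / rel).lstat()  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort
            # Inspect every suffix so "logo.php.jpg" and "X.PHP" are caught.
            suffixes = {s.lower() for s in rel.suffixes}
            if UPLOADS in rel.parents and suffixes & SCRIPT_EXTS:
                scripts.append(rel.as_posix())
            # mtime can be forged, so treat this list as leads, not proof.
            if st.st_mtime >= since_epoch:
                recent.append(rel.as_posix())
    return sorted(scripts), sorted(recent)


def demo():
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        sample = {  # constructed: relative path -> age in days
            "wp-content/uploads/2024/05/team.jpg": 60,
            "wp-content/uploads/2024/05/logo.php.jpg": 2,
            "wp-content/uploads/cache.PHP": 1,
            "wp-content/plugins/forms/form.php": 3,
        }
        for rel, age_days in sample.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("placeholder\n")
            os.utime(path, (now - age_days * 86400,) * 2)
        return triage(tmp, since_epoch=now - 7 * 86400)


if __name__ == "__main__":
    print(demo())
```

Run it against the investigation copy rather than the live site, and set `since_epoch` to just before the first reported symptom.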
If an ecommerce website is hacked, act carefully. Online shops may contain customer accounts, orders, payment integrations, stock data and checkout settings.
If checkout is affected, pause transactions until the issue is understood. Check order data, admin users, payment gateway settings, email notifications and plugin integrity.
Restoring an old backup on a busy shop can overwrite recent orders, so ecommerce recovery should be handled with extra care. If you run WooCommerce, see our WooCommerce Hosting options.
Whether you need to inform customers depends on what happened. If the hack affected public pages only, the response may be different from a situation involving customer data, accounts, orders or personal information.
If customer data may have been accessed, take the issue seriously and seek proper guidance. You may need to follow legal or regulatory requirements depending on the type of data and your business location.
Even when no customer data is affected, clear communication may help if visitors saw warnings, redirects or downtime.
If personal data, payment information, accounts or customer records may have been exposed, treat it as more than a technical cleanup. Get appropriate legal or compliance advice.
After cleanup, improve security before returning to normal. This includes updates, strong passwords, limited access, malware scanning, backups, two-factor authentication and possibly a Web Application Firewall.
Prevention is not a one-time task. Websites need ongoing maintenance, especially WordPress, WooCommerce and sites with plugins, forms or user accounts.
Choose hosting that suits the importance of the website. A business-critical site may need stronger hosting, better monitoring and more careful update processes.
One common mistake is deleting the obvious infected file but missing the backdoor that created it. The website looks fixed for a while, then the malware returns.
Another mistake is restoring a backup without checking whether it is clean or whether the original vulnerability still exists.
It is also common to forget password resets. If attacker access came through stolen credentials, the website may remain at risk until passwords and user accounts are reviewed.
First, reduce harm to visitors if needed, take an investigation backup, scan the website, check access logs and identify the likely entry point before cleaning or restoring files.
Only if the backup is clean and the entry point has been fixed. Restoring an infected backup or leaving the vulnerability open can lead to reinfection.
Malware often returns when a backdoor remains, passwords were not changed, vulnerable software was not updated, or the original entry point was not closed.
Yes. A compromised website or hosting account can be used to send spam, affect domain reputation or interfere with website form notifications.
Run scans, check files and databases, review users and logs, test for redirects, confirm warnings are gone and monitor for reinfection after cleanup.
Yes. Change hosting, website admin, FTP/SFTP, database, email and domain registrar passwords where relevant, and remove unknown users.
A hacked website is a clear sign to review hosting, backups, updates, passwords and monitoring. Compare our UK Web Hosting, WordPress Hosting, Small Business Hosting and Business Hosting options.
Running an online shop? See WooCommerce Hosting. Need domain or email checks too? Visit Domain Services and Business Email Hosting.
You can also use our website tools to check status, speed, SSL, DNS and propagation while recovering from an incident.
Protect visitors and preserve evidence.
Remove malware and close the entry point.
Update, secure, back up and monitor.
If your website gets hacked, act quickly but do not rush blindly. Protect visitors, preserve evidence, scan the website, identify the entry point, clean the infection and secure the account before returning to normal.
A proper recovery should include password resets, software updates, user reviews, malware scanning, backup checks, DNS and SSL checks, and close monitoring for reinfection.
The best outcome is not only getting the website back online. It is bringing it back cleaner, safer and better protected than before.