My website was hacked: a step-by-step recovery guide
14 min read · 10-Oct-2025
villagehosting.in team
Discovering your website has been hacked is alarming. Here is exactly what to do in the first hour, the first day, and the first week — in order, with the commands.
Do not restore without patching first
The most common post-hack mistake: restoring from backup and going live without understanding how the attacker got in. They will re-compromise you within hours using the same vulnerability. Identify and patch the attack vector before restoring, or your recovery will last less than 24 hours.
Signs your site has been hacked
- Google shows "This site may be hacked" or "Deceptive site ahead" in search results
- Your hosting company has suspended your account citing malware
- Visitors see a different website or are redirected elsewhere
- Your contact form is sending spam
- New admin users appeared in WordPress that you did not create
- Unexpected files appeared in your hosting directories
- Your email is suddenly on spam blacklists
Immediate steps (first 30 minutes)
1. Do not panic, and do not delete anything yet
You need to understand what happened before you can fix it permanently. Deleting files without knowing the attack vector means you will get hacked again in the same way.
2. Take the site offline if it is actively harmful
If your site is redirecting visitors to malware or phishing pages, take it offline immediately:
In cPanel → .htaccess, add at the top:
RewriteEngine On
RewriteRule ^ - [R=503,L]
Or redirect all traffic to a maintenance page.
3. Change all passwords
Change these immediately, using a device that is not on the network you were using when you were hacked:
- WordPress admin password
- cPanel password
- FTP/SFTP password
- Database password (then update wp-config.php)
- Email accounts associated with the domain
- Your registrar account
If you use the same password anywhere else, change those too.
4. Take a backup of the current (compromised) state
Before cleaning, take a complete backup. This preserves evidence and gives you something to compare against:
# Via SSH: archive the whole web root (public_html) into your home directory, outside the web root
tar -czf ~/compromised-backup-$(date +%Y%m%d).tar.gz ~/public_html
Or use cPanel Backup Wizard → Full Backup.
Identifying the attack vector (first hour)
Understanding how they got in prevents a repeat attack.
Check cPanel access logs
- cPanel → Logs → Access Log (or /home/username/access-logs/)
- Search for suspicious activity: POST requests to strange files, access to wp-login.php at unusual times, requests to xmlrpc.php
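The access-log triage above, as an added example that is not part of the original guide: a small POSIX shell script that reads Apache combined-format log lines and pulls out wp-login.php POSTs, xmlrpc.php hits and requests for PHP files under wp-content/uploads, then counts them per client IP. The log lines are constructed samples, not real traffic.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [09/Oct/2025:02:14:01 +0530] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Oct/2025:02:14:02 +0530] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Oct/2025:02:14:03 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2025:02:20:11 +0530] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.7 - - [09/Oct/2025:02:21:45 +0530] "POST /wp-content/uploads/2025/10/cache.php HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.9 - - [09/Oct/2025:09:00:00 +0530] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Print the suspicious lines: POSTs to wp-login.php, any hit on xmlrpc.php,
# or any request for a .php file under wp-content/uploads.
# In the combined format $1 is the client IP, $6 the quoted method, $7 the path.
suspect_requests() {
  printf '%s\n' "$1" | awk '
    {
      method = $6; sub(/^"/, "", method)
      path = $7
      if (method == "POST" && path ~ /\/wp-login\.php/) print
      else if (path ~ /\/xmlrpc\.php/) print
      else if (path ~ /\/wp-content\/uploads\/.*\.php/) print
    }'
}

# Count suspicious requests per client IP, most active first, as "count ip".
suspect_ips() {
  suspect_requests "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Number of wp-login.php POSTs from one IP; many within a short window suggests brute force.
login_posts_from() {
  suspect_requests "$2" | awk -v ip="$1" '$1 == ip && $7 ~ /wp-login\.php/' | wc -l | tr -d ' '
}
```

Point it at a real log with `suspect_ips "$(cat ~/access-logs/example.com)"` and look at the top IPs and the times of their requests.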
Check for file modification times
Files modified recently (especially .php files) that you did not change are suspicious:
# PHP files modified more recently than wp-config.php (which rarely changes)
find ~/public_html -name "*.php" -newer ~/public_html/wp-config.php -ls
# Files modified in the last 7 days anywhere in home dir
find ~/ -name "*.php" -mtime -7 -ls | grep -v "backup"
Check for known backdoor patterns
# Common backdoor signatures
grep -r "eval(base64_decode" ~/public_html --include="*.php"
grep -r "system(" ~/public_html --include="*.php"
grep -r "exec(" ~/public_html --include="*.php"
grep -r "preg_replace.*\/e" ~/public_html --include="*.php"
Any file containing eval(base64_decode is almost certainly malicious (unless it is a known obfuscation tool you installed deliberately).
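The modification-time, uploads and signature checks above, combined into one scan as an added example (not the guide's own tooling). The script builds a constructed sample site tree in a temp directory so it runs offline; the flagged files contain only inert fixtures (the base64 decodes to "ABC", and system() runs "true").

```shell
#!/bin/sh
# Constructed sample site tree (not a real install): one old clean file, two
# recently written files carrying the signatures the text greps for, and a
# harmless image in uploads. Prints the temp root so callers can scan it.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2025/10" "$root/wp-includes"
  printf '<?php /* legitimate core-style file */ echo "ok";\n' > "$root/wp-includes/clean.php"
  touch -t 202501010000 "$root/wp-includes/clean.php"   # pretend it is months old
  printf 'GIF89a\n' > "$root/wp-content/uploads/2025/10/real.gif"
  # Signature fixtures only: inert contents that merely match the patterns.
  printf '<?php eval(base64_decode("QUJD"));\n' > "$root/wp-content/uploads/2025/10/cache.php"
  printf '<?php system("true");\n' > "$root/wp-includes/shell.php"
  printf '%s\n' "$root"
}

# Run the three checks from the text over a web root. Each finding is printed
# as "<reason> <path>"; a file appears once per check it trips.
scan_webroot() {
  root="$1"
  # 1. PHP files modified in the last 7 days
  find "$root" -type f -name '*.php' -mtime -7 | awk '{print "recent-mtime", $0}'
  # 2. PHP anywhere under uploads (almost always malicious)
  find "$root/wp-content/uploads" -type f -name '*.php' | awk '{print "php-in-uploads", $0}'
  # 3. Known backdoor signatures (the same patterns as the grep commands above)
  grep -rlE 'eval\(base64_decode|system\(|exec\(|preg_replace.*/e' \
       --include='*.php' "$root" | awk '{print "backdoor-signature", $0}'
}

# Count the findings of one reason, e.g. count_findings "$root" php-in-uploads
count_findings() {
  scan_webroot "$1" | awk -v r="$2" '$1 == r' | wc -l | tr -d ' '
}
```

On a real site run `scan_webroot ~/public_html` and review every listed file by hand before deleting anything; the signature patterns are deliberately broad and will also flag some legitimate plugin code.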
Common attack vectors
1. Vulnerable plugin or theme: Check Wordfence's vulnerability database for plugins you have installed. A single unpatched vulnerability is the most common entry point.
2. Weak admin password: Check cPanel access logs for brute-force attempts against wp-login.php.
3. Compromised FTP/SFTP credentials: If files were uploaded that you did not upload, check your FTP access logs.
4. Compromised computer: If your local machine has malware, it may have stolen your FTP or cPanel passwords. Scan your local computer.
5. Shared hosting "cross-contamination": On shared hosting without proper isolation, a compromised account on the same server can write to your directories. On quality shared hosting with CloudLinux, this should not be possible.
Cleaning the malware
Option A: Restore from a clean backup (fastest and safest)
If you have a backup from before the hack:
- Restore the backup to a staging environment first
- Test that it works and the malware is not present
- Restore to production
- Immediately apply all security measures (below) before going live
The risk: If your backup is also compromised, you restore the malware. Check the restoration date — pick a backup from clearly before the hack.
Option B: Manual cleaning
If you do not have a clean backup or the backup is too old:
For WordPress:
- Download fresh copies of WordPress core, your theme, and your plugins from WordPress.org
- Replace all core files:
# Download fresh WordPress
wp core download --version=6.6 --force
# Verify checksums of core files
wp core verify-checksums
- Replace your theme files with fresh copies from the original developer
- Check each plugin for modifications (compare against fresh downloads)
- Search for and remove malicious files:
# Files that should not be in uploads (PHP in uploads is almost always malicious)
# Run with -ls first to review the list, then with -delete
find ~/public_html/wp-content/uploads -name "*.php" -delete
- Clean the database:
# Check for malicious content in posts and options
wp db search '<script' --all-tables
wp db search 'eval(' --all-tables
Malware in the database is usually in:
- wp_options table — often the inactive_plugins, siteurl, or home values
- wp_posts — injected script tags in post content
- wp_users — admin users you did not create
Option C: Professional malware removal
If this is beyond your comfort level, contact your host. VillageHosting's security team handles malware removal — WhatsApp us with your cPanel credentials and we will clean the site and provide a written report.
After cleaning: security hardening
1. Update everything immediately
- WordPress core to the latest version
- All plugins to the latest versions
- Theme to the latest version
2. Remove unused plugins and themes
Every inactive plugin is a potential attack surface. Delete — not just deactivate — anything you are not actively using.
3. Install a security plugin
Wordfence (free) provides:
- File integrity monitoring (alerts you when files change)
- Login protection (rate limiting, 2FA)
- Malware scanner
- Firewall rules
Install it and run a scan after cleaning.
4. Enable two-factor authentication
WordPress Admin → Wordfence → Login Security → Two-Factor Authentication. Force 2FA for all admin users.
5. Change the default admin username
If your admin username is admin, change it. The username admin is the first thing brute-force scripts try.
6. Harden wp-config.php
Regenerate the authentication keys and salts (get a fresh set from api.wordpress.org/secret-key/1.1/salt/ and replace the existing define() lines, which invalidates every stolen session cookie), then add these constants:
define('DISALLOW_FILE_EDIT', true); // Disables theme/plugin editor from dashboard
define('DISALLOW_FILE_MODS', true); // Prevents plugin/theme installation from dashboard
7. Protect wp-login.php
Add IP whitelisting to .htaccess if you have a static IP (the Order/Deny/Allow directives below are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, otherwise use Require all denied and Require ip instead):
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from YOUR.IP.ADDRESS.HERE
</Files>
8. Request Google to re-review
If Google flagged your site in Safe Browsing:
- Google Search Console → Security Issues → Request Review
- Describe what you did to clean the site
- Google typically takes 1–3 days to remove the warning
9. Remove from spam blacklists
Check MXToolbox Blacklist Lookup for your IP and domain. If listed, request removal from each blacklist individually.
Preventing future hacks
- Keep everything updated — set WordPress core to update automatically, and review plugin updates weekly
- Run a malware scan monthly — Wordfence free does this
- Use a strong, unique admin password — 20+ characters, in a password manager
- Enable 2FA on all admin accounts
- Delete unused plugins — even inactive plugins are attack surfaces
- Monitor your site — Wordfence or your host's monitoring alerts you when something changes
If you were hacked on shared hosting, the compromise may have come from a neighbouring account. Consider moving to managed hosting with CloudLinux isolation or a VPS where you are the only tenant.