If your website gets hacked, take it offline, lock down every login, and restore from a clean backup while you track how the attacker got in.
Start by containing the damage: put the site in maintenance mode (or temporarily block public access at the host), then contact your hosting provider so they can review server logs, isolate the account if needed, and confirm whether it’s a site-level issue or a server issue. In Orlando, we see a lot of hacks come from old WordPress plugins, reused passwords, and exposed FTP or cPanel credentials, so treat every access point as compromised until proven clean.
What to do, in order
| When | Do this | What it prevents |
|---|---|---|
| First 30 minutes | Take the site offline, notify your host, and capture evidence (screenshots of redirects, spam pages, and warnings). | More visitors getting infected and the attacker changing more files. |
| Next 2 to 4 hours | Reset passwords for hosting, email, CMS admin users, FTP/SFTP, database users, and any API keys; remove unknown admin accounts; turn on 2FA where available. | Repeat break-ins using stolen credentials and hidden admin users. |
| Same day | Restore from a known-clean backup (before the infection), then update WordPress core, themes, and plugins; delete anything unused. | Reinfecting the site from the same outdated entry point. |
| Next 48 hours | Scan for malware, check for injected code in theme files, mu-plugins, cron jobs, .htaccess, and wp-config; verify DNS records and CDN settings were not changed. | Silent redirects, spam SEO pages, and ongoing data theft. |
| Next 30 days | Review whether personal data could have been accessed; document what happened and what you fixed; prepare notifications if required. | Compliance and customer-trust problems after the technical cleanup. |
Once the site is back, do a quick “trust check” in your browser: confirm there are no redirects, no new pages you didn’t publish, no extra users, and no unexpected JavaScript in the header or footer. If Google is showing a “deceptive site ahead” or malware warning, you’ll usually need to clean the site first, then request a review in Google Search Console so warnings can clear after recheck.
If your site takes payments, has patient forms, or stores logins, assume the risk is higher and loop in your legal or compliance help early. Florida’s data breach law generally uses a 30-day deadline after you determine a breach occurred or you have reason to believe it occurred, and larger breaches can trigger notice to the Florida Department of Legal Affairs, so don’t sit on the paperwork while you fix the tech.
For WordPress sites, the fastest long-term fix is often better hosting hygiene: daily offsite backups, limited admin access, a firewall layer, and updates handled on a schedule. If you want that handled for you, our managed WordPress hosting is built around uptime, backups, and security monitoring so a hack doesn’t turn into a week-long fire drill.
After a cleanup, HTTPS configuration also matters because browsers and search results treat security signals seriously. If you want a plain-English explanation, our FAQ on whether HTTPS affects SEO breaks down what changes when a site is secure again.
If the hack came through a brittle theme, a pile of abandoned plugins, or a custom codebase nobody wants to touch, rebuilding on a clean foundation can be faster than patching forever. That’s when our web design service is the practical option, because we can move content, tighten access, and relaunch with a simpler stack.
If you’re not sure where the entry point is, focus on three things first: containment, credential resets, and a clean restore. Those steps stop most active infections quickly, and they give you breathing room to harden the site so it stays clean.
