If your website gets hacked, take it offline or place it in maintenance mode, contact your host right away, change every password, restore from a clean backup, and scan the site before putting it back online.
A hacked site is not just a technical problem. It can cost you rankings, ad traffic, phone calls, forms, bookings, and trust. For a dental office, law firm, pest control company, or local service business, even one day of malware warnings or spam redirects can scare away people who were ready to call. Google may also flag unsafe pages, and paid ads can stop sending traffic if the landing page is compromised.
The first goal is containment. Do not keep sending SEO, PPC, email, or social traffic to a site that may infect users or redirect them to spam. Pause paid ads that point to affected pages, check your Google Business Profile website link, and tell your team not to log in until passwords are changed.
| Step | Why it matters | What to do |
|---|---|---|
| Take the site out of public view | Stops visitors from seeing malware, spam, or broken pages | Use maintenance mode, server rules, or your host’s emergency lock |
| Contact your host | They can check server logs, malware, file changes, and backups | Ask for the infection time, affected files, and last clean backup |
| Change access | Many hacks come from stolen logins or old admin accounts | Reset hosting, WordPress, FTP, database, email, and admin passwords |
| Restore clean files | Removing only visible spam can leave hidden backdoors | Restore from a backup dated before the hack, then update everything |
| Request review | Search engines and browsers may keep warnings after cleanup | Use Google Search Console after the site is clean |
For WordPress sites, check plugins, themes, admin users, uploads, redirects, and recently modified files. A common bad fix is deleting one suspicious plugin and assuming the problem is gone. A better fix is to compare files against a clean version, remove unknown admin accounts, update WordPress core, remove unused plugins, rotate salts, scan the database for spam links, and block weak login patterns.
Good example: A hacked law firm site is placed in maintenance mode, ads are paused, the host restores a clean backup, all admin passwords are reset, unused plugins are removed, WordPress is updated, and Google Search Console is checked for security issues before traffic is sent back.
Bad example: The site owner deletes a strange homepage banner, keeps the same passwords, leaves old plugins active, and turns ads back on without checking hidden pages or redirects.
Use this short checklist before reopening the site:
- Confirm the backup is from before the infection.
- Update WordPress core, plugins, themes, PHP, and server software where applicable.
- Remove unused plugins, themes, old users, and shared admin accounts.
- Turn on two-factor login for admin users.
- Scan with your host tools, Wordfence, Sucuri SiteCheck, or another trusted scanner.
- Check Google Search Console for Security Issues, Manual Actions, and indexed spam pages.
- Test key conversion paths: phone links, forms, booking buttons, checkout, and tracking.
After recovery, watch the numbers that affect revenue. In GA4, check whether forms, calls, bookings, and paid traffic returned to normal. In Google Search Console, look for sudden drops in indexed pages, crawl errors, or strange queries. For local businesses, also check that your Google Business Profile still links to the correct site and that no tracking links were changed.
The best defense is boring but effective: managed updates, clean backups, malware scanning, strong passwords, limited admin access, uptime monitoring, and hosting that responds fast when something breaks. If the hack came from theme bloat, weak server settings, old plugins, or poor maintenance, our WordPress hosting work can help reduce the risk and keep recovery from turning into a full marketing outage.
