My Website Was Hacked! What Now? (And How to Stop It Happening Again)

It’s the nightmare scenario: you visit your website, and something’s not right.

Maybe your home page has disappeared. Maybe you’re redirected to some dodgy site. Maybe your inbox is full of strange emails, or worse – your customers are asking what’s going on.

Your website’s been hacked.

First: don’t panic. It happens more often than you think, especially with sites that haven’t had regular updates or security checks. And yes – it can be fixed.

Here’s exactly what to do if your site’s been hacked, in plain English – and how to make sure it doesn’t happen again.

Step 1: Confirm It’s Really a Hack

Sometimes what looks like a hack is actually something else – a plugin conflict, expired hosting account, or a misconfigured setting.

But if you’re seeing any of the following, it’s likely a hack:

Your site redirects to another website
Your pages show strange or offensive content
You can’t log in to your WordPress dashboard
Google is warning users your site is dangerous
You see random users or admins in your WordPress users list
Your hosting provider has taken the site offline

If you’re not sure, get in touch – I can take a quick look and let you know what’s going on.

Step 2: Take the Site Offline (If Possible)

If your site is actively spreading malware or redirecting users, take it offline to prevent damage to your reputation or Google rankings.

You can usually do this via your hosting control panel – many providers let you suspend your site temporarily. Or your web developer (like me!) can do it for you.

Don’t delete anything yet – we’ll need the files to clean things properly.

Step 3: Reset Passwords Immediately

Change your:

WordPress admin password
Hosting control panel password
FTP or file manager access
Email and domain logins if connected

Use strong, unique passwords. If the hacker got in via a weak or reused password, this step alone might stop further damage.

Step 4: Run a Malware Scan

If you have access to your WordPress dashboard, install a plugin like:

Wordfence
Sucuri Security
iThemes Security

These tools scan your site for malicious code and files – and in some cases, offer automatic cleanup.

If you can’t access your site, your hosting provider may have built-in malware detection. Or I can run a manual scan and clean the files for you.

Step 5: Restore from Backup (If You Have One)

If you have a clean backup from before the hack, restoring it is often the fastest way to fix your site.

Most good hosting providers offer automatic daily backups – check your control panel or support area. If you’re on one of my care plans, we’ll have a backup ready to go.

Important: after restoring, update everything and scan for vulnerabilities – otherwise the same thing could happen again.

Step 6: Update WordPress, Plugins and Themes

Outdated software is one of the most common ways hackers get in.

As soon as your site is clean and accessible, update everything to the latest versions:

WordPress core
All plugins
All themes

And delete anything you’re not using. Every inactive plugin or theme is another potential entry point.

Step 7: Remove Suspicious Users

Go to the WordPress Users section and look for anything unfamiliar – especially accounts with Admin access.

Delete them immediately.

Also consider installing a plugin to limit login attempts or require two-factor authentication (2FA) to tighten security further.

Step 8: Submit to Google for Review (If You Got Flagged)

If your site was showing malware warnings in Google Chrome or your search results, you’ll need to ask Google to review your site after it’s cleaned up.

Log into Google Search Console, find the security issues section, and follow the steps to request a review.

It can take a few days – but it’s important to regain trust and visibility.

How to Stop It Happening Again

Once your site’s been hacked, you’ll want to make sure it never happens again. Here’s how:

Set Up a Website Firewall

Use a security plugin with firewall protection to block dodgy traffic before it hits your site.

Enable Daily Backups

So you can always roll back quickly if needed.

Keep Everything Updated

Set a schedule to log in weekly and check for updates – or better yet, get a maintenance plan that handles it for you.

Use Quality Hosting

Cheap hosting often lacks basic protection. I only use providers I trust to keep my clients’ sites safe.

Don’t Reuse Passwords

A strong password policy is your first line of defence.

Get Expert Support

If you’re not technical – or just don’t want the hassle – get someone (like me) to manage your site and keep it secure.

What You Can Do Next

If your site’s been hacked – or you’re worried about vulnerabilities – I’m here to help.

Whether you need a fast cleanup, ongoing protection, or just someone to take a look and give honest feedback, I’ll guide you through it in plain English. No panic. No tech speak. Just solid help.

It’s not your fault your site got hacked. But let’s make sure it doesn’t happen again.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.