Your website has been compromised.
Don't panic—but don't wait either. Here's your step-by-step recovery plan.
You just discovered the worst: your business website has been hacked.
Maybe a customer called to tell you the site is showing strange content. Maybe Google sent you a warning. Maybe you tried to log in and found yourself locked out. Or maybe your site is now redirecting visitors to a pharmacy in another country.
Whatever the sign, the reality is the same: your website, your main source of leads serving customers across San Bernardino, Riverside, Fontana, Ontario, and the entire Inland Empire, has been compromised.
Take a deep breath. This is fixable. But the next few hours are critical. What you do can make or break your website recovery.
This guide will walk you through exactly what to do right now, how to recover your site, and how to make sure this never happens again.
First: Confirm You've Actually Been Hacked
Before you panic, make sure you're actually dealing with a hack and not a different issue. Here are the most common signs of a compromised website:
Definite Signs of a Hack (If You See These, You're Hacked)
If you see any of the following, stop reading and skip to Step 2—you've been compromised:
Defacement: Your homepage has been replaced with a message from a hacker, or content that looks completely unrelated to your business.
Redirects: Visitors are being sent to strange sites (like spam, pharmaceuticals, or adult content) instead of your intended pages.
Google Warning: You see "This site may be hacked" or "This site may harm your computer" warnings directly in Google's search results.
Browser Warning: Visitors are getting a scary red screen from their browser (like Chrome or Firefox) before they can even access your site.
Spam Content: Mysterious new pages are appearing on your site, often filled with nonsensical or foreign language text you didn't create.
Locked Out: Your admin password has been changed, and you can't access your WordPress dashboard.
Email Spam: Your domain is suddenly sending out thousands of spam emails.
Malware Alerts: Your security software (or a visitor's) is flagging your site as dangerous.
Signs That Might NOT Be a Hack
Site is down (could be hosting issue)
Site looks different (could be failed update)
Can't log in (could be forgotten password)
Site is slow (could be performance issue)
If you're seeing any of the definite signs above, you've been hacked. Let's fix it.
Step 1: Don't Make It Worse (What NOT to Do)
When you first discover a hack, your adrenaline spikes, and it's easy to make a panicked mistake that complicates recovery. Here’s what you absolutely shouldn't do:
❌ Don't Delete Everything
Your instinct might be to delete the entire site and start over. Don't do it. You may destroy evidence needed to understand the attack, and you'll definitely lose any chance of restoring from backup.
❌ Don't Leave the Door Open
Every minute your hacked site stays online, it's potentially:
Infecting visitor computers with malware
Damaging your Google rankings
Sending spam from your domain
Collecting customer data for hackers
❌ Don't Just Change Your Password
Changing your WordPress password is necessary, but not enough. If hackers installed a backdoor, they'll get right back in. Password changes alone don't fix the underlying vulnerability.
❌ Don't Ignore It and Hope It Goes Away
Hacks don't resolve themselves. They get worse. The longer you wait, the more damage occurs and the harder recovery becomes.
❌ Don't Blame Your Hosting Company (Yet)
While hosting security matters, most WordPress hacks occur through outdated plugins, weak passwords, or compromised themes—not hosting vulnerabilities. Focus on recovery first, root cause analysis later.
Step 2: Take Your Site Offline ASAP
Priority: Protect your visitors and stop the bleeding.
Option A: Enable Maintenance Mode (If You Can Access WordPress)
If you can still log into your WordPress dashboard:
Install a maintenance mode plugin (if not already installed)
Activate maintenance mode now
This shows visitors a "Site Under Maintenance" message instead of hacked content
Option B: Contact Your Hosting Provider
If you can't access WordPress:
Call your hosting company's support line (don't email—call)
Tell them: "My website has been hacked and I need to take it offline immediately"
They can suspend the site or put up a maintenance page for you
Option C: Modify .htaccess (Technical)
If you have FTP or file manager access:
Add this to the top of your .htaccess file:
# Apache 2.2-style access rules; on Apache 2.4 these directives require mod_access_compat
Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADDRESS.HERE
This blocks everyone except you from accessing the site.
Document the time you took the site offline. You'll need this for your recovery timeline.
Step 3: Document Everything
Before you start cleaning, document the current state. This helps with:
Understanding how the hack occurred
Ensuring complete cleanup
Potential legal or insurance claims
Preventing future attacks
What to Document
Our team always starts here. Before you start cleaning, you need to capture the critical evidence and timeline. This is crucial for cleanup, legal protection, and preventing future attacks.
Visual Evidence (Screenshots): Capture the hacked homepage, any strange spam pages or content, all Google Search Console warnings, and any error messages or security screens your visitors see.
The Timeline and Access: Record the exact date and time you discovered the hack, the moment you took the site offline, how you found out (was it a customer report or a Google alert?), any recent site changes (like plugin updates or new users), a list of everyone with admin access, and the date of your last known clean backup.
Safeguard the Evidence: Store all documentation in a secure, off-site location (like Google Drive, Dropbox, or a secure email) separate from the compromised website, as you will need this for cleanup and prevention.
Step 4: Assess the Damage
Now it's time to understand what happened and how bad it is.
Check Google Search Console
If you have Google Search Console set up (you should):
Log in to Google Search Console
Check the Security Issues report
Look for manual actions or penalties
Review the Coverage report for unusual pages
Google often detects hacks before site owners do and provides specific information about the type of compromise.
Scan Your Site for Malware
Use these free scanning tools:
Sucuri SiteCheck: sitecheck.sucuri.net
VirusTotal: virustotal.com
Google Safe Browsing: transparencyreport.google.com/safe-browsing
These scans will identify:
Known malware signatures
Blacklist status
Spam injections
Suspicious redirects
Check Your Hosting Account
Log into your hosting control panel and look for:
Unfamiliar files or folders
Recently modified files (especially in the last 30 days)
Unknown FTP accounts
Unfamiliar email accounts
Unusual database activity
Review WordPress Users
If you can access your database or a backup:
Look for admin users you didn't create
Check for users with suspicious email addresses
Note any recently created accounts
Step 5: Restore from Backup (The Fastest Path)
If you have a clean backup from before the hack, this is your fastest recovery option.
Determine Your Backup Situation
| Backup Source | How to Access |
|---|---|
| Hosting provider | Contact support or check control panel |
| Backup plugin (UpdraftPlus, BackupBuddy, etc.) | Check plugin settings for storage location |
| Professional management service | Contact your provider |
| Manual backups | Check your local files or cloud storage |
Before Restoring
Identify when the hack occurred — Restore to a backup from BEFORE this date
Download the hacked site — Keep a copy for analysis (store it safely, don't run it)
Verify the backup is clean — Scan it with security tools before restoring
Restoration Process
Delete all current WordPress files (but keep the backup of the hacked version)
Restore files from your clean backup
Restore the database from the same backup date
As your first step after restoring, update all passwords (see Step 6)
Update WordPress, themes, and plugins to latest versions
Scan the restored site for any remaining malware
If You Don't Have a Clean Backup
This is unfortunately common. You'll need to clean the site manually (see Step 7) or hire a professional.
This is why you must invest in good backups. After recovery, setting up proper backups should be your top priority.
Step 6: Change ALL Credentials
Even if you restore from backup, you must change every password associated with your site. Hackers may have captured credentials that would let them right back in.
Your Password Checklist
WordPress:
All admin user passwords
All editor and author passwords
Delete any users you don't recognize
Hosting:
Control panel password (cPanel, Plesk, etc.)
FTP/SFTP passwords
SSH keys (if applicable)
Database:
MySQL database password
Update wp-config.php with new database password
Email:
Email accounts associated with your domain
Email accounts used for WordPress admin
Third-Party Services:
Google Analytics
Google Search Console
Social media accounts linked to website
Payment processors
Any API keys stored in your site
Password Requirements
For each new password:
Minimum 16 characters
Mix of uppercase, lowercase, numbers, symbols
Unique (not used anywhere else)
Use a password manager to generate and store
Enable Two-Factor Authentication
After changing passwords, enable 2FA on:
WordPress admin accounts
Hosting account
Google accounts
Any service that offers it
Step 7: Manual Cleanup (If No Clean Backup)
If you don't have a clean backup, you'll need to clean the infected site manually. This process is complex and time-consuming. Consider hiring a professional if you're not technically confident.
Core File Replacement
Download fresh WordPress core files from wordpress.org
Delete all existing core files (NOT wp-content folder or wp-config.php)
Upload fresh core files
Compare your wp-config.php against a clean version—look for suspicious code
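Before deleting the old core files, it helps to record exactly what the attacker changed. The following is an added example, not a tool from this guide: a hypothetical `core_diff` function that compares a downloaded copy of the hacked site against a fresh WordPress download of the same version. Both directory arguments are placeholders you supply.

```sh
#!/bin/sh
# Added example. core_diff CLEAN_DIR SUSPECT_DIR
#   CLEAN_DIR   : unpacked fresh WordPress download (same version as the site)
#   SUSPECT_DIR : downloaded copy of the hacked site (never the live server)
# Prints one finding per line:
#   MODIFIED <path>  core file whose bytes differ from the fresh copy
#   EXTRA <path>     file in wp-admin/ or wp-includes/ that core does not ship
core_diff() {
    cd_clean=$1
    cd_suspect=$2

    # Pass 1: every core file should be byte-identical to the fresh download.
    # wp-content is skipped because themes, plugins and uploads legitimately differ.
    (cd "$cd_clean" && find . -type f ! -path './wp-content/*') | sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$cd_suspect/$rel" ] || continue
        cmp -s "$cd_clean/$rel" "$cd_suspect/$rel" || printf 'MODIFIED %s\n' "$rel"
    done

    # Pass 2: the core directories should hold nothing a clean install lacks.
    # Malware disguised as a core file shows up here.
    (cd "$cd_suspect" && find wp-admin wp-includes -type f 2>/dev/null) | sort |
    while IFS= read -r rel; do
        [ -f "$cd_clean/$rel" ] || printf 'EXTRA %s\n' "$rel"
    done
}

# Stand-alone use: sh core_diff.sh /path/to/fresh-wordpress /path/to/site-copy
if [ "$#" -eq 2 ]; then
    core_diff "$1" "$2"
fi
```

Save the output with the rest of your Step 3 documentation, since it shows which files were touched.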
Theme Cleanup
If using a commercial theme, download a fresh copy from the vendor
If using a free theme, download fresh from WordPress.org
Replace all theme files with clean versions
Check for any customizations you need to re-apply
Plugin Cleanup
Make a list of all plugins you actually use
Delete ALL plugins
Download fresh copies from original sources
Reinstall only the plugins you need
Delete any plugins you don't recognize or no longer use
Database Cleanup
This is the most technical part. Look for:
Suspicious admin users (delete them)
Spam posts or pages (delete them)
Malicious code in post content (search for <script>, eval(, base64_decode)
Modified options (especially siteurl and home)
File System Scan
Search your entire WordPress installation for:
Files with recent modification dates you didn't make
PHP files in the uploads folder (there shouldn't be any)
Files with suspicious names (random characters, misspellings)
Hidden files (starting with a dot)
Files with encoded content (base64)
Common Malware Locations
Hackers typically hide malicious code in:
wp-includes/ folder (disguised as core files)
wp-content/uploads/ (PHP files don't belong here)
Theme files (especially functions.php, header.php, footer.php)
Plugin files (especially inactive plugins)
.htaccess file
wp-config.php
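The file system checks above can be run in one pass over a downloaded copy of the site. This is an added example, not part of the original guide: the `scan_wp` function name, its output labels, and the 200-character threshold for a "long base64 run" are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. scan_wp ROOT [DAYS]
#   ROOT : top of the WordPress installation (the folder holding wp-config.php)
#   DAYS : how far back "recently modified" reaches (default 30)
# Each output line is "<LABEL> <path>". Hits are leads to review by hand, not
# proof: legitimate core and plugin code also calls base64_decode() at times.
scan_wp() {
    scan_root=$1
    scan_days=${2:-30}

    # PHP files in the uploads folder: there shouldn't be any.
    find "$scan_root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null |
        sed 's/^/PHP_IN_UPLOADS /'

    # Hidden files (starting with a dot), apart from the expected .htaccess.
    find "$scan_root" -type f -name '.*' ! -name '.htaccess' |
        sed 's/^/HIDDEN /'

    # PHP files and .htaccess files changed within the last DAYS days.
    find "$scan_root" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -mtime "-$scan_days" |
        sed 's/^/RECENT /'

    # Encoded or dynamically evaluated content: eval(, base64_decode(,
    # or a run of 200+ base64 characters.
    find "$scan_root" -type f -name '*.php' -exec grep -lE \
        '(^|[^A-Za-z0-9_])(eval|base64_decode)[[:space:]]*\(|[A-Za-z0-9+/]{200,}' {} + |
        sed 's/^/ENCODED /'
}

# Stand-alone use: sh scan_wp.sh /path/to/site-copy 30
if [ "$#" -ge 1 ]; then
    scan_wp "$@"
fi
```

A file that appears under more than one label, such as RECENT and ENCODED inside wp-includes/, is the one to open first.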
Step 8: Harden Your Security
Once your site is clean, implement these security measures to prevent future attacks.
Immediate Security Measures
Update Everything:
WordPress core to latest version
All themes to latest versions
All plugins to latest versions
PHP version (ask your host)
Remove Unnecessary Components:
Delete unused themes (keep only your active theme and one default)
Delete unused plugins
Remove inactive user accounts
Delete old backups stored on the server
Secure wp-config.php:
Add these security keys (get fresh ones from WordPress.org):
define('AUTH_KEY', 'unique phrase here');
define('SECURE_AUTH_KEY', 'unique phrase here');
define('LOGGED_IN_KEY', 'unique phrase here');
define('NONCE_KEY', 'unique phrase here');
define('AUTH_SALT', 'unique phrase here');
define('SECURE_AUTH_SALT', 'unique phrase here');
define('LOGGED_IN_SALT', 'unique phrase here');
define('NONCE_SALT', 'unique phrase here');
Disable File Editing:
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Install Security Plugin
Choose one comprehensive security plugin:
Wordfence — Firewall, malware scanner, login security
Sucuri Security — Monitoring, malware scanning, hardening
iThemes Security — Brute force protection, file change detection
Configure it to:
Limit login attempts
Block suspicious IPs
Scan for malware regularly
Alert you to file changes
Enforce strong passwords
Implement Web Application Firewall (WAF)
A WAF blocks malicious traffic before it reaches your site:
Cloudflare (free tier available)
Sucuri Firewall (paid)
Wordfence Premium (paid)
Secure Your Hosting
Contact your hosting provider about:
Enabling automatic WordPress updates
Server-level security measures
Malware scanning services
Backup frequency and retention
Step 9: Request Google Review
If Google flagged your site as hacked or dangerous, you need to request a review after cleanup.
In Google Search Console:
Log into Google Search Console
Go to Security Issues
Click "Request Review"
Describe the steps you took to clean the site
Submit the request
Review Timeline:
Malware reviews: Usually 1-3 days
Manual action reviews: Can take 1-2 weeks
Phishing reviews: Usually 1-3 days
While Waiting:
Monitor Search Console for updates
Continue scanning your site for any remaining issues
Don't make major changes to the site
Step 10: Communicate with Customers
Depending on the nature of the hack, you may need to notify customers.
When Customer Notification Is Required:
Customer data may have been accessed
Payment information was potentially compromised
Login credentials may have been stolen
Malware may have been distributed to visitors
How to Communicate:
Email to Customers:
Subject: Important Security Notice from [Your Business Name]
Dear [Customer],
We recently discovered that our website experienced a security incident. We have taken immediate action to secure our systems and protect your information.
[Describe what happened in simple terms]
[Describe what you've done to fix it]
[Describe what customers should do - change passwords, monitor accounts, etc.]
We take the security of your information seriously and apologize for any concern this may cause. If you have questions, please contact us at [phone/email].
Sincerely,
[Your Name]
[Your Business]
Social Media:
Brief acknowledgment of the issue
Assurance that it's been resolved
Contact information for questions
Legal Considerations:
California law (CCPA) may require notification if personal information was compromised. Consult with a legal professional if you believe customer data was accessed.
The Cost of Recovery: What to Expect
Let's be realistic about what hack recovery costs:
DIY Recovery
| Item | Cost | Time |
|---|---|---|
| Your time | Opportunity cost | 10-40 hours |
| Security plugin (premium) | $99-299/year | — |
| Potential lost business | Varies | Days to weeks |
| Total | $99-299 + time + lost revenue | 10-40 hours |
Professional Recovery
| Service | Cost Range |
|---|---|
| Basic malware removal | $150-300 |
| Comprehensive cleanup | $300-500 |
| Complex hack recovery | $500-1,500 |
| Emergency/rush service | +50-100% |
| Ongoing security monitoring | $99-299/month |
The Real Cost
Beyond direct expenses, consider:
Lost revenue during downtime
Damaged customer trust
SEO ranking drops (can take months to recover)
Time spent on recovery instead of business
Stress and frustration
Prevention is always cheaper than recovery.
When to Call a Professional
Some situations require professional help:
Call a Professional If:
You don't have technical WordPress experience
The hack is complex (multiple backdoors, database compromise)
You can't identify how the hack occurred
Customer data may have been compromised
You need the site back online urgently
You've tried to clean it but the hack keeps returning
Google won't remove the security warning after your cleanup
What to Look for in a Security Professional:
Specific WordPress security experience
Clear pricing and scope of work
Guarantee against re-infection (for a period)
Post-cleanup hardening included
References from similar businesses
IE Web Services: Your San Bernardino Security Partner
At IE Web Services, we've helped dozens of Inland Empire businesses recover from website hacks—and more importantly, we've helped hundreds prevent them in the first place.
Emergency Hack Recovery
If your site has been hacked, we offer:
Rapid Response: We start working within hours, not days
Complete Cleanup: Malware removal, backdoor elimination, database cleaning
Root Cause Analysis: We identify how the hack occurred
Security Hardening: We implement protections to prevent recurrence
Google Review Assistance: We help get security warnings removed
30-Day Guarantee: If the same hack returns, we fix it free
Web CARE Plans: Prevention Over Recovery
Our ongoing management plans include:
✅ Daily Backups — Always have a clean restore point
✅ Security Monitoring — 24/7 malware scanning and alerts
✅ Firewall Protection — Block attacks before they reach your site
✅ Immediate Updates — Security patches applied within 24 hours
✅ Login Security — Brute force protection and 2FA
✅ Monthly Security Audits — Proactive vulnerability identification
The average hack recovery costs $500-1,500. Our monthly management plans start at $149.
The math is simple: prevention costs less than recovery, every time.
Get Help Now
Is your website currently hacked? Don't wait—every hour matters.
Call us Today! [Phone Number]
Or request emergency support: [Contact Form Link]
We serve businesses throughout San Bernardino County, Riverside County, and the entire Inland Empire, including San Bernardino, Fontana, Rancho Cucamonga, Ontario, Riverside, Corona, Rialto, Colton, Redlands, and surrounding communities.
Your website is your business's digital front door. Let's make sure it's secure.
IE Web Services has been protecting Inland Empire businesses online for over 20 years. We understand the unique challenges facing local businesses and provide security solutions that actually work.