Website Defaced? How to Recover From a Defacement Attack
By Glenn Lyvers · Updated · 6 min read
A defaced website, the kind where your homepage now announces "Hacked by" someone with a dramatic alias, is usually the work of an automated script rather than a personal enemy. Recovery has three parts: take the defacement page down, restore your real homepage from a clean copy, and then search the site for what else was changed while the door was open. That third step is the one people skip, and it's the one that decides whether this happens again next month.
Defacements look like the worst kind of hack because they're the loudest. Your site isn't quietly leaking spam links; it's wearing a billboard. But in my experience they're often among the more recoverable incidents, precisely because you found out immediately. The hacks that hurt worse are the ones that hide for six months.
What a defacement actually is
Technically, a defacement is just unauthorized content replacement. The attacker gained write access to your site, through a vulnerable plugin, a stolen password, or a hosting weakness, and used it to swap your homepage for their banner. Sometimes it's a new index.html file dropped into your web root that loads instead of WordPress. Sometimes your theme's files were edited, or the homepage content in the database was replaced. Where the change lives determines how you undo it, so look before you fix: if a rogue index.html is sitting next to index.php, the fix begins with removing one file.
It's almost never personal
Clients ask me who they angered. Nobody, usually. Most defacements come from crews who compromise sites in bulk with automated tools, stamp their alias on the homepage, and move on. There are literal scoreboards where these groups log their defacements by the thousand; volume is the whole point. Your site had a weakness their scanner recognized, and it got processed. That's the entire story.
I mention this not to minimize what happened but because the answer changes your response. You don't need to worry about a determined adversary coming back for revenge. You need to close the mundane hole a bot walked through, which is a much more solvable problem.
The banner is the smallest problem
Here's the part that matters more than the embarrassing homepage. An attacker with enough access to deface your site had enough access to do quieter things too, and the automated kits usually do: a backdoor file or two so they can return, sometimes a batch of spam pages, occasionally a phishing kit tucked into an uploads folder. The defacement is graffiti on the front door. The question is what happened in the rest of the house.
So don't let anyone tell you recovery is "just restore the homepage." On the defacement cleanups I handle, I nearly always find companion files the owner had no idea about. My guide to hack detection and indicators lists the places worth checking: recently modified files, PHP in wp-content/uploads, unfamiliar admin users, scheduled tasks you didn't create.
Getting your real homepage back
Before you change anything, preserve the evidence: note the defacement page's file path and timestamp, and grab a copy of your access logs. That timestamp is your best clue to the entry point, and logs at most hosts expire fast. If you're unsure what to preserve, my first-hour checklist walks through it.
Then the mechanics are usually simple. If the attacker dropped a standalone index.html over a WordPress site, removing that file often brings your real site straight back. If theme files were edited, restore them from a clean download of the same theme version or from a backup that predates the attack. If the homepage content in the database was replaced, WordPress revisions frequently let you roll the page back in two clicks. A clean backup makes all of this faster, which is why I go on about them in the backup and recovery guide.
Now find what they left behind
With the site looking normal again, resist the urge to declare victory. Work through the quiet checks: scan the site from the outside with my free Is My Site Hacked? tool, review every administrator account, look for files modified around the defacement timestamp, and check that Google hasn't flagged you with the blacklist checker. If Search Console shows a security issue, deal with it now rather than waiting for traffic to sag.
Then close the door itself. Update everything that's outdated, remove plugins and themes you don't use, and rotate your passwords: WordPress admins, hosting panel, FTP. If the logs point to a specific vulnerable plugin, replace or patch it specifically. A defacement with the entry point left open is an invitation to be someone's statistic twice.
Check where the defacement got copied
Your server isn't the only place the banner may live. Search results can show a cached snippet of the defaced page for a while, social platforms cache link previews, and the Wayback Machine may have archived the defacement if it was up long enough. None of this means your site is still hacked; it means machines took photographs before you cleaned up.
Most of it heals on its own as pages get recrawled. You can speed Google along by requesting reindexing of the affected pages in Search Console, and refresh a stale social preview with each platform's link debugger. I'd only chase the archive copies if the defacement contained something genuinely damaging; for a generic banner, it's not worth the effort.
What to tell your visitors
If the defacement was up for an hour at 3 a.m., most of your audience never saw it, and a public statement can amplify something that would otherwise pass unnoticed. Check whether anyone actually encountered it, your analytics for that window will tell you, and match your response to the reality. If customers did see it, a short plain note works best: we were defaced, no customer data was involved (if that's true), it's fixed, and here's what we changed. People forgive a hacked site quickly. They forgive a dishonest one slowly.
One caution: don't claim "no data was accessed" unless you have a reason to believe it. Defacement kits rarely steal data, but rarely isn't never, and a wrong reassurance costs more trust than the incident.
If you'd rather hand it off
A defacement is very fixable, and if you're comfortable in your hosting file manager, you can likely do the visible part yourself today. The part where experience pays is the sweep for backdoors and the log work to find the entry point. That's what I do all day, from the US, by hand. My Bulletproof Cleaning is $195 and covers the whole job: banner down, leftovers found, hole closed, and you get a plain-English explanation of what happened. Either way, take the timestamp and the logs first. Future-you will thank present-you.
Common questions
Who defaces websites and why?
Mostly organized crews and individuals running automated tools that compromise vulnerable sites in bulk, then stamp their alias on the homepage for bragging rights. There are public scoreboards where they log victims by the thousand. Some defacements carry political messages. Either way, your site was almost certainly found by a scanner, not chosen by a person.
Does a defacement mean my data was stolen?
Not necessarily, and usually not. Most defacement kits replace content and plant a backdoor; they aren't built for data theft. But the attacker did have write access, so the possibility can't be dismissed without checking. If your site stores customer data, review what was accessible and avoid promising 'no data was taken' unless the evidence supports it.
How do I remove the 'Hacked by' page from my site?
Find where it lives first. Often it's a new index.html file in your web root that loads ahead of WordPress; deleting it restores the site immediately. Otherwise restore the edited theme files from clean copies or roll back the homepage in WordPress revisions. Preserve the file's timestamp and your access logs first, since they reveal how the attacker got in.
Will Google blacklist my site because of a defacement?
It can, if Google crawls the site while the defacement or any planted malware is live. A short-lived defacement often passes unnoticed. Check Search Console's Security Issues report and run a blacklist check after cleanup; if you were flagged, request a review once the site is genuinely clean and the warning typically clears within a few days.
How long does it take to recover a defaced website?
The visible fix is often minutes to a few hours: remove or restore the replaced files and the site looks normal again. The full job, sweeping for backdoors, closing the entry point, and rotating passwords, typically takes a few hours to a day for a standard WordPress site. Skipping the full job is how defacements turn into repeat events.
Can a defaced website be fixed without a backup?
Yes. Backups make it faster, but a defacement can be reversed without one: rogue files get deleted, edited theme or core files get replaced from clean downloads of the same versions, and database changes can often be rolled back through WordPress revisions. A backup mostly saves time and removes guesswork about what the original state looked like.