Website Hacked? What to Do in the First Hour (Checklist)
By Glenn Lyvers · Updated · 6 min read
If your website has just been hacked, here is what matters in the first hour: don't delete anything, take a full backup of the site exactly as it is (infection and all), change your hosting, WordPress, and email passwords from a device you trust, and run a scan so you know what you're actually dealing with. Cleanup comes later. The first hour is about not making things worse.
I've been cleaning hacked websites every day since 2012, and the worst messes I see are rarely the hack itself. They're what the owner did in the first thirty panicked minutes. Deleted folders. Cancelled hosting accounts. Restored week-old backups over the top of the evidence. So before you touch anything, read this. It's short on purpose.
Don't delete anything. Not yet.
Your first instinct will be to find the weird files and get rid of them. Resist it. Those files are your evidence. They carry timestamps that tell you when the break-in happened, and the server logs from that window tell you how. Delete them and the cleanup turns into guesswork. Guesswork is how sites get reinfected two weeks later.
There's a second reason to slow down: some of what looks suspicious is legitimate. I once had a client who deleted half his theme because a forum post told him hackers hide code in functions.php. They sometimes do. But so does every theme developer on earth, and his site went from hacked to hacked and broken.
If a file frightens you, rename nothing, delete nothing, and write down the path. That list becomes useful later.
Back up the hacked site. Yes, the hacked version.
This sounds backwards, and clients push back on it all the time. Why would you want a copy of the infected site? Two reasons. First, if anything goes wrong during cleanup, you can get back to a known state instead of a half-remembered one. Second, that snapshot preserves the evidence: the malicious files, the database as the attacker left it, and ideally the access logs, which most hosts throw away after a few days or weeks. Once the logs rotate, the story of how you got hacked often goes with them.
A zip of the site files from your hosting file manager plus a database export is enough. A full cPanel backup is better. Store it somewhere safe and label it clearly so nobody restores it by accident six months from now. If you want the longer version of how backups should work on a healthy site, I wrote about that in my backup and recovery guide.
Change these passwords, in this order
Do this from a computer you trust, not the one that might have a keylogger on it. If the attacker got in by stealing your password from an infected laptop, changing that password from the same laptop hands them the new one too.
- Your hosting account (cPanel, Plesk, or your host's dashboard). This is the master key.
- Every WordPress administrator account. Not just yours. All of them.
- Your email account, especially the one that receives password resets for the site.
- FTP and SFTP accounts, including old ones you forgot existed.
- The database password in
wp-config.php, if you're comfortable editing it. If not, it can wait for the cleanup.
Make them long, make them unique, and put them in a password manager. The attacker may still have a backdoor into the site at this point, and that's a cleanup problem. But passwords are the doors you can lock right now, so lock them.
Find out what you're actually dealing with
Not every hack is the same animal. A spam-link injection, a phishing kit in your uploads folder, and a credit-card skimmer call for different responses, and the response has a different urgency depending on whether visitors are being harmed.
Start with my free scanner at Is My Site Hacked?. It checks your site from the outside the way Google and browsers see it. Then check whether you're already on any blacklists with the blacklist checker. If Google Search Console is set up for your site, open the Security Issues report; that's where Google tells you specifically what it found. And if you're still not certain the site is hacked at all, my guide to identifying website hacks walks through how to confirm it before you commit to a cleanup.
Should you take the site offline?
It depends on what the hack is doing. If your site is actively serving malware to visitors, redirecting them to scam pages, or hosting a fake bank login, then yes: put up a maintenance page now. Protecting your visitors comes before protecting your traffic. If the damage is quieter, say hidden spam links that only search engines see, the site can usually stay up while you work.
What I'd ask you not to do is cancel your hosting account in a fit of frustration. I've watched people do it. The evidence disappears, the backups disappear, and sometimes the domain configuration goes with them. Suspended is recoverable. Deleted is deleted.
Write down a timeline while it's fresh
This step costs five minutes and saves hours later. Open a note and record what you know: when you first noticed something wrong, what exactly you saw and where, anything unusual in the days before (a new plugin, a new user, an email about a login you don't remember), and every change you've made since discovering the problem. Include dates and rough times.
Why bother? Because whoever cleans this site, you or someone like me, will be reconstructing events from file timestamps and log entries, and a human timeline anchors that work. "The redirect started around Tuesday evening, and I'd installed a gallery plugin that weekend" narrows a log search from a month of noise to a two-day window. Memory fades fast under stress. Paper doesn't.
The actual cleanup comes next
Everything above is triage, and you can be done with it inside an hour. The real work, finding every malicious file, closing the hole the attacker used, and getting off whatever blacklists picked you up, is the part that takes experience. If you want to do it yourself, my step-by-step malware removal walkthrough is honest about what's involved, including the parts where DIY tends to go sideways.
And if you'd rather not spend your week on it, that's what I'm here for. I do this every day, personally, from the US. My Bulletproof Cleaning is $195 flat, and I don't consider the job done until the site is clean, the entry point is closed, and you know what happened. Either way, take a breath. Hacked sites get fixed. Yours will too.
Common questions
Should I take my hacked website offline immediately?
Only if the hack is hurting visitors: serving malware, redirecting to scam sites, or hosting phishing pages. In those cases put up a maintenance page right away. If the damage is quieter, like hidden spam links, the site can usually stay online while you clean it. Don't cancel your hosting account either way; you'd destroy the evidence and backups you need.
Will my hosting company clean my hacked site for me?
Almost never. Most hosts will scan the account, send you a list of flagged files, and sometimes suspend the site until it's clean, but the actual cleanup is your responsibility. Some sell a cleanup service at a premium. The report they send is still useful, so ask for it, including the full file paths.
Should I just delete everything and start over?
Usually not. Deleting the site destroys the evidence of how the attacker got in, and if you rebuild with the same passwords, the same plugins, and the same habits, the hole comes back with you. A proper cleanup keeps your content and rankings and closes the entry point. Starting over makes sense only for tiny sites with nothing worth saving.
Can the hacker still get in while I'm figuring this out?
Yes. Until the entry point is closed and any backdoor files are removed, assume the attacker still has access. That's why the first-hour moves are password changes and a preserved backup rather than cosmetic fixes. Changing passwords locks the doors you control; the cleanup deals with the copies of the key they may have hidden.
How do I know my site is actually hacked and not just broken?
Look for outside confirmation: a browser warning, a Google Search Console security notice, visitors reporting redirects, or a scanner flagging specific files. A white screen or an error on its own is more often a plugin conflict than an attack. Run an external scan and check the blacklists before you commit to a full cleanup.
Do I need to tell my customers my site was hacked?
If customer data may have been exposed, such as payment details or passwords, then yes, and depending on where you operate there may be legal notification requirements. If the hack was defacement or spam with no customer data involved, a notice is usually optional. Honesty ages better than silence if there's any real chance customers were affected.