
My Website Was Hacked! A 7-Step Checklist for What to Do Right Now
It’s a moment of pure panic. You type in your website’s address and are met with a defaced homepage, a strange error, or worse, a warning from your browser that your site is dangerous. Your stomach sinks. That dreaded thought hits you: my website was hacked.
Take a deep breath.
This is one of the most stressful experiences a website owner can face, but you are not alone, and this is a fixable problem. The absolute worst thing you can do right now is panic and start deleting things randomly. The best thing you can do is follow a calm, methodical plan.
This is your emergency response checklist. Follow these seven steps to regain control of your site, clean up the damage, and secure it against future attacks.
Step 1: Take a Breath & Isolate Your Site
Before you do anything else, the goal is to stop the bleeding. A hacked website can be used to infect your visitors’ computers with malware or steal their data. You need to take it offline immediately.
The easiest way to do this is by using a maintenance mode plugin. If you can still access your WordPress dashboard, install a plugin like “WP Maintenance Mode” and activate it. This will show a simple, safe message to your visitors while you work in the background. If you can’t log in, you can also ask your host (see Step 2) to help you put up a temporary page. The key is to prevent anyone else from accessing the compromised site.
Step 2: Contact Your Hosting Provider Immediately
Your hosting provider is your most important ally in this crisis. They are the first responders for your website. A good host is more than just a server; they are a team of experts with powerful tools and a deep understanding of server security.
Contact your host’s support team (you can reach the CloudFivo team here) and tell them clearly, “I believe my website was hacked.”
Provide them with as much detail as you can. They can:
- Help you identify suspicious files on the server.
- Check server logs for unusual activity.
- Temporarily block traffic if needed.
- Guide you through the recovery process.
Do not skip this step. Their expertise is invaluable.
Step 3: Scan Your Website for Malware
A hack almost always involves malicious files or code being added to your website. You need to find and identify every piece of it. The best way to do this is with a dedicated security scanner.
If you don’t already have one, install a reputable security plugin like Wordfence or Sucuri Security. These plugins have powerful scanners that will check all of your core files, themes, and plugins against a database of known malware and vulnerabilities. Run a full, high-sensitivity scan and save the report. This will give you a “hit list” of infected files that need to be cleaned or removed.
Step 4: Restore from a Clean Backup
This is your ultimate escape hatch. If you have regular backups of your website, restoring it is often the fastest and most effective way to get rid of a hack completely.
The critical part is to choose a backup from a date before you believe the hack occurred. If you restore a recent, infected backup, you’ll be right back where you started.
Log in to your hosting control panel (cPanel) and look for the backup tool. Most hosts, including CloudFivo, offer automated daily or weekly backups. Choose a clean restore point and run the restoration process. After it’s done, your site will be back to its pre-hacked state. But you’re not done yet—you still need to close the security hole.
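One way to estimate when the hack began and pick the restore point, shown as an added example that is not part of the original article. It assumes the common heuristic that executable PHP under wp-content/uploads is suspect; the function names, the two-day margin and the sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions a web server may run as PHP; uploads should only hold media.
PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}

def suspect_files(site_root):
    """Return (path, mtime) for PHP files under wp-content/uploads, oldest first."""
    uploads = Path(site_root) / "wp-content" / "uploads"
    hits = []
    for path in uploads.rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_EXTS:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            hits.append((path, mtime))
    return sorted(hits, key=lambda h: h[1])

def pick_restore_point(backup_dates, earliest_hit, margin_days=2):
    """Newest backup taken at least margin_days before the earliest suspect file."""
    # File times can be altered by an intruder, so the earliest hit is only
    # an upper bound on when the compromise began; the margin adds slack.
    cutoff = earliest_hit - timedelta(days=margin_days)
    older = [b for b in backup_dates if b < cutoff]
    return max(older) if older else None

def demo():
    """Constructed sample: a fake site tree with one planted PHP file."""
    with tempfile.TemporaryDirectory() as root:
        up = Path(root, "wp-content", "uploads", "2024", "05")
        up.mkdir(parents=True)
        (up / "logo.png").write_bytes(b"\x89PNG")
        planted_file = up / "cache.php"
        planted_file.write_text("<?php /* placeholder */ ?>")
        when = datetime(2024, 5, 14, 3, 12, tzinfo=timezone.utc)
        os.utime(planted_file, (when.timestamp(), when.timestamp()))
        backups = [datetime(2024, 5, d, tzinfo=timezone.utc) for d in (1, 8, 15)]
        hits = suspect_files(root)
        return [p.name for p, _ in hits], pick_restore_point(backups, hits[0][1])

if __name__ == "__main__":
    print(demo())
```

If no backup is older than the cutoff, the function returns None, which means none of the available restore points can be trusted on this evidence alone.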
Step 5: Change Every Single Password
Assume that the hacker has stolen your login credentials. To lock them out for good, you must change every password associated with your website. This is non-negotiable.
Create new, strong, unique passwords for:
- Your Hosting Account / cPanel: This is the master key to your server.
- FTP/SFTP Accounts: How files are uploaded to your site.
- All WordPress Admin Users: Don’t just change your own; change it for every user with admin access.
- Your Database Password: This can often be changed via your cPanel.
Step 6: Update All of Your Software
Outdated software is the #1 entry point for hackers. They exploit known vulnerabilities in old versions of plugins, themes, and WordPress itself.
Once you have restored your site and changed your passwords, go to your WordPress dashboard and update everything to the latest version:
- Update the WordPress Core software.
- Update every single plugin.
- Update your theme.
If you have any plugins or themes that haven’t been updated by their developers in over a year, consider finding a replacement. They could be an abandoned security risk.
Step 7: Harden Your Website to Prevent This Again
You’ve cleaned up the mess. Now, you need to bolt the door so the hacker can’t get back in. “Hardening” your website means adding extra layers of security.
- Keep Your Security Plugin Active: Don’t uninstall Wordfence or Sucuri. Keep them running to monitor your site.
- Remove Unused Plugins & Themes: If you’re not using it, delete it. Every piece of inactive software is a potential security risk.
- Enforce Strong Passwords: Use a plugin that forces all users to create strong passwords.
- Limit Login Attempts: This stops hackers from trying to guess your password over and over.
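The log check from Step 2 and the repeated password guessing that login limiting stops can both be spotted in the web server access log; this added example, not part of the original article, shows one way to do it. It assumes the Apache/Nginx combined log format and default WordPress behaviour (a failed login returns 200, a successful one redirects with 302); the sample lines, threshold and names are constructed.

```python
import re
from collections import Counter

# Combined log format: client IP, timestamp, request line, status code.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def triage(lines, login_threshold=5):
    """Return (IPs with repeated failed logins, POSTs to PHP under uploads)."""
    failed = Counter()
    upload_posts = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        # Failed logins re-show the form (200); successful ones redirect (302).
        if path.endswith("/wp-login.php") and m["status"] == "200":
            failed[m["ip"]] += 1
        elif "/wp-content/uploads/" in path and path.endswith(".php"):
            upload_posts.append((m["ip"], path, m["status"]))
    noisy = {ip: n for ip, n in failed.items() if n >= login_threshold}
    return noisy, upload_posts

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE = [
    f'203.0.113.7 - - [14/May/2024:03:01:0{i} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"'
    for i in range(6)
] + [
    '198.51.100.20 - - [14/May/2024:09:15:00 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2024:03:12:44 +0000] '
    '"POST /wp-content/uploads/2024/05/cache.php HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.20 - - [14/May/2024:09:16:00 +0000] '
    '"GET /wp-content/uploads/2024/05/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The timestamp of the first flagged request is a second data point for choosing a backup date in Step 4, independent of file modification times.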
Conclusion: Stronger Than Before
Getting hacked is a terrifying experience, but it’s not the end of the world. By following this checklist, you can systematically take back control, clean up the damage, and close the security holes that let the attacker in.
In the end, this stressful event has an upside: your website will be safer, stronger, and more secure than it was before. It’s a tough lesson, but a valuable one. And remember, having a security-conscious hosting partner makes all the difference.
For more tips on website security and management, check out our [blog](https://cloudf
