Tips on how to recover from a website hack

Last week I wrote about some of the indicators that will tell us if our website has been compromised. This week I want to give you an overview of what to do if you have been hacked.

Don't panic (yet)

Investigate the IOC (indicator of compromise). If you have received a warning or been blacklisted, find out why. Many of the tools used to check websites are automated, and a false positive is possible. Years ago we were blacklisted by our ISP because of a test file in a non-searchable folder. It was embarrassing, but easily resolved.

Don't deny it

If your site has been compromised, don't deny it. This is not technical advice, but it is still valid. Being breached is bad for your reputation. But denying a breach that security experts have confirmed is even worse. Even if it is not your decision, you can still make this recommendation.

Quarantine your site if required

If the attack is severe, you may need to quarantine your site. This means taking it offline while you remove any malicious content and audit user accounts.

You can stop your web server, or point your DNS entries to a static page on a different server. You can also contact your host provider to help you with this.

Identify the damage

Tip: Keep your website folders clean! Remove files that aren't used, such as old images or test databases. That will make it easier to manage the files that should be there.

The most popular files for hackers to attack are .htaccess and .php files. If you are comfortable with the code, you can check these files yourself.

Use free security utilities to identify affected files:

  • Check your site on Google's Safe Browsing Tool. Just type in your URL and check your site's status.
  • Use the Google Search Console (previously Google Webmaster Tools) to check for any security issues. Google provides instructions on how to do this.
  • You can use Sucuri to run a free website check. This is also a good way to find out if any of your security headers are missing.
  • If you use a CMS like WordPress or Joomla!, look for the various tools available for that platform.

Clean the files

I hope you have a backup with the clean version of your files. If you don't, you'll have to download the affected files, fix them, and then re-upload them.
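One way to do the comparison against a clean backup, as an added example that is not from the original article: the script hashes every file in both trees and lists what was added, changed or removed, flagging `.htaccess` and `.php` files for first review. The function names and the two directory arguments are assumptions; run it against a downloaded copy of the site.

```python
import hashlib
import sys
from pathlib import Path

# File types the article singles out as the most common targets.
HIGH_RISK = (".htaccess", ".php")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def compare(backup_root, live_root) -> dict:
    """Return files added, modified or missing in live_root versus the backup."""
    clean = snapshot(Path(backup_root))
    live = snapshot(Path(live_root))
    report = {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "missing": sorted(set(clean) - set(live)),
    }
    # Review these first: new or changed .htaccess / .php files.
    report["high_risk"] = sorted(
        f for f in report["added"] + report["modified"]
        if f.lower().endswith(HIGH_RISK)
    )
    return report


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_site.py CLEAN_BACKUP_DIR LIVE_COPY_DIR")
    for kind, files in compare(sys.argv[1], sys.argv[2]).items():
        for name in files:
            print(f"{kind}\t{name}")
```

Files listed as added or modified are candidates for review, not proof of tampering; legitimate updates made after the backup was taken will appear too.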

If your web server uses cron jobs, check your scheduler via your hosting control panel. Delete any suspicious tasks.

Google has a detailed set of instructions on how to clean and maintain your site if it has been hacked.

Check user accounts

Check your site's user accounts. If an attacker has created illegal accounts, delete them.

Change the passwords for all site users and accounts.

As always, please share your thoughts and comments.
