E:LAB
← Services
← All guides
7 min read

What to do when your site is hacked — a guide for small businesses

By Yang Kyoungchan

A 5-step recovery flow any non-technical owner can follow — isolate → identify (defacement, malware, SEO spam, phishing) → restore from backup → rotate credentials → request a search-engine review. Don't panic; go in order.

  • Hack recovery
  • Restore
  • Small business
  • Safe Browsing

If your website has been hacked, the first thing to do is don't panic — take the site offline for a moment. The flow is: ① isolate the site (switch to a maintenance page) → ② identify what kind of hack it is → ③ restore from a clean backup → ④ change every password and credential → ⑤ request a search-engine review. You don't need to be technical — just follow the sequence. Here's each step.

Step 1 — Stop and isolate the site

Leaving a hacked page live can infect your visitors' computers or get your site flagged as dangerous by search engines. To stop the damage from growing, block it first.

  • In your hosting panel, switch the site to a "maintenance" state or take it private temporarily.
  • Change the admin password immediately and lock down FTP and database access. (Do this first even before you know the cause.)
  • If you can, tell your host you "think you've been hacked." Many of them will help with backup restores and a first-pass check.

Step 2 — Identify what kind of hack it is

The response depends on the type. Most cases are one of these four.

  • Defacement: the front page is replaced with different images or text. The most visible, but usually superficial in scope.
  • Malware injection: looks fine on the surface, but quietly pushes a virus to visitors. This is what triggers the red browser warning.
  • SEO spam: piles of spam pages (gambling, pharma) created under your domain. Search and you'll find pages you never made. It's devastating for rankings — see how a hack tears down your search rankings for the mechanics.
  • Phishing pages: fake bank or login screens hidden inside your site. The type that gets blocked and reported fastest.

To check whether you've already been blocked, enter your domain on Google's Safe Browsing site status page. And in Google Search Console, the Security & Manual Actions menu shows the breach type directly.

Step 3 — Restore to a clean state

Don't try to fix the hacked files one by one — the safest move is to roll the whole thing back to a clean pre-hack backup.

  • From your host's backups or your own, pick one from "before the estimated time of the hack."
  • If you have no backup, find and delete files created or modified after the hack. Hidden backdoors are easy to miss here, so if running this yourself is hard, getting expert help is the safer route.
  • Even after restoring, if you don't close the entry point you'll be breached again within days. Always update old boards, plugins, and your CMS to the latest version.

Step 4 — Change every password and credential

Hacks usually start from a leaked password or key. Leave even one and you get re-compromised. Change all of these.

  • All admin, FTP, DB, and hosting-account passwords
  • Reissue API keys used for payments, email, and integrations
  • Apply 2FA (OTP) to admin login wherever possible

Step 5 — Request a search-engine review

If malware or phishing got you blocked, cleanup alone won't clear the warning. You have to ask Google for a review — "cleanup is done, please look again." Delisting typically happens within 7–14 days. The exact screens and how to fill out the request are laid out step by step in the Safe Browsing recovery guide.

Once recovery is done, the key is to make scanning a habit so the same thing doesn't recur. To see whether any vulnerabilities or exposed paths still remain on your site, just verify your domain with the Security:Lab free scan and you'll know in seconds.

FAQ

Q. Can't I just build a new site after getting hacked?

If your domain is already registered as dangerous by search engines, the warning follows you as long as you keep the same domain — even on a brand new build. Cleaning up and recovering reputation via a review comes first.

Q. Won't my hosting company handle it?

They'll often help with backup restores and a first check, but closing the entry point and preventing recurrence is usually outside their scope. Steps 4 and 5 are on you.

Q. When is it worth paying for an expert?

If you have no clean backup, you keep getting breached after cleanup, or the site handles payments or personal data — get expert help. A simple defacement you can usually recover yourself with the flow above.

Q. What should I do day-to-day to avoid getting hacked again?

Keep boards, CMS, and plugins current; use strong passwords and 2FA; back up regularly; and scan exposed paths on a schedule — those four cover most of it. You can automate the regular scan around the items in the methodology.

← Back to all guides