My site was hacked

If your website has been hacked, defaced, or is redirecting to spam sites, take action immediately. Change your passwords first, then follow our recovery guide to clean up and secure your site.

01. WordPress Sites

WordPress sites are the most common target. We have a detailed step-by-step recovery guide: How to Fix a Hacked WordPress Site. This covers identifying the compromise, removing malicious files, cleaning the database, and hardening the site against future attacks.

02. Other CMS Platforms

The same principles apply to any CMS:

1. Change all passwords (cPanel, FTP, email, CMS admin, database)
2. Update the CMS to the latest version
3. Update all plugins, themes, and extensions
4. Remove any plugins or themes you do not use
5. Check for suspicious files - Look for recently modified PHP files, especially in upload directories
6. Scan for malware - cPanel includes a virus scanner under Security > Virus Scanner
7. Restore from a clean backup if available - See How to Back Up Your Website

03. Prevent Future Hacks

• Keep everything updated - CMS, plugins, themes. Outdated software is the #1 attack vector.
• Use strong, unique passwords for every account
• Install a security plugin - Wordfence for WordPress, or similar for your CMS
• Enable two-factor authentication on your CMS admin login
• Remove unused plugins and themes - Even deactivated plugins can be exploited

For comprehensive WordPress security, see WordPress Security: The Complete Hardening Guide.

Quick Recap

1. Change ALL passwords immediately - cPanel, email, CMS, database
2. Follow our WordPress hack recovery guide for WordPress sites
3. Update everything - CMS, plugins, themes
4. Scan for malware and remove suspicious files
5. Restore from a clean backup if available

Security incident response · Last updated March 2026 · Browse all General articles