Website Security

Your Small Business Website Got Hacked: What to Do Right Now

By JustAddContent Team·2026-03-29·11 min read
Your Small Business Website Got Hacked: What to Do Right Now

Discovering that your website has been hacked is one of the most stressful experiences a small business owner can face. Your mind races with questions. Is customer data compromised? How long has this been going on? Will Google blacklist your site? Can it be fixed?

Take a breath. While a hacked website is serious, it is a problem that can be solved. Thousands of small business websites get hacked every day, and the vast majority are fully recovered. This guide will walk you through the immediate steps to contain the damage, clean up the hack, restore your site, and prevent it from happening again.

How to Tell If Your Website Has Been Hacked

Sometimes a hack is obvious. Other times, it is subtle and can go unnoticed for weeks. Here are the most common signs:

Obvious Signs

  • Your website redirects to a different site (often spam, gambling, or pharmaceutical sites)
  • Unfamiliar content, links, or pages appear on your site
  • Google displays a "This site may be hacked" or "This site may harm your computer" warning
  • Your hosting provider has suspended your account
  • Visitors or customers report suspicious behavior

Subtle Signs

  • Your site is suddenly much slower than usual
  • You find new user accounts in your CMS that you did not create
  • Your search results show strange titles or descriptions in foreign languages
  • You are sending emails you did not write (your email account may also be compromised)
  • Your site's traffic has dropped significantly for no apparent reason

If you are seeing any of these signs, act quickly. Here is your step-by-step response plan.

Step 1: Stay Calm and Document Everything

Before you start changing things, take a moment to document what you are seeing. This information will be valuable for cleanup and for understanding how the hack occurred.

  • Take screenshots of any visible signs of the hack (redirects, strange content, error messages)
  • Note the date and time you discovered the problem
  • Record what has changed recently (new plugins, theme updates, new user accounts, hosting changes)
  • Check your email for any notifications from your hosting provider, Google Search Console, or security tools

Step 2: Contain the Damage

Your first priority is to stop the hack from causing further harm.

Put Your Site in Maintenance Mode

If possible, put your website into maintenance mode so visitors see a "temporarily down for maintenance" page instead of hacked content. This protects your visitors and your reputation.

In WordPress, you can do this by:

  1. Installing a maintenance mode plugin (if you can still access your dashboard)
  2. Or creating a simple maintenance.html file on your server and configuring your .htaccess to redirect all traffic to it

Change All Passwords Immediately

Change passwords for every account associated with your website, in this order:

  1. Hosting account (cPanel, Plesk, or your hosting provider's dashboard)
  2. CMS admin accounts (WordPress, Shopify, etc.)
  3. FTP/SFTP accounts
  4. Database accounts
  5. Associated email accounts
  6. Domain registrar account

Use strong, unique passwords for each one. A password manager like Bitwarden or 1Password makes this manageable. For guidance on creating secure passwords, read our post on strong passwords and protecting your business accounts.

Revoke Unauthorized Access

Check for any user accounts you do not recognize and delete them immediately. In WordPress, go to Users and review every account. Pay special attention to any accounts with administrator privileges.

Step 3: Identify the Type of Hack

Understanding what type of hack you are dealing with helps you clean it up more effectively.

Malware Injection

Malicious code has been inserted into your website files. This is the most common type of hack and can manifest as redirects, pop-ups, hidden links, or cryptocurrency miners running in visitors' browsers.

SEO Spam (Pharma Hack)

Hackers have injected hidden pages or links on your site to boost their own search rankings. You might see hundreds of spam pages indexed under your domain when you search site:yourdomain.com in Google.

Backdoor Installation

Hackers have planted hidden files that give them continued access to your server, even after you change passwords. These are often disguised as legitimate-looking files with names like wp-config-backup.php or hidden in upload directories.

Defacement

Your site's appearance has been changed, typically with a message from the hacker. While visually dramatic, defacements are usually the easiest hacks to clean up.

Data Theft

The most serious type of hack. If your site handles customer data, payment information, or personal information, you may have legal obligations to notify affected parties.

Step 4: Scan Your Website for Malware

Use multiple scanning tools to get a complete picture of the infection:

Free Online Scanners

  • Sucuri SiteCheck (sitecheck.sucuri.net): Scans your site's public-facing pages for malware, blocklisting status, and security issues
  • Google Safe Browsing (transparencyreport.google.com/safe-browsing): Check if Google has flagged your site
  • VirusTotal (virustotal.com): Scans your URL against dozens of security vendors

Server-Level Scanning

If you have server access, run a deeper scan:

  • Wordfence (WordPress plugin): Scans all WordPress files against the official repository and identifies modified or suspicious files
  • Maldet (Linux Malware Detect): A server-side malware scanner for Linux hosts
  • Your hosting provider's scanner: Many hosts offer built-in malware scanning tools

Check Google Search Console

If you have Google Search Console set up, check:

  1. Security Issues report: Google will list any security problems it has detected
  2. Manual Actions: Check if Google has applied any manual penalties
  3. URL Inspection tool: Test specific pages to see what Google sees

Step 5: Clean Up the Hack

This is the most involved step and varies depending on the type of hack. For a detailed, comprehensive walkthrough, our guide on how to recover a hacked website covers every scenario in depth.

Option A: Restore from a Clean Backup

If you have a recent backup that predates the hack, this is often the fastest and most reliable recovery method.

  1. Identify when the hack occurred. Review your server access logs and file modification dates to determine when the infection started.
  2. Find a backup from before that date. Make sure the backup is clean by scanning it before restoring.
  3. Restore the backup through your hosting control panel or manually via FTP.
  4. Update everything immediately after restoring (CMS core, themes, plugins) since the vulnerability that allowed the hack likely still exists in the backup.

Option B: Manual Cleanup

If you do not have a clean backup, you will need to clean the infection manually.

For WordPress sites:

  1. Replace WordPress core files. Download a fresh copy of WordPress from wordpress.org and replace all core files (everything except wp-content and wp-config.php).
  2. Review wp-config.php. Compare it to the default wp-config-sample.php and remove any suspicious code.
  3. Clean the wp-content directory. Go through each plugin and theme folder. Delete any plugins or themes you do not use. For active ones, compare files against fresh downloads from the official sources.
  4. Check the uploads directory. Look for PHP files in wp-content/uploads/, which should normally only contain images and media files. Delete any PHP files found there.
  5. Review .htaccess files. Check the root .htaccess and any .htaccess files in subdirectories for malicious redirect rules.
  6. Clean the database. Search for suspicious content in your database, particularly in the wp_options and wp_posts tables. Look for base64-encoded strings, iframes, and JavaScript injections.

Option C: Professional Cleanup

If the hack is severe, the cleanup is beyond your technical comfort level, or you handle sensitive customer data, consider hiring a professional security service. Services like Sucuri, Wordfence, and MalCare offer hack cleanup packages starting around $200-500.

Step 6: Harden Your Website Security

After cleaning up the hack, you need to close the vulnerabilities that allowed it to happen in the first place.

Update Everything

  • Update your CMS (WordPress, Joomla, etc.) to the latest version
  • Update all plugins and themes
  • Remove any plugins or themes you are not actively using

Strengthen Access Security

  • Enable two-factor authentication on all admin accounts
  • Limit login attempts to prevent brute-force attacks
  • Change your database table prefix from the default wp_ to something unique
  • Restrict file permissions (directories: 755, files: 644)

Install a Security Plugin or Firewall

For WordPress, install a security plugin like Wordfence or Sucuri Security. These provide:

  • File integrity monitoring (alerts you when files change)
  • Firewall protection (blocks malicious traffic before it reaches your site)
  • Login security (brute force protection, two-factor authentication)
  • Malware scanning on a regular schedule

For a complete security setup guide, read our website security guide for small businesses.

Set Up Automated Backups

If you did not have backups before, set them up now. Follow the 3-2-1 rule:

  • 3 copies of your data
  • 2 different storage media (local and cloud)
  • 1 offsite backup (stored somewhere separate from your hosting)

Automate daily or weekly backups depending on how frequently your site changes.

Step 7: Notify Affected Parties

Depending on the nature of the hack, you may need to notify others.

If Customer Data Was Compromised

Many regions have data breach notification laws (GDPR in Europe, various state laws in the US). If personal or financial data was potentially accessed, consult a lawyer about your notification obligations. Prompt, transparent communication builds trust even in difficult situations.

Request a Google Review

If Google flagged your site with a security warning:

  1. Go to Google Search Console
  2. Navigate to Security Issues
  3. After cleaning up the issues, click "Request a Review"
  4. Google typically reviews within 72 hours, though it can take longer

Notify Your Hosting Provider

Let your hosting provider know about the hack and the steps you have taken to resolve it. They may have additional recommendations or be able to provide server-level protection.

Step 8: Monitor for Recurrence

Hackers often try to regain access through backdoors they have planted. Stay vigilant:

  • Monitor file changes using your security plugin's file integrity feature
  • Check Google Search Console weekly for security issues
  • Review access logs for suspicious activity
  • Scan for malware on a regular schedule (at least weekly)
  • Set up uptime monitoring to alert you immediately if your site goes down

How Websites Get Hacked: Understanding the Root Causes

Understanding how hacks happen helps you prevent the next one. The most common attack vectors for small business websites include:

Outdated Software

This is the number one cause. Outdated CMS installations, plugins, and themes contain known vulnerabilities that hackers exploit with automated tools. Keeping everything updated is the single most important thing you can do. Our guide on keeping your WordPress site secure and updated covers a practical maintenance routine.

Weak Passwords

Simple, reused, or commonly used passwords are easily cracked through brute-force attacks. "Password123" and "admin" are not passwords. They are invitations.

Vulnerable Plugins and Themes

Even up-to-date plugins can have zero-day vulnerabilities. Only install plugins from reputable sources, and remove any you are not actively using. The fewer plugins you have, the smaller your attack surface.

Insecure Hosting

Cheap shared hosting can expose your site to "cross-site contamination," where a hack on one site on the server spreads to others. Choose a reputable hosting provider with strong security measures.

Phishing Attacks

Hackers may target you (the site owner) with phishing emails designed to steal your login credentials. Always verify the sender before clicking links, and never enter your credentials on a page you reached through an email link.

Prevention Checklist

Here is a concise checklist to protect your website going forward:

  • [ ] Keep CMS, plugins, and themes updated (check weekly)
  • [ ] Use strong, unique passwords with a password manager
  • [ ] Enable two-factor authentication on all admin accounts
  • [ ] Install a web application firewall
  • [ ] Set up automated backups (daily or weekly)
  • [ ] Remove unused plugins, themes, and user accounts
  • [ ] Monitor for file changes and security issues
  • [ ] Use SFTP instead of FTP for file transfers
  • [ ] Choose reputable hosting with strong security
  • [ ] Keep your computer and email accounts secure as well

As our research shows, small business websites are targeted by hackers every day. The good news is that most attacks exploit basic vulnerabilities that are straightforward to address. With the right security measures in place, you can dramatically reduce your risk and focus on running your business with confidence.

Get weekly small business tips

Practical guides, tool reviews, and actionable advice delivered to your inbox every week. No spam, unsubscribe anytime.