My website has been hacked
Spam pages, Google warnings, dodgy redirects. Here is how to clean it properly so it stays clean.
01 / What probably happened
Almost certainly an old vulnerability
Most small business sites get hacked through one of three doors: an out of date plugin or theme, a reused admin password that leaked in a third-party breach, or a vulnerability in the hosting account itself. The attacker is almost never targeting you specifically, they are running an automated script against thousands of sites and yours happened to match.
Common signs: dodgy redirects to gambling or pharmacy sites, mystery pages full of spam appearing in Google for terms unrelated to your business, a Safe Browsing warning, or your hosting provider suspending the account because of malware. All of these are recoverable.
Do not just delete the spam pages and call it done. Without finding and closing the entry point, the hacker comes back the next day through the same door. Cleaning has to happen in the right order.
02 / How to clean a hacked site properly
The non-negotiable steps
Skip any of these and the hack comes back. This is how incident responders handle it, in the right order.
Take the site offline cleanly
Replace the live site with a temporary holding page so visitors do not see infected content and Google does not keep crawling spam. This buys you time to clean without making the SEO damage worse.
Identify how they got in
An out of date plugin, a leaked admin password, a vulnerable theme or a weak FTP credential. There is always a doorway. Cleaning the site without closing the door means you get hacked again next week.
Remove injected files and pages
Hackers commonly add hidden spam pages, redirect rules and PHP backdoors scattered through the file system. We hunt them down systematically rather than relying on a scanner that misses half of them.
Clean the database
Spam links and SEO-poisoning content often live in the database, not the files. We export it, scan it, scrub it and put it back. The site does not 'mysteriously come back hacked' a week later.
Rotate every credential
Every admin user, every database password, every API key, every FTP login. If we cannot prove a credential is safe, it gets replaced. Old admin accounts created by the attacker get removed.
Submit a Google reconsideration
If Google flagged the site or added a Safe Browsing warning, the warning does not lift on its own. We file the reconsideration request through Search Console with the cleanup details so the warning is removed quickly.
03 / How we handle it
Our incident response
Triage
We confirm the site is compromised, identify the type of attack (SEO spam, malware, redirect, defacement, phishing kit), and check whether visitors are at active risk. You hear back within the hour.
Stabilise
We take the live site down to a clean holding page so customers and Google see something safe. We snapshot the infected site for forensic work without serving it to anyone.
Clean
We restore from a known-good backup if one exists, or rebuild from a clean version of the platform plus your real content. Every credential is rotated. Every backdoor is removed. The original entry point is closed.
Prevent
We move you to hardened hosting with daily backups, automatic updates, a firewall, intrusion monitoring and Search Console alerts. The next attempted attack hits a wall.
FAQ
Common questions
Google is showing a warning on my site. How do I get it removed?
First we have to actually clean the site. The warning is there because Google scanned and found something. Once the site is genuinely clean, we file a reconsideration request through Search Console. The warning usually lifts within 24 to 72 hours after Google reviews it.
Will I lose my SEO ranking after a hack?
Short hacks (cleaned within a day or two) usually leave SEO mostly intact, especially if the spam pages were quickly removed and a reconsideration was filed. Long undetected hacks (months of redirects) can take weeks to recover from. The faster you act the less you have to recover.
Is my customer data safe?
Depends on the attack. SEO spam injections usually do not touch customer data. A full database compromise might. We will tell you honestly what was reachable from the attacker's position, and if customer data was exposed we will help you handle the GDPR notification process.
How do you know you have removed everything?
We do not trust scanners alone. We compare every file against a known-good version of the platform, check the database against expected schemas, look at every admin user, and audit cron jobs and scheduled tasks. Anything that does not belong gets removed. Then we monitor for re-infection.
What if it happens again?
If the same hack comes back, we did not actually fix the entry point. Most repeat infections come from a backdoor file the original cleanup missed. On a managed plan we monitor for re-infection in real time and fix free of charge if it happens within 90 days.
Should I tell my customers?
If customer data was accessed or could have been accessed, yes, and you need to do it within 72 hours under GDPR. If only the public website was defaced or had spam injected, normally no, but it is worth noting publicly if customers might have seen the bad version and been confused.
Want a site that is harder to break into?
On our managed plan, hosting is hardened, plugins are kept current, backups run daily and intrusion attempts get caught in real time. From £79/month.