How to Clean Up a Hijacked Website

Your website has been hijacked.  You found out when a client called and said your website was flagged as malicious on Google, in their browser, or by their anti-malware application.  After you get over the initial shock, embarrassment, and anger, you wonder what you need to do next.  How do you get your website cleaned up and your Internet reputation restored?

The first question is this:  is your site really compromised?  There is a free URL and website malware scanning tool at URLquery.  Go ahead and try it out on your website before you get too involved cleaning your site.

  • Change your passwords.  Change all your user passwords, and if you are using the default admin account, create a new account with administrative rights, and disable the default admin account.
  • Restore from backup.  You first have to determine when your site was inflected. The best way to repair your site is to restore it from a backup.  This can be easy if you have been using a backup plugin such as Updraft Plus, or something similar.  Choose a backup that was made sometime before your site was hijacked, and restore it to your web server.

If that isn’t an option, or if it doesn’t solve your problem:

  • Clean your site with your security plugin.  If you are using WordFence, Bulletproof, or a similar plug-in:
    • Upgrade to the latest version of your security plugin.
    • Upgrade all your themes and plugins.
    • Change all passwords
    • Make a new backup (of the compromised site) and store it separately.  This gives you a safe way back if things go wrong.
    • Run a scan of everything.  You may need to make some settings changes to include everything.  Expect this scan to take some time.  This should result in a list of compromised files.
    • Work through the list.  Make the necessary modifications or deletions.
    • Scan again to see if your site is clean.
  • Professional site cleaning service.  If this all seems a bit daunting, it is.  You may decide to pursue professional assistance.  Many web hosts can provide this service, as well as most of the security plugin providers, such as WordFence.

Here are some additional cleaning methods from the Wordfence website.

You may need to get your site removed from the Google Safe Browsing List, and sites like McAfee Site Advisor.  You will need to approach each service individually and follow their instructions.  For Google:

  • Sign-in to Google Webmaster Tools.
  • Add your site if it isn’t already listed.
  • Verify your site, following Google’s instructions.
  • On the Webmaster Tools home page, select your site.
  • Click Site status, and then click Malware.
  •  Click Request a review.

If this article hasn’t convinced you about the importance of web site security, nothing will.  We encourage you to set up security for your web site and web hosting account, including our old standbys of long passwords and two-factor authentication.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.