How to Clean Up a Hijacked Website

Your website has been hijacked.  You found out when a client called and said your website was flagged as malicious on Google, in their browser, or by their anti-malware application.  After you get over the initial shock, embarrassment, and anger, you wonder what you need to do next.  How do you get your website cleaned up and your Internet reputation restored?

The first question is this:  is your site really compromised?  There is a free URL and website malware scanning tool at URLquery.  Go ahead and try it out on your website before you get too involved cleaning your site.

  • Change your passwords.  Change all your user passwords, and if you are using the default admin account, create a new account with administrative rights, and disable the default admin account.
  • Restore from backup.  You first have to determine when your site was infected. The best way to repair your site is to restore it from a backup.  This can be easy if you have been using a backup plugin such as Updraft Plus, or something similar.  Choose a backup that was made sometime before your site was hijacked, and restore it to your web server.

If that isn’t an option, or if it doesn’t solve your problem:

  • Clean your site with your security plugin.  If you are using WordFence, Bulletproof, or a similar plugin:
    • Upgrade to the latest version of your security plugin.
    • Upgrade all your themes and plugins.
    • Change all passwords.
    • Make a new backup (of the compromised site) and store it separately.  This gives you a safe way back if things go wrong.
    • Run a scan of everything.  You may need to make some settings changes to include everything.  Expect this scan to take some time.  This should result in a list of compromised files.
    • Work through the list.  Make the necessary modifications or deletions.
    • Scan again to see if your site is clean.
  • Professional site cleaning service.  If this all seems a bit daunting, it is.  You may decide to pursue professional assistance.  Many web hosts can provide this service, as well as most of the security plugin providers, such as WordFence.
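If you have a backup you trust, you can also build the list of changed files yourself and get a hint about when the infection happened, which helps with choosing a backup date. The script below is an added example, not code from this article or from any security plugin; the function names, the script name, and the two directory arguments are assumptions.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone


def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare_site(backup_root, live_root):
    """List files added, modified or removed in the live site relative to the backup."""
    backup, live = hash_tree(backup_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "modified": sorted(p for p in set(live) & set(backup) if live[p] != backup[p]),
        "removed": sorted(set(backup) - set(live)),
    }


def earliest_change(live_root, report):
    """Earliest mtime (UTC) among added/modified files, or None if nothing changed."""
    # mtimes can be reset by whoever changed the files: a hint for picking a backup, not proof.
    paths = report["added"] + report["modified"]
    if not paths:
        return None
    oldest = min(os.path.getmtime(os.path.join(live_root, p)) for p in paths)
    return datetime.fromtimestamp(oldest, tz=timezone.utc)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_site.py <clean_backup_dir> <live_site_dir>")
    report = compare_site(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9} {path}")
    print("earliest change (UTC):", earliest_change(sys.argv[2], report))
```

Run it against a downloaded copy of the site files, such as the separate backup of the compromised site, with an unpacked clean backup as the first argument. Uploads and cache files that changed legitimately will also show up, so review the list rather than deleting everything on it.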

Here are some additional cleaning methods from the Wordfence website.

You may need to get your site removed from the Google Safe Browsing List, and sites like McAfee Site Advisor.  You will need to approach each service individually and follow their instructions.  For Google:

  • Sign in to Google Webmaster Tools.
  • Add your site if it isn’t already listed.
  • Verify your site, following Google’s instructions.
  • On the Webmaster Tools home page, select your site.
  • Click Site status, and then click Malware.
  • Click Request a review.

If this article hasn’t convinced you about the importance of website security, nothing will.  We encourage you to set up security for your website and web hosting account, including our old standbys of long passwords and two-factor authentication.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
