How to Clean Up a Hijacked Website

Your website has been hijacked.  You found out when a client called and said your website was flagged as malicious on Google, in their browser, or by their anti-malware application.  After you get over the initial shock, embarrassment, and anger, you wonder what you need to do next.  How do you get your website cleaned up and your Internet reputation restored?

The first question is this:  is your site really compromised?  There is a free URL and website malware scanning tool at URLquery.  Go ahead and try it out on your website before you get too involved cleaning your site.

  • Change your passwords.  Change all your user passwords, and if you are using the default admin account, create a new account with administrative rights, and disable the default admin account.
  • Restore from backup.  You first have to determine when your site was inflected. The best way to repair your site is to restore it from a backup.  This can be easy if you have been using a backup plugin such as Updraft Plus, or something similar.  Choose a backup that was made sometime before your site was hijacked, and restore it to your web server.

If that isn’t an option, or if it doesn’t solve your problem:

  • Clean your site with your security plugin.  If you are using WordFence, Bulletproof, or a similar plug-in:
    • Upgrade to the latest version of your security plugin.
    • Upgrade all your themes and plugins.
    • Change all passwords
    • Make a new backup (of the compromised site) and store it separately.  This gives you a safe way back if things go wrong.
    • Run a scan of everything.  You may need to make some settings changes to include everything.  Expect this scan to take some time.  This should result in a list of compromised files.
    • Work through the list.  Make the necessary modifications or deletions.
    • Scan again to see if your site is clean.
  • Professional site cleaning service.  If this all seems a bit daunting, it is.  You may decide to pursue professional assistance.  Many web hosts can provide this service, as well as most of the security plugin providers, such as WordFence.

Here are some additional cleaning methods from the Wordfence website.

You may need to get your site removed from the Google Safe Browsing List, and sites like McAfee Site Advisor.  You will need to approach each service individually and follow their instructions.  For Google:

  • Sign-in to Google Webmaster Tools.
  • Add your site if it isn’t already listed.
  • Verify your site, following Google’s instructions.
  • On the Webmaster Tools home page, select your site.
  • Click Site status, and then click Malware.
  •  Click Request a review.

If this article hasn’t convinced you about the importance of web site security, nothing will.  We encourage you to set up security for your web site and web hosting account, including our old standbys of long passwords and two-factor authentication.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.