You’ve just discovered your website has been hacked. Maybe Google is showing a warning to your visitors. Maybe your hosting provider sent a suspension notice. Maybe a customer told you something looked wrong.
Whatever tipped you off — the important thing now is to act fast and act smart. A botched cleanup can be worse than no cleanup at all, leaving backdoors open for reinfection and giving you a false sense of security.
This guide walks you through exactly what to do — step by step — and explains when DIY cleanup makes sense versus when you need a professional on it immediately.
Step 1: Don’t Panic — But Stop the Bleeding
The instinct when you discover a hack is to immediately start deleting files or restoring backups. Resist that urge for a moment. Before you touch anything, do the following:
- Put your site in maintenance mode if possible (prevents visitors from being exposed to malware)
- Take a full backup of the current infected state — you may need it for forensic analysis
- Document everything you’re seeing: error messages, unusual files, redirect behavior
- Change all passwords immediately: CMS admin, FTP/SFTP, hosting control panel, and database
Changing passwords is critical. If hackers have your credentials, cleaning files without changing access details is pointless — they’ll simply re-upload everything.
Step 2: Identify the Scope of the Infection
Before you can clean anything, you need to know what’s been compromised. Common infection points include:
- Core files: Modified CMS core files (WordPress, Joomla, etc.) with injected malicious code
- Theme and plugin files: Backdoors hidden inside theme functions or inactive plugins
- Database: Spam links, malicious redirects, or phishing content injected into posts or options tables
- Uploaded files: PHP shells disguised as images or documents in your uploads directory
- .htaccess file: Redirect rules added to silently send visitors to malicious sites
Run a thorough malware scan using a reputable tool. Look for recently modified files — especially any PHP files in directories that shouldn’t contain them (like your uploads folder).
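The checks in this step can be run as a read-only triage pass before any file is touched. The script below is an added example, not part of the original guide; the WordPress-style `wp-content/uploads` path, the extension list, and the 14-day window are assumptions to adjust for your site.

```python
import sys
import time
from pathlib import Path

# Extensions a PHP handler commonly executes (assumed list; match your server config).
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def triage(webroot, uploads_rel="wp-content/uploads", since_days=14, now=None):
    """Return sorted (relative_path, reason) pairs to review. Read-only: deletes nothing."""
    root = Path(webroot)
    uploads = root / uploads_rel  # assumed WordPress-style layout; adjust for your CMS
    cutoff = (now if now is not None else time.time()) - since_days * 86400
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in PHP_EXTS
        if is_php and uploads in path.parents:
            findings.append((rel, "php-in-uploads"))
        if not is_php:
            # A PHP open tag inside an "image" or "document" suggests a disguised shell.
            # Only the first 1 MiB is inspected to keep the pass fast.
            with open(path, "rb") as fh:
                if b"<?php" in fh.read(1 << 20).lower():
                    findings.append((rel, "php-tag-in-non-php-file"))
        # Recent changes to executable code or rewrite rules help date the infection.
        if (is_php or path.name == ".htaccess") and path.stat().st_mtime >= cutoff:
            findings.append((rel, "recently-modified"))
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:26} {rel}")
```

Modification times can be reset by whoever planted the file, so an empty "recently-modified" list does not show that code files are untouched.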
Step 3: Remove Malicious Code and Files
This is the hardest step — and where most DIY cleanups go wrong. Options include:
Option A: Restore from a Clean Backup
If you have a recent backup that predates the infection, restoring it is the fastest path to a clean site. However, this only works if:
- You’re confident the backup is clean (infections can be dormant for weeks before activating)
- You’re not losing significant new content or customer data
- You’ve identified and closed the vulnerability that allowed the hack — otherwise you’ll be reinfected
Option B: Manual Cleanup
For technically skilled users, manual cleanup involves:
- Comparing your core CMS files against the official, clean version and replacing any modified files
- Scanning all theme and plugin files for obfuscated code (base64_decode, eval, and similar functions used to hide malicious scripts)
- Cleaning the database: searching for spam links, injected iframes, and suspicious redirect URLs
- Scanning uploaded files for PHP shells and removing them
- Reviewing and restoring your .htaccess file to its clean state
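For the obfuscated-code scan in the list above, a pattern check that separates strong indicators from ones that also appear in legitimate plugins cuts down the noise. This is an added example, not code from the original guide; the rule set and both PHP samples are constructed for illustration.

```python
import re

# Constructed rule set for illustration; production scanners carry far larger ones.
STRONG = {
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?\s*"
        r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval-of-request-data": re.compile(
        r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "long-encoded-literal": re.compile(r"""['"][A-Za-z0-9+/]{300,}={0,2}['"]"""),
}
# Weak hits also occur in legitimate plugins, so they only matter in combination.
WEAK = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
}


def scan_php(source):
    """Return sorted (line_number, rule, strength) for every indicator hit."""
    hits = []
    for strength, rules in (("strong", STRONG), ("weak", WEAK)):
        for name, rx in rules.items():
            for m in rx.finditer(source):
                # Match on the whole text so calls split across lines are still caught.
                hits.append((source.count("\n", 0, m.start()) + 1, name, strength))
    return sorted(hits)


def verdict(source):
    """'suspicious' on a strong hit, 'review' on two distinct weak rules."""
    hits = scan_php(source)
    if any(strength == "strong" for _, _, strength in hits):
        return "suspicious"
    return "review" if len({name for _, name, _ in hits}) >= 2 else "no-indicators"


# Constructed samples (the encoded payload is just "echo 1;").
INJECTED = "<?php\n/* cache */ @eval(base64_decode('ZWNobyAxOw=='));\n"
LEGIT = "<?php\n$img = base64_decode($row['thumbnail']);\necho strlen($img);\n"

if __name__ == "__main__":
    print(verdict(INJECTED), verdict(LEGIT))
```

A "no-indicators" result only means these rules did not match; it is a lead for manual review, not proof that a file is clean.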
Warning: manual cleanup is time-consuming, technically demanding, and easy to get wrong. Missing a single backdoor means hackers retain access and the infection returns — often within 24–48 hours.
Option C: Use a Professional Malware Removal Service
For most website owners, this is the right call — especially if you’re not deeply technical, if the infection is extensive, or if your site handles customer data or transactions.
Sucuri’s malware removal service is one of the most trusted in the industry. Their security analysts handle the entire cleanup manually — removing malware, closing backdoors, cleaning the database, and verifying the site is fully restored. It’s included in their platform plans with a guarantee: they keep working until your site is completely clean, with no extra per-incident fees.
Step 4: Harden Your Site Against Reinfection
Cleaning the infection is only half the job. If you don’t close the vulnerability that allowed the hack, you’ll be back in the same situation within days. After cleanup:
- Update your CMS core, all themes, and all plugins to their latest versions
- Remove all inactive or abandoned plugins and themes — they’re common entry points
- Implement a web application firewall (WAF) to block future attacks at the edge
- Set up file integrity monitoring to alert you to unauthorized changes
- Review and restrict file permissions — PHP files should not be writable by the web server
- Enable two-factor authentication on all admin accounts
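Comparing core files against a clean copy (Option B in Step 3) and file integrity monitoring (this step) are the same operation: hash every file and diff against a known-good manifest. The sketch below is an added example, not from the original guide; it assumes the clean reference is the official package for the exact version installed, unpacked locally, and that `wp-content/uploads/` is the directory that changes legitimately.

```python
import hashlib
import sys
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    out = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            out[path.relative_to(root).as_posix()] = digest.hexdigest()
    return out


def compare(baseline, live, ignore_prefixes=("wp-content/uploads/",)):
    """Diff two manifests; return modified, added and missing relative paths."""
    def keep(rel):
        # User uploads change legitimately, so they are excluded from the diff.
        return not rel.startswith(tuple(ignore_prefixes))

    return {
        "modified": sorted(p for p in baseline
                           if keep(p) and p in live and baseline[p] != live[p]),
        "added": sorted(p for p in live if keep(p) and p not in baseline),
        "missing": sorted(p for p in baseline if keep(p) and p not in live),
    }


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <clean_reference_dir> <live_webroot>
    report = compare(manifest(sys.argv[1]), manifest(sys.argv[2]))
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind:9} {rel}")
```

For ongoing monitoring, store the manifest taken right after cleanup somewhere the web server cannot write to, and rerun the comparison on a schedule.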
Step 5: Request Removal from Blacklists
If your site was flagged by Google, McAfee, Norton, or other security databases, you need to request removal separately after the site is cleaned. For Google:
- Log into Google Search Console
- Go to Security Issues and review what was flagged
- Click ‘Request a Review’ and describe specifically what you found and how you fixed it
- Wait 1–3 business days for Google to re-evaluate (straightforward cases are usually resolved quickly)
Important: only submit for review once the site is fully clean. A failed review can delay the process and flag your domain as a repeat offender in Google’s system.
Why You Should Seriously Consider Letting Experts Handle It
DIY cleanup is possible — but the risks are real:
- Missed backdoors lead to reinfection, often within days
- Incomplete database cleaning leaves spam or phishing content live
- Core file replacements done incorrectly can break site functionality
- Every hour of delay means more visitors exposed to malware
Professional cleanup services handle hundreds of infections every month. They know exactly where hackers hide backdoors, what obfuscated code looks like, and how to verify a site is genuinely clean rather than superficially fixed.
When you factor in your own time, the risk of reinfection, and the cost of getting it wrong — a professional cleanup service often works out cheaper than doing it yourself.
🧹 If your site has been hacked, don’t gamble with a DIY fix. Get professional malware removal from Sucuri — guaranteed cleanup, no extra fees, and protection included so it doesn’t happen again.
Prevention Is Always Better Than Cure
The best outcome is never needing this guide in the first place. With continuous malware monitoring, a web application firewall, and proactive security in place, the vast majority of attacks never get through.
Sucuri provides all of this — prevention, detection, and response — in a single platform designed for website owners who don’t want to think about security until they have to.
If your site has been hacked, take a breath — and then take action. Clean, fast, and thorough recovery is possible. The key is not cutting corners.

