Incident Response Guide

My Website Has Been Hacked and Replaced

You visited your website and found it replaced with a hacker message, strange content, or something completely different. Here's what to do.

Updated 7 May 2026

What Just Happened

Your website was accessed without your permission and its content was replaced or altered. This is called defacement — attackers replace your site with their own message, images, or spam links.

It most commonly happens through outdated plugins, extensions, or themes: 91% of WordPress vulnerabilities are found in third-party plugins, and 11,334 new CMS plugin vulnerabilities were discovered in 2025 alone — a 42% jump from the previous year. The same pattern applies to Joomla, Drupal, and other platforms. Weak or reused passwords are the second most common cause.

Your website is now showing the attacker’s content to visitors. Some defacements also inject hidden malware that affects visitors’ computers, or redirect visitors to scam sites. This is urgent — but recoverable.


Step 1: Take the Site Offline Immediately

Log in to your hosting control panel (the company that hosts your website — for example SiteGround, GoDaddy, Hostinger, One.com, or similar) and temporarily suspend or take the site offline. Look for a “Suspend”, “Maintenance Mode”, or “Take offline” option.

If you cannot find this option quickly, continue to the next steps — you can still recover even with the site briefly online.


Step 2: Document the Attack

Before changing anything, take screenshots of:

  • What the defaced website looks like in the browser
  • Any message left by the attacker
  • The date and time

This documentation is needed for your hosting provider, your police report, and diagnosing how the attacker got in.


Step 3: Change All Passwords Immediately

From your phone or another device, not your usual computer (which may be compromised), change:

  1. Hosting control panel password — where you manage the website
  2. Domain registrar password — where you registered the domain name (may be the same company)
  3. FTP/SFTP password — if you use FTP to upload files, find this in your hosting panel
  4. Website admin password — WordPress, Joomla, or whichever CMS you use
  5. Email accounts linked to the website — especially the one used to log in to the above services

Use our password generator for each. Every account must get a different password.


Step 4: Contact Your Hosting Provider

Open a support ticket or call your hosting company. Tell them:

  • Your website was defaced
  • Approximately when it happened
  • That you need their help to identify how the attacker got in

Ask them for access logs — specifically the access_log, error_log, and any SSH or SFTP connection logs for the period of the attack. Most hosting companies have a security team that handles these incidents and can tell you exactly what happened.
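Once you have the access_log, the first pass is to narrow it to the hours before the defacement and see which addresses sent requests that changed something. The script below is an added example, not part of the original guide or any hosting provider's tooling; it assumes the common Apache/nginx "combined" log format, and the sample lines, addresses and times in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format is assumed; confirm the format with your host.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample lines (documentation IP ranges, invented requests).
SAMPLE_LOG = """\
198.51.100.7 - - [03/May/2026:01:12:44 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2026:01:12:51 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.20 - - [03/May/2026:01:40:02 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2026:01:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 977 "-" "Mozilla/5.0"
192.0.2.55 - - [01/May/2026:09:00:00 +0000] "POST /contact.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
this line is corrupted and must be skipped
"""
# Constructed time at which the defacement was first seen (from the Step 2 screenshots).
SAMPLE_DEFACED_AT = datetime(2026, 5, 3, 2, 0, tzinfo=timezone.utc)


def triage(log_text, defaced_at, hours_before=24):
    """Group accepted write requests in the window before the defacement by client IP.

    Returns {ip: [(iso_timestamp, method, path, status), ...]}, oldest first.
    """
    start = defaced_at - timedelta(hours=hours_before)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        if start <= ts <= defaced_at and m["method"] in WRITE_METHODS and status < 400:
            hits[m["ip"]].append((ts.isoformat(), m["method"], m["path"], status))
    return {ip: sorted(entries) for ip, entries in hits.items()}


if __name__ == "__main__":
    for ip, entries in triage(SAMPLE_LOG, SAMPLE_DEFACED_AT).items():
        print(ip, len(entries), "write requests")
        for entry in entries:
            print("   ", *entry)
```

Widen `hours_before` if the window turns up nothing; the entry point is sometimes days older than the visible defacement.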


Step 5: Restore From a Backup

Most hosting providers keep automatic backups of your website. This is the fastest recovery path.

In your hosting control panel, look for:

  • “Backups” or “Backup Manager”
  • “Restore” or “Restore from backup”
  • Tools named JetBackup, CodeGuard, or similar

Restore to a backup from before the defacement happened. Check your screenshots for the date — choose a backup clearly before that point.

Important: Restoring a backup brings your old site back, but it does not fix the vulnerability the attacker used. If you do not address the root cause (Step 6), it can happen again.

If no backup is available:

  • Contact your hosting provider — they may have a backup even if you cannot see it in the panel
  • WordPress: reinstall core files, reinstall each plugin and theme fresh from wordpress.org, clean the database manually — or ask your host for help
  • Joomla / Drupal: reinstall the CMS core from the official site, then reinstall extensions; ask your host to restore the database from their copies
  • Wix, Squarespace, Shopify: contact the platform’s support directly — they control the infrastructure and can restore previous versions

Step 6: Find and Fix the Vulnerability

Once the site is restored, identify how the attacker got in before putting it back online.

Outdated CMS plugins, extensions, or themes (most common)

This is the number one cause of defacements. Attackers scan millions of websites automatically, looking for known vulnerabilities in popular plugins and extensions.

WordPress:

  • Log in to admin → Dashboard → Updates → update WordPress core, all plugins, all themes
  • Remove any plugins or themes you do not actively use — each is an attack surface even if inactive
  • Consider installing Wordfence (free) — monitors for intrusions and blocks known attack patterns

Joomla:

  • Log in to admin → System → Update → Extensions — update Joomla itself and all extensions
  • Remove unused extensions and templates

Drupal:

  • Log in to admin → Reports → Available updates — apply all pending updates
  • Remove unused modules and themes

Wix / Squarespace / Shopify (hosted platforms):

  • These platforms handle their own core updates automatically; your exposure is mainly through third-party apps you have installed
  • Review installed apps and remove any you do not need

Weak or reused admin password

Weak or reused passwords are behind a large share of website compromises. If your site admin password was short, common, or reused from another account, that may be the entry point.

  • The new password you set in Step 3 should be long (20+ characters), random, and used nowhere else
  • Enable two-factor authentication on your CMS admin account:
    • WordPress: go to Users → Your Profile, look for Two-Factor Options (requires the “Two Factor” plugin)
    • Joomla: go to User Manager → your account → Two Factor Authentication
    • Wix / Squarespace / Shopify: enable 2FA in your account security settings
  • Enable 2FA on your hosting control panel as well

FTP credentials were stolen

FTP is an older, unencrypted protocol for uploading website files. If malware on your computer stole your FTP credentials, attackers could replace your entire website through it.

  • Change your FTP password (done in Step 3)
  • If possible, switch from plain FTP to SFTP (encrypted) — your hosting provider can explain how
  • Run a malware scan on the computer you normally use to manage your website

Hosting control panel account was accessed

If the attacker accessed your hosting control panel directly, they could change files, DNS settings, or install backdoors.

  • Check login history in your hosting panel — look under Security or Account Activity for unfamiliar IP addresses or login times
  • Enable two-factor authentication on your hosting panel if not already done
  • If your hosting account email was also accessed, treat it as a separate incident and follow the email account hacked guide

Step 7: Scan for Remaining Malware

Even after restoring a backup, run a scan to confirm nothing was left behind — attackers sometimes install backdoors that survive a restore.

Free tools (run from your phone or another computer):

  • Sucuri SiteCheck — enter your website address at sucuri.net/website-security-platform/sitecheck/ to scan for malware and blacklist status (works for any CMS or custom site)
  • Wordfence (WordPress only) — run a full scan from the WordPress admin panel after restoring
  • Joomla / Drupal: most hosting panels include a malware scanner — check under “Security” in your hosting control panel

If your hosting provider offers a malware scanner in the control panel, run that as well.
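If you have file access to the restored site (for example a copy downloaded over SFTP), a quick manual check alongside the scanners is to list what changed after the backup you restored and any script files sitting in upload folders. The script below is an added example, not part of the original guide or of any scanner named above; the upload directory names and script extensions are assumptions to adjust for your CMS, it assumes the restore preserved file modification times, and the sample tree it builds is constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTS = {".php", ".phtml", ".phar"}
# Assumed names of directories that should hold only uploaded media; adjust per CMS.
UPLOAD_DIR_NAMES = {"uploads", "media", "images"}


def review_webroot(root, backup_taken_at):
    """Return sorted (relative_path, reason) pairs for files that deserve a manual look."""
    cutoff = backup_taken_at.timestamp()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_upload_dir = bool(set(rel_dir.split(os.sep)) & UPLOAD_DIR_NAMES)
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.lstat(full).st_mtime > cutoff:
                findings.append((rel, "modified after backup"))
            if in_upload_dir and os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                findings.append((rel, "script in upload directory"))
    return sorted(findings)


def build_sample_tree(backup_taken_at):
    """Create a constructed sample webroot in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-sample-")
    before = backup_taken_at.timestamp() - 86400   # one day before the backup
    after = backup_taken_at.timestamp() + 3600     # one hour after the backup
    sample = [
        ("index.php", before),
        ("wp-includes/load.php", after),
        ("wp-content/uploads/2026/05/photo.jpg", before),
        ("wp-content/uploads/2026/05/thumb.php", before),
    ]
    for rel, mtime in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    backup = datetime(2026, 5, 1, 3, 0, tzinfo=timezone.utc)  # constructed backup time
    for rel, reason in review_webroot(build_sample_tree(backup), backup):
        print(f"{reason:28} {rel}")
```

Modification times can be reset by some restore tools and by an intruder, so treat an empty result as one signal alongside the scanners listed above, not as proof the site is clean.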


Step 8: Check If Google Has Flagged Your Site

If your site was defaced for more than a few hours, Google may have detected and flagged it — which causes visitors to see a red warning page (“This site may harm your computer”) before they can access your site.

To check and fix this:

  1. Log in to Google Search Console (you may need to verify ownership of your site)
  2. Look for a Security Issues section
  3. If issues are listed, click “Request a Review” once you have cleaned the site

Google typically reviews and removes warnings within a few days of a request.


Step 9: Report It

Police report: If the website is connected to your business or if you believe you were targeted specifically, file a police report. Bring your screenshots and the timeline.

Online cybercrime reporting:

  • Most countries have a national cybercrime reporting centre — search for “[your country] report cybercrime” to find yours
  • Your national CERT (Computer Emergency Response Team) also handles these reports — a full list for European countries is at enisa.europa.eu/topics/csirts-in-europe

After Recovery: Checklist

Before going back to normal, confirm each of these:

  • Site is fully restored and displaying correctly
  • All passwords changed (hosting, domain, FTP, CMS admin, related email)
  • CMS core, all plugins, and all themes updated to latest versions
  • Unused plugins and themes removed
  • Malware scan completed — no threats found
  • Two-factor authentication enabled on hosting panel and CMS admin
  • Automatic backups enabled in your hosting panel
  • Google Search Console checked — no security warnings active

Prevention Going Forward

The best protection against defacement is keeping your website software up to date and maintaining recent backups. Most successful attacks exploit known vulnerabilities in outdated plugins — vulnerabilities that already have patches available.

  • Enable automatic updates for your CMS core and all plugins/extensions/modules
  • Remove unused plugins, extensions, and themes — even deactivated ones can be exploited
  • Back up regularly — daily or weekly automatic backups through your hosting panel
  • Use strong, unique passwords for every website-related account (use our password generator)
  • Check your site monthly — simply visit it yourself to confirm it looks normal
  • Consider a web application firewall (WAF) — services like Cloudflare offer a free tier that blocks many common attacks before they reach your site