Website Hacked? What to Do Right Now (Step-by-Step)

Think your website was hacked? Here's exactly what to do, in plain English, so you can stop the damage and protect your business today.

Website Hacked? Here's What to Do Right Now

If you think your website was hacked, take a breath. You are not alone, and this is something you can work through. Small business owners deal with this more often than most people realize. The good news is that there are clear steps you can take right now, even without an IT team behind you.

Let's walk through exactly what to do.


Step 1: Don't Panic. Do This First.

The first thing to do when you think your website was hacked is to stop and look for signs before assuming the worst.

Common signs that something is wrong:

- Your website is showing content you did not put there
- Visitors are being redirected to a different site
- Google is flagging your site with a warning message
- Your web host sent you a suspicious activity notice
- You cannot log in to your website dashboard

If you are seeing one or more of these, something likely happened. But knowing what went wrong is the first step toward fixing it.


Step 2: Take Your Website Offline Temporarily

This sounds scary, but it protects your customers.

If your site is serving harmful content or redirecting visitors somewhere dangerous, keeping it live does more damage. Contact your web hosting company and ask them to take the site offline while you investigate. Most hosts have a support chat or phone line for exactly this situation.

You can put up a simple message that says your site is undergoing maintenance. That is honest, and it buys you time.


Step 3: Change Every Password Connected to Your Website

Do this immediately, even before you know the full picture.

Change the password for:

- Your web hosting account
- Your website admin panel (WordPress, Squarespace, Wix, or whatever you use)
- Your domain registrar account (this is where you bought your domain name)
- Any email addresses connected to your site

Make each new password long and unique. A password manager like Bitwarden or 1Password can help you generate and store them safely.

While you are at it, enable two-factor authentication on every account that offers it. Two-factor authentication means you need a second code, usually sent to your phone, before anyone can log in. It is one of the most effective ways to stop unauthorized access.


Step 4: Contact Your Web Host

Your web host may already know something is wrong. They monitor their servers and sometimes catch issues before you do.

Call or chat with their support team and tell them what you are seeing. Ask them to:

- Check the server logs (a record of who accessed your site and when)
- Scan for malicious code (code that was added without your knowledge)
- Restore a clean backup if they have one

Many hosts keep daily or weekly backups of your site. A clean backup means you may be able to roll your site back to before the problem started. Ask specifically when their most recent backup was made.
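If you, or a developer helping you, have both a clean backup and a copy of the current site files, comparing the two shows exactly which files were added or changed without your knowledge. The script below is an added example, not a SecureLayerHQ or hosting-provider tool; the folder names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def compare_to_backup(backup_dir, live_dir):
    """List files added, changed or removed in the live site since the backup."""
    backup, live = file_hashes(backup_dir), file_hashes(live_dir)
    return {
        "added": sorted(live.keys() - backup.keys()),
        "changed": sorted(p for p in live.keys() & backup.keys() if live[p] != backup[p]),
        "removed": sorted(backup.keys() - live.keys()),
    }


def build_sample_site(base):
    """Constructed sample data: a small clean backup and a tampered live copy."""
    trees = {
        "backup": {"index.php": "<?php echo 'Welcome'; ?>",
                   "css/site.css": "body { margin: 0 }",
                   "about.html": "<p>About us</p>"},
        "live": {"index.php": "<?php echo 'Welcome'; /* line nobody added on purpose */ ?>",
                 "css/site.css": "body { margin: 0 }",
                 "uploads/cache.php": "<?php /* file nobody on the team created */ ?>"},
    }
    for name, files in trees.items():
        for rel, text in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    return Path(base, "backup"), Path(base, "live")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # swap in your real backup and site folders
        backup_dir, live_dir = build_sample_site(tmp)
        for kind, paths in compare_to_backup(backup_dir, live_dir).items():
            print(f"{kind}: {paths}")
```

This only compares files. Content stored in a database, such as WordPress posts and user accounts, needs to be checked separately.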


Step 5: Scan Your Site for Malicious Code

Once your host has looked at things, you may want an independent check.

There are free tools that can scan your website and flag suspicious code or security issues. SecureLayerHQ offers a free website security scanner that gives you a quick picture of what is exposed. It is a good way to get a second opinion without needing any technical knowledge.

This kind of scan looks at your site the way an outside visitor would see it. It can spot things your host might have missed.


Step 6: Remove the Harmful Content or Code

If your host found malicious code, they can often remove it for you. Some hosts include malware removal (malware means software that was designed to cause harm) in their support plans. Others charge a fee.

If you use WordPress, there are plugins like Wordfence or Sucuri that can scan and clean your site. These tools are built for non-technical users and walk you through each step.

If this feels too complex, hiring a freelance web developer for a few hours is a reasonable option. Many can clean a compromised site quickly.


Step 7: Figure Out How It Happened

Once the immediate problem is handled, it is worth understanding the cause. This is how you prevent it from happening again.

Common reasons small business websites get compromised:

- Outdated software or plugins that were not updated regularly
- Weak or reused passwords
- A phishing email that tricked someone into giving up login credentials (phishing means a fake message designed to steal your information)
- A vulnerable login page with no extra protection

Understanding the cause helps you close the door for good.


Step 8: Let Google Know You Are Clean

If Google flagged your site with a warning, you will need to ask them to review it again once you have cleaned things up.

Go to Google Search Console (a free tool from Google that shows how your site appears in search results) and submit a request for a malware review. Once Google confirms your site is clean, the warning will be removed. This can take a few days.


What This Has to Do With Your Inbox

Here is something most small business owners do not realize. A large number of website compromises start with a single email.

Someone on your team clicks a link. Enters a password on a fake login page. Forwards something without thinking. And just like that, someone has access.

Protecting your website starts before the attack. It starts with knowing what is in your inbox.

SecureLayerHQ's Morning Email Brief watches your inbox overnight and delivers one plain-English summary at 7AM. It shows you what's urgent, what's suspicious, and what tried to scam you. If something dangerous is sitting in your inbox, it flags it for you. One-tap delete and it's gone before anyone on your team can click it.

It is built for teams of 1 to 20 with no IT team required. At $49.99 a month, it costs less than taking your significant other out to eat. And you can try it free for 14 days, no credit card needed.

Because the best time to deal with a security problem is before it becomes one.

Start your 14-day free trial at securelayerhq.com. No credit card required.

FAQ

How do I know if my website was hacked?

Common signs include unexpected content appearing on your site, visitors being redirected to another website, a warning message from Google, or a notice from your web host about suspicious activity. If your admin login stops working, that is also a red flag.

What is the first thing I should do if my website is hacked?

Take your site offline temporarily to protect your visitors, then change every password connected to your website, including your hosting account, admin panel, and domain registrar. Contact your web host as soon as possible so they can check for damage and restore a clean backup.

Can I fix a hacked website without hiring anyone?

Often, yes. Your web host may be able to restore a clean backup for you. If you use WordPress, tools like Wordfence or Sucuri can scan and clean your site without requiring technical knowledge. For more serious situations, hiring a freelance developer for a few hours is a cost-effective option.

How long does it take Google to remove a hacked site warning?

Once you have cleaned your site and submitted a malware review request through Google Search Console, the review typically takes a few days. Google will remove the warning once they confirm your site is clean.

How do website compromises usually start?

Many start with a phishing email. Someone clicks a link, enters their password on a fake page, and an attacker gains access. Outdated website software and weak or reused passwords are also common causes.

How can I prevent my website from being compromised again?

Keep your website software and plugins updated, use strong unique passwords with two-factor authentication, and be careful about what links you click in email. Monitoring your inbox for suspicious messages is one of the most effective ways to stop an attack before it starts.

What is SecureLayerHQ and how does it help protect my business?

SecureLayerHQ is a security service built for small businesses with no IT team. The Morning Email Brief watches your inbox overnight and sends you a plain-English summary at 7AM showing what is urgent, what is suspicious, and what tried to scam you. You can delete any threat with one tap. It costs $49.99 a month and includes a 14-day free trial with no credit card required.
