How to repair a hacked website: First steps after a website hack

If your website has been hacked, the most important thing is that you stay calm and systematically take the appropriate measures. This tutorial will show you how you can recover your website one step at a time.

OK, let’s get started!


You will complete the following tasks during recovery of your website:

  1. Checking your local computer for viruses (preparation)
  2. Changing passwords
  3. Assessing damage
  4. Restoring your backup
  5. Updating plugins and themes
  6. Removing your website from blacklists

Checking your computer for viruses

Before you start recovering your website, you must exclude the possibility that your computer was the origin of the attack. For this reason, first check your local computer for viruses and/or infections with malware.

Virus scanners: For example, you can use the free EU-Cleaner from the German “botfrei” anti-botnet initiative.

Consulting: The Anti-Botnet consulting center will help you delete the viruses for free. For 1&1 customers: If your website has been hacked, we will automatically send you contact data and a ticket number by e-mail, so you can contact the Anti-Botnet consulting center in addition to 1&1 support.

Changing passwords

As a first step, make sure that the attacker can no longer access your webspace, website or database. You manage passwords in the customer area of your web hosting service and in the admin area of your website. As a 1&1 customer, you can adjust your passwords in the 1&1 Control Panel.
Learn how to change your 1&1 passwords in the 1&1 Help Center.

Change the following passwords:

And three more important tips:

  • Always access your webspace using secure protocols like SFTP.
  • If you also used your passwords for other services, you also have to change the passwords in those services.
  • Choose secure user names: Never use default names like admin or test. This is the most effective way to prevent hacker attacks in which the administration password is stolen.

Resetting your website admin password with phpMyAdmin

If you are no longer able to log in to the admin area of your website, the attacker may have deactivated your account or changed the password. In this case, you must change the password in the database. Let’s go through the whole process using WordPress as an example:

  • Start phpMyAdmin (find out more: 1&1 Help Center)
  • In the database of your website, open the users table
  • Search for your user and select Edit at the beginning of the line.
  • Delete the hash value in the user_pass field.
  • You now have to store your new password as a hash value in the user_pass field. To generate a hash, you can, for example, use the md5 Hash Generator.
  • Select Save and click OK.

Full tutorial: How to Change your WordPress Admin Password using phpMyAdmin (Database Method)

Assessing damage

Now it is time to evaluate the situation and plan how to proceed.

  • Which files are affected?
  • Did the attacker have access to your website?
  • Is just one website affected, or are multiple websites on your webspace affected?
  • Did the attacker have access to your database?
  • Is sensitive data affected? Who needs to be informed?

For example, to assess the extent of the damage, you can use the Google Webmaster Tools. You will need a Google account. Google recommends the following steps (excerpt):

  • To find out what Google’s automatic scanners have found, open the Google Safe Browsing diagnostics page for your website (; replace “” with the URL of your website).
  • If your website has been infected with malware, check the “Malware” page in the Search Console. Click Status in the website dashboard and then Malware. This page lists example URLs of your website that contain malicious code. Hackers sometimes add new URLs to your website for their malicious purposes. For example, this is the case in phishing attacks.
  • Check the .htaccess file (Apache) or other access control functions (depending on the website platform) for any malicious changes.
  • Check your server logs (in your webspace under ~/logs/) to see when files were hacked. Note that hackers can also change logs. Look out for suspicious activities such as failed login attempts or unknown user accounts, and check the command history (particularly root’s).

Source: Google Search Console Help
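
The log check from the list above, as an added example (not part of the original tutorial or of Google's instructions): it counts failed WordPress logins per client in an access log and records when a login succeeds after repeated failures. It assumes the Apache "combined" log format and that a failed login answers a POST to /wp-login.php with status 200 while a successful one redirects with 302; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format is an assumption; adjust the pattern to your host's logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2016:03:12:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:03:12:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:03:12:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:03:12:04 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2016:09:00:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2016:09:01:00 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
this line is damaged and must be skipped
"""

def login_summary(lines, threshold=3):
    """Return per-IP stats for clients with at least `threshold` failed logins."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after": None})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not a form submission
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        entry = stats[m["ip"]]
        if m["status"] == "200":
            # Login form rendered again: the attempt failed.
            entry["failed"] += 1
        elif m["status"] == "302" and entry["failed"] >= threshold:
            # Redirect after many failures: the password was probably guessed.
            entry["succeeded_after"] = entry["succeeded_after"] or m["ts"]
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in login_summary(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

A timestamp in succeeded_after marks the earliest point from which the admin account should be treated as compromised.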

Restoring your backup and checking for malware

In this step, you replace all the infected files with files from an uninfected backup. As a 1&1 customer, you can find a list of affected files in your webspace in the log directory under ~/logs/forensic/.

If you cannot exclude the possibility that the attacker had access to your database, you should also restore the database from a backup.
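
One way to answer "Which files are affected?" before overwriting anything, as an added example (not a 1&1 tool): compare the live webspace against the unpacked clean backup by SHA-256 and list files that were modified, added or removed. The directory layout and file names in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):  # rglob also returns dotfiles such as .htaccess
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[path.relative_to(root).as_posix()] = h.hexdigest()
    return result

def compare_to_backup(live_dir, backup_dir):
    """Classify files in the live webspace against a known-clean backup."""
    live, clean = tree_hashes(live_dir), tree_hashes(backup_dir)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for base in (live, backup):
            (base / "wp-content").mkdir(parents=True)
            (base / "index.php").write_text("<?php // original\n")
            (base / ".htaccess").write_text("# original rules\n")
        (backup / "readme.html").write_text("readme\n")
        # Simulated differences on the live side:
        (live / ".htaccess").write_text("# original rules\n# changed line\n")
        (live / "wp-content" / "x.php").write_text("<?php // not in backup\n")
        (live / "readme.html").unlink(missing_ok=True)
        return compare_to_backup(live, backup)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files under "added" exist only on the live site and deserve the closest look; legitimate uploads made after the backup date will appear there too.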

If you had not previously created a backup…

If you had not previously created any backups, you have the following options:

  • Restarting: Delete your website and your database and set them up again.
  • Recovery via a backup from your web hosting provider: 1&1 offers customers in Shared Hosting the option of recovering files on their webspaces.
    Recover files in your 1&1 Control Panel now / Instructions (1&1 Help Center)

Manage webspace: Webspace Recovery

In the future, you can use one of these backup solutions, for example:

  • Creating WordPress backups: for a fee, with a subscription: VaultPress. Free backups: BackWPup Free
  • Creating Joomla! backups: You can create backups directly and at no charge in Joomla using Akeeba Backup or EJB (Easy Joomla! Backup).

These solutions back up your files and database.

Important: Backups in your webspace could be compromised by attackers. For optimal protection of your backups, you should always copy them to a separate local data storage device or cloud storage.

Updating applications, extensions, plugins and themes

To close known security holes, you must update all applications, plugins, extensions and themes as soon as you have restored your backup.

Attackers very often use security holes in plugins and themes. For this reason, make sure you update all plugins, extensions and themes, and check which ones you actually need. Every plugin affects the security of your website. Weigh the benefits and risks before you decide to use a plugin.

Removing your website from blacklists

Google, Bing, Yahoo and many antivirus programs maintain blacklists for websites that are infected with malware. Websites on Google’s blacklist, for example, are removed from the search index or at least punished with a lower ranking.

You have changed all your passwords and imported a clean backup? Now is a good time to have your page removed from these blacklists.

Requesting a new malware review (using Google as an example)

If Google reported malware or unwanted software on your website, you can use the Google Webmaster Tools to request a new review. Google will check your page for malware again in the next 24 hours.

You can find the status of the review using the Google Webmaster Tools in the Search Console in the Security Issues section. Open Google Webmaster Tools

If you have successfully removed all the malware, the status message for your website should look like this:

Video: Help for hacked sites (Google)

This video from the Google Webmasters shows you how and why websites get hacked, and what recovery options you have.

Google offers very good information for webmasters, as well as help on the topics of malware, security flaws and website recovery in the Google Search Console Help.

Evaluate: How did my website get hacked?

Cyber criminals either use weak points in the software you use or find out user data to attack your website:

  • Software/security holes: Attackers can use security holes in a CMS (content management system) like WordPress or Joomla!, or security holes in plugins, extensions or themes, to access your system.
  • User accounts/passwords: This is a direct attack via FTP or the admin account of your website. Attackers use passwords they have stolen or determined using brute force. This presents a higher risk for anyone who uses weak user names and passwords, and accesses his or her webspace using unencrypted connections (FTP).

In order to protect you and increase the security of your website, 1&1 checks all files that are changed for malware. If we find malware, we immediately lock the affected files, inform you, and offer our assistance.


Attacks on websites are part of daily life on the Internet. If your website has been hacked, you may initially feel a little shocked. At this point, it is important to stay calm because you now know what to do and can act effectively. Experienced employees in 1&1 Support will help you through each step in recovering your website.

Increase your website’s security and stay off blacklists with 1&1 SiteLock

If you want to be proactive, you can use 1&1 SiteLock to protect your website from hacks. As the complete security solution for your website, 1&1 SiteLock provides the following:

  • Website Application Scan: Keeps you informed on the vulnerabilities of your applications used (the most common entry point for hackers). This saves you time because you won’t have to personally check with your software vendors for updates and security patches.
  • SQL Injection Scan: 1&1 SiteLock performs a SQL Injection Scan to detect risks quickly and efficiently. This helps you block access to your databases and sensitive customer data to outsiders.
  • Cross-site scripting (XSS): 1&1 SiteLock checks your site, discovering places where an attacker could inject malicious code.
  • Malware Scan: 1&1 SiteLock scans for malware and external redirects, hidden links or links to recognized malware sites. Protects your customers from viruses and trojans on their computers.
  • File Change Monitoring: 1&1 SiteLock will monitor changes made to any file during a scan. So you’ll be made aware if any unwanted changes were made.
  • Search Engine Blacklist Monitoring: 1&1 SiteLock scans make sure your website is not blacklisted from any search engines, and your e-mails are not marked as spam, to ensure uninterrupted communication with your customers.
  • SSL Verification: 1&1 SiteLock verifies your SSL certificate and makes sure that it is compatible with the requirements of your web browser. This ensures that no customers get a warning for data security, and there are no uncertainties.

How to Use 1&1 SiteLock (1&1 Help Center)


22 thoughts on “How to repair a hacked website: First steps after a website hack”

  1. Rosalind says:

    This page definitely has all of the information and facts I needed about this subject and didn’t know who
    to ask.

  2. Daniel says:

    Suppose a website is hacked. THEN updated to WordPress 4.4.1.

    I am still able to log in, change password etc. Doesn’t WordPress 4.4.1 break all cross scripts and all is resolved or do you have to still remove all the infected files and load an uninfected backup?

    1. 1and1help says:

      Hi Daniel,

      thanks for reaching out to us.

      An update does not remove infected files.

      So we recommend you to remove first the whole WordPress folder, install a fresh WordPress 4.4.1 and after that import a clean, checked backup.

      Kind regards,
      Michael, 1&1

  3. Jon says:

    I have a question: suppose someone gets into my website, changes my password and also changes the admin email. What can I do if that’s the case? How can I regain the control of my website?

    Thank you in advance

    1. 1and1help says:

      Hi Jon,

      I would recommend you to follow all of the steps of this article. As a precaution you should also do local backups of your website data and data bases on a regular basis.

      Michael, 1&1

  4. Jim Walker says:

    Nicely summarized.
    Just like to add that a service that does not update your WordPress (if that is what you are running) after being compromised is only removing a symptom of the problem.

    The greater problem when a site is hacked is the existing code.
    Patching or removing malware only solves about 20% of the problem.

    80% of the problem, and why websites are compromised in the first place, is due to keeping a website updated.

    Analogy-wise, simply removing malware is like vacuuming the carpet after a burglar breaks into your house, while still leaving your front door key under your front door mat.

    Sure, the house is cleaner after the break in, but you’ve not done anything to prevent the burglar from coming back tomorrow.

    Maintaining software updates and backups on a regular basis are the key to website security.

    1. 1and1help says:

      Hi Jim,

      Thank you for sharing with the community! You mentioned some very important things everyone should be mindful of!

      Best regards,
      Michael, 1&1

  5. heena soni says:

    But what can we do after hacking? my web site is showing an error is occurred.

    1. 1and1help says:

      Hi heena soni,

      depends on what exactly happened. Maybe contacting our support is the best choice in this case:

      Best regards,
      Michael, 1&1

  6. Jim McNally says:

    I received notification that my email was being used to send spam. My website was not hacked – just my email. Not all mail servers are rejecting my mail, but at least one is.

    I have reset my mail password, but now I want to check with google and other providers to see if I am still on a blacklist. Suggestions?

    1. 1and1help says:

      Hi Jim,

      mxtoolbox is my recommendation as an online blacklisting check:

      Best regards,
      Michael, 1&1

  7. wphackedhelp says:

    WordPress core is, in fact, very secure, just as secure as any other Content Management System, just as secure as any other software suite or Operating System. Security issues most often arise from administrators and users. In other words, you are the weakest link. A weak password and/or a password used across multiple services, in conjunction with an easily guessable username, is typically the vector of attack against any website.

    1. 1and1help says:


      thanks for sharing your point of view with the users. We appreciate it very much!

      Michael, 1&1

  8. Hello Jim, I really need your help on this one… My website works perfectly well on my computer (laptop/desktop), but whenever I open it on mobile phones it redirects immediately and I get this message (The page at says your LENOVO A500, might be slowed down! Click “UPDATE NOW” to Install Application from Google Play). When I click OK, it takes me to one particular shopping site (JUMIA) and tells me to download their app. Please, what do I do? I need a good and urgent reply, please.

    1. 1and1help says:


      this is something our expert should have a deeper look at.

      Please contact them with the data you can find here:

      Best regards,
      Michael, 1&1

  9. George says:

    I highly recommend changing passwords frequently and hardening your WordPress logins. If you don’t, there is a good chance your site will get hacked. I run a web design agency in Sydney and I come across hacked sites all the time. I use these guys to clean hacked sites and to prevent sites from being hacked. They’re top class. There are plenty of options around, just make sure you go with someone who knows what they are doing.

  10. Nasheet Omar says:

    I’m a newbie to websites, scripting, viruses etc.
    So are the cPanel and the admin panel of a website the same? What do you do when your cPanel password is hacked?

    1. 1and1help says:


      if your 1&1 Control Panel password was hacked, please try to change it as soon as possible via this site:

      If you don’t get the reset mail from this page, it’s very likely that the hacker already changed your contact e-mail address. In this case, please contact us:

      Best regards,
      Michael, 1&1

  11. siri says:

    My website is fully hacked and now I can’t even open my site. It is showing
    ( The requested URL /wp-login was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.) So please help me get my website back. It is a new website and I am a beginner in blogging. Please reply to me.

    1. 1and1help says:


      if the article does not help you at all, because you don’t know what to do with it, please contact our support team. They will talk with you about how and if we are able to help you.

      You can find our contact information here:

      Best regards,
      Michael, 1&1

  12. I just wanted to leave a friendly greeting. I just came across this
    site.

  13. Bridge says:

    It’s really helpful for the personal site owner.
    However, I ever bought a host and the host was hacked. The service provider told me all the sites on the host were affected.
