Website Compromise Recovery

Website Compromise Recovery Guide

If you believe your website has been compromised, it is important to act quickly. This guide walks you through identifying the issue, securing your environment, restoring your site, and preventing future incidents.

If We Have Suspended Your Website

If we have detected suspicious activity, we may temporarily disable your website to prevent further damage.

In this case, you will receive an email explaining:

Why the site was suspended
What indicators of compromise were found
The steps required to restore service

You should follow the steps in this guide before requesting reactivation. This ensures the compromise has been fully resolved and reduces the risk of reinfection.

Quick Checklist

If you need a fast response, follow this checklist:

Take the website offline
Change all passwords
Remove unknown users
Restore from a clean backup
Update all software
Enable security protections

Then follow the full guide below for a complete recovery.

Signs Your Website May Be Compromised

You may notice one or more of the following:

Unexpected redirects to unknown websites
New or modified files you did not create
Unknown admin users in your CMS
Search engine warnings or blacklisting
Sending spam emails
Sudden drop in website performance or uptime

If any of these happen, begin the recovery process immediately.

Step 1: Isolate the Website

The first priority is to limit further damage.

Disable access via your control panel, limit to your IP address
Suspend compromised user accounts
Inform your team to avoid logging in until secured

Step 2: Secure Access Credentials

Assume all credentials may be compromised.

Change all passwords including:
- Hosting control panel
- FTP/SFTP accounts
- CMS admin users
- Database users
Enable two factor authentication where available
Remove any unknown or unused accounts

Step 3: Identify the Entry Point

Understanding how the compromise occurred helps prevent recurrence.

Common causes include:

Outdated CMS, plugins, or themes
Weak or reused passwords
Vulnerable custom code
Insecure file permissions

Check:

Recent file changes
Access and error logs
Installed plugins or extensions

Step 4: Scan and Clean Files

You must remove all malicious code.

Manually review:
- Core CMS files
- Themes and plugins
- Upload directories
Remove any suspicious or unfamiliar files
Replace core files with clean versions from the official source

If unsure, it is safer to restore from a known clean backup.

Step 5: Restore from Backup

If a clean backup is available, this is often the quickest recovery method.

Identify the most recent unaffected backup
Restore both files and database
Verify the site is functioning correctly

Important:

Do not restore backups that may already contain the compromise

Step 6: Update Everything

Once the site is clean, ensure all software is up to date.

Update your CMS to the latest version
Update all plugins and themes
Remove any unused plugins or themes

Outdated software is one of the most common causes of compromise.

Step 7: Harden Security

Reduce the risk of future incidents by improving security.

Enforce strong password policies
Enable two factor authentication
Limit login attempts
Disable file editing within the CMS where possible, add define(‘DISALLOW_FILE_EDIT’, true); to the wp-config.php file