Seeing Google's hacked-site warning under your own business name is a uniquely bad morning. The instinct is to start deleting anything that looks suspicious — and that instinct is exactly what makes most hacked sites harder to fix. Here's what actually helps in the first day, in order.
First: What NOT To Do
Don't mass-delete suspicious files. Some of them are evidence pointing to how the attacker got in — destroy that, and the cleanup team is left guessing, which usually means the site gets reinfected through the same hole.
Don't just restore an old backup and move on. If the backup predates the infection it removes the symptoms, but the vulnerability that let the attacker in is still there waiting.
Don't ignore it because the site 'still works.' Spam injections and redirects often stay invisible to you while showing to search engines and visitors from ads.
Hour One: Contain
- Change the passwords that matter: WordPress admin, hosting/cPanel, and FTP — from a clean device.
- Check WordPress users for administrator accounts you don't recognize, and note them (don't just delete yet — note the usernames and creation dates).
- Take a full backup of the site as it is now, infection included. It sounds counterintuitive, but this preserves the evidence and gives cleanup a safe reference point.
- If the site handles payments, consider putting it into maintenance mode until it's verified clean.
The Cleanup Itself
Proper cleanup means scanning files against known-clean versions of WordPress core, the theme, and plugins; removing injected code; and — the step amateurs skip — identifying the entry point. In most cases it's an outdated plugin with a published vulnerability, an abandoned plugin nobody noticed, or a weak admin password. Close that hole, or the whole exercise repeats in a month.
After cleanup comes hardening: login protection, correct file permissions, and removing whatever software let the attacker in. See security & backups for the full picture.
Getting Google's Warning Removed
Once the site is verified clean, you request a review through Google Search Console. The warning is usually removed within a few days after Google re-scans and finds nothing. Requesting a review while the site is still infected wastes a review cycle and delays everything — verify first, then request.
Making Sure It Never Happens Again
The honest prevention list is short and boring: keep everything updated, remove software you don't use, use strong passwords, keep tested off-site backups, and have someone monitoring. That's the entire reason monthly website management exists — the next incident either stays small or never happens.
Frequently Asked Questions
My site is hacked right now. What's the very first message to send you?
Your website link plus anything strange you noticed (weird pages, redirects, warning screenshots). Mark it urgent — active infections take priority over scheduled work.
Will I lose my content during cleanup?
No — cleanup targets injected code, not your pages and products. A full backup is taken before anything is touched, so nothing legitimate is at risk.
How fast can the Google warning disappear?
Cleanup usually takes hours to a day depending on the infection; Google's review after that typically clears within a few days.
Dealing with a hacked site right now?
Don't delete anything. Send us the link first — we'll tell you what we see and what it needs.