"Site Hacked! What do now?!?"
Welcome to the Shitshow

So, your website got hacked. Maybe you woke up to an angry client email, maybe there’s a hostile foreign takeover, or maybe you just found out when you Googled your business and found ads for wiener pills with the words “CLICK HERE FOR PRIZES” where your homepage used to be. Either way, welcome to the club. Your site’s been hacked. It’s stressful, it’s scary, and a complete time-suck.
With the rise of DIY site builders like WordPress, Wix, and Squarespace, more businesses than ever are online. Which is great… until it’s not. These builders are powerful, but all those bells and whistles come at a cost: security holes big enough to drive a truck through.
Every time you think, “Ooh, I need a fancy newsletter signup, a pop-up for coupons, and an analytics tracker that tells me what cereal my customers eat,” you’re adding more potential vulnerabilities. Every plugin is a potential crack in the wall — and hackers are total crack-heads.
Why Me?!?
Let’s get one thing straight: you’re not special. Well, maybe you are, but hackers don’t care. They didn’t pick you because they hate your logo (be honest, it could be better) or think your services suck. They picked you because you’re legitimate — and that’s all they need.
Here’s why you got hacked:
- Traffic Diversion: Hackers reroute your visitors to shady, malware-infested websites to steal their info.
- SEO Spam: They inject your site with garbage content to boost their shady website’s Google ranking.
- Resource Theft: Your website’s server power gets hijacked to mine cryptocurrency or push more spam.
- Data Harvesting: Got a contact form? Newsletter signup? Congrats — you’re now a free data farm.
- “Why Not?” Attacks: Sometimes it’s not even personal. Bots roam the internet looking for vulnerabilities — if you’ve got one, they’ll find it.
How Did They Get In?
Honestly, it’s probably your fault. But let’s not dwell on that — let’s break down the common weak points:
- Weak Passwords: “password123” is basically an open invitation. Use strong, unique passwords — and stop reusing the same one on your email, Facebook, and website.
- Outdated Plugins/Themes: Developers patch vulnerabilities all the time. If you’re not updating regularly, you’re basically leaving your site’s pants down.
- Third-Party Integrations: That live chat plugin from a developer you’ve never heard of? Yeah, that might as well be malware gift-wrapped that you pay $4.99 a month for and the pleasure of hosting
- File Upload Forms: Got a form that lets users upload files? Congratulations, you just gave hackers a direct tunnel to your server.
- Bad Hosting: Cheap hosting cuts corners on security. You saved $5/month, but now you’re losing thousands.
How to Fix Your Hacked Website
Alright, it’s happened. Time to stop panicking and start fixing. Here’s what to do:
- Change Every Damn Password
- Website admin login? Change it.
- Hosting account? Change it.
- FTP, database, email linked to the site? Change those too.
- Kill Active Sessions
- If your platform allows it (WordPress does with plugins like “Force Logout”), boot out any logged-in users. That includes you. Be a big kid and log in again after you change your password
- Shit, kill all your email sessions. Maybe they gained access through your email password.
- Disable Third-Party Services
- Shut down everything non-essential: email marketing integrations, CRMs, live chats, payment gateways — the whole lot.
- Back Up What’s Left
- If your site still has salvageable data, back it up. You might need it.
- Contact your host
- Let your host know that you think your site was hacked.
- Tell them the steps you’ve already taken.
- Ask their suggestions and if they have any levers they can pull to help out.
- DO NOT buy any “enhanced security” bullshit – these are a fucking scam.
- Wipe the Site
- This one hurts, but sometimes you gotta nuke the infected files.
- If your host offers a clean restore point, use it. Otherwise, delete everything and reinstall from scratch.
- Scan for Malware
- Services like Sucuri or Wordfence (for WordPress) can help detect and clean remaining malware.
- Rebuild — Smarter This Time
- Keep it lean. Start with only essential features. No unnecessary fluff.
- For every plugin you reinstall, ask: “What business problem is this solving?”
Am I Screwed?
Short answer: Probably not.
Long answer: Still no, but it might feel fucked Worst case? You build a new site. Yeah, it sucks — but think about it. The first site was probably built when you didn’t know half the stuff you do now. This time around, you’ll make it faster, more secure, and more effective – or pay somebody to make it better, faster, and avoid parts of the process you hated last time.
Silver lining: very screwup is a chance to learn. Your next website won’t just be better — it’ll be hacker-proof (or at least a bigger pain in the ass to break into).
Don’t Let It Happen Again
- Stop being a whiny bitch about authentication — it’s crucial.
- Enable Two-Factor Authentication (2FA) — everywhere, always.
- Update Everything — weekly, at least.
- Limit User Access — only give access to people who need it.
- Ditch Sketchy Plugins — if it looks janky, it probably is.
- Get a Damn Backup System — automatic, daily backups. No excuses.
Your website is your business’s digital storefront. If you wouldn’t let some random dude walk into your physical shop and start rearranging the furniture, don’t let your site be a free-for-all either.
Now go clean up that mess — and make sure it doesn’t happen again.