What happens when your website gets hacked (and what recovery really costs)
The typical website hack costs $2,000–$15,000 to recover from and can erase months of SEO progress. Here's the actual recovery process and how to prevent it.
Hacked websites are more common than you'd think. Sucuri Security reports that more than 30% of active WordPress sites have at least one exploitable vulnerability. Most owners don't find out until the damage is already done.
This guide explains how to detect a hack, what to do in the first few hours, what recovery actually costs, and what a professional maintenance plan does to prevent one.
How you know you've been hacked
It's not always obvious. The most common symptoms:
- Strange redirects — visit your site and it sends you to a Chinese pharmacy or casino
- Google's red screen — "This site may harm your computer"
- Sudden ranking drop — from first-page results to nowhere overnight
- Emails bouncing — mail servers flag your domain as spam
- New content you didn't publish — articles about viagra, pages in languages you don't speak
- Unknown admin users — accounts you didn't create
- Hosting alerts — "unusual traffic detected" or "excessive CPU usage"
If you see any of these, assume you're hacked until proven otherwise.
The first 2 hours — what to do immediately
1. Isolate the site
Take the site offline BEFORE you investigate. Options:
- Enable maintenance mode in your hosting panel
- Point the domain to a static "under maintenance" page
- Block all traffic except your IP at the firewall
Every minute the infected site stays online is more damage to your reputation and SEO.
2. Preserve evidence
Before you clean ANYTHING, back up the current (infected) state. You need this to:
- Identify the entry vector
- Know which files were modified
- Detect backdoors the attacker left to return
3. Change ALL passwords
- Hosting panel
- FTP/SSH
- Database
- WordPress/CMS admin
- Email connected to the site
- Any API keys exposed in code
Assume all are compromised — better to change too many than too few.
The next 24 hours — forensics
Identify the entry point
The most common vectors:
| Vector | % of hacks | Signs |
|---|---|---|
| Outdated plugin | 52% | Plugin not updated in 6+ months |
| Nulled/pirated theme | 18% | Theme downloaded free from unofficial site |
| Weak password (brute-force) | 15% | Logs with thousands of login attempts |
| SQL injection | 8% | Custom form without input validation |
| Credentials stolen via phishing | 5% | Login with legitimate credentials that wasn't you |
| Other | 2% | — |
Review server logs from 7–14 days before you detected the hack — the attacker likely got in days before activating the infection.
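One way to run that log review for the brute-force vector, as an added example that is not part of the original article: it counts failed wp-login.php POSTs per IP in the 14 days before detection and records the first successful login from the same address. The function names, the sample log lines and the low threshold are constructed for illustration; it assumes combined log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format fields needed here: client IP, timestamp, method, path, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def login_suspects(lines, detected, days=14, threshold=5):
    """Return {ip: stats} for IPs with >= threshold failed logins before detection.

    Assumption: WordPress answers a failed wp-login.php POST with 200 and a
    successful one with a 302 redirect.
    """
    start = detected - timedelta(days=days)
    stats = defaultdict(lambda: {"failed": 0, "first_success": None})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not start <= ts <= detected:
            continue  # outside the review window
        entry = stats[m["ip"]]
        if m["status"] == "302":
            entry["first_success"] = entry["first_success"] or ts
        else:
            entry["failed"] += 1
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

# Constructed sample log lines (documentation IP ranges, not real traffic).
POST = '"POST /wp-login.php HTTP/1.1"'
SAMPLE = (
    [f'203.0.113.9 - - [01/Mar/2024:02:14:{s:02d} +0000] {POST} 200 4321' for s in range(6)]
    + [f'203.0.113.9 - - [01/Mar/2024:02:14:06 +0000] {POST} 302 0',
       f'198.51.100.7 - - [05/Mar/2024:09:30:00 +0000] {POST} 302 0',
       f'203.0.113.9 - - [01/Jan/2024:02:00:00 +0000] {POST} 200 4321',
       '198.51.100.7 - - [05/Mar/2024:09:31:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 900']
)

def demo():
    return login_suspects(SAMPLE, detected=datetime(2024, 3, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(demo())
```

A flagged IP whose first_success is set is the case to investigate first: repeated failures followed by a working login.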
Clean the infected code
- Compare files against clean CMS/framework baselines
- Look for files with recent modification dates outside normal hours
- Search for suspicious strings: eval(base64_decode(, hidden iframes, obfuscated JavaScript
- Check the database for strange admin users, posts with embedded PHP
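The file checks in this list can be combined into one triage pass. The following is an added example, not code from the original article: it compares every file against a SHA-256 baseline from a clean copy, flags recent modifications outside working hours, and searches for the strings named above. The function names, patterns and sample files are constructed, and working hours are assumed to be 08:00 to 18:59 UTC.

```python
import hashlib, os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Heuristics for the strings named in the list above (constructed, not a full signature set).
SUSPICIOUS = {
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "hidden iframe": re.compile(rb"<iframe[^>]*(display\s*:\s*none|(width|height)\s*=\s*[\"']?0)", re.I),
}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(root, baseline, since, work_hours=range(8, 19)):
    """Map each file needing review to its reasons. baseline is {relative path: sha256}."""
    findings, root = {}, Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel not in baseline:
            reasons.append("not in clean baseline")
        elif sha256(path) != baseline[rel]:
            reasons.append("differs from clean baseline")
        # "Recent" means after `since`; hours are judged in UTC (assumption, adjust to your timezone).
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime > since and mtime.hour not in work_hours:
            reasons.append("modified outside normal hours")
        data = path.read_bytes()
        reasons += [f"contains {name}" for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Scan a small constructed site tree (sample data, not a real infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';")
        baseline = {"index.php": sha256(root / "index.php")}
        # Harmless stand-in: the base64 decodes to "echo 1;".
        (root / "wp-config-backup.php").write_bytes(b"<?php eval(base64_decode('ZWNobyAxOw=='));")
        night = datetime(2024, 3, 2, 3, 0, tzinfo=timezone.utc).timestamp()
        noon = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc).timestamp()
        os.utime(root / "wp-config-backup.php", (night, night))
        os.utime(root / "index.php", (noon, noon))
        return triage(root, baseline, since=datetime(2024, 2, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(demo())
```

Run it against the preserved copy of the infected site rather than the live one, and treat modification times as a hint only, since an attacker can reset them.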
Remove the backdoors
This is the hardest part. A serious attacker leaves 5–10 hidden backdoors to come back after cleanup. They can be disguised as legitimate files (wp-config-backup.php, .htaccess.old, etc.).
The only safe way to be sure the site is clean is to restore from a backup taken before the hack, if you have a reliable one.
What a hack actually costs
Typical breakdown of professional recovery for a medium-sized site:
| Item | Cost |
|---|---|
| Forensic analysis + entry vector identification | $300 – $800 |
| Malware cleanup (hourly, 5–20 hours) | $500 – $2,000 |
| Backup restoration | $200 – $500 |
| Post-cleanup hardening | $300 – $600 |
| Google Safe Browsing re-review request | $0 – $200 |
| SEO recovery | Months of work |
| Direct total | $1,300 – $4,100 |
If the hack exfiltrated customer data, add:
- Breach notifications (required in Florida under § 501.171)
- Potential GDPR/CCPA fines if applicable
- Civil lawsuits
- Lost customer trust = customers who don't come back
The average hack for a small business ends up costing $5,000–$15,000 when you count recovery + revenue lost during downtime.
What a real maintenance plan does to prevent this
- Fast patch application — known vulnerabilities closed in days, not months
- Web Application Firewall (WAF) — blocks SQL injection and XSS attempts before they reach your code
- File integrity monitoring — alerts if any file changes outside an official deploy
- Verified backups — last night's backup ready to restore if something happens
- Regular vulnerability scans — tools like Wordfence, Sucuri, or manual audits
- Strong authentication — 2FA required on admin, passwords rotated periodically
A good plan doesn't guarantee you'll never be hacked, but it drastically reduces the probability and ensures recovery takes hours instead of weeks.
The lesson
The cheapest time to prevent a hack is before it happens. The second-best time is when you sign up for a serious maintenance plan. The worst time is after it's already happened.
If your site hasn't received security updates in the last 60 days, you're silently accumulating risk. Reach out for a free audit — we'll tell you how exposed you are, no strings attached.