Goins, Writer

On Writing, Ideas, and Making a Difference

What to Do If Your Website Ever Gets Hacked

Last weekend, my blog was hacked. Within a few hours, everything was back to normal. But it was scary. And I didn’t know what to do.

My guess is that some bloggers are as ignorant as I was of what to do. In fact, if I weren’t fortunate enough to get some help, I would’ve been doomed. So I thought I’d share what I did, along with tips for what to do if your blog ever gets hacked.

Tell the world

As soon as my blog was down, I let people know via Twitter and Facebook (since people were already asking why I was sending them to a loans website). This accomplishes two goals:

  1. It sets reasonable expectations for readers, friends, and fans.
  2. It lets people know that you need help. (I’ve found that the Twitter community can be especially resourceful when it comes to technology issues.)

Contact your host

Not quite sure what to do, I first contacted my host. The folks at Site5 responded immediately (at 11pm) and removed the line of code that was injected into my site to redirect to a loans site.

They removed it, and everything was back to normal.

Or so it seemed.

I quickly realized that while my homepage was restored, all my files (i.e. posts and pages) were corrupted.

Undo the damage

A friend on Twitter offered to help fix the problem I was having (since I was tweeting the whole experience). I really cannot say enough good things about Mitch Canter (@studionashvegas). Seriously, if you have any WordPress/website/blog needs or desires, he’s your man.

Within 15 minutes, my site was back to normal. (Thanks, Mitch — you really saved my life, or at least, my blog.)

Readers: Follow Mitch, send him chocolate, and consider hiring him.

Change all your passwords

Next, I changed all three of my passwords for my blog: site admin (i.e. FTP login), WordPress login, and my “backstage” login to access my server.

I auto-generated a complicated password that I had to write down and save, so that I could remember it next time I log in to my FTP. I’m ashamed to admit that two of my passwords were the same and would have been pretty easy to guess.

Install a firewall

My friend Ryan (who once had 100 WordPress blogs crash in one day due to a hacker) recommended a WordPress firewall plugin.

This is a free program that protects your blog from attacks and injections (whatever those are). When someone tries to hack your site, it sends you an email to notify you.

Other takeaways

I learned a few takeaways from the experience:

  1. Back up all your files, so that if you do lose something, it can be easily restored. (If you’re on WordPress, check out my friend Adam’s tutorial for backing up your blog.)
  2. Save your drafts offline. I’m moving over all my posts to Evernote so that they’re saved in the cloud. In the terrible event that I might lose all my posts, I could then re-post them. I also now save a copy of post drafts on my computer in my “blog” folder.
  3. Be ready. Every blog that I follow and respect has been hacked at some point. Plan for disaster. It will happen.

Concluding thoughts

  • Having a good, customer-friendly host is essential.
  • Having a friendly, neighborhood geek you can call up is really important.
  • Having a great tribe and online presence in other social media outlets really helps. Within minutes of my site being down, people were notifying me. I am so grateful for the community this blog has created.

Has your blog or website ever been hacked? What did you do? Is your site ready for an attack? Share your thoughts and best practices in the comments section.

About Jeff Goins

I write books and help writers get their work out into the world. I am the best-selling author of four books, including The Art of Work. Each week, I send out a newsletter with free tips on writing and creativity.

  •  Jeff, I have had this happen, too. We made numerous adjustments because of it. I would also suggest using VaultPress to back up your WordPress files every hour. It is expensive but a life-saver. It is made by Automattic, the same folks who make WordPress.

    I would also recommend 1Password for all your passwords. This way you don’t have to remember them. The software does. I generate 16-to-20-character, complicated passwords for everything. They are all different, but 1Password remembers them all.

  •  A massive resource, Jeff. Thanks. This has not happened to me yet but I should probably take the necessary precautions.

    • Thanks, David. I would strongly recommend it. Not to sound all gloom and doom, but you should prepare for the worst.

  • Karen

     Wow! Thanks Jeff! I am saving this article in its very own folder. I, too, am guilty of poor password choices. All of that changes now. I really appreciate you sharing your story and the great resources you used to get out of a “pickle.”

    •  Thanks, Karen. I just kind of stumbled out of it — not very intentional. Without community, I would’ve been up a creek. I wrote this so that others could more intentionally prepare.

  •  Been there man. I had a business website that was hacked by some dude in the Middle East. Not fun.

    I’m gonna have to get that WordPress Firewall plug in for my personal site… just to be on the safe side.

    Thanks for sharing Jeff!

    • No problem, Rob. Yeah, it’s free, so why not?

  •  Jeff- Thanks for the tips.  I’ve always wondered how common this is and what I can do to prevent it.  

    • You’re welcome, Ethan. More common than it should be. EVERY blogger whom I respect has been hacked.

  • This has happened to me and it really stunk. It is so important to have those backups!

    What was the name of that firewall plugin?

  • Anonymous

    Thanks for the blog Jeff… I am going to read up on this and make sure it doesn’t happen to me… Good to connect… Geoff

  •  I have had clients’ blogs hacked and it sucks. It is never good to get that email or phone call.
    I am thankful for friends who helped me figure out what was going on, because if I didn’t have them I would have been in some trouble.

    • Ditto! Any other tips you’d recommend, Kyle?

      • From my experience, it is watching yourself on open networks. That is where I have seen it happen the most. Anytime someone is on an open network, like a coffee shop or something like that, your stuff is accessible. Changing passwords often helps a ton.

  • For a completely non-technical person like me, this post is critical. I just installed the firewall plugin. I’m just about to run a backup to my Iomega eGo drive too. Thanks Jeff.

    • very cool, marianne. i’m right with you.

  • Anonymous

    Excellent advice. I just realized that my backup plug-in isn’t working – WTH? Thanks for the reminder. Dumb question, though – if I change my WordPress password, are there any implications for working with plug-ins or other programs? I’ve changed site passwords for other sites before and there’s been a time-consuming ripple effect…

  • Great tips. I’m glad things are back to normal now.

  • Linnette Mullin

    Thanks for sharing, Jeff! 😀

  • Bkantarjian

    I am saving this. Just this week I received email asking if I had requested a password change for my blog anhinga.wordpress.com. NO. Thank you so much for sharing.

  • Great information, our site has been hacked, and destroyed our rankings in Google in one day because the hacker installed re-directs.  Restoring the site is pretty much the easy part, but getting the rankings back?  That is a whole different story.

    • SC

      How did you get the ranking back? Same has happened to me?

  • After I got done crying I did the same thing you did – I went right to my Twitter pals and started sharing my sorrow.  Within 15 minutes I had 3 programmers I’d never even met, helping me get my blog back up.   Such a wonderful community on Twitter!  I blogged about those guys and sent out Tweets about them for months afterward.  Forever in their debt!

  • Saad

    One of my client’s company website and blog just got hacked. Guess what I did first. I followed the link to the Facebook page and wrote to the hacker: “You have hacked my website. That is so brilliant of you. Now can you help me get out of it, please? Thanks, and appreciated.”

    He actually responded to wait 24 hours and he will let me know. I don’t know if he is going to delete the rest of the files too or is actually going to help 🙁

  • Guest

    I’ve been hacked 🙁  Thanks for this post Jeff, I have no idea what to do but have just contacted my host.  My hack is different to yours though – all sites on my network have been taken down and the login page to my host is “Unable to Connect”.  Worried.

  • Well, I just joined the ranks of the initiated. I was hacked.
    It was a nightmare during the time, but now that I look back it really wasn’t that bad.
    One thing I did do, which you didn’t mention here, was to take down the site. In my case, it was giving visitors malware. So I figured this way it wouldn’t be flagged and wouldn’t infect anyone. (To bring down the site, I just went to the root directory and deleted index.php after backing it up.)
    And I will absolutely echo your sentiments about having a good network of techie friends. They saved my rear end in this case!

  • Davidvanorbeek

     This is an event I started on Facebook to
    spread the news about “the legal stealing” of my old site-name,… My site was hijacked 3 months ago,…

    Metal art sculptures – Vanorbeek David, Artdeev

    David versus Goliath.







    First of all my best wishes for the new year, that your life may be
    as you want it to be! A good health and lots of good creations!

    I start this event NOT because I want it so much, NOT because I have
    nothing else to do, I start this event to make sure you don’t have to
    write the same story in the future!
    My story started more than 10 years
    ago. As a young artist I asked a friend to build me a website about my
    work. My name is David (deev), I make sculptures (art),
    so artdeev.com was born. For more than 10 years I put love and work in
    this site so I felt like a proud father about this virtual creation.
    Pagerank 4 on Google, the first page to show up under
    ‘metal art sculptures’, +500 links pointing to it and many thousands
    of people who have visited it and have my business cards ever since.
    But sometimes happy stories come to an end,…when you
    don’t follow (or even forget to follow) the rules of Big Brother,
    untouchable and cold.
    Ten years ago my friend created my site at Yahoo. I thought it was a
    good idea to choose for a well known company in which I honestly
    believed until two months ago! Two months ago from one second
    to the other I was no longer the owner of my own websitename!!!
    Yahoo had sold my name!!! Without my permission, without I knew about it
    they sold my artdeev.com to an Australian Domainname
    company. What the f**k happened, what went wrong? I didn’t
    understand. Seems that the contract of 10 years expired, and also the 40
    days above that time. How could this happen? What mistake have
    I made? They didn’t ask me, they didn’t contact me, nor the friend
    who created the site ten years ago! She still seemed to be the official
    owner, she still lives on the same address, has the same
    phone number as 10 years ago. Suddenly there it was, my mistake: I
    didn’t have the password or an email-address linked to the creation of
    the site! I never knew or asked my friend about it and
    she thought she gave it to me. So maybe (?) yahoo has sent out an
    email to notify about the expiring? Thing is that not I, nor my friend
    ever opened this mail address at all in ten years time, so
    you would think the mails must have been returned to the sender and
    they therefore would phone or write to the post address of the owner!?
    No, expired, sold, new owner. And what about my own name
    then and my mail address, it is on the site and I always paid them
    with visa, so they knew my name.
    When I contact the ‘new’ owner two days later and I put a back-order
    (to see if I can buy it back) for the site I get no answer. In the
    meantime another friend of mine who is an IT consultant and
    journalist is contacting the Yahoo-chiefs in Europe and America
    about this matter. A few days later the site becomes an online casino
    and a few more days later the site gets its 3rd owner!?,
    again a domain-seller company in Portland this time. When I ask to
    buy my name back the answer is dry and clear: “Our domain sales experts
    can research the availability of any domain name.
    Simply enter an offer of $2500 or more and we’ll get started!”
    Simply? Excuse me, I forgot to pay $10 for the whole year, so this is
    what you have paid for it also!!! Nice business!!!
    The story is even a little bit more complicated, but these are the
    most important facts. So on the other side of the world a company owns
    my site name now, they have caused me more than one month
    not to be able to work,… I live with my family from my work and as
    the most of you people know how hard it is to make a living out of art.
    But Big Brother only looks at the rules, rules that he
    has written! No compassion, no humanity, no feelings, no heart, NO
    ART!!! “Simply” would have been that when I noticed the site was gone I
    could have acted, I could have bought it back and pay a
    tax for being too late. If today you type in the words ‘vanorbeek
    david’ on google, artdeev shows up. A site about gambling, poker, bingo,
    nothing to do with me at all, but my name is associated
    with it! Is this legal then, because what they did is legal!!!

    I would like to ask all of you, little brothers and little sisters,
    as a sort of support and as proof that you have read this story so you
    don’t have to write the same in the future, to,
    ‘participate’ (this is symbolic) (push “participate” in the head of
    the page) this event and maybe to “invite your friends” (also push
    “invite friends” in the head of the page) so they can read,
    join and share. As I, you are not alright with this situation and
    the way it works. Who does he think he is this Big Brother, doesn’t he
    know the story of David and Goliath? Spread the

    Make sure you control the expiring date of your website!!!

    Thank you
    David, alias

    New name http://www.vanorbeek.com



  • Jessie

    OMG- My website got hacked last year, and it was such a
    mess. I had 2 other websites hosted on my same FTP server, and they were all
    being redirected to some weird website selling pharmaceuticals or something. I
    worked on it for probably 2 days before I gave in and started looking for
    professional help. I found a website called eSecurityPros.com and worked with
    their technicians. They had my sites completely fixed, up and running in a day.
    The whole thing costs about $200, but definitely worth it. I’d recommend them
    to anyone.

    • Scurit

      There are a lot of scam companies that claim to be experts in malware removal. eSecurityPros.com has only been in business for about 5 months. Trust real experts, with security credentials and degrees – scurit.com. We also don’t charge 200.00 because we know what we are doing and have been in the industry for over 15+ years, not 5 months.

  • Siddharth Gowda

    For a year I have been using Total Web Security (http://totalwebsecurity.com/). This is a website protection tool that will protect my website from malware and hackers.

  • Sonali Singh

    I have first-hand experience and know it can be such a hassle to deal with. Later I started using https://totalwebsecurity.com to harden my website. It is a brilliant tool to protect our website from malware and hackers and from getting blacklisted by Google. Awesome!!!

  • zodiac legend

    My business fan-page just got hacked. Fb support was USELESS and didn’t know how to assist me in getting it back. It had 12 000 fans and was created in 2009.

    So much for their ‘loyalty’ …

  • Mona McDonald

    The best way to save it from being hacked is use Clef Plugin: https://www.techgrapple.com/how-to-save-wordpress-blog-from-hackers/

  • Tamara Laschinsky

    Just got rid of many of my domains and noticed they have all been hacked! Host company says domain is available to buy so someone is just ‘using’ it

  • Harvinder Singh Mand

    Can anyone check my website to see if it can be hacked or not? I am going to make a website for charity. I am allowing you all to do hacking on my website. You can also write me at admin@bangsipura.com. Post date 27/11/2015. You can try until 15/12/2015.

  • Peter Lobert

    My site got hacked. My brother was able to figure out the website that did it. I’m wondering if I can tell Google and PayPal (it’s a college paper website and they use PayPal) to let them know these guys are cons?

  • bumblebee8

    Does anyone know about a hack attack by sancakdey? I went to a website and all it had on it was “hacked by Sancakdey” and there was a Turkish flag. I don’t know who they are (Turkish of course anyway), or if going/being on that site will infect my computer.

  • Ana

    My site was hacked. It is now up and running again but when you google the name, it still says that it was hacked. How can I fix this?
