How much does hacked site recovery cost at an agency?

In Senegal: 300,000 to 1,200,000 FCFA depending on severity (simple injection vs full deface + altered DB). In France: 800 to 3,500 EUR. Sucuri Clean service: 199 USD (1 site, 1 month cleanup) or 499 USD (1 year + WAF).

Should I pay a ransom on ransomware?

No, never. Probability of data recovery after payment is around 60 %, and paying funds organized crime. Always prefer restoring a backup and patching.

How long before Google delisting?

If the request is well filled: 24-72 h. If the site is still infected or the request poorly documented: refused + 7-14 d additional delay. Better prepare the request properly.

How to know I don't have a hidden backdoor?

Typical backdoors: innocent PHP file in /uploads/, injected code in wp_options table, suspicious cron job. Scan with Sucuri in depth + full pro audit = only way to be 99 % sure.

Can the hack come back if I clean?

Yes, in 70 % of cases if the entry flaw isn't patched (step 4). It's the step most often missed.

Recover a hacked website 2026: emergency step-by-step guide

Hacked site: 4,200 WordPress sites compromised every day worldwide

In 2026, around 4,200 WordPress sites are compromised every day according to cross-data from Sucuri, Wordfence and SiteCheck. For you, the client: one morning your site redirects to a casino, your antivirus blocks access, Google shows "This site may harm your computer", or worse, your clients receive phishing emails in your name.

Panic is a bad advisor. This guide gives you the 8 emergency steps in the exact order to follow within the first 24 hours.

Step 0 — Recognize hack symptoms

Most frequent symptoms:

Unexpected redirect: the site sends to a third site (casino, pharmacy, porn)
Malware injection: unknown JavaScript code appears in footer or pages
Google blacklist: "This site may harm your computer" in SERPs or Chrome
Google Search Console warning: "Malware detected" message
Sudden slowdown: site lags, server CPU at 100 % (often malicious bot or crypto mining)
New unknown admin users in WP-admin
Strange files: wso.php, c99.php, r57.php, or PHP files in /uploads/
Host blocking the account for suspicious activity
Spam emails sent from your domain name
Client complaint: your clients receive fraudulent emails signed in your brand's name

At the slightest symptom, move immediately to step 1.

Step 1 — Isolate the site (priority 1, < 30 min)

The goal: prevent the malware from continuing to spread, and protect your visitors.

Maintenance mode: enable a "Maintenance in progress" page via .htaccess or WP Maintenance Mode plugin
Restrict access: limit access to your IP via .htaccess (Order Deny,Allow / Deny from all / Allow from YOUR_IP)
Temporarily cut DNS if needed (extreme case of redirect to illegal content)
Block outgoing emails if spam is leaving your domain (cut SMTP on the host side)

Do NOT delete files immediately: we need to preserve evidence for step 2.

Step 2 — Identify the nature of the attack (< 2 h)

Online scan: pass the URL into Sucuri SiteCheck (free, https://sitecheck.sucuri.net), Quttera, VirusTotal
Audit of recently modified files:

`bash

find /var/www/yoursite -type f -name "*.php" -mtime -7

→ lists all PHP files modified in the last 7 days

Server logs: examine /var/log/apache2/access.log or cPanel logs to spot attacker IP
Check admin accounts: Settings > Users in WP-admin, delete any account not created by you
List active plugins: spot suspicious plugins (often an outdated plugin is the entry door)

Document the attack: origin date, infected files, source IP. Useful for step 8 (notify).

Step 3 — Clean or restore (the big step, 2-8 h)

Option A — Manual cleanup (if you have the skills or a sysadmin)

Download a clean copy of WP core, theme, plugins from official sources
Compare file by file with your install (diff or tools like WP-CLI)
Delete / replace all modified files
Scan the database for injected code (search