Hacked website - what next?

These instructions provide you with a brief overview of how you can clean up your website and make it secure. They apply to all operating systems.

Locating the malicious code on the affected website

A close inspection of the web pages and directories concerned is required. It is quite possible that the same malicious code has been installed on several subsites or that other malicious code has been stored in the same web directory. Malicious code that is intended to infect other computers could also be installed. Often, this is in the form of executable files such as .exe, .bat, .ps1, etc. If it is not possible to locate the malicious code, we recommend that you contact your Internet service provider (ISP).

Removing the malicious code

After the malicious code has been located, it must be removed. Under certain circumstances, restoring an earlier backup can help.

Installing the current version of the CMS

If using a CMS such as WordPress, Joomla or Typo3, make sure that you install and use the most recent version. This prevents criminals from using the same vulnerability in the CMS to install malicious code on the website again. The most recent version of the CMS is always indicated on the manufacturer's website.

Please note: Any plugs-ins which have been installed must also be updated. Vulnerabilities in plugs-ins are also regularly misused by criminals as a point of entry.

Checking all of the webmaster's computers for malware

Before FTP and CMS credentials are changed, all computers used for website administration (i.e. all computers on which the CMS login username, password, etc. have been entered) must be scanned for malware.

Changing the access passwords

After the computer has been scanned and any malware has been removed, the FTP and CMS credentials must be changed. This prevents cybercriminals from once again being able to install malicious code on the website using previously stolen credentials (username and password). If passwords for other internet services (webmail, PayPal, etc.) have been used on the affected computer, these also need to be changed.

If these points are neglected, there is a high risk that cybercriminals will gain access to your website again and install further malicious code.

Further Information

Preventive measures

After the website has been cleaned up, we recommend taking additional measures to prevent cybercriminals from gaining access to the website in the future. To this end, the NCSC has drawn up a checklist of corresponding measures: Measures to secure content management systems (CMS)

Last modification 09.12.2021

Top of page