When your website is hacked, your first response should be to stop the problem from getting any worse. Ideally, you should remove the source of the problem completely if you can. You then need to reverse the damage. This means both getting your website working as intended and getting it recognized as safe by the relevant authorities. Once this is done, you need to “learn and prevent” to stop a repeat of the incident.
In addition to all of the above, you will need to think about whether or not the attack has any legal/regulatory implications. If so, you need to check your obligations and address them.
Dealing with the immediate problem
Before you swing into action, make a call to your hosting provider. There is always a chance that they are the ones who have been hacked and all you have to do is wait for them to deal with it. This is unlikely, but your hosting provider will still need to know that you are aware of the issue and are dealing with it. They may even be able to offer some kind of help, or at least advice and possibly contacts of technical support companies.
If the problem does lie with you, rather than your host, then you will want to stop third-parties (including genuine visitors) from accessing your website while you work on it. Most hosting consoles will have an option to do this. If not, you can password-protect the main directory.
Have your website scanned by a proper website vulnerability scanner. As a minimum, this will seek and destroy any malware on your site. If you’re lucky, this may be enough to rectify the problem. If you have other websites on the same server, scan them too in case they are in the process of being attacked.
While you’re doing this, have an anti-malware program scan your computers and mobile devices too, especially if they have any connection with your website (and even if they don’t). Technically this comes under “learn and prevent”, but if you do have malware on your local devices, then there are lots of good reasons for getting rid of it as quickly as possible.
Reversing the damage
If you run a very small site, then you may be able just to delete everything and replace it all with a backup. Most businesses, however, are going to need to go through the process of giving their site a thorough clean, page by page. For larger sites, this is really the only way to ensure that everything goes back exactly as it was before, which may be very important to your search engine rankings.
The process of repairing your website will depend on various factors, not least what specifically was done and how your website was built, e.g. what CMS you use. In many cases, it can involve getting very hands-on with files (including vital ones such as your core files), database tables, and user accounts. It will frequently involve identifying malicious code, which is often well disguised, generally as legitimate PHP extensions.
Getting this wrong can cause even more damage, which means expense and downtime. It’s therefore highly advisable to think carefully about whether or not you really have the in-house skills for the job. If not, it’s best just to get a third-party vendor to take care of it for you. Remember, if you miss any malicious code, which is very easy to do if you’re new to the job, you could find yourself being hacked again (and again).
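One way to narrow down which files need a hands-on look is to compare the live site against a backup, shown here as an added example that is not part of the original article. It assumes the backup predates the compromise; the function names and the sample files in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Return files added, modified or missing in live_root versus backup_root."""
    backup, live = hash_tree(backup_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "missing": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in backup.keys() & live.keys() if backup[p] != live[p]),
    }


def demo():
    """Build two small constructed trees (sample data) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        files = {"index.php": b"<?php echo 'home';", "css/site.css": b"body{}", "about.html": b"<p>About</p>"}
        for root in (backup, live):
            for name, data in files.items():
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Constructed changes standing in for what a clean-up might find.
        (live / "index.php").write_bytes(b"<?php echo 'home'; // changed")
        (live / "css/cache.php").write_bytes(b"<?php // unexpected file")
        (live / "about.html").unlink()
        return compare_trees(backup, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

This only covers files on disk; database tables and user accounts still have to be reviewed separately.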
Once you’re happy your site is back as it should be, change all your administrator passwords, and, if possible, implement two-factor authentication. Then reach out to your host, the search engines, and any other blacklisting organizations to request a review of your site.
Learn and prevent
There is a good chance that your clean-up operation will have identified how the hackers attacked your website. If not, then you need to go through your logs as often and thoroughly as necessary until you figure it out. You also need to undertake a robust security audit to identify any further security weak points. This, rather than the clean-up process, is the time to update software as necessary. The clean-up process is for getting your website back to how it was.
The learn-and-prevent stage is also a good opportunity to think about how well you handled the attack. For example, how easy was it for you to find important credentials (e.g. your CMS login, hosting login and FTP/SFTP access credentials), your logs, and your backups? How well did you undertake initial triage and how easily did you assemble a support team?