
If you have a clean backup from before the hack, you’re already ahead of the curve. A verified backup is often the fastest, safest, and most reliable way to get your website back online without carrying hidden malware or backdoors into the restored version.
But the key word here is clean. Restoring the wrong backup can put you right back into the same compromised state — or even make things worse.
Below is a deeper look at how to choose the right backup, how to verify it, and what to do if you don’t have one.
How to Choose the Right Backup
Choosing the correct backup is more than just picking the most recent one. You need to ensure it’s complete, uninfected, and compatible with your current setup.
1. Pick a Version From Before the Hack Occurred
Your goal is to restore your site to a moment in time when everything was functioning normally.
How to identify the right timeframe
- Look at server logs for unusual activity (e.g., failed login attempts, unknown IPs).
- Check timestamps of suspicious files — malware often leaves clues.
- Think back to when you first noticed something “off,” such as:
  - Strange pop-ups
  - Redirects
  - Missing content
  - New admin accounts
  - Slow performance
Examples
- If you discovered the hack on March 10, but logs show suspicious activity starting March 8, choose a backup from March 6 or earlier.
- If your hosting provider alerts you that malware was detected on Monday, avoid backups from the entire weekend.
Why this matters: Attackers often infiltrate a site days or weeks before they reveal themselves. Restoring a backup from the “visible” hack date may still contain hidden malware.
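One way to turn the log review above into a restore date, as an added example that is not part of the original article. It assumes an access log in combined log format, treats a POST to /wp-login.php answered with status 200 as a failed login, and uses constructed log lines and backup dates; the two-day margin mirrors the March 8 / March 6 example above.

```python
import datetime as dt
import re
from collections import Counter

# Combined log format: client IP, [timestamp], "METHOD path ...", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges, made-up requests).
SAMPLE_LOG = [
    '198.51.100.4 - - [05/Mar/2024:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [08/Mar/2024:02:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '203.0.113.7 - - [08/Mar/2024:02:14:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '203.0.113.7 - - [08/Mar/2024:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '203.0.113.7 - - [10/Mar/2024:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

def first_suspicious_day(lines, threshold=3):
    """Earliest day on which one IP had >= threshold failed logins.

    Assumption: a POST to /wp-login.php answered with 200 is a failed login
    (WordPress redirects with 302 on success).
    """
    failed = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            day = dt.datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").date()
            failed[(day, ip)] += 1
    days = [day for (day, _ip), n in failed.items() if n >= threshold]
    return min(days) if days else None

def pick_backup(backup_days, suspicious_day, margin_days=2):
    """Newest backup at least margin_days older than the first suspicious day."""
    cutoff = suspicious_day - dt.timedelta(days=margin_days)
    older = [d for d in backup_days if d <= cutoff]
    return max(older) if older else None

if __name__ == "__main__":
    backups = [dt.date(2024, 3, d) for d in (4, 6, 7, 9)]  # constructed dates
    start = first_suspicious_day(SAMPLE_LOG)
    print("first suspicious day:", start)
    print("restore candidate:", pick_backup(backups, start))
```

A result of None from pick_backup means no backup is old enough, which is the "no clean backup" case covered later in the article.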
2. Verify the Backup Is Complete and Uninfected
A clean backup should include all essential components of your website:
What a complete backup includes
- Core CMS files (WordPress, Joomla, Drupal, etc.)
- Theme files
- Plugin files
- Database
- Media uploads
- Configuration files (like wp-config.php)
If any of these are missing, your restore may fail or leave vulnerabilities behind.
How to verify the backup is clean
- Scan the backup with a malware scanner before restoring.
- Compare file sizes and timestamps to known-good versions.
- Look for:
  - Unexpected PHP files
  - Files with random names (e.g., xj29s.php)
  - Recently modified directories that shouldn’t change often
  - JavaScript injected into HTML or PHP files
Example of a red flag
If your /uploads/ folder contains .php files, that’s a strong sign of malware — this folder should only contain images and media.
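The checks above can be run against an extracted backup before anything is restored. The following is an added example, not code from the original article: it compares the backup with a fresh copy of the same CMS version using SHA-256 hashes (a stricter stand-in for comparing sizes and timestamps) and flags PHP files under the uploads folder. The wp-content/uploads/ path, the extension list, and the sample files are assumptions made for the illustration.

```python
import hashlib
import pathlib
import tempfile

PHP_EXT = (".php", ".phtml", ".phar")  # assumed list of PHP-executable suffixes

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in root.rglob("*") if p.is_file()}

def scan_backup(backup_root, reference_root, uploads="wp-content/uploads/"):
    """Return sorted (finding, relative path) pairs that need manual review."""
    ref, findings = tree(reference_root), []
    for rel, digest in tree(backup_root).items():
        if rel.startswith(uploads):
            if rel.lower().endswith(PHP_EXT):   # uploads should hold media only
                findings.append(("php-in-uploads", rel))
        elif rel not in ref:                    # e.g. a file with a random name
            findings.append(("not-in-reference", rel))
        elif ref[rel] != digest:                # file changed since the fresh copy
            findings.append(("differs-from-reference", rel))
    return sorted(findings)

def build_sample():
    """Constructed sample: a tiny fresh copy and a backup with three red flags."""
    base = pathlib.Path(tempfile.mkdtemp())
    files = {
        "reference/index.php": "<?php // core\n",
        "reference/wp-includes/load.php": "<?php // loader\n",
        "backup/index.php": "<?php // core\n",
        "backup/wp-includes/load.php": "<?php // loader\n// constructed extra line\n",
        "backup/xj29s.php": "<?php // constructed placeholder\n",
        "backup/wp-content/uploads/2024/03/logo.png": "not a real image",
        "backup/wp-content/uploads/2024/03/cache.php": "<?php // placeholder\n",
    }
    for rel, text in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return base / "backup", base / "reference"
```

Files the reference copy cannot contain, such as wp-config.php or custom theme files, will appear as not-in-reference and still need a manual look.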
3. Check That Plugins, Themes, and CMS Versions Match
Restoring a backup that uses outdated software can break your site or re-open old vulnerabilities.
What to check
- CMS version (e.g., WordPress 6.4.2)
- Theme version
- Plugin versions
- PHP version compatibility
Example
If your backup is from a year ago and uses:
- An outdated theme
- Plugins with known vulnerabilities
- A deprecated PHP version
…restoring it may cause:
- Broken layouts
- Missing functionality
- Immediate reinfection
Best practice: Restore the backup, then immediately update everything to the latest secure versions.
What Happens If You Restore an Infected Backup?
Restoring an infected backup creates a frustrating loop:
- You restore the site
- Malware is still present
- The site gets reinfected
- You restore again
- The cycle repeats
This is one of the most common mistakes business owners make after a hack.
Signs your backup might be infected
- The same malware reappears within minutes or hours.
- Your hosting provider flags your site again.
- Suspicious admin accounts reappear.
- Redirects or pop-ups return.
A backup is only useful if it’s verified clean.
What If You Don’t Have Backups?
Don’t panic — but prepare for a more hands-on recovery process. Many small businesses discover they have no backups only after a hack.
Here’s what happens next.
1. Clean the Site Manually
Manual cleanup involves:
- Removing malicious files
- Cleaning the database
- Replacing compromised core files
- Removing hidden backdoors
- Fixing broken or defaced content
- Resetting passwords and user accounts
Examples of manual cleanup tasks
- Searching for suspicious code in functions.php.
- Removing unauthorized admin accounts.
- Replacing all core CMS files with fresh copies.
- Cleaning injected JavaScript from header/footer files.
This process requires technical expertise — and patience.
2. Rebuild Compromised Components
Sometimes the damage is too deep to repair safely.
You may need to rebuild:
- Your theme
- Custom templates
- Outdated plugins
- Entire pages or sections of your site
Example
If your theme files are heavily modified or injected with malware, it’s often faster and safer to rebuild the theme from scratch rather than trying to clean every file.
3. Set Up Automated Backups Moving Forward
Once your site is clean, backups become non-negotiable.
A strong backup system includes:
- Daily or real-time backups
- Off-site storage (not on the same server)
- Multiple restore points
- Automated malware scanning
- One-click restore options
Example of a good backup strategy
- Daily backups stored on your hosting provider.
- Weekly backups stored on a separate cloud service.
- Monthly backups archived offline.
Backups are your website’s insurance policy — inexpensive, reliable, and essential.
Next Up: Updating Everything (The Step Most People Skip)
Restoring your site is only half the job. Next, we’ll cover why updating your CMS, plugins, themes, and server software is essential to preventing another attack — and how outdated software is one of the top causes of reinfection.
No backups? Don’t panic.
Green Monkeys Studio can help by rebuilding your site safely, removing malware and hidden backdoors, setting up automated backups, and strengthening your long‑term security.
Your website can be restored — and we’ll help you make sure this never happens again.
Get Help Now
Call us at (206) 551-6177 or schedule a free consultation here at https://greenmonkeysstudio.com/book-a-consultation
