My Magento Store Was Hacked — Here's the Exact Recovery Plan
Discovering your store is hacked is stressful — but the order in which you respond matters more than speed. Follow these steps and you'll remove the malware and stop it coming back.
Step 1: Confirm it
Run a scan at MageArgus to confirm and locate the problem — skimmers, webshells, rogue admins or an unpatched CVE. Don't act on a hunch; know what you're dealing with.
Step 2: Contain
Put the store in maintenance mode, rotate all admin credentials, and take a snapshot for forensics before you change anything you might need as evidence.
Step 3: Find the entry point
This is the step everyone skips — and it's why hacks recur. Identify exactly how the attacker got in (CVE, extension, stolen credentials, leftover backdoor) before cleaning.
Step 4: Clean
Remove injected code, webshells, malicious scheduled tasks and unauthorized admin users. Compare core files against known-good versions to catch tampering.
Step 5: Patch & rotate keys
Apply the relevant security patches and rotate your encryption key — especially if CosmicSting was involved, since a stolen key stays valid otherwise.
Step 6: Harden
Close the gaps that let it happen: enable 2FA, deploy a CSP, tighten file permissions, and remove risky extensions. See our Magento 2 security checklist.
Step 7: Monitor
Turn on continuous monitoring so any re-infection is caught immediately.
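The core-file comparison from Step 4, as an added example (not code from this page or from any tool it mentions): it hashes a known-good tree and the suspect tree and reports modified, added and missing files. It assumes the known-good directory is a fresh copy of the same Magento version and extensions; the script name, the function names and the default skip list (`var`, `generated`, `pub/static`) are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# Assumption: directories Magento 2 regenerates at runtime or deploy time.
# pub/media is deliberately NOT skipped: review its "added" entries by hand.
DEFAULT_SKIP = ("var", "generated", "pub/static")

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root, skip=DEFAULT_SKIP):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if any(rel == s or rel.startswith(s + "/") for s in skip):
            continue
        if p.is_symlink() or not p.is_file():
            continue  # symlinks and directories are not hashed
        out[rel] = sha256_of(p)
    return out

def compare(baseline_root, live_root, skip=DEFAULT_SKIP):
    """Return files that differ from, were added to, or are missing versus the baseline."""
    base, live = manifest(baseline_root, skip), manifest(live_root, skip)
    return {
        "modified": sorted(f for f in base.keys() & live.keys() if base[f] != live[f]),
        "added": sorted(live.keys() - base.keys()),
        "missing": sorted(base.keys() - live.keys()),
    }

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_tree.py <known-good-dir> <suspect-dir>")
    report = compare(sys.argv[1], sys.argv[2])
    for kind, files in report.items():
        for name in files:
            print(f"{kind.upper():9}{name}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it against the forensic snapshot from Step 2 rather than the live docroot; the script only reads files, and an "added" PHP file in a core directory is a candidate webshell to inspect before deleting.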
When to call professionals
If you're not 100% sure you found the root cause, get expert help — a missed backdoor means you'll be cleaning again next week. W3ctrl's Magento malware removal team does this every day.