Back to blog

    June 22, 2026

    The real cost of a hacked small business website (beyond the cleanup bill)

    When a small business gets hacked, the owner usually sees one number: the invoice from whoever cleans it up. Maybe $800. Maybe $2,000. They write the check, breathe out, and move on. The problem is that invoice is rarely more than 20% of what the incident actually costs. The other 80% shows up over the following months — in lost rankings, dead email deliverability, refunded customers, and hours the owner will never get back.

    Here's what the full bill actually looks like.

    The direct costs everyone sees

    Let's start with the visible damage, because at least these numbers are easy to point at.

    Cleanup and incident response. For a typical WordPress compromise, professional remediation runs $500 to $2,000. That covers identifying the entry point, removing malicious files, cleaning the database, restoring legitimate content, and hardening the site so it doesn't get reinfected the next day. If the attacker installed a self-healing backdoor — code designed to regenerate itself after surface-level cleanup — expect the higher end of that range. I dealt with one of these recently for a contractor in Southern California: a previous "fix" had missed the persistence mechanism entirely, and the site kept getting reinfected and pumping out spam posts (115+ of them by the time I got involved). Cleaning it properly took longer because half the work was undoing the previous shortcut.

    Hosting emergency fees and upgrades. If your shared host suspends the account because the malware is sending spam or eating CPU, you'll often pay a "review fee" to get reinstated. Some hosts charge $150–$300 for this. Worse, they may force you onto a higher-tier plan or insist you buy their malware scanner add-on as a condition of returning. Add $20–$50/month, every month, forever.

    Downtime revenue loss. If your site sells anything — or if it's how new customers find and contact you — every hour offline is money on the floor. For a service business doing $300k/year that gets 60% of leads through the website, a 48-hour outage during peak hours can easily cost $1,500–$3,000 in lost pipeline. For an e-commerce site, the math is more direct and usually worse.

    So far we're maybe at $2,000–$5,000 all-in. That's the part most owners think about. Now let's talk about what they don't.

    SEO recovery: the silent six-month tax

    This is the cost that genuinely blindsides people.

    When your site gets hacked, two things usually happen on the search side:

    1. Google detects the malware (or the spam content the attacker injected) and flags your site with a "This site may be hacked" or "Deceptive site ahead" warning in search results. Sometimes they de-index you entirely.
    2. The attacker's spam pages — fake pharmacy posts, sketchy backlinks, Japanese SEO spam — pollute your domain's reputation and replace your real content in Google's index.

    Getting the warning removed is the easy part. You clean the site, submit a reconsideration request through Google Search Console, and within a few days the warning usually drops. That part takes hours, not months.

    The hard part is rebuilding rankings. Google doesn't just flip a switch back to "trusted" the moment the warning clears. Your domain's reputation took a hit, your content got swapped out, and your backlink profile may now be tangled with spam. Realistic recovery to pre-hack ranking positions is three to six months of clean operation, fresh content, and patience. For competitive local search terms, sometimes longer.

    If your business was getting 40 leads a month from organic search at position 3, and you drop to position 12 for six months, that's roughly [TODO: Sebastian — plug in a realistic CTR drop math example, e.g. "240 leads over six months you won't get"]. That number alone usually dwarfs the cleanup invoice.

    Email blacklisting: when your domain becomes spam

    Here's the one nobody warns you about. When attackers compromise a site, one of the most common things they do is use your domain to send spam — either by hijacking your mail server, abusing your hosting account's mail capabilities, or spoofing your domain from elsewhere.

    The result: your domain ends up on blacklists like Spamhaus, Barracuda, SORBS, and SpamCop. Once that happens, legitimate emails from your domain start getting:

    • Silently dropped by Gmail and Outlook
    • Sent straight to spam folders
    • Bounced with hard-fail messages
    • Refused entirely by corporate mail servers

    Your invoices stop arriving. Your quotes get ignored. Your customer service replies vanish. And — this is the worst part — you have no idea it's happening. You hit send, the email appears in your sent folder, and on the recipient's end nothing arrives. You look unresponsive or unprofessional, and you may not figure it out for weeks.

    Getting off blacklists takes time. Each list has its own removal process. Some are automatic after a clean period (often 7–14 days with no spam activity). Others require manual requests. And even after delisting, mailbox providers like Gmail keep a longer-memory reputation score — your deliverability stays degraded for a month or more after the formal blacklist clears.

    The fix going forward involves properly configured SPF, DKIM, and DMARC records so attackers can't spoof your domain in the first place. A basic SPF record looks like this:

    v=spf1 include:_spf.google.com -all
    

    That -all at the end tells receiving servers to reject any mail claiming to be from your domain that doesn't come from the listed sources. Without it, your domain is wide open to be impersonated, and you have no way to prove the spam wasn't you.

    Legal exposure if customer data was involved

    Most small business sites don't store much sensitive data, but "most" isn't "all." If your site has a customer login, takes payment information directly (not through a redirect to Stripe/PayPal), stores form submissions with personal details, or runs e-commerce with stored addresses and phone numbers, you may have notification obligations under state law if that data was exposed.

    Every US state now has a data breach notification law. California's CCPA and the various state equivalents generally require you to notify affected customers — and sometimes the state attorney general — within a specific window, often 30 to 60 days, when personal information is exposed. If you operate in or sell to customers in states with stricter laws, or if you handle payment card data and fall under PCI-DSS, the requirements get more specific and the penalties for non-compliance get real.

    I am not a lawyer and this isn't legal advice. But the practical reality is: if a hacked site touched customer PII, the response is no longer just "clean it and move on." You probably need to talk to a lawyer, you may have notification costs (mailings, credit monitoring offers, public disclosures), and your exposure to a customer lawsuit goes up. [TODO: Sebastian — optionally add a sentence about what kinds of small-biz sites typically don't trigger this, to keep readers from panicking.]

    That legal review alone can run several thousand dollars. Notification mailings and credit monitoring offerings add more. This is the cost category where "cheap incident" turns into "five-figure incident" fast.

    The incident tax: hours that never appear on any invoice

    Here's a cost owners systematically underestimate: their own time, and their team's time.

    When a site gets hacked, the owner usually spends the first 24 hours:

    • Discovering the problem (often through a customer email or a Google warning)
    • Panicking, then calling the hosting company
    • Trying things on YouTube before giving up
    • Finding and vetting someone to actually fix it
    • Communicating with customers who are seeing warnings or spam
    • Briefing the team and answering everyone's questions
    • Reviewing what happened with the person doing the cleanup
    • Checking and re-checking that it's actually fixed
    • Updating passwords, reviewing user accounts, asking the team to do the same
    • Following up over the next few weeks as SEO and email recover

    Realistically, that's 20–40 hours of owner time spread over a month. If the owner's effective hourly value is $100, that's another $2,000–$4,000 of cost that never gets written down anywhere. Add in the time pulled from staff — your office manager helping field customer questions, your marketing person watching analytics tank — and the people cost often matches or exceeds the technical invoice.

    And none of this includes the cost of not doing the work you were supposed to be doing. Sales calls you didn't make. Proposals you didn't write. Customers you didn't follow up with.

    Adding it up

    For a typical small business WordPress compromise, the real total cost looks something like:

    • Cleanup and remediation: $1,000–$2,000
    • Hosting fees and downtime: $500–$3,000
    • SEO recovery (lost leads over 3–6 months): $2,000–$15,000+
    • Email deliverability damage: $500–$2,000 in lost business and recovery work
    • Legal/notification (if PII involved): $0–$10,000+
    • Owner and staff time: $2,000–$5,000

    The cleanup invoice is in there. It's just not the headline number. The total for an average small-business incident lands somewhere between $6,000 and $25,000 when you count everything honestly. For incidents involving customer data or extended SEO damage, much higher.

    Prevention is cheaper than response. Every time.

    The math on this is almost embarrassing. A site hardening engagement — closing the common WordPress entry points, locking down admin access, setting up file integrity monitoring, configuring SPF/DKIM/DMARC properly, putting a WAF in front of the site — costs a fraction of even the visible portion of an incident. A modest monthly security retainer that keeps plugins patched, monitors for compromise, and includes rapid response if something does slip through, costs less per year than a single mid-sized cleanup.

    The contractor I mentioned earlier? The hardening work I did after the cleanup cost less than the cleanup itself, and it's the reason the site has stayed clean since. That's the pattern. The first incident is what makes owners take prevention seriously. The goal of this post is to make you take it seriously before the first incident.

    If your WordPress site hasn't been hardened, your email authentication records aren't set up, and nobody is actively monitoring for compromise, you're not saving money. You're just deferring the bill, with interest.

    If you'd like a straight conversation about what reasonable prevention looks like for a business your size — no scare tactics, just specifics — head over to thewizrdz.io and get in touch. The security retainer is built for exactly this: keeping the incident from happening in the first place, at a cost that makes the math obvious.

    Need help with what this post covers? I do this for a living.

    Book a free 15-min site audit