Discovering your website has been compromised — defaced, redirecting visitors, or flagged by Google as unsafe — is stressful, but the actual recovery process follows a predictable order that limits further damage.
Before cleaning anything, stop the bleeding — take the site offline or put it in maintenance mode so it stops actively harming visitors (serving malware, redirecting to scam pages) while you work on the actual cleanup.
Cleaning the malicious files without finding and closing the actual entry point (an outdated plugin, a stolen admin password, a vulnerable upload form) means you'll likely be compromised again shortly after cleanup — the entry point matters as much as the cleanup itself.
Sophisticated compromises often leave backdoors beyond the initial obvious infection — a full malware scan of every file, not just the ones showing visible symptoms, matters here. This is where dedicated website security scanning tools earn their cost over a manual file-by-file review.
Every password with access to the site — hosting, CMS admin, FTP, database — should be changed, since you don't know which credentials were actually compromised versus simply unused by the attacker.
If Google or a browser has flagged your site as unsafe, you'll need to request a review after cleanup is verified complete — this doesn't happen automatically once you've fixed the problem.
A web application firewall and regular automated malware scanning catch most of what leads to a full compromise before it happens — cheaper and far less stressful than the cleanup process above.