Magento hacked store: first response checklist
What to do in the first hour if a Magento store appears hacked, including evidence preservation, containment and safe recovery.
Preserve the current state first
If you suspect a compromise, do not immediately delete files or restore a backup without thinking. Take a snapshot of code, database and logs so you can understand what happened and avoid restoring the same problem.
Contain the risk
Disable suspicious admin users, restrict admin access, block obvious malicious traffic, take affected payment components offline if needed and check whether checkout has been modified.
Then remediate properly
Once the store is stable, find the entry point. Missing patches, exposed config, weak credentials, abandoned modules and writeable web roots are common causes.