Application Restoration · Drupal

Drupal restoration and hacked-site recovery

Your Drupal site is defaced, redirecting visitors, white-screening after an update, or just gone. We find what got in, clean it out, and hand back a site that's harder to hit next time.

From: $390 · Turnaround: 24-72 hours
24-72 hours From first access to back online
Drupal 7, 9, and 10 Including end-of-life Drupal 7
Flat $390 diagnosis Rolls into the restore if you proceed
Written incident report What got in and what we changed

Search “Drupal restoration” and you mostly get checklists written in 2016 and a couple of scanner subscriptions. Helpful if you have the time and the stomach to do it yourself at 1am. This is the other option: you give us access, we do the recovery, and you get the site back with a written account of what was wrong. We work on Drupal 7, 9, and 10. Drupal 7 is the one we see compromised most, because it went end-of-life in January 2025 and a lot of sites never moved off it.

What we recover from

Three ways a Drupal site goes down, three recovery paths

Compromise

A redirect script sending your traffic to a pharma page, a defaced front page, injected PHP hiding in a block or the PHP filter module, an admin account in the {users} table you didn't create. We isolate the site, find the entry point, and pull the persistence, not just the visible symptom.

Broken update

A composer update that half-finished, a module update that white-screened the site, or update.php that errored partway and left the database mid-migration. We get you back to a consistent state, on a staging copy first when the live site still half-works.

Data or host loss

A corrupted database, a host that wiped the account, files gone and a backup nobody ever tested. We rebuild from whatever exists, recover the database where we can, and tell you honestly what's recoverable before you pin hopes on it.

Most of what we clean traces back to two things: an unpatched core or module, and no working backup. So every restoration ends with one configured and a patch plan, whether or not you keep us on afterward.

What the recovery covers

A real clean, not a delete-and-reinstall

Everything below is in scope on a standard Drupal restoration. We diagnose first and quote the rebuild before any step we can't undo.

Emergency access via SSH, host panel, or rescue mode when the normal admin login is gone
A forensic snapshot of files and database taken before we change anything
Malware and backdoor scan across core, contrib modules, themes, the files directory, and settings.php
The {users} table checked for rogue admin accounts and unexpected role grants
Enabled modules and custom blocks reviewed for injected PHP, and the PHP filter module disabled
Core and contrib diffed against the packaged releases on drupal.org to spot tampered files
Site cleaned or rebuilt from a known-good copy, with your content and uploads preserved
Database repaired or restored, and update.php run properly to finish any half-done migration
settings.php hash salt regenerated and database credentials rotated
trusted_host_patterns, file permissions, and caches set back to sane values
Site confirmed clean and loading from outside your own network
What you receive

A working site and the paper trail to prove it

You get the site back, plus the paper trail, so you or your next developer aren't guessing about what happened.

01

A working Drupal site

Front end and admin back up, content intact, confirmed from outside your network.

02

A written incident account

What got in, how, what we removed, and what we changed, in plain language.

03

A clean core and module inventory

Versions, what was tampered with, and what still needs patching.

04

A working backup

Off-site backups configured and one restore tested, because an untested backup is a guess.

05

A hardening checklist

The specific changes that keep this particular site from getting hit the same way.

How it runs

Triage, contain, clean, harden

Recovery starts within hours of getting access. A broken update is often same-day; a full compromise clean-up runs one to three days depending on how deep it went.

1

Access and triage

You give us host and SSH access. We snapshot everything before touching it, then read the logs and the file tree to find the cause.

Hour 1 — cause identified
2

Contain and diagnose

We isolate the site so it stops redirecting or leaking, confirm every entry point, and scope the clean-up.

Same day
3

Clean and restore

Backdoors removed, tampered files replaced from drupal.org sources, database repaired, content preserved.

Day 1-3
4

Harden and hand over

Credentials rotated, patches applied, backup configured, incident write-up delivered.

On completion
Pricing

Quoted before we start, no surprise invoice

Diagnosis is a flat $390. It includes triage, the root cause, and a written quote for the full restore. Green-light the restore and the $390 rolls into it. A clean broken-update fix is often close to the diagnosis fee; a deep compromise on a large multisite costs more, and you see the number before we start.

Drupal site redirecting visitors right now?

If it’s defacing pages, redirecting traffic, or pushing spam as you read this, containment comes first, not paperwork. Reach out and we’ll isolate the site, then diagnose. The longer an injected redirect runs, the more search engines and blocklists notice.

Most popular

Diagnosis & containment

$390 one-time
  • Emergency access and forensic snapshot
  • Malware and backdoor scan
  • Root-cause finding
  • Isolation if the site is actively compromised
  • Written quote for the full restore
Start diagnosis

Full restore & hardening

from $690 one-time
  • Everything in diagnosis
  • Full clean or rebuild with content preserved
  • Database repair or restore
  • Credential rotation and update.php run properly
  • Backup configured and tested
  • Hardening checklist and incident report
Get a quote
Tech we work with

Drupal stack we recover and rebuild

Drupal 7 Drupal 9 Drupal 10 Composer Drush MySQL MariaDB PHP-FPM nginx Apache settings.php Backup and Migrate fail2ban ClamAV
Where this fits

How Drupal recovery connects to the rest

This is the Drupal-specific version of our restoration work. If the same box runs other sites or the compromise reached the server itself, the root-access path is our Linux server recovery. Once the site is clean, the next conversation is usually keeping it that way through our Drupal support, or for an end-of-life Drupal 7 site, moving off it entirely. If you’d rather buy the whole thing as one fixed package, our Drupal rescue bundle wraps the restore, the hardening, and a migration plan together.

Restoration for Drupal support & development services

Need restoration for drupal support & development services sorted?

We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.

We read every message. We don't pass your details to anyone else, ever.