There are several things you have to consider if your website is hacked, and those things might vary based on the definition of "hacked". If your site is merely defaced, you will need to do at least the following:

-- Put your Incident Management plan into action (oh, don't have one? sigh)
---- Determine the vector of the attack and remediate it
---- Restore the site to a known good configuration
---- Manage the ensuing public relations situation (manage it well!)
---- Evaluate your security and make adjustments
---- Conduct a solid postmortem that is used to inform your senior management team (including the board, if applicable) and customers
---- Stop paying security lip service

Now, if by "website is hacked" we mean some level of e-commerce breach, then there's even more work to do than listed above:

---- Perform notifications as per all applicable breach laws (be proactive here)
---- Engage a thorough forensics effort to ensure that your organization well understands the extent of the damage, and can accurately communicate it and remediate it.
---- Really stop paying security lip service (trust me, you are)

There will necessarily be some concurrent activity out of the above lists, and the priority of certain actions will be impacted by the type of organization, the industry, the extent of the hack, and the manner in which it was discovered. No matter how it happened, good communication is critical to restoring trust and confidence of customers, partners, etc. Not just one-time communication, but ongoing communication.

And, start taking security seriously, as opposed to the way *most* organizations treat it, as something annoying that takes up time and money and can't be gotten around easily enough.

-ASB: http://XeeMe.com/AndrewBaker