The first hour after a site goes down is when people make the mistakes that create more work later. Overwriting files before they have been examined. Restoring a backup that is compromised as well. Changing passwords on accounts that are not the actual entry point. Acting fast in the wrong direction.

Here is a sequence that holds up across most incidents.

Step 1: Document Before You Touch Anything

Screenshot error messages. Note the time the alert came in. Check your monitoring dashboard and hosting control panel for any unusual activity. This information is useful for diagnosing what happened and for your hosting provider if you need their support.

The instinct to act immediately is understandable. Resist it until you know what you are dealing with.

Step 2: Check Your Hosting Dashboard

Log into your hosting account directly, not through your site’s admin panel. Look for unusual server resource usage, error logs, and unfamiliar files in your file manager. Your hosting dashboard often shows symptoms that the site itself will not show you. If your host has a malware scanning tool, run it now.

Step 3: Take the Site Offline or Put It in Maintenance Mode

If visitors are being redirected to malicious destinations or seeing error content, take the site offline while you work on it. A page that says the site is temporarily unavailable is better than one that is actively serving malware to your visitors.

Step 4: Identify Your Last Clean Backup

Before restoring anything, identify when the compromise likely happened. Security monitoring timestamps, error logs, or server logs will show the earliest signs of unusual activity. Restoring a backup from after the compromise restores the compromised state. You want the most recent backup from before the incident.
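One way to carry out Step 4, shown as an added example that is not part of the original article: find the earliest suspicious entry in a server log, then pick the newest backup taken before it. The log lines, the backup list, the "PHP requested from an uploads directory" indicator, and the 24-hour safety margin are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined-log style), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2025:09:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [04/Mar/2025:22:41:33 +0000] "POST /wp-content/uploads/2025/03/cache.php HTTP/1.1" 200 312
198.51.100.7 - - [05/Mar/2025:03:02:10 +0000] "POST /wp-content/uploads/2025/03/cache.php HTTP/1.1" 200 298
203.0.113.9 - - [06/Mar/2025:11:20:45 +0000] "GET /contact/ HTTP/1.1" 200 2048
"""

# Constructed backup catalogue: one nightly backup at 02:00 UTC.
SAMPLE_BACKUPS = [f"2025-03-0{d}T02:00:00+00:00" for d in range(1, 7)]

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Assumed indicator: a PHP script requested from an uploads directory, where
# only media files should live. Replace with the signs seen in your incident.
SUSPICIOUS_PATH = re.compile(r"/uploads/.*\.php(\?|$)", re.IGNORECASE)


def earliest_suspicious(log_text):
    """Return the timestamp of the first log line matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and SUSPICIOUS_PATH.search(m["path"]):
            hits.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return min(hits) if hits else None


def last_clean_backup(backups, first_sign, margin=timedelta(hours=24)):
    """Newest backup taken before (first_sign - margin), or None.

    The margin is an assumption: the first visible sign can lag the
    actual compromise, so backups taken just before it are not trusted.
    """
    cutoff = first_sign - margin
    older = [b for b in map(datetime.fromisoformat, backups) if b < cutoff]
    return max(older) if older else None


if __name__ == "__main__":
    first = earliest_suspicious(SAMPLE_LOG)
    print("earliest sign:", first)
    print("restore from: ", last_clean_backup(SAMPLE_BACKUPS, first))
```

A result of None from last_clean_backup means every available backup falls inside the suspect window, so none of them should be restored without being examined first.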

Step 5: Restore, Then Harden

Restore from the clean backup. Then, before bringing the site back online, address the entry point. If it was an outdated plugin, update or remove it. If it was a compromised admin account, remove it and audit the others. If it was a default login path, change it. Restoring without hardening puts you back in the same position.

Step 6: Rotate All Credentials

Change passwords on all admin accounts. If the site is connected to external services, rotate API keys as well. A compromised site may have been used to capture credentials, so treat all access credentials as potentially exposed.

Step 7: Notify Customers If Necessary

If the site collected user data and that data may have been exposed, customers need to know. What you are legally required to disclose and when varies by location and the type of data involved. That is a question for a lawyer, not a web consultant.

What Speeds This Up

A current, tested backup. Documented credentials for your hosting account, domain registrar, and CMS admin. Your developer’s contact information, stored somewhere other than the compromised site’s dashboard.

None of these requires advanced investment. They require advanced organization.
