Stay Calm — And Act Fast

Discovering a website breach triggers a natural panic response. The most important thing is to act methodically. Rushed, uncoordinated responses often cause additional damage — deleting logs that contain forensic evidence, alerting attackers that they've been detected, or pushing incomplete fixes that leave backdoors open. Follow this structured plan.

Phase 1: Identification and Scoping

Before you can respond, you need to understand what happened and how far the compromise extends.

  • Verify the breach. Confirm this is a real incident — not a false alarm, a misunderstanding, or a benign anomaly. Check server logs, security plugin alerts, and browser warnings (Google Safe Browsing flags, etc.).
  • Determine the scope. Is only one page affected, or has the entire server been compromised? Were databases accessed? Are other hosted domains on the same server involved?
  • Preserve evidence. Before making any changes, take snapshots of log files, affected files, and database states. Destroying evidence hinders your forensic investigation.

Phase 2: Containment

Stop the bleeding before beginning cleanup. Active containment prevents the attacker from doing further damage while you work.

  1. Take the site offline or into maintenance mode. This prevents further malicious activity and protects your users from being exposed to malware or phishing pages.
  2. Change all credentials immediately. Reset passwords for your CMS admin, hosting control panel, FTP/SSH, database, and any associated email accounts. Assume all are compromised.
  3. Revoke active sessions and API tokens. Force logout all active sessions across your CMS and connected services.
  4. Block known attacker IPs. If logs reveal specific IP addresses involved in the attack, block them at the firewall level — though be aware attackers often use rotating proxies.

Phase 3: Eradication

Find and remove everything the attacker left behind.

  • Scan for malware and web shells. Use tools like Maldet, ClamAV, or your hosting provider's malware scanner. Pay special attention to upload directories, theme files, and plugin folders.
  • Audit file integrity. Compare current files against known-clean backups or original installation files to identify unauthorized modifications.
  • Check the database. Look for injected spam links, rogue admin accounts, malicious redirects stored in the database, or altered content.
  • Search for backdoors. Attackers commonly leave multiple backdoors. Search for recently modified PHP files and common backdoor patterns (eval, base64_decode, system commands).
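A triage script that covers both the file-integrity audit and the backdoor search above, added here as an example and not part of the original guide; it assumes GNU find/grep/coreutils, a WordPress-style tree layout (built as a constructed fixture), and the pattern list shown, all of which should be tuned for the real site:

```shell
#!/bin/sh
# Added example, not from the original guide: find recently modified PHP files, grep for
# common backdoor calls, and diff a web root against a known-clean hash baseline.

# Function names often abused by PHP web shells (constructed list; tune it for your site).
SUSPICIOUS_PATTERN='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|system\(|shell_exec\(|passthru\(|assert\('
# Print PHP files under $1 modified within the last $2 days (default 7).
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" | sort
}

# Print file:line:text for each PHP line under $1 that calls a suspicious function.
scan_for_backdoor_patterns() {
    grep -rEn --include='*.php' "$SUSPICIOUS_PATTERN" "$1" 2>/dev/null | sort
}

# Emit a sorted "sha256  ./relative/path" manifest of the tree at $1. Generate it
# from a known-clean backup and store it off the web server.
make_baseline() {
    (cd "$1" && find . -type f | xargs sha256sum) | LC_ALL=C sort
}

# Print paths under live tree $1 whose hash is absent from baseline file $2,
# i.e. files added or altered since the clean snapshot.
diff_against_baseline() {
    db_live=$(mktemp)
    make_baseline "$1" > "$db_live"
    comm -13 "$2" "$db_live" | awk '{print $2}' | sort
    rm -f "$db_live"
}
# Constructed fixture: a clean tree plus a live copy with two tampered files.
# Legitimate files are back-dated so that only the tampering counts as recent.
build_fixture() {
    fx_root=$(mktemp -d)
    for tree in clean live; do
        mkdir -p "$fx_root/$tree/wp-content/themes/t"
        printf '<?php echo "hello";\n' > "$fx_root/$tree/index.php"
        printf '<?php add_action("init", "theme_init");\n' > "$fx_root/$tree/wp-content/themes/t/functions.php"
        find "$fx_root/$tree" -type f -exec touch -t 202001010000 {} +
    done
    # Tampering: obfuscated code appended to a theme file, new PHP file dropped into uploads.
    printf '$c = base64_decode($d); eval($c);\n' >> "$fx_root/live/wp-content/themes/t/functions.php"
    mkdir -p "$fx_root/live/wp-content/uploads"
    printf '<?php passthru($cmd);\n' > "$fx_root/live/wp-content/uploads/cache.php"
    echo "$fx_root"
}
root=$(build_fixture); make_baseline "$root/clean" > "$root/baseline.sha256"
echo "Recently modified PHP:";  recently_modified_php "$root/live"
echo "Suspicious calls:";       scan_for_backdoor_patterns "$root/live"
echo "Changed vs. baseline:";   diff_against_baseline "$root/live" "$root/baseline.sha256"
```

On a real server, point the functions at the live document root and at a baseline generated from the pre-compromise backup; anything reported by all three checks is the first thing to inspect.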

Phase 4: Recovery

Restore from a clean state and implement improvements before going back online.

  1. Restore from a verified clean backup. Ensure the backup pre-dates the compromise. Test the restored site in a staging environment first.
  2. Patch the exploited vulnerability. Whether the attacker gained access through an outdated plugin, a misconfigured file permission, or a weak credential, fix that entry point before relaunching.
  3. Implement a web application firewall (WAF). If you weren't running one, now is the time. Configure it to block the attack type used against you.
  4. Request removal from blocklists. If Google, McAfee, or other services have flagged your site, submit reconsideration or removal requests once the cleanup is confirmed.

Phase 5: Post-Incident Review

A breach is a learning opportunity. Don't skip this phase.

  • Document the incident timeline. Record when the breach occurred, how it was discovered, what was compromised, and every action taken in response.
  • Identify the root cause. Was it an unpatched vulnerability? Phished credentials? An insecure third-party integration? Understanding the entry point is essential for prevention.
  • Notify affected parties. Depending on what data was exposed and your jurisdiction, you may have legal obligations to notify users and regulators.
  • Strengthen monitoring. Implement file integrity monitoring, login alerts, and regular automated security scans so the next incident is caught faster.

A well-executed incident response limits damage, protects your users, and turns a security failure into a stronger, more resilient posture going forward.