Security & maintenance

Incident response basics: first steps if your site is compromised

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: If you suspect a compromise, assume credentials are exposed until proven otherwise—contain the site, preserve evidence, restore from a known-good backup, then rotate secrets and review access.

A calm sequence beats heroic “quick fixes” that hide backdoors. For NZ SMEs, the goal is to get a trustworthy site back online without losing forensic detail your host or insurer may need.

First hour: contain and document

  • Snapshot what you see: odd admin users, new files, unexpected redirects, or spam pages—screenshots and timestamps help.
  • Do not delete blindly: wholesale deletes can destroy clues; prefer quarantine or restore.
  • Alert your host: many compromises involve server-level issues only they can see.
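To make the "document, then quarantine rather than delete" steps concrete, here is an added example (not part of this guide) of two small shell functions: one writes a timestamped, hashed manifest of recently changed files without touching them; the other moves a suspect file out of the web root into a quarantine folder and logs where it came from. It assumes a Linux host with GNU coreutils and shell access; the paths /var/www/html and /root/ir-evidence are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes a Linux web host with
# GNU coreutils (find, stat, sha256sum) and shell access. Paths such as
# /var/www/html and /root/ir-evidence are placeholders.

# Write a manifest of every file under $1 modified in the last $2 days:
# UTC mtime, SHA-256, path. Nothing is altered; the manifest is the record
# you hand to the host or insurer and diff against after cleanup.
# Prints the number of files recorded.
snapshot_recent() {
  webroot="$1"; days="$2"; manifest="$3"
  mkdir -p "$(dirname "$manifest")"
  : > "$manifest"
  find "$webroot" -type f -mtime "-$days" | while IFS= read -r f; do
    mtime=$(TZ=UTC stat -c '%y' "$f" | cut -c1-19)
    hash=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s\t%s\t%s\n' "$mtime" "$hash" "$f" >> "$manifest"
  done
  wc -l < "$manifest" | tr -d ' '
}

# Move one suspect file out of the web root into $3, keeping its relative
# path, and log time, hash, origin and destination so it can be examined or
# put back. Refuses anything outside the web root. Prints the new location.
quarantine_file() {
  webroot="$1"; file="$2"; quarantine="$3"
  case "$file" in
    "$webroot"/*) ;;
    *) echo "refusing: $file is outside $webroot" >&2; return 1 ;;
  esac
  rel=${file#"$webroot"/}
  dest="$quarantine/$rel"
  mkdir -p "$(dirname "$dest")"
  hash=$(sha256sum "$file" | cut -d' ' -f1)
  mv "$file" "$dest"
  printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$hash" \
    "$file" "$dest" >> "$quarantine/quarantine.log"
  echo "$dest"
}

# Typical first-hour use on the server (placeholder paths):
#   snapshot_recent /var/www/html 7 /root/ir-evidence/recent-files.tsv
#   quarantine_file /var/www/html /var/www/html/path/to/suspect.php /root/ir-evidence/quarantine
```

Keep the manifest and quarantine folder outside the web root and include them in what you send to your host, since they preserve the timestamps and hashes a later investigation relies on.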

Recovery paths: scan vs restore

Malware scans can clean some infections, but skilled attackers leave persistent shells. If you have a recent off-site backup from before the incident, a clean restore plus patch often beats weeks of whack-a-mole.

After recovery: rotate and tighten

Change all passwords, regenerate API keys, review two-factor coverage, and remove unused admin accounts. Re-check file permissions and disable abandoned plugins or themes that expand attack surface.

Frequently asked questions

Should I pay a ransom or an “SEO recovery” cold caller?

Never grant server access to unverified callers. Use your host, a trusted partner, or law enforcement guidance for serious incidents.

Do I need to tell customers?

It depends on the data affected and your legal obligations. When personal information may be involved, get professional privacy/legal advice promptly.