
The first hour after discovering a website compromise is rarely calm. People panic, start deleting random files, change ten settings at once and accidentally make evidence gathering and recovery harder. A better approach is to slow down just enough to contain the problem without destroying the trail.

This guide covers what to do in the first hour after a website hack.

1. Confirm the issue and define the scope

Is the site defaced, redirecting, sending spam, serving malware, leaking data or all of the above? Work out what you actually know before guessing wildly.

2. Contain the incident

If needed, put the site into maintenance mode, disable dangerous services or restrict access while you investigate. The aim is to stop further harm, not to perform a dramatic rebuild in the first ten minutes.

3. Preserve logs and evidence

Keep access logs, application logs, database snapshots and suspicious files. You may need them to understand entry points, assess impact or explain what happened later.

4. Rotate credentials carefully

Administrative passwords, API keys, database credentials and hosting access may all need to change. Do it methodically so you do not lock out the recovery team or miss critical systems.

5. Restore only after you understand enough

Jumping straight to a backup restore can be the right move, but restoring to the same vulnerable state just invites a repeat compromise. Pair recovery with remediation.
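
One way to carry out step 3 from a shell on the web server, as an added example that is not part of the original post: it copies logs and suspicious files into a read-only case directory and records SHA-256 hashes, so the copies can later be shown to be unaltered and the live files can be checked for further changes. It assumes GNU tar and sha256sum; the function names and the paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU tar and sha256sum.
# Hypothetical usage (paths are placeholders; pass absolute paths):
#   preserve_evidence /mnt/evidence /var/log/nginx /var/www/html/uploads

# preserve_evidence DEST SRC...
# Copies (never moves) logs and suspicious files into a new case directory,
# hashes them, and prints the case directory path.
preserve_evidence() (
    dest=$1; shift
    case_dir="$dest/case-$(date -u +%Y%m%dT%H%M%SZ)-$$"
    # Plain mkdir on the last component: refuse to reuse an existing case.
    mkdir -p "$dest" && mkdir -m 700 "$case_dir" || exit 1
    for src in "$@"; do
        shift
        if [ -e "$src" ]; then
            set -- "$@" "$src"          # keep sources that exist
        else
            # A missing log is a finding too (deleted or rotated away).
            echo "MISSING $src" >> "$case_dir/collection.log"
        fi
    done
    [ "$#" -gt 0 ] || exit 1
    # Hash the originals in place so later changes can be detected.
    find "$@" -type f -exec sha256sum {} + > "$case_dir/files.sha256"
    # tar records mode, owner and mtime of each file alongside its content.
    tar -czf "$case_dir/evidence.tar.gz" "$@" 2>> "$case_dir/collection.log"
    (cd "$case_dir" && sha256sum evidence.tar.gz > evidence.tar.gz.sha256)
    chmod -R a-w "$case_dir"            # read-only: nobody tidies it up
    echo "$case_dir"
)

# verify_evidence CASE_DIR: succeeds only if the archive matches its hash.
verify_evidence() (
    cd "$1" && sha256sum -c evidence.tar.gz.sha256 >/dev/null 2>&1
)

# changed_since_capture CASE_DIR: lists originals that were modified or
# removed after capture, a sign the intruder may still have access.
changed_since_capture() {
    LC_ALL=C sha256sum -c "$1/files.sha256" 2>/dev/null | grep -v ': OK$'
}
```

Copy the case directory off the affected server as soon as it is written, and run `verify_evidence` on the copy before relying on it.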

Final thoughts

A website hack feels chaotic, but the response should not be. Contain, preserve, understand and then recover. The organisations that cope best are usually the ones with a plan written before the incident happened.

By Tech Tutorial
