The defaced homepage. The customer who messages asking why your site is redirecting to a gambling page. The login that suddenly doesn't work. Discovering you've been hacked is stomach-dropping — but the next hour matters more than the panic. Here's a calm, ordered plan for exactly what to do.
First: don't panic, and don't delete everything
The instinct is to wipe the site and start fresh. Resist it. The compromised files are evidence — they tell you how the attacker got in. Delete them blindly and you'll likely get hacked again the same way next week. Stay calm and work through the steps below in order.
1. Contain it (first 15 minutes)
- Take the site offline or into maintenance mode — stop it serving malware to your visitors and customers.
- Change the critical passwords — hosting, admin login, database, and the email tied to them. Use new, strong passwords.
- Log out all sessions if your platform allows it, to kick the attacker out.
2. Assess the damage
Before you fix anything, understand what happened. Look for:
- What changed — defaced pages, new admin users, unknown files, unexpected redirects.
- What data was touched — especially anything with customer details, orders, or payment information.
- How they likely got in — an outdated plugin, a weak password, an exposed login, a known vulnerability.
Take screenshots and keep your logs. If you don't know how to read them, this is the point to bring in someone who does — guessing wastes the window where the trail is still fresh.
3. Clean and recover
- Restore from a known-good backup if you have one from before the compromise.
- Remove the malicious files and any backdoors the attacker left to get back in.
- Update everything — the platform, themes, plugins, and dependencies — to close the hole.
- Reset all credentials again after cleaning, in case they were captured.
4. Your Data Protection Act obligations
This is the step Zimbabwean businesses miss. If personal customer data may have been exposed, the Data Protection Act 2021 brings obligations — including notifying the regulator and, in some cases, affected individuals. Ignoring a breach isn't just risky for customers; it can carry penalties. Document what happened and what data was involved.
5. Make sure it can't happen again
Recovery isn't finished when the site is back up. Close the door properly:
- Fix the root cause you found in step 2 — not just the symptoms.
- Add the basics — security headers, strong unique passwords, and two-factor authentication on admin accounts.
- Set up real backups on a schedule, stored somewhere separate from the site.
- Get a security assessment to find the other weaknesses before someone else does.
A hack is a horrible way to learn where your weak points were — but businesses that respond properly usually come back more secure than they were before. Move calmly, fix the cause, and don't skip the data-protection step.
Hacked right now? Get help fast
If your site is compromised, message us on WhatsApp. We'll help you contain it, clean it up, and find how they got in so it doesn't happen again.
Or message +263 77 690 2542 on WhatsApp.
Donovan Mudarikwa
CompTIA A+, Security+ & PenTest+ certified
CompTIA A+, Security+, and PenTest+ certified security professional and web developer. Based in Harare, working with businesses across Zimbabwe and beyond.