# The First 5 Minutes: How to Immediately Isolate Your Hacked Website

The moment you discover your website has been hacked—whether through a defaced homepage, a phishing alert from Google, or a sudden flood of spam links—panic is a natural first reaction. However, the first five minutes after detection are the most critical. Your immediate actions determine whether the damage remains contained or spreads to your users, your server, and other websites hosted on the same account.

The goal in this initial, high-stress period is simple: isolation. You must sever the attacker’s connection and prevent further compromise without destroying crucial forensic evidence.

This guide provides a rapid, step-by-step protocol focused on emergency isolation and containment. By executing these essential steps within the first five minutes, you buy yourself the necessary time to calmly investigate the root cause, clean the infection, and restore your site safely.

## Phase I: Immediate Isolation (The First 5 Minutes)

Your priority is to stop the bleed. The three actions below must be performed immediately to prevent further damage and to lock the attacker out.

### Step 1: Lock the Doors (Change All Key Passwords)

The attacker likely gained entry through compromised credentials. Changing passwords immediately renders their existing access keys useless.

**Action 1: Change the Most Powerful Users**

- **WordPress/CMS:** Change the passwords for all Administrator-level users immediately. If you can still access the dashboard, do this first.
- **Hosting/cPanel:** Change the password for your hosting control panel (cPanel, Plesk, etc.). This is the master key to your entire server account, including databases and backups.
- **Database (MySQL):** Change the password for the database user that your website uses. You typically do this through your hosting control panel’s MySQL section. This is crucial because many backdoors store their access credentials directly in the database. (Remember to put the new credentials into your site’s configuration file, e.g. `wp-config.php`, before bringing the site back online.)
**Action 2: Change FTP/SFTP Access**

- **Change or Disable:** Change the password for all existing FTP accounts, or, better yet, disable FTP access entirely if you don’t need it for the next 24 hours. Many attacks use simple, compromised FTP credentials.

*Time Check: This should take no more than 2 minutes. Focus only on the passwords, not the recovery or cleanup.*

### Step 2: Sever the Connection (Take the Site Offline)

You need to prevent the attacker from issuing further commands and stop your users from being exposed to malware or spam. Do not simply delete the files; you need the files for forensics.

**Action 1: Rename the Site Root Folder (Recommended)**

The fastest, cleanest way to take a site offline without affecting other sites on your hosting account is to rename the root directory.

1. **Access File Manager/FTP:** Log into your hosting control panel’s File Manager or connect via FTP.
2. **Locate the Site Folder:** Find the public directory for the compromised site (e.g., `public_html/yoursite.com`).
3. **Rename It:** Rename the folder to something like `yoursite.com_HACKED_DO_NOT_USE`.

**Result:** Because the server can no longer find the expected site directory, visitors will see a 404 error, and all malicious scripts will stop executing immediately.

**Action 2: Disable the Site in Hosting Settings (Alternative)**

Many modern hosting panels offer a “Disable Site” or “Suspend” function for an individual domain, which can be a single-click isolation method.

*Time Check: This should take less than 1 minute.*

### Step 3: Block External Access (Modify .htaccess)

The attacker may have left a backdoor or web shell that allows them to re-access the site even if you’ve renamed the folders. You need to block all script execution at the server level.

**Action: Restrict PHP Execution in the Uploads Folder**

Most WordPress attacks inject malicious PHP files into the `wp-content/uploads` folder. Normally, this folder should only contain images and media, not executable code.
1. **Locate the .htaccess File:** Using FTP/File Manager, navigate to the `wp-content/uploads/` folder. (If a `.htaccess` file doesn’t exist there, create one.)
2. **Insert Security Code:** Add the following lines to the top of the `.htaccess` file to block PHP execution (Apache):

```apache
# Refuse to serve or execute any .php file in this directory and its subdirectories
<Files "*.php">
    Require all denied
    # On Apache 2.2 (or 2.4 with mod_access_compat loaded) use: deny from all
</Files>
```

**Result:** Even if a malicious file remains in the uploads directory, the server will refuse to execute it, preventing the attacker from running shell commands.

Two caveats: this only takes effect when the site is served by Apache (or LiteSpeed) with `.htaccess` overrides enabled, since nginx ignores `.htaccess` files entirely; and a `*.php` pattern does not cover alternative extensions such as `.phtml` or `.phar`, so extend the pattern if your server hands those to PHP as well.

*Time Check: This should take 2 minutes.*

## Phase II: Diagnosis and Preparation (The Next 10 Minutes)

Once isolated, you can move to the next steps. Do not start cleaning yet. You must first ensure you know how the site was hacked and that you have a secure starting point for recovery.

### Step 4: Contact Your Host and Security Provider

Your hosting provider is your most powerful ally. They have server-level tools and logs that you do not.

**Action 1: Notify the Host**

- **Open a High-Priority Support Ticket:** Inform your host that your site is hacked, that you have isolated it (mentioning the folder rename), and that you require them to check the server logs (access logs, error logs) for suspicious activity, particularly just before the breach occurred.
- **Request a Malware Scan:** Ask them to run a server-side scan on the entire account to check for dormant malware and backdoors outside your main website folders.

**Action 2: Check Blacklist Status**

Verify whether your site has been flagged by Google: go to Google Search Console (GSC) and check the Security Issues report. If Google has already flagged it, you will need to file a review request after the cleanup.

### Step 5: Secure a Clean Backup (The Recovery Anchor)

You need a version of your site that you trust to be clean. This is often the hardest part.

**Action 1: Isolate the Database**

- **Export the Database:** Go to phpMyAdmin (via your hosting panel) and immediately export the current, infected database as a `.sql` file. This is crucial evidence for later analysis.
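Steps 2 and 3 of Phase I as one added shell script (example code, not the article’s own): it renames the document root to the `_HACKED_DO_NOT_USE` name, writes a SHA-256 manifest of the quarantined tree before anything inside it is touched, then drops the PHP-blocking `.htaccess` into its `wp-content/uploads`, keeping any `.htaccess` that was already there as `.htaccess.pre-isolation`. The hosting path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): emergency isolation of one site's
# document root, following Steps 2 and 3. The path below is an assumption.
#   usage: isolate_site /home/acct/public_html/yoursite.com
set -eu

isolate_site() {
    docroot=${1%/}                         # tolerate a trailing slash
    quarantine="${docroot}_HACKED_DO_NOT_USE"
    if [ ! -d "$docroot" ]; then
        echo "no such directory: $docroot" >&2; return 1
    fi
    if [ -e "$quarantine" ]; then
        echo "refusing to overwrite existing $quarantine" >&2; return 1
    fi

    # Step 2: rename, never delete. The web server stops finding the docroot,
    # while contents and timestamps stay intact for forensics.
    mv -- "$docroot" "$quarantine"

    # Evidence first: hash every file before anything inside the tree is
    # changed, so later analysis can show the quarantined copy is untouched.
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher="shasum -a 256"; fi
    manifest="${quarantine}.sha256"
    ( cd "$quarantine" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do $hasher "$f"; done ) > "$manifest"

    # Step 3: refuse to serve PHP from uploads even if the tree is put back.
    uploads="$quarantine/wp-content/uploads"
    mkdir -p "$uploads"
    htaccess="$uploads/.htaccess"
    if [ -f "$htaccess" ]; then
        cp -p -- "$htaccess" "$htaccess.pre-isolation"   # keep whatever was there (possibly attacker-written)
    fi
    {
        echo '# Added during incident isolation: block PHP execution in uploads'
        echo '<Files "*.php">'
        echo '    Require all denied'
        echo '    # Apache 2.2: deny from all'
        echo '</Files>'
        if [ -f "$htaccess.pre-isolation" ]; then cat "$htaccess.pre-isolation"; fi
    } > "$htaccess"

    echo "isolated: $quarantine (evidence manifest: $manifest)"
}

if [ "$#" -gt 0 ]; then isolate_site "$1"; fi
```

Keep the manifest and the `.pre-isolation` copy with the rest of your evidence; the script refuses to run twice against the same quarantine name so an earlier copy is never overwritten.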
- **Restore a Clean Database:** Check your hosting company’s automatic backup system. Identify a database backup from before the time of the hack (if you know it). Restore this known clean database.

**Action 2: Secure the Files**

- **Restore Clean Files:** Restore a full file backup from a known safe date (pre-hack).
- **If No Clean Backup Exists:** Download the following three clean components from official sources:
  - A fresh copy of your CMS core (e.g., WordPress) from the official repository.
  - A fresh copy of your active theme.
  - Fresh copies of all currently installed plugins.

**Rationale:** The files you use to restore should always come from an external, clean source. Never trust files pulled from the infected server, even if they look clean.

### Step 6: Commence the Systematic Cleanup

With the attacker locked out, passwords changed, and clean assets secured, you can begin the comprehensive cleanup process.

1. **Start with the Clean Core:** Replace all files in your primary installation (except the `wp-content` folder) with the fresh core files.
2. **Scan wp-content:** Use security tools (like Wordfence, Sucuri, or professional scanners) to scan the `wp-content` folder (themes, plugins, uploads) for malicious code.
3. **Check Core Files Manually:** Pay special attention to `wp-config.php` and `functions.php` for injected malicious lines, which are common hiding spots.
4. **Verify Database:** Check your database for new, suspicious admin users, injected spam links in post content, and changes to the site URL settings.

## Conclusion

A website hack is a technical emergency. By following the First 5 Minutes protocol—changing all master credentials, disconnecting the site immediately via folder renaming, and blocking dangerous execution in the uploads folder—you neutralize the attacker’s ability to inflict further damage. The subsequent steps, involving host notification and securing a truly clean starting point (a clean backup), move the process from panic to methodical recovery.

Remember: isolation is the priority, evidence is precious, and recovery must be done with external, clean files to ensure the breach is completely closed.
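One way to carry out the core-file check from Step 6 using the fresh official copy obtained in Step 5, as an added shell example that is not part of the article: it walks the quarantined tree, skips `wp-content` (which the article says to hand to dedicated scanners), and reports every file that is absent from the official release or differs from it, so the manual review can focus on exactly those. The two directory paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): compare a quarantined site tree against
# a fresh, official copy of the CMS core and list what the attacker added or
# changed outside wp-content.
#   usage: list_tampered /path/to/fresh-wordpress /path/to/yoursite.com_HACKED_DO_NOT_USE
set -eu

list_tampered() {
    clean=${1%/}
    infected=${2%/}
    # Every regular file in the quarantined tree, wp-content excluded, in a
    # stable order so two runs can be diffed against each other.
    ( cd "$infected" && find . -type f ! -path './wp-content/*' ) | LC_ALL=C sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$clean/$rel" ]; then
            # Not shipped in the official release. Site-specific files such as
            # wp-config.php are expected here, but each one still needs a
            # manual look for injected lines; anything else is suspect.
            echo "extra    $rel"
        elif ! cmp -s "$clean/$rel" "$infected/$rel"; then
            # Shipped by the release, but the bytes differ: a core file was
            # altered in place and must be replaced from the clean copy.
            echo "modified $rel"
        fi
    done
}

if [ "$#" -eq 2 ]; then list_tampered "$1" "$2"; fi
```

Files that match the official release byte for byte are not printed, so an empty result outside `wp-content` means only the themes, plugins and uploads remain to be scanned.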