When a client’s website is hacked, a reseller is often the first person to receive the urgent message: the site is down, visitors are seeing warnings, emails are bouncing, or strange content has appeared. In that moment, the reseller’s response can determine whether the client loses hours or days of business. A calm, structured action plan helps protect the site, preserve evidence, restore service, and rebuild trust.
TLDR: When a client site gets hacked, the reseller should act quickly but carefully: isolate the site, verify the compromise, preserve logs, and notify the client with clear expectations. The next steps include cleaning malware, patching vulnerabilities, restoring from a clean backup, and strengthening security controls. After recovery, the reseller should document the incident, monitor the site, and educate the client to prevent repeat attacks.
1. Stay Calm and Confirm the Incident
The first responsibility of the reseller is to avoid panic. Not every issue is a hack. A broken plugin, expired SSL certificate, DNS error, or failed update can look like a security incident. Before making promises or taking drastic action, the reseller should confirm what is happening.
Common signs of a compromised site include:
- Defacement: The homepage or internal pages show unauthorized content.
- Malware warnings: Browsers or search engines flag the website as unsafe.
- Unexpected redirects: Visitors are sent to spam, phishing, or adult websites.
- Suspicious files: Unknown PHP, JavaScript, or executable files appear in directories.
- Unusual resource usage: CPU, memory, or bandwidth spikes without a clear reason.
- Spam activity: The domain or server sends large volumes of unauthorized email.
Once the reseller has enough evidence, they should classify the event as a likely security incident and begin containment.
2. Communicate With the Client Immediately
Clients usually care most about three things: whether the site is safe, how long it will take to fix, and whether customer data is at risk. The reseller should communicate early, clearly, and professionally. Even if all details are not yet known, silence can damage trust.
A helpful first message might explain that suspicious activity has been detected, the reseller is investigating, and immediate steps are being taken to protect the site and visitors. The message should avoid blame and avoid unsupported conclusions. If the reseller does not know whether data was accessed, they should say that investigation is ongoing rather than making assumptions.
Good communication during a hack should be brief, factual, and repeated at regular intervals. The reseller may provide updates every one to two hours during active remediation, especially if the website is offline or business operations are affected.
3. Contain the Damage
Containment is the phase where the reseller limits further harm. If the site is actively serving malware or phishing pages, it may need to be temporarily disabled or placed behind a maintenance page. This protects visitors and reduces the chance that browsers and search engines blocklist the domain, which takes far longer to undo than a few hours of planned downtime.
The reseller should also consider the surrounding hosting environment. If the client is on shared hosting, other accounts may be at risk. If the reseller manages a server with multiple client sites, isolating the infected account is essential.
Practical containment steps include:
- Put the site in maintenance mode or restrict public access if it is spreading malware.
- Disable suspicious user accounts in the CMS, hosting panel, FTP, and database tools.
- Change passwords for admin users, hosting accounts, FTP/SFTP, SSH, databases, and email accounts, and invalidate existing sessions so that an attacker who is already logged in is actually logged out (on WordPress, rotating the authentication keys and salts in wp-config.php does this).
- Revoke unknown API keys and application passwords.
- Block suspicious IP addresses if attack patterns are visible in logs.
- Pause outgoing mail if the server is sending spam.
The reseller should avoid deleting everything immediately. Evidence is valuable, and careless cleanup can make it harder to understand how the attack happened.
4. Preserve Evidence and Back Up the Current State
Before cleaning the site, the reseller should create a secure copy of the compromised files, database, access logs, error logs, and relevant server configuration, made in a way that preserves file timestamps and permissions, and should record a checksum of the copy so its integrity can be shown later. This backup is not intended for restoration; it is a forensic snapshot. It can help identify the entry point and support any required reporting.
Important evidence may include:
- Web server access logs and error logs
- CMS administrator login history
- File modification timestamps
- Recently created users
- Suspicious cron jobs or scheduled tasks
- Database changes, especially injected scripts or unknown admin accounts
If the client operates in a regulated industry, such as healthcare, finance, or ecommerce, the reseller should advise them to consult legal or compliance professionals. A reseller should not guess about notification obligations when customer data may be involved.
5. Identify the Entry Point
Cleaning a hacked site without identifying the vulnerability is like mopping the floor while the pipe is still leaking. The attacker may return within hours if the original weakness remains.
For many client websites, especially CMS-based sites, common entry points include outdated plugins, abandoned themes, weak passwords, exposed admin panels, insecure file permissions, nulled (pirated) software, and compromised FTP credentials. The reseller should compare installed components against known vulnerabilities and update history, and read the access logs around the time the first suspicious file appeared.
Questions the reseller should answer include:
- Was the CMS core version outdated?
- Were any plugins, extensions, or themes known to be vulnerable?
- Did an administrator use a weak or reused password?
- Were there unknown admin users?
- Was there an exposed upload form or contact form vulnerability?
- Did the compromise begin after a new plugin, developer access, or migration?
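Several of the questions above are answered by the web server's access log. The following is an added example, not part of the original page: a few awk one-liners wrapped in Bash functions that count login attempts per IP, find every request for a script under the uploads tree, give the first time a path was hit, and print one IP's full timeline. The log format is assumed to be the Apache/Nginx "combined" format, and the sample log is constructed: a brute force of wp-login.php, a successful login (the 302 redirect), a plugin upload, and calls to a dropped web shell.

```shell
#!/usr/bin/env bash
# Entry-point triage over a combined-format access log. Added example, not
# from the page. Field layout assumed (combined format):
#   $1 ip   $4 [time   $6 "METHOD   $7 path   $9 status

# POSTs to wp-login.php per IP, and how many got the 302 redirect that a
# successful WordPress login returns (a failed login re-renders the form: 200).
login_attempts() {               # login_attempts LOG  ->  "ip attempts succeeded"
  awk '$6 == "\"POST" && $7 == "/wp-login.php" {
         n[$1]++; if ($9 == 302) ok[$1]++ }
       END { for (ip in n) printf "%s %d %d\n", ip, n[ip], ok[ip] + 0 }' "$1" |
    sort -k2 -nr
}

# Any request for a script under uploads: the first call to a dropped web
# shell is usually the best timestamp for "when did this start".
uploads_script_hits() {          # uploads_script_hits LOG
  awk '$7 ~ /\/wp-content\/uploads\/.*\.(php|phtml)/ { print $4, $1, $7, $9 }' "$1" |
    tr -d '['
}

# First time a path (prefix match, query string ignored) was requested.
first_seen() {                   # first_seen LOG /path/to/file.php
  awk -v p="$2" 'index($7, p) == 1 { print $4; exit }' "$1" | tr -d '['
}

# Everything one IP did, in order, so the report can tell the story.
ip_timeline() {                  # ip_timeline LOG IP
  awk -v ip="$2" '$1 == ip { print $4, $6, $7, $9 }' "$1" | tr -d '["'
}

# Constructed sample log (not real traffic). 203.0.113.7 brute-forces the
# login, succeeds, uploads a "plugin", then calls the shell it dropped into
# uploads; a second address finds the shell hours later.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:15:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:21:40 +0000] "GET /wp-content/uploads/2024/03/wp-cache.php?cmd=id HTTP/1.1" 200 61 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2024:08:40:02 +0000] "GET /about/ HTTP/1.1" 200 9132 "https://www.example.com/" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:09:03:12 +0000] "GET /wp-content/uploads/2024/03/wp-cache.php?cmd=ls HTTP/1.1" 200 418 "-" "python-requests/2.31"
EOF
}

if [ "${1:-}" = "demo" ]; then
  log=$(mktemp); write_sample_log "$log"
  login_attempts "$log"
  uploads_script_hits "$log"
  ip_timeline "$log" 203.0.113.7
fi
```

In the sample, the timeline shows the whole chain in seven minutes: six login POSTs, one 302, a plugin upload, and the first call to a file under uploads. That sequence answers "weak password" and "how the file got there" at once; with a real log, compare the first_seen time of the suspicious file against the file's mtime from the evidence manifest.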
6. Clean the Website Thoroughly
Once containment and evidence preservation are complete, the reseller can begin cleanup. This should be systematic. Automated malware scanners can help, but they should not be the only method. Some malicious code is obfuscated, hidden in legitimate files, or stored in the database rather than the file system.
A strong cleanup process includes:
- Scan all website files for malware, backdoors, injected scripts, and suspicious patterns.
- Replace core CMS files with fresh copies of the same version from official sources, or verify the existing ones against the vendor's published checksums, so that anything injected into core files stands out.
- Remove unused themes, plugins, and extensions rather than simply disabling them.
- Inspect uploads directories for executable scripts, especially PHP files where images should be, and for image-named files that actually begin with PHP code; an extension check alone misses those.
- Search the database for injected JavaScript, spam links, hidden admin users, and malicious redirects.
- Check configuration files such as .htaccess, web.config, wp-config.php, and equivalent CMS files.
- Review scheduled tasks for malicious jobs that can recreate malware.
If a clean backup exists from before the compromise, restoration may be the fastest route. However, the reseller should still patch the entry point before bringing the restored site online. Restoring an old vulnerable version can simply reintroduce the same problem.
7. Patch, Harden, and Reset Access
After malware removal, the reseller should harden the site before reopening it to the public. This is the point where short-term cleanup becomes long-term protection.
Recommended hardening steps include:
- Update the CMS core, plugins, themes, and server software.
- Remove abandoned or unsupported extensions.
- Enforce strong passwords for all users.
- Enable multi-factor authentication for administrators where possible.
- Set correct file permissions and disable unnecessary write access.
- Disable file editing from the CMS admin dashboard if supported.
- Limit login attempts and protect admin URLs.
- Install or configure a web application firewall.
- Enable automatic security updates for trusted components.
The reseller should also reset all credentials, not just the CMS admin password. Attackers often collect database passwords, FTP credentials, API tokens, and hosting panel logins. Any credential that may have been stored on the site or used to manage it should be treated as exposed.
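Three of the hardening items above (no executable scripts under uploads, correct permissions, no file editing from the dashboard) can be scripted. The following is an added example, not part of the original page, written for a WordPress site on Apache 2.4; the layout and the fixture are assumptions, and it needs GNU coreutils and findutils. The uploads rule relies on AllowOverride permitting FilesMatch/Require in .htaccess; if the host does not allow that, the same block goes in the virtual host configuration, and on nginx the equivalent is a location block with "deny all".

```shell
#!/usr/bin/env bash
# Post-cleanup hardening for a WordPress site on Apache 2.4. Added example,
# not from the page; the WEBROOT layout is an assumption. Needs GNU coreutils.

# Uploads must never execute server-side code. The weak state is no
# .htaccess at all (the default), which lets a dropped shell run.
deny_scripts_in_uploads() {      # deny_scripts_in_uploads WEBROOT
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Deny execution of any script-like file in the uploads tree (Apache 2.4 syntax)
<FilesMatch "\.(php|phtml|php[0-9]|phar|cgi|pl)$">
    Require all denied
</FilesMatch>
EOF
}

# Directories 755, files 644, and 600 for wp-config.php because it holds the
# database credentials. World-writable files (777) are the weak setting this
# replaces; they let any process on a shared host rewrite the site.
fix_permissions() {              # fix_permissions WEBROOT
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

# Disable the theme/plugin editor so a stolen admin login cannot be turned
# into arbitrary PHP. WordPress reads the constant from wp-config.php; it must
# appear before the "That's all, stop editing!" marker.
disable_file_editing() {         # disable_file_editing WEBROOT/wp-config.php
  cfg=$1
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0     # already set: idempotent
  awk -v def="define('DISALLOW_FILE_EDIT', true);" \
      '/That.s all, stop editing/ { print def } { print }' "$cfg" > "$cfg.tmp"
  if ! grep -q 'DISALLOW_FILE_EDIT' "$cfg.tmp"; then  # marker missing: do not guess
    echo "stop-editing marker not found in $cfg; add the define by hand" >&2
    rm -f "$cfg.tmp"; return 1
  fi
  cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"         # cat keeps the original's mode/owner
}

harden_site() {                  # harden_site WEBROOT
  deny_scripts_in_uploads "$1"
  fix_permissions "$1"
  disable_file_editing "$1/wp-config.php"
}

# Constructed fixture (not a real site): a minimal wp-config.php with the
# stop-editing marker and one upload.
make_fixture() {
  r=$1; mkdir -p "$r/wp-content/uploads/2024/03"
  printf 'img\n' > "$r/wp-content/uploads/2024/03/photo.jpg"
  cat > "$r/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'site');
define('DB_PASSWORD', 'example-only');
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

if [ "${1:-}" = "demo" ]; then
  t=$(mktemp -d); make_fixture "$t"; harden_site "$t"
  cat "$t/wp-config.php"; ls -l "$t/wp-config.php" "$t/wp-content/uploads/.htaccess"
fi
```

Run the permission fix as the account owner, not as root, or the files end up owned by the wrong user; and re-test uploads afterwards, because some plugins store generated PHP under wp-content/uploads and will break once execution there is denied, which is itself a finding worth raising with the client.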
8. Restore Reputation and Search Visibility
Even after a site is clean, browsers, antivirus systems, and search engines may continue to warn visitors. The reseller should check major security blocklists and search engine consoles. If the site was flagged, a review request may be needed after cleanup.
For ecommerce or lead generation sites, the reseller should test important workflows before declaring victory. Contact forms, checkout pages, payment integrations, analytics, tracking scripts, and email notifications should all be checked. A site can appear clean but still fail critical business functions.
9. Monitor Closely After Recovery
The first 24 to 72 hours after restoration are critical. Many reinfections happen because a backdoor was missed or the attacker still has valid credentials. The reseller should monitor file changes, login attempts, server resource usage, outgoing email volume, and malware scan results.
It is also wise to schedule follow-up scans over the next several weeks. A professional reseller should treat recovery as an ongoing process, not a single cleanup task. If suspicious activity returns, the reseller should revisit the entry point analysis and consider deeper server-level investigation.
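The file-change monitoring described above, as an added example that is not part of the original page: a baseline of SHA-256 hashes taken right after relaunch, a check that reports added, modified and removed files against it, and a filter for the changes that should page someone immediately rather than wait for the daily report (a new script under uploads, or a change to .htaccess, wp-config.php or index.php). The WordPress paths, the "urgent" list and the constructed reinfection are assumptions; paths containing whitespace are not handled because the comparison splits on it.

```shell
#!/usr/bin/env bash
# Post-recovery file-integrity check. Added example, not from the page.
# Take a baseline right after relaunch, then run check_changes from cron
# (hourly for the first 72 hours is reasonable) and alert on any output.
# Paths with whitespace are not handled (awk splits on it); GNU coreutils assumed.

baseline() {                     # baseline WEBROOT OUTFILE
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Prints "ADDED path", "MODIFIED path" or "REMOVED path"; nothing when the
# tree matches the baseline.
check_changes() {                # check_changes WEBROOT BASELINE
  cur=$(mktemp)
  find "$1" -type f -exec sha256sum {} + | sort -k2 > "$cur"
  awk 'NR == FNR { old[$2] = $1; next }
       { if (!($2 in old))          { print "ADDED    " $2 }
         else if (old[$2] != $1)    { print "MODIFIED " $2 }
         seen[$2] = 1 }
       END { for (p in old) if (!(p in seen)) print "REMOVED  " p }' "$2" "$cur" | sort
  rm -f "$cur"
}

# Reinfection signatures that deserve a page, not a report line: a new or
# changed script under uploads, or a change to files that never change
# between releases. Reads check_changes output on stdin.
urgent_changes() {               # check_changes ... | urgent_changes
  grep -E '^(ADDED|MODIFIED) .*(wp-content/uploads/.*\.php|/\.htaccess$|/wp-config\.php$|/index\.php$)'
}

# Constructed fixture (not a real site).
make_fixture() {
  r=$1; mkdir -p "$r/wp-content/uploads/2024/03" "$r/wp-content/themes/site"
  printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$r/index.php"
  printf 'Options -Indexes\n' > "$r/.htaccess"
  printf 'img\n' > "$r/wp-content/uploads/2024/03/photo.jpg"
  printf '<?php // theme\n' > "$r/wp-content/themes/site/functions.php"
}

# Constructed reinfection: a shell dropped into uploads, index.php patched to
# include it, and a theme file deleted.
simulate_reinfection() {
  r=$1
  printf '<?php eval(base64_decode($_POST["x"]));\n' > "$r/wp-content/uploads/2024/03/cache.php"
  printf '<?php @include "wp-content/uploads/2024/03/cache.php"; require __DIR__ . "/wp-blog-header.php";\n' > "$r/index.php"
  rm -f "$r/wp-content/themes/site/functions.php"
}

if [ "${1:-}" = "demo" ]; then
  t=$(mktemp -d); make_fixture "$t/site"
  baseline "$t/site" "$t/baseline.sha256"
  simulate_reinfection "$t/site"
  check_changes "$t/site" "$t/baseline.sha256" | tee "$t/changes.txt"
  echo "--- urgent ---"; urgent_changes < "$t/changes.txt"
fi
```

Keep the baseline file outside the document root and refresh it only after a deliberate update, so that every line of output is either a change the reseller made or a change the attacker made. If the check reports changes nobody made, go back to the entry-point analysis rather than simply deleting the new files.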
10. Document the Incident
Documentation protects both the client and the reseller. After the incident is resolved, the reseller should prepare a concise report. This report does not need to be overly technical, but it should clearly explain what happened, what actions were taken, and what preventive measures are recommended.
The incident report may include:
- Date and time the issue was reported
- Symptoms observed
- Likely cause or confirmed entry point
- Files, users, or database areas affected
- Cleanup actions performed
- Passwords and access keys reset
- Security updates applied
- Recommended next steps
This report helps the client understand the value of the reseller’s work. It can also support insurance claims, compliance reviews, or internal business records.
11. Turn the Incident Into a Prevention Plan
A hack is stressful, but it can become an opportunity to improve the client’s security posture. After recovery, the reseller should recommend a maintenance and security plan. Many small businesses do not understand that websites require ongoing care, just like physical storefronts, vehicles, or computers.
A practical prevention plan may include regular updates, scheduled backups, uptime monitoring, malware scanning, firewall protection, security reports, and periodic access reviews. The reseller should also encourage clients to limit admin privileges and remove users who no longer need access.
The best reseller response is not only to fix the hacked site, but to reduce the chance that the same client will face the same emergency again.
FAQ
How quickly should a reseller respond to a hacked client site?
A reseller should respond as soon as possible, ideally within minutes during business hours. Even if the full investigation takes longer, the client should receive an immediate acknowledgment and a basic containment plan.
Should the reseller take the website offline?
If the site is distributing malware, redirecting users, stealing data, or damaging the client’s reputation, temporarily taking it offline or placing it in maintenance mode is often the safest option. The decision should be explained clearly to the client.
Is restoring from backup enough?
Not always. A backup can restore clean files, but if the original vulnerability remains, the site may be hacked again. The reseller should patch software, reset credentials, and remove the entry point before relaunching.
Who is responsible if customer data was exposed?
The client is usually responsible for legal and regulatory obligations related to their customer data. The reseller can provide technical findings, but the client should consult legal or compliance experts if sensitive information may have been accessed.
How can a reseller prevent future hacks?
The reseller can offer managed updates, strong backup policies, malware monitoring, firewalls, password controls, multi-factor authentication, and regular security reviews. Consistent maintenance is the most effective long-term defense.