What to Do If a Client Website Is Hacked in South Africa

Introduction

Discovering that a client’s website has been hacked is a high-pressure situation, especially when the client depends on it for their business. Even if it is not a business website, seeing your own site or a client’s site hacked will send a chill down your spine.

Don’t feel overwhelmed; most hacked websites can be fixed and restored. What matters is how quickly and correctly you respond.

For us in South Africa, how we respond is different because our response is governed by both technical urgency and the Protection of Personal Information Act (POPIA). If you see that:

  • The site is redirecting to strange pages, or
  • Suspicious content is appearing, or
  • Your login access is blocked, or
  • The website has gone completely offline

Then it is likely your website has been hacked, but don’t panic. This guide will walk you through exactly what to do, step by step.

Steps to Take When a Website Is Hacked

1. Immediate Containment

The moment a hack is detected, your priority is to prevent further damage or data extraction.

Go Offline: Put the site into Maintenance Mode or temporarily take it offline. This prevents users from interacting with malicious scripts and stops the hacker from continuing their session.

For a WordPress site, you can install a plugin such as SeedProd or LightStart to create a custom maintenance page. Alternatively, if you have cPanel access (for example, on a custom-built site), edit the .htaccess file to redirect all traffic to a maintenance.php file.

Isolate the Environment: If you are a reseller, ensure the infected account is “jailed” (using tools like CloudLinux) so the malware doesn’t transfer to your other clients.

Freeze the Evidence: Do not delete everything immediately. Take a snapshot of the infected state for forensic analysis. This is vital if the Information Regulator asks for proof of how the breach occurred.
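One way to take that snapshot over SSH, as an added example (not part of the original article): it archives the document root untouched and records SHA-256 hashes so the copy can later be shown to be unaltered. The function name and paths are hypothetical, and it assumes shell access with GNU `tar` and `sha256sum`.

```shell
#!/bin/sh
# Added example: snapshot a compromised document root BEFORE any cleanup.
# Usage: freeze_evidence <docroot> <evidence_dir>
# Keep <evidence_dir> outside the docroot (ideally on another volume).
# Prints the path of the archive it created.
freeze_evidence() (
    docroot=$1
    outdir=$2
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; exit 1; }

    umask 077                          # evidence readable by the responder only
    mkdir -p "$outdir"
    outdir=$(cd "$outdir" && pwd)      # make the path absolute
    stamp=$(date -u +%Y%m%dT%H%M%SZ)   # UTC timestamp for the case file
    base="$outdir/evidence-$stamp"

    # 1. Per-file SHA-256 manifest of the infected state.
    ( cd "$docroot" && find . -type f -exec sha256sum {} + | sort -k 2 ) \
        > "$base.manifest.sha256"

    # 2. Archive the tree as it is. tar keeps modification times, owners and
    #    modes, which are needed to rebuild a timeline of the intrusion.
    tar -czf "$base.tar.gz" -C "$docroot" .

    # 3. Hash the archive itself so any later copy can be verified.
    ( cd "$outdir" && sha256sum "evidence-$stamp.tar.gz" ) > "$base.tar.gz.sha256"

    # 4. Make the evidence read-only.
    chmod 400 "$base.tar.gz" "$base.manifest.sha256" "$base.tar.gz.sha256"
    echo "$base.tar.gz"
)
```

Export the database and copy the web server access logs into the same evidence directory before they rotate.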

2. Contact Your Hosting Provider

Your hosting provider can help with:

  • Server-level scans
  • Security logs
  • Malware detection

Don’t try to handle everything alone. If you are unsure, use available support.

3. Change All Credentials

Once the site is isolated, you need to remove the “intruder” and their backdoors. Change the passwords for cPanel/hosting logins, FTP accounts, email accounts, databases, and every single CMS admin user. This prevents attackers from regaining access.

4. Scan for Malware and Remove Malicious Files

Use a server-side scanner (like Imunify360) to identify and quarantine malicious files. Hackers usually enter through an unpatched “open window.” Be careful: incomplete cleanup can cause reinfection.

5. Restore from a Backup

If you have a clean off-site backup from before the infection, restoring it is often faster and safer than manual cleaning. If restoration is not possible, manually remove infected files and clean compromised scripts.
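When a clean backup exists but cannot simply be restored, it can still tell you which files to inspect. The following added example (not part of the original article) compares the live site against an extracted copy of the backup by SHA-256 and lists what was added, modified or removed. The function names and directory layout are hypothetical, and it assumes GNU `sha256sum`.

```shell
#!/bin/sh
# Added example: list every file that differs from the known-good backup.
# Usage: diff_against_backup <clean_backup_dir> <live_docroot>
# Output: one sorted line per difference:
#   ADDED <path>     present on the live site only (candidate dropped file)
#   MODIFIED <path>  content differs from the backup (candidate injection)
#   MISSING <path>   present in the backup only

# Emit "<sha256>  <relative path>" for every file below a directory.
manifest() ( cd "$1" && find . -type f -exec sha256sum {} + )

diff_against_backup() (
    clean=$1
    live=$2
    tmp=$(mktemp -d)
    manifest "$clean" > "$tmp/clean"
    manifest "$live"  > "$tmp/live"

    awk '
        # sha256sum prints 64 hex digits, two separator characters, then the path.
        { hash = $1; path = substr($0, 67) }
        # First file: remember the known-good hash for each path.
        FILENAME == ARGV[1] { good[path] = hash; next }
        # Second file: compare the live site against it.
        { seen[path] = 1 }
        !(path in good)     { print "ADDED " path; next }
        good[path] != hash  { print "MODIFIED " path }
        END { for (p in good) if (!(p in seen)) print "MISSING " p }
    ' "$tmp/clean" "$tmp/live" | LC_ALL=C sort > "$tmp/report"

    cat "$tmp/report"
    rm -rf "$tmp"
)
```

Legitimate uploads and plugin updates made after the backup date also show up as ADDED or MODIFIED, so treat the output as a review list rather than a deletion list.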

6. Check User Accounts

Look for unknown admin users and suspicious permissions.

Remove any unauthorized access.

7. Update Everything

Once the site is clean, update the website core, all plugins, and themes to their latest versions immediately.

This closes security gaps.

8. Re-enable the Website

Once everything is secure, bring the site back online and test the functionality. Ensure everything works properly.

Always double-check before going live.

9. The Legal Mandate: POPIA Section 22

In South Africa, if you have “reasonable grounds” to believe personal information (emails, names, ID numbers) has been accessed by an unauthorized person, you have a legal obligation to act.

Notify the Regulator: Under POPIA Section 22, you must notify the Information Regulator as soon as reasonably possible. This is done via a specific Section 22 Security Compromise Notification Form.

Notify the Data Subjects: You must also inform the affected clients/users in writing (usually via email) and provide a prominent notice on the website.

The penalty for not reporting a data breach can reach R10 million or jail time. Protecting a client isn’t just about the code; it’s about the legal and human response that follows.

What to Say: Your notification must include:

  1. What happened (description of the breach).
  2. The possible consequences for the user.
  3. What you are doing to fix it.
  4. What they should do (e.g., change passwords).

How you communicate with your client during this hour will define your professional relationship for years.

Be Transparent, Not Technical: Your client doesn’t care about “SQL Injections”; they care about their business. Explain the situation in plain language: “There was unauthorized access to the site; we have taken it offline to protect your data and are currently restoring it from a secure backup.”

Provide a Timeline: Give them regular updates (every 2–4 hours) until the site is back online. Uncertainty breeds panic.

Once the site has been restored and everything is okay, provide a report to your clients detailing how it happened and what measures (multi-factor authentication, a web application firewall, better backups) you are putting in place to ensure it doesn’t happen again.

How to Prevent Future Hacks

After fixing the issue, strengthen your security:

1. Use Strong Passwords

Avoid weak or reused passwords.

2. Enable SSL Certificates

Secure all data transmission.

3. Install Security Tools

Use firewalls and malware scanners.

4. Set Up Regular Backups

Always have a recovery option.

5. Keep Everything Updated

Prevent vulnerabilities.

6. Monitor Websites Regularly

Catch issues early.

Avoid these Mistakes

  • Ignoring the Problem: Delays can make things worse.
  • Skipping Backup Restoration: Trying to fix everything manually can be risky.
  • Not Changing Passwords: Attackers may still have access.
  • Leaving Vulnerabilities Open: Fix the root cause, not just the symptoms.

Why Preventing Website Hacks Matters for Your Hosting Business

Handling hacks properly helps you:

  1. Build trust
  2. Retain clients
  3. Show professionalism
  4. Stand out from competitors

| Action | Detail | Priority |
|---|---|---|
| Kill Sessions | Log out all users and reset all passwords. | Critical |
| Notify Host | Inform your parent hosting provider; they may have logs you need. | High |
| POPIA Form | Complete the Section 22 form for the Information Regulator. | Legal Requirement |
| Rollback | Restore from the last known-good backup. | Fastest Recovery |

NOTE
A hack can disrupt years of SEO progress in days. Once the site is clean, check if Google has flagged the site as “Harmful.” If it has, request a Security Review to remove the warning labels from search results. Afterwards, resubmit your sitemaps.

Re-indexing the site quickly helps ensure that any “SEO Spam” links indexed during the hack are replaced by your legitimate content.

Final Thoughts

If a client website is hacked in South Africa, the key is to act quickly, follow a clear process, and restore security as soon as possible. With backups, proper tools, and good practices, you can resolve issues efficiently and protect your clients moving forward.

Be Prepared, Not Reactive. Website hacks can happen, but with the right process, they don’t have to be a disaster.
