Your website disaster recovery plan

Don't panic — and don't click randomly. Panic-clicking can overwrite evidence, accidentally delete files, or make a bad situation worse. Take 30 seconds to breathe.

Take a screenshot of what you see. Capture the error message, broken page, or suspicious content. This is evidence for both diagnosis and, if needed, insurance or legal purposes.

Contact us. Email support@chykalophia.com with the screenshot and a short description of what happened. If you have an emergency care plan with us, use the emergency contact method your project lead gave you.

Check whether it's a hosting issue. Log in to your hosting dashboard (Flywheel, WP Engine, Kinsta, or your host) and look for any alerts, status messages, or maintenance notices. Also check your host's public status page.

Do not restore a backup yet — unless the site is actively causing harm (e.g., redirecting visitors to malicious content). A premature restore can wipe the evidence needed to understand what went wrong.

If the site is showing malicious content, take it offline. Most hosting dashboards have a "disable site" or "maintenance mode" option. Use it. A blank maintenance page is better than sending visitors to a scam site.

Identify what changed. Look at recent updates, new plugins, recent content edits, or any third-party changes that happened in the 24–72 hours before the problem. Most website emergencies have a clear trigger.

Check your backups. Log in to your hosting dashboard and confirm your most recent backup. Know the date of the last clean backup before the problem started. Do not delete any backups.

Change your passwords. Change your WordPress admin password, your hosting account password, and your FTP/SFTP credentials. Use your password manager to create strong, unique passwords. See how to create strong passwords.

Audit who has admin access. In WordPress, go to Users and look for any accounts you don't recognize. Remove them. See WordPress user roles explained.

Notify anyone affected. If customer data may have been exposed, you have a legal and ethical duty to notify those customers. Consult a lawyer if you're unsure what applies to your business and location.

Document everything. Write a short timeline: when you noticed the problem, what you saw, what you did, and when. This record is essential for insurance claims, compliance requirements, and preventing a repeat.

Restore from a clean backup (with our help if needed). Confirm the restored site is clean and functioning before taking it back online. See restoring your site from a backup.

Run a full security scan. Your hosting provider or a security plugin (Wordfence, Sucuri) can scan your site for remaining malicious code. Don't assume a restore is enough — malware sometimes survives a restore if it was present in your backup.

Update everything. Update WordPress core, all plugins, and your theme. Most attacks exploit known vulnerabilities in out-of-date software. See WordPress updates explained.

Review your backup schedule. Weekly backups may not be enough for an active site. Talk to us about daily automated backups. See how backups work.

Enable two-factor authentication on all admin accounts. This is the single most effective prevention for unauthorized access. See setting up 2FA.

Write a brief post-mortem. A post-mortem is a short document (one page is fine) that captures: what happened, why it happened, what you did to fix it, and what you're doing to prevent it next time. Share it with your team and with us.