If you’re reading this while refreshing your analytics dashboard in a cold sweat, watching traffic spike into nonsense, or staring at a defaced homepage stop scrolling for a solution and start with these steps. This isn’t a theory piece. It’s what to actually do, in order, right now.
https://tremhost.com/clientarea/store/tremhost-armor-powered-by-cloudflare
Minute 0–2: Confirm What You’re Actually Dealing With
Before reacting, figure out which of these you’re facing, because the response is different for each:
- DDoS attack — site is slow or completely unreachable, server load is spiking, traffic is coming from unusual geographic patterns or looks automated
- Brute-force / login attack — spike in failed login attempts, unusual admin activity, or you’ve been locked out of your own dashboard
- Site defacement or malware injection — visible changes to your homepage, unexpected redirects, browser security warnings, or Google flagging your site
- Data breach — unauthorized access to customer data, database, or payment information
Check your hosting control panel or server logs if you can still access them. If you can’t access anything, that’s information too move to the next step.
Minute 2–5: Stop the Bleeding, Don’t Chase the Cause
The instinct under pressure is to start investigating why this happened. Resist that for now. Root-cause analysis is a job for after the site is stable — right now the priority is containment.
- Do not start deleting files, plugins, or database entries without a backup. You can destroy your own evidence and your recovery path in the same click.
- Do take a screenshot or note of anything visibly wrong — timestamps matter for later.
- Do change your hosting/admin/database passwords immediately if you still have access, using a device you trust.
- Do not post publicly about the attack yet — attackers sometimes monitor public reaction to gauge success.
Minute 5–8: Get Traffic Behind a Shield
If your site is reachable but struggling, the fastest lever available is putting traffic through a filtering layer before it reaches your origin server this is what Cloudflare’s Under Attack Mode does. It forces every visitor through a browser check before your server ever sees the request, which buys you breathing room without touching your actual site files.
If your DNS is already proxied through Cloudflare, this can be flipped on in minutes. If it isn’t if your site’s real server IP is exposed to the internet this is the part that takes longer to do safely yourself, because DNS changes can take hours to propagate if they’re not configured correctly beforehand.
Minute 8–10: Decide If You Need Emergency Help vs. DIY
Here’s the honest fork in the road:
You can likely handle this yourself if: you already have Cloudflare or a similar proxy in front of your site, you have recent clean backups, and the issue is a traffic spike rather than a breach.
You need emergency intervention if: your origin server IP is exposed, you don’t have DNS/WAF protection in place yet, you suspect actual compromise (not just traffic overload), or every minute of downtime is costing you sales, bookings, or reputation.
This is the exact gap Tremhost Armor SOS exists to close.
What Armor SOS Actually Does in This Situation
| Step | What Happens |
|---|---|
| Emergency DNS cutover to Cloudflare | Same-day — your traffic gets routed through protection without waiting on a standard migration timeline |
| Under Attack Mode activation | Every visitor is challenged before reaching your origin, immediately reducing attack traffic hitting your server |
| Emergency WAF and rate-limiting rules | Custom rules deployed specifically for what’s happening to your site, not generic defaults |
| Origin IP rotation | If your real server IP has been exposed or targeted, it’s changed so attackers lose their direct line to your server |
| Post-incident summary | A clear written record of what happened and what was changed — useful for your own records, your customers, or compliance requirements |
Cost: $150.00, one-time, for the emergency response.
Unlike the standard onboarding for Armor Lite or Armor Pro which are built for sites that want protection before something goes wrong SOS is built for exactly this moment: you’re already in it, and you need someone to act now, not schedule a consultation for next Tuesday.
After the Fire Is Out
Once your site is stable, that’s when root-cause work matters reviewing how the attacker got in, what vulnerability was exploited, and what ongoing protection should look like. Most businesses that go through an emergency response move to Armor Lite or Armor Pro afterward, specifically so this doesn’t happen a second time. That’s a separate conversation for a calmer day right now, the job is just getting your site back under control.
https://tremhost.com/clientarea/store/tremhost-armor-powered-by-cloudflare



