My Website Is Under Attack Right Now — What Do I Do in the Next 10 Minutes?

If you’re reading this while refreshing your analytics dashboard in a cold sweat, watching traffic spike into nonsense, or staring at a defaced homepage stop scrolling for a solution and start with these steps. This isn’t a theory piece. It’s what to actually do, in order, right now.

https://tremhost.com/clientarea/store/tremhost-armor-powered-by-cloudflare

Minute 0–2: Confirm What You’re Actually Dealing With

Before reacting, figure out which of these you’re facing, because the response is different for each:

  • DDoS attack — site is slow or completely unreachable, server load is spiking, traffic is coming from unusual geographic patterns or looks automated
  • Brute-force / login attack — spike in failed login attempts, unusual admin activity, or you’ve been locked out of your own dashboard
  • Site defacement or malware injection — visible changes to your homepage, unexpected redirects, browser security warnings, or Google flagging your site
  • Data breach — unauthorized access to customer data, database, or payment information

Check your hosting control panel or server logs if you can still access them. If you can’t access anything, that’s information too move to the next step.

Minute 2–5: Stop the Bleeding, Don’t Chase the Cause

The instinct under pressure is to start investigating why this happened. Resist that for now. Root-cause analysis is a job for after the site is stable — right now the priority is containment.

  • Do not start deleting files, plugins, or database entries without a backup. You can destroy your own evidence and your recovery path in the same click.
  • Do take a screenshot or note of anything visibly wrong — timestamps matter for later.
  • Do change your hosting/admin/database passwords immediately if you still have access, using a device you trust.
  • Do not post publicly about the attack yet — attackers sometimes monitor public reaction to gauge success.

Minute 5–8: Get Traffic Behind a Shield

If your site is reachable but struggling, the fastest lever available is putting traffic through a filtering layer before it reaches your origin server this is what Cloudflare’s Under Attack Mode does. It forces every visitor through a browser check before your server ever sees the request, which buys you breathing room without touching your actual site files.

If your DNS is already proxied through Cloudflare, this can be flipped on in minutes. If it isn’t if your site’s real server IP is exposed to the internet this is the part that takes longer to do safely yourself, because DNS changes can take hours to propagate if they’re not configured correctly beforehand.

Minute 8–10: Decide If You Need Emergency Help vs. DIY

Here’s the honest fork in the road:

You can likely handle this yourself if: you already have Cloudflare or a similar proxy in front of your site, you have recent clean backups, and the issue is a traffic spike rather than a breach.

You need emergency intervention if: your origin server IP is exposed, you don’t have DNS/WAF protection in place yet, you suspect actual compromise (not just traffic overload), or every minute of downtime is costing you sales, bookings, or reputation.

This is the exact gap Tremhost Armor SOS exists to close.

What Armor SOS Actually Does in This Situation

Step What Happens
Emergency DNS cutover to Cloudflare Same-day — your traffic gets routed through protection without waiting on a standard migration timeline
Under Attack Mode activation Every visitor is challenged before reaching your origin, immediately reducing attack traffic hitting your server
Emergency WAF and rate-limiting rules Custom rules deployed specifically for what’s happening to your site, not generic defaults
Origin IP rotation If your real server IP has been exposed or targeted, it’s changed so attackers lose their direct line to your server
Post-incident summary A clear written record of what happened and what was changed — useful for your own records, your customers, or compliance requirements

Cost: $150.00, one-time, for the emergency response.

Unlike the standard onboarding for Armor Lite or Armor Pro which are built for sites that want protection before something goes wrong SOS is built for exactly this moment: you’re already in it, and you need someone to act now, not schedule a consultation for next Tuesday.

After the Fire Is Out

Once your site is stable, that’s when root-cause work matters reviewing how the attacker got in, what vulnerability was exploited, and what ongoing protection should look like. Most businesses that go through an emergency response move to Armor Lite or Armor Pro afterward, specifically so this doesn’t happen a second time. That’s a separate conversation for a calmer day right now, the job is just getting your site back under control.

https://tremhost.com/clientarea/store/tremhost-armor-powered-by-cloudflare

Hot this week

PCI DSS and Small Business Hosting: What “Ready” Configuration Actually Means

If you run an online store or process payments...

Post-Incident Reports: Why Knowing What Changed on Your Server Matters as Much as Fixing It

When a website gets attacked and then recovers, the...

What Actually Happens During a DDoS Attack: A Plain-English Breakdown for Site Owners

"DDoS" gets thrown around constantly in hosting and security...

The Warning Signs Your WordPress Site Is About to Be Hit (And What Armor Pro Would Have Caught)

Most WordPress attacks don't arrive out of nowhere. There's...

Origin IP Exposed? Here’s Why Rotating It After an Attack Actually Matters

Here's a scenario that catches a lot of site...

Topics

spot_img

Related Articles

Popular Categories

spot_imgspot_img