When you think about your website getting hacked, you probably imagine a dramatic moment — a screen going blank, a warning message, something obvious. The reality is very different. Most website breaches are silent. The attacker gets in, does what they want, and leaves before you ever notice anything is wrong.
Understanding the timeline of a breach is the first step to stopping one. Here is what happens, from the moment an attacker finds your site to the long tail of recovery.
Minute 0: The breach happens
It starts with an automated scan. An attacker does not sit at a keyboard and manually pick your website out of millions. Instead, they run a bot that scans thousands of websites at once, looking for common vulnerabilities: an outdated WordPress plugin, an exposed configuration file, a login page with no rate limiting, an unpatched server component.
These bots scan the entire internet, 24 hours a day, 7 days a week. Your website has been scanned dozens of times today already. Most scans find nothing useful and move on. But if the bot finds a way in — say, a plugin with a known vulnerability that you have not updated — the breach begins in under a second.
What to do: Keep all software updated. Remove unused plugins and themes. Run regular security scans to find vulnerabilities before bots do.
First 10 minutes: The attacker explores
Once the bot finds a way in, it automatically explores the environment. It checks what files are on the server, what databases are accessible, what user accounts exist. It looks for configuration files that might contain passwords, API keys, or database credentials.
Within minutes, the attacker typically plants a backdoor — a small hidden file that lets them get back into the server even if you fix the original vulnerability. This backdoor is designed to avoid detection. It might be disguised as a legitimate system file or hidden deep in a directory you would never check.
At this point, your website still looks completely normal. Your visitors notice nothing. Your analytics show regular traffic. But someone else now has the same access to your server as you do.
What to do: If you discover a breach in progress, change all passwords immediately and take the site offline. A backdoor means that simply patching the original vulnerability is not enough — you need a full forensic review.
First hour: Data exfiltration begins
With access established, the attacker starts extracting value. This usually means downloading your database — customer names, email addresses, phone numbers, order histories, and anything else stored on your site. If you process payments and store card details (which you should never do), those are a prime target.
The attacker might also set up additional capabilities: a phishing page hidden on your domain, a cryptocurrency mining script that uses your server resources, or a spam email operation running through your mail server. Some attackers install ransomware that encrypts your files and demands payment for the decryption key.
If your site has an admin panel, the attacker may change credentials to lock you out. If your database contains passwords (even hashed ones), they will take those too — many users reuse passwords across sites, making them valuable on dark web markets.
What to do: Encrypt sensitive data at rest. Never store payment card details. Use strong, unique passwords. Implement rate limiting and IP-based access controls on admin areas.
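One way to combine the last two controls, as an added example that is not part of the original article: an IP allowlist on the admin area plus a per-client sliding-window limit on login attempts. The paths `/admin/` and `/login`, the allowlisted network and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values for illustration; adjust to your own site.
ADMIN_PREFIX = "/admin/"
LOGIN_PATH = "/login"
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
MAX_ATTEMPTS = 5       # login POSTs allowed per client IP ...
WINDOW_SECONDS = 300   # ... within this sliding window

class AdminGate:
    """Decide per request: 'allow', 'deny-ip' or 'deny-rate'."""

    def __init__(self):
        # client IP -> timestamps of that client's recent login POSTs
        self._attempts = defaultdict(deque)

    def check(self, client_ip, method, path, now):
        # client_ip must be the real peer address, not an unvalidated
        # X-Forwarded-For header, or both controls can be sidestepped.
        if path.startswith(ADMIN_PREFIX):
            addr = ipaddress.ip_address(client_ip)
            if not any(addr in net for net in ADMIN_ALLOWLIST):
                return "deny-ip"
        if method == "POST" and path == LOGIN_PATH:
            window = self._attempts[client_ip]
            # Drop attempts that have aged out of the window.
            while window and now - window[0] >= WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MAX_ATTEMPTS:
                return "deny-rate"
            window.append(now)
        return "allow"

def replay():
    """Run constructed requests (one login POST per second) through the gate."""
    gate = AdminGate()
    return [gate.check("198.51.100.7", "POST", LOGIN_PATH, t) for t in range(7)]

if __name__ == "__main__":
    print(replay())
```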
First day: You probably do not know yet
Here is the uncomfortable truth: the average time to detect a data breach is 197 days, according to the annual Cost of a Data Breach report. For small businesses without security monitoring, it is often even longer.
During this time, the attacker has free rein. They can come and go through their backdoor, exfiltrate data in small batches to avoid triggering bandwidth alerts, and slowly exploit whatever they have found. Your website continues to operate normally. Your customers continue to visit and submit their details.
Meanwhile, your stolen data may already be for sale on the dark web. Customer email addresses get added to phishing lists. If the attacker found email credentials, they may already be sending spam or phishing emails that appear to come from your domain.
What to do: Set up website monitoring that alerts you to file changes, unexpected admin logins, and database modifications. The faster you detect a breach, the less damage it causes.
First week: Discovery
Most small businesses discover a breach in one of three ways:
- A customer reports suspicious activity. A client receives a strange email from your domain. Someone notices unfamiliar charges after buying from your site. This is the most common way small businesses find out.
- Google blacklists your site. Google's Safe Browsing system flags your site as compromised. Visitors see a red warning screen instead of your homepage. Your search rankings drop.
- A security tool alerts you. If you have monitoring in place, it detects unusual file changes, new admin accounts, or database anomalies and sends you an alert.
The last option is the only one that gives you a chance to respond quickly. The first two mean the breach has already caused visible harm.
What to do: Take the site offline. Change every password — hosting, CMS, FTP, database, email, DNS. Engage a security professional to identify the attack vector, remove backdoors, and audit the full extent of the breach. Document everything for potential ICO reporting.
First month: The aftermath
The weeks after discovery are expensive and stressful. Here is what you face:
Incident response costs. Hiring a security professional to clean your site, close vulnerabilities, and verify the attacker is fully removed typically costs £1,500 to £5,000 for a small business website. A full rebuild costs more.
Customer notification. Under the GDPR, if personal data was accessed, you must notify affected individuals "without undue delay." For 500 customers, that means 500 emails or letters explaining what happened, what data was affected, and what steps they should take.
ICO reporting. If the breach involves personal data and is likely to result in a risk to people's rights and freedoms, you must report it to the Information Commissioner's Office within 72 hours of becoming aware of it. Failure to report is itself a breach that can attract fines.
Reputation damage. Customers who trusted you with their data now know that trust was violated. Some will leave. Others will hesitate before doing business with you again. Rebuilding trust takes months or years.
Lost revenue. Your site may have been offline for days during cleanup. Google warnings may have driven away potential customers. Email blacklisting means your legitimate emails are landing in spam folders.
What to do: Report to the ICO within 72 hours if personal data was involved. Notify affected customers honestly and promptly. Rebuild the website on a hardened foundation with ongoing monitoring. Consider credit monitoring services for affected customers.
The simple truth
Every stage of this timeline is preventable. The bot that scanned your site was looking for known vulnerabilities — problems that have documented fixes. The backdoor was planted because no one was watching for file changes. The data was stolen because it was not encrypted. The breach went undetected because there was no monitoring in place.
A basic security check catches the most common attack vectors in minutes. Ongoing monitoring catches the rest. The cost of prevention is a fraction of the cost of recovery. For a UK small business, prevention might cost £20 to £59 per month. A breach costs an average of £4,200 — and can reach tens of thousands.
Do not wait for the minute-by-minute timeline to become your timeline. Run a free security scan on your website today and find out where you stand.