Cyber blog

Category: Uncategorized

  • Do I Need to Tell Clients My Website Was Hacked?

    Do I Need to Tell Clients My Website Was Hacked?

    If your website’s been hacked, this question turns up very quickly, usually somewhere between panic and regret.

    Do I need to tell my clients?
    Am I legally required to?
    Will this blow up my reputation?

    Unfortunately, most advice online is either written by lawyers covering themselves, or by people confidently repeating things that simply aren’t true.

    So let’s slow it down and deal with reality instead of internet hysteria.

    A hacked website does not automatically mean a data breach

    This is the most important thing to understand, and it’s where a lot of businesses get misled.

    Your website being hacked does not automatically mean client data was breached.

    Under UK GDPR, the issue isn’t “was the website hacked”.
    The issue is whether personal data was accessed, exposed, altered, or put at risk.

    If no personal data was involved, there may be nothing to notify anyone about at all.

    Yes, really.

    What actually counts as a data breach under UK GDPR?

    In plain English, a data breach involves unauthorised access to personal data.

    Personal data includes things like:

    • Names
    • Email addresses
    • Phone numbers
    • Login details
    • Payment information

    It does not include:

    • Your homepage
    • Your blog posts
    • Your logo
    • Your About page looking a bit odd

    So the key question is not “was my site hacked”, but:

    Was personal data accessed or put at risk?

    Everything flows from that.

    When you usually don’t need to tell clients

    In many small business cases, notification is not required.

    Common examples:

    • A brochure site with no stored user accounts
    • A basic contact form that emails enquiries but doesn’t store them
    • No evidence of database access
    • No signs of admin accounts being abused

    If there is no personal data involved, or no reasonable risk to individuals, UK GDPR does not require you to notify clients just because your site was compromised.

    This surprises people. It shouldn’t, but it does.

    When you may need to notify clients

    There are situations where notification becomes necessary.

    You may need to notify clients if:

    • Personal data is stored in your website database
    • Customer accounts or admin accounts were accessed
    • Payment systems or client portals were involved
    • There is evidence data was exfiltrated or tampered with
    • Individuals could realistically be affected

    The legal test isn’t embarrassment or inconvenience.
    It’s risk to the rights and freedoms of individuals.

    If that risk exists, you need to take it seriously.

    What UK GDPR actually expects you to do

    Despite what some blogs imply, UK GDPR does not demand public confessions for every technical incident.

    What it expects is proportionate, documented decision-making.

    That usually means:

    • Investigating what happened
    • Establishing what data was involved
    • Recording the incident internally
    • Assessing the risk to individuals

    If there is a risk to individuals, you may need to:

    • Notify the ICO within 72 hours
    • Notify affected individuals if the risk is high

    If there isn’t, you document your reasoning and move on.

    That documentation matters more than panic emails.

    If you do need to notify clients, what should you say?

    This is where people often make things worse.

    If notification is required, it should be:

    • Clear
    • Factual
    • Calm
    • Free of speculation

    Explain:

    • What happened (briefly)
    • What data was involved
    • What you’ve done to fix it
    • What, if anything, clients need to do

    Do not:

    • Guess
    • Apologise for things you don’t understand yet
    • Use dramatic language
    • Overpromise future security perfection

    Honesty is good. Over-sharing is not.

    Common mistakes that cause unnecessary panic

    These come up constantly:

    • Announcing a “data breach” without evidence
    • Copying US-based advice that doesn’t apply in the UK
    • Notifying clients before understanding the scope
    • Treating hosting warnings as legal conclusions

    Noise does not equal compliance.

    Calm assessment does.

    So, do you need to tell clients your website was hacked?

    Sometimes yes. Often no.

    If personal data was accessed or put at risk, notification may be required.
    If it wasn’t, it usually isn’t.

    The deciding factor is not fear, reputation, or worst-case thinking.
    It’s what actually happened.

    If you don’t know that yet, the right move isn’t to email everyone.
    It’s to find out.

    If you’re unsure

    That’s normal. Most business owners aren’t meant to be incident response specialists.

    The sensible first step is understanding:

    • What was accessed
    • What wasn’t
    • And whether any real risk exists

    Once you know that, the decision becomes a lot less dramatic and a lot more boring.

    Which, in situations like this, is exactly what you want.

  • Is My WordPress Backup Safe or Already Infected?

    Is My WordPress Backup Safe or Already Infected?

    If your WordPress site was hacked, the first thing most people do is panic, then sigh in relief: “Ah, at least I have a backup.”

    But here’s the catch: not all backups are created equal. Some can be just as compromised as the site you’re trying to save.

    Let’s look at how to tell if your backup is actually safe and what to do if you’re not sure.

    Why a hacked backup is a real problem

    A backup is only useful if it’s clean. Restoring a compromised backup can:

    • Reintroduce malware or backdoors
    • Reinstate modified spam content
    • Cause repeated reinfections
    • Waste your time and money

    So assuming your backup is automatically safe can turn a fix into a nightmare.

    Common ways backups get infected

    Even if you’re diligent, backups can still be compromised in several ways:

    1. Backing up an already infected site
      If malware is hiding in core files or plugins, a full backup captures it too.
    2. Database infections
      Hacks can leave hidden scripts or rogue admin accounts in your database, which get restored along with the site.
    3. Backup tools that don’t scan
      Some plugins simply copy files without checking for malicious code.
    4. Old backups
      Malware evolves. A backup from a few months ago might be clean, or it might contain undetected scripts that have lingered for ages.

    How to check if your backup is safe

    While no method is 100% foolproof without expert review, you can reduce risk by:

    • Scanning the backup: Use malware scanning tools on the backup files before restoring. Wordfence, Sucuri, or manual virus scanners can help.
    • Inspecting the database: Look for unknown admin users, strange tables, or suspicious scripts.
    • Checking plugin and theme files: Ensure versions are current and from trusted sources.
    • Testing in a safe environment: Restore the backup on a staging or local environment first, not directly to your live site.

    When to consider a fresh rebuild

    Sometimes the backup isn’t trustworthy, and cleaning it could take longer than starting fresh. Signs you might need to rebuild include:

    • Multiple previous hacks
    • No clear “clean” backup exists
    • Infection in core files, themes, and the database
    • Business-critical site where downtime must be minimised

    A rebuild isn’t always fun, but it ensures you’re not repeatedly reintroducing the same vulnerabilities.

    Best practices for future backups

    To avoid uncertainty in the future:

    • Keep multiple backups, separated by date and storage location
    • Use reputable backup tools with integrity checks
    • Store backups offline or in a secure cloud service
    • Test restoring backups periodically
    • Keep WordPress, plugins, and themes up to date

    This way, the next time a hack occurs, you’ll have a clean copy you can trust.

    Bottom line

    A backup is only as safe as the site and process that created it. Never assume it’s clean. Always scan, inspect, and test before restoring.

    When in doubt, it’s safer to review the backup with an expert or consider rebuilding rather than risk reinfection.

    After all, the whole point of a backup is peace of mind—not a recurring panic.

  • Should I Rebuild My Hacked WordPress Site? A Guide for UK Small Businesses

    Should I Rebuild My Hacked WordPress Site? A Guide for UK Small Businesses

    If your WordPress site has been hacked, there’s a moment that comes after the panic, after the password resets, after Googling “WordPress malware removal” for the fifth time.

    It’s this thought:

    “Should I just burn it down and rebuild the whole thing?”

    Short answer: sometimes, yes.
    Long answer: it depends. And no, your hosting company’s checklist doesn’t count as an answer.

    This article is for small business owners who don’t want to become accidental cyber security hobbyists. You want your site fixed, your business running, and your stress levels back below “eye twitch”.

    For businesses in Bromley and across South East London, a hacked site isn’t just a technical glitch—it’s a threat to your local reputation.

    Let’s talk it through properly.

    Is your WordPress site compromised? The ‘Clean vs Rebuild’ dilemma

    Most guides on fixing a hacked WordPress site focus on how to clean it. Scan this, delete that, replace some files, cross fingers.

    What they rarely explain is whether that’s actually the best option for a business website.

    Cleaning a hacked site can work.
    Rebuilding a hacked site can also be the smarter move.

    The problem is no one tells you when each option makes sense, because nuance doesn’t fit neatly into a support article.

    So let’s add some.

    should you rebuild hacked wordpress website

    5 Signs you should rebuild your hacked WordPress site

    Rebuilding sounds extreme until you realise how many unknowns come with a compromised site.

    Rebuilding is often the safer option if:

    You don’t know how the site was hacked

    If the entry point is a mystery, you’re guessing. Guessing with malware is not a strategy, it’s optimism.

    Hidden backdoors are very good at staying hidden. You clean what you can see, they quietly wait.

    The site has been reinfected before

    If you’ve “fixed” it once already and it came back, that’s your answer. Something fundamental was missed.

    The site is old and fragile

    Outdated themes, abandoned plugins, years of bolt-ons layered on top of each other. Even if you clean it, you’re putting fresh paint on damp walls.

    You don’t have a known clean backup

    And no, a backup from “around the time it happened” does not count. Restoring malware is not recovery.

    The site is business critical

    If your site handles enquiries, payments, bookings, or customer data, peace of mind matters more than squeezing every last penny out of the current setup.

    When does cleaning a hacked website make sense?

    This isn’t a rebuild sales pitch. Cleaning can be the right move if:

    • The hack is recent and obvious
    • You have a confirmed clean backup from before the breach
    • The site is simple and well maintained
    • There’s no evidence of database tampering or multiple backdoors

    In these cases, a proper clean followed by hardening can be perfectly reasonable.

    The key word there is proper. Not “run a plugin and hope”.

    The hidden business risks of a ‘quick fix’ cleanup

    This is the bit no one tells you.

    Ongoing anxiety

    Every update, every slow load, every odd email notification makes you wonder if it’s back. That mental load is real.

    SEO damage that lingers

    Spam pages, poisoned sitemaps, search warnings. Even after cleanup, recovery can take months if things weren’t handled correctly.

    Time you didn’t budget for

    Monitoring, rescanning, rechecking. Time you could be spending running your business instead of babysitting a website.

    Risk of silent reinfection

    The worst hacks don’t announce themselves. They wait. That’s how businesses get compromised twice.

    Rebuild vs Clean: the boring but useful comparison

    Cleaning

    • Faster upfront
    • Cheaper initially
    • Higher long term risk
    • Relies on finding every issue

    Rebuilding

    • More work upfront
    • Slightly higher initial investment
    • Clean slate
    • Known secure baseline
    • Better long term stability

    For brochure sites and side projects, cleaning often wins.
    For real businesses, rebuilds usually pay for themselves in reduced risk and stress.

    GDPR and reputation: A reality check for UK small businesses

    If your WordPress site collects personal data and it’s been compromised, there are GDPR implications whether anyone mentions them or not.

    There’s also reputation risk. Clients don’t care that “WordPress got hacked”. They care that your site did.

    Rebuilding isn’t about aesthetics. It’s about control, compliance, and confidence.

    So… should you rebuild your hacked WordPress site?

    If this is your main business website and you don’t know exactly how the hack happened, rebuilding is often the sensible choice.

    Not because cleaning never works.
    But because guessing is expensive.

    Sometimes the fastest way forward is to stop trying to save something that’s already broken.

    If you’re still unsure

    That’s normal. This isn’t a decision you make lightly.

    If you want, I can look at your site and tell you honestly whether a rebuild is necessary or whether a clean is enough. No drama, no upsell theatre.

    Because the goal isn’t to rebuild websites.
    It’s to stop you having this conversation again in six months.

    Get in touch if you want me to take a look at your website.