At 11pm on a Tuesday, my phone rang.
It was a client. His company website — a business that had been operating for decades, with thousands of pages of product data, hundreds of blog posts written over years — was completely down. Not “slow” or “throwing a 404.” Down. The kind of down where you try to log into cPanel and find yourself locked out entirely.
The cause: ransomware.
What Ransomware Does to a Website
Most people associate ransomware with corporate networks and hospital systems. But shared hosting accounts are extremely common targets. When ransomware hits a website, it systematically encrypts files — your PHP scripts, your database, your media, your configuration files — and makes them completely unreadable without a decryption key.
In this case, the encryption had already started by the time I was called in.
The attackers wanted money. The website was inaccessible. Years of content were at risk.
What Every Other Developer Said
Before me, the client had shown the problem to a few developers. The response was consistent:
“The data is encrypted. There’s nothing to be done.”
“You’ll need to start from scratch.”
“This is very complex. It will take weeks and cost significant fees.”
I understand the instinct — ransomware is legitimately serious. But “there’s nothing to be done” is almost never the full truth. It just means the person saying it doesn’t want to look hard enough.
What We Actually Did
Ransomware doesn’t encrypt everything instantly. It works sequentially, file by file. If you catch it early enough, there’s a window — and this time, we did.
Step 1: Stop the spread. The moment I got access, I suspended all processes on the hosting account. No more encryption could occur while we assessed.
Step 2: Map what was intact. I went through the file system methodically — not panicking, just cataloguing. Database files: partially encrypted but recoverable with the right tools. Blog posts (which my client had spent years writing): largely intact. Product catalogue: recoverable. Media (images, videos): encrypted. Gone.
Step 3: Extract the recoverable data. Using database recovery tools, I pulled every blog post. Every product listing. Every category, every tag, every piece of structured content that existed before the encryption reached it. Nothing was left on the table.
Step 4: Diagnose the entry point. Ransomware doesn’t appear from nowhere. We found a vulnerable outdated plugin that had been sitting unpatched for eight months — the attacker’s entry point. That plugin, and all others like it, were identified and quarantined.
Timeline: under 24 hours from first contact to full recovery of all recoverable assets.
What Was Lost vs. What Was Saved
Saved:
- All blog content (hundreds of posts, years of writing)
- Complete product catalogue
- All structured data and SEO-relevant content
- Business information, contact details, all text content
Lost:
- Uploaded media files (images, banners, product photos)
- These files were encrypted before we could reach them
The media was painful — but it was replaceable. The written content was not.
The Real Lesson Here
This incident happened because of a chain of small neglects:
- A plugin hadn’t been updated in 8 months
- There were no recent backups
- No monitoring was in place to detect unusual file activity
- No one was watching
Every single one of these is preventable. Monthly maintenance — updating plugins, running backups, monitoring for anomalies — costs a fraction of what an attack like this costs in time, stress, and lost content.
The website is now being rebuilt from scratch at an enterprise level, with proper infrastructure, security hardening, and a backup system that runs automatically every 24 hours.
The client’s content survived. The attackers didn’t win.
If your website is on shared hosting, running WordPress with plugins you haven’t updated in months, and you have no backup from this week — you should be uncomfortable reading this. Because this exact situation can happen to you.
Klixo Studio offers website maintenance plans that include weekly backups, security monitoring, and plugin management. If you want your site protected, get in touch.