Public-facing website defacement or redirect
Your municipal website displays unauthorized content or redirects to a hostile site.
The scenario
Residents call to say the town website is showing political content, redirecting to a sketchy domain, or serving a fake login page.
Who this is for: Communications lead, IT lead, CAO.
First steps
- 1. Take the affected pages or site offline (First hour)
Replace with a static maintenance page. Better to be down than to serve hostile content to residents.
- 2. Preserve the defaced state before restoring (First hour)
Screenshot every page; save the raw HTML; preserve server logs. Restoring from backup wipes evidence.
- 3. Check for credential theft via the fake login page (First day)
If the defacement included a fake resident login, anyone who entered credentials in the window of compromise needs to be notified to rotate passwords.
- 4. Audit CMS, hosting, and DNS access (First day)
Defacement is often a credential compromise on the CMS (Drupal, WordPress, CivicPlus, Granicus), the hosting provider, or the DNS registrar. Rotate credentials for all three.
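One way to carry out step 2 on the web server before any restore, as an added example that is not part of the original playbook. The directory arguments are placeholders you supply, and the script assumes `tar` and GNU `sha256sum` are available; screenshots still have to be taken separately.

```shell
#!/bin/sh
# Added example: preserve the defaced state (files + logs) before restoring.
# Arguments are assumptions supplied by the operator:
#   $1 web root with the defaced files, $2 web server log directory,
#   $3 evidence destination (ideally storage that is NOT on the web host)

preserve_evidence() {
    webroot=$1; logdir=$2; dest=$3
    [ -d "$webroot" ] && [ -d "$logdir" ] || { echo "missing source dir" >&2; return 1; }

    # UTC timestamp so the case folder lines up with log timestamps later.
    case_dir="$dest/defacement-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$case_dir" || return 1

    # Archive instead of copying file by file: tar keeps modification
    # times, modes and owners, which help date the unauthorized change.
    tar -C "$webroot" -cf "$case_dir/webroot.tar" . || return 1
    tar -C "$logdir"  -cf "$case_dir/logs.tar" .    || return 1

    # Human-readable listing (with timestamps) for the post-mortem.
    tar -tvf "$case_dir/webroot.tar" > "$case_dir/webroot-listing.txt" || return 1

    # Hash manifest: lets you show later that the evidence was not altered.
    ( cd "$case_dir" &&
      sha256sum webroot.tar logs.tar webroot-listing.txt > SHA256SUMS ) || return 1

    # Make the capture read-only to guard against accidental edits.
    chmod -R a-w "$case_dir"
    echo "$case_dir"
}

# Re-check the capture against its manifest; non-zero exit means it changed.
verify_evidence() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Usage (paths are examples only):
#   preserve_evidence /var/www/html /var/log/nginx /mnt/evidence
```

Run `verify_evidence` on the case folder again before handing the capture to investigators or law enforcement.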
Continuity of service
- Direct residents to social media or a phone line for the duration of the outage.
- If essential services depend on the site (utility payments, permits), surface alternative channels prominently on the maintenance page.
Communication
Issue a plain statement: the site was altered, here is what residents should not click, and here is what to do.
Regulator hand-off
- Notification is only required if PII was exposed or stolen credentials are involved.
FAQ
Capture forensic evidence first — at minimum, screenshots and a copy of the defaced files. Restoring without evidence makes the post-mortem and any law-enforcement referral much weaker.