A step-by-step look at how we contained a live DoS attack, cleaned a compromised WordPress environment, and rebuilt the GRA Empowerment Foundation website with a stronger, more secure architecture.
Introduction
The GRA Empowerment Foundation is a nonprofit organization focused on community impact, youth development, and social initiatives. Like many modern organizations, its website plays a central role in communicating programs, sharing updates, and supporting its work online.
Recently, the foundation’s website began experiencing repeated downtime. At first, it appeared to be a routine hosting issue: occasional traffic spikes causing the site to slow or briefly go offline.
But the pattern quickly became unusual.
Traffic levels were inconsistent with normal user behavior, and outages became more frequent. A deeper investigation revealed the real issue: the site was under a Denial-of-Service (DoS) attack, and malware had already infiltrated the WordPress environment.
Core files had been compromised, and parts of the hosting environment were infected. Without real-time monitoring in place, the attack progressed unnoticed until it began affecting availability.
What started as downtime quickly escalated into a full security incident.
The Challenges
The situation exposed several immediate risks.
Abnormal traffic spikes were overwhelming the server, resulting in repeated outages. At the same time, malicious scripts had been injected into WordPress files, and the hosting environment itself showed signs of compromise.
The website also lacked real-time monitoring tools, meaning alerts were never triggered when suspicious activity began.
This combination created both security risk and operational instability.
My Approach
1. Containing the Attack
The first step was to prevent further damage. Traffic logs were reviewed to spot malicious patterns, and suspicious IP addresses were blocked. Infected directories were contained within the hosting environment to stop the malware from spreading.
This established a controlled area for investigation and cleanup.
2. Removing the Malware
Once the attack was contained, a full malware cleanup began. The WordPress installation was scanned across core files, themes, and plugins. Infected files were quarantined, and malicious scripts injected into the database were removed.
Clean WordPress core files were reinstalled to restore system integrity, and all platform credentials were reset.
Nothing was left in place without verification.
3. Strengthening Monitoring
With the website stabilized, new monitoring systems were introduced. Real-time uptime monitoring was implemented with automated alerts. Continuous security scanning was also added to detect suspicious activity and vulnerabilities early.
This ensured issues could be identified before escalating into visible downtime.
4. Rebuilding the Architecture
Rather than simply patching the existing system, the whole website architecture was redesigned.
The frontend was migrated to Next.js, while PHP components were retained only where necessary. Plugin dependency was reduced, and server configurations were hardened to improve resilience.
These changes reduced the platform’s attack surface while improving overall performance.
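One way to carry out the file-integrity part of steps 1 and 2 above (deciding which files to quarantine and which core files to reinstall) is to diff the live WordPress tree against a checksum manifest taken from a known-clean copy. This is an added example, not the foundation's or Growth Hub's code; it assumes the uploads directory should never contain PHP and runs against a small constructed fixture rather than a real install.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: a healthy install serves no PHP from the uploads tree.
NO_PHP_DIRS = ("wp-content/uploads/",)


def build_manifest(root: Path) -> dict:
    """Hash every file of a known-clean tree: relative POSIX path -> sha256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def verify_tree(root: Path, manifest: dict) -> dict:
    """Diff a live tree against the manifest: modified and missing known files,
    files the manifest does not list, and PHP dropped into upload directories."""
    report = {"modified": [], "missing": [], "unexpected": [], "php_in_uploads": []}
    seen = set()
    for p in (q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif hashlib.sha256(p.read_bytes()).hexdigest() != manifest[rel]:
            report["modified"].append(rel)
        if rel.endswith(".php") and rel.startswith(NO_PHP_DIRS):
            report["php_in_uploads"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Constructed fixture: a tiny clean install and a tampered copy of it."""
    files = {"wp-settings.php": "<?php // core\n",
             "wp-includes/version.php": "<?php $wp_version = 'x';\n",
             "wp-content/uploads/2024/img.jpg": "jpegdata"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for tree in (clean, live):
            for rel, body in files.items():
                (tree / rel).parent.mkdir(parents=True, exist_ok=True)
                (tree / rel).write_text(body)
        manifest = build_manifest(clean)
        # Simulate the compromise: a line injected into a core file, a PHP file
        # dropped into uploads, and a core file deleted.
        (live / "wp-settings.php").write_text(files["wp-settings.php"] + "// injected\n")
        (live / "wp-content/uploads/2024/x.php").write_text("<?php // dropped\n")
        (live / "wp-includes/version.php").unlink()
        return verify_tree(live, manifest)
```

On a real install, `wp core verify-checksums` (WP-CLI) covers the core files against the published WordPress.org checksums; a manifest built from a clean backup extends the same check to themes, plugins and uploads.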
Result
The website was fully restored and has remained stable since the cleanup.
Performance improved after the rebuild, and the platform now operates with real-time monitoring and stronger security controls. The overall attack surface has been significantly reduced.
What began as a crisis ultimately became an opportunity to modernize the infrastructure supporting the foundation’s digital presence.
What We Learned
1. Preparation matters: Security incidents often expose weaknesses that go unnoticed during normal operations. Having a structured response process makes recovery faster and more controlled.
2. Monitoring is essential: Real-time alerts and automated scanning help detect issues early before they escalate into outages or deeper compromises.
3. Clean rebuilds can be better than quick patches: Re-architecting parts of the system reduced plugin dependencies and improved the platform’s resilience.
4. Security is ongoing work: Every incident provides insight into how systems can be strengthened to withstand future threats.
This case study is part of Growth Hub’s documentation of real-world web, product, and infrastructure improvements across client platforms.