Site Restoration & Security Migration
Incident Date: October 10, 2025
Plan Created: October 17, 2025
Last Updated: October 17, 2025
Classification: INTERNAL USE ONLY
This document outlines the comprehensive plan to restore WASH Institute web properties and implement long-term security measures following the October 10, 2025 security incident. Three distinct sites require different approaches based on urgency, technical requirements, and business needs.
Strategy Overview:
Incident Timeline:
Sites Affected:
Immediate Actions Already Taken:
washinstitute.org/urban - WordPress Installation
⚡ URGENCY: MEDIUM
Back online temporarily on the compromised server. Discussions are under way with the original developers about handling the migration to an isolated server.
Current Status:
Required Action:
This WordPress installation needs to be migrated to an isolated, secure server environment (completely separate from the compromised custom PHP site) to eliminate vulnerability exposure. WASH Institute is currently in discussions with the original developers to determine if they can handle the migration.
Implementation Checklist
Note:
WASH Institute is in discussions with the original WordPress developers about handling the migration. This checklist serves as guidance for whoever performs the migration.
Recommended WordPress Security Plugins
The following security plugins are highly recommended for comprehensive WordPress security:
1. Wordfence (4.9/5 stars)
Cost: Free (Premium from ₹10,000/year)
2. Patchstack (5/5 stars)
Cost: Free (Premium from ₹400/month)
3. Defender Security (4.5/5 stars)
Cost: Free (Pro from ₹3,000/year)
Recommendation:
Install at least one of these plugins immediately after migration. Wordfence or Patchstack are preferred for their comprehensive protection.
Ongoing Maintenance Requirements (Short-Term)
To maintain security on the new server, the following must be performed regularly:
Weekly Security Scans
Automated vulnerability scanning and malware detection
Monthly Security Audits
Manual review of security configurations and access logs
PHP & WordPress Updates
Apply critical security updates immediately; test others monthly
Plugin Updates
High risk - monitor and update promptly to avoid vulnerabilities
Estimated Ongoing Cost:
₹1-2.5 Lakh/year + significant time investment
Long-term Strategy:
Eventually migrate to the Payload CMS platform for dynamic content with static generation. This is a long-term goal requiring significant development effort, to be evaluated as a separate project after immediate security concerns are addressed.
mtu.washinstitute.org - Custom PHP Site
⚡ STATUS: OFFLINE
Ready for static conversion and deployment
Recommended Approach:
This site can be quickly restored as a static site, eliminating all PHP execution vulnerabilities and providing a secure, performant, zero-cost solution.
Benefits of Static Deployment
Implementation Checklist
Estimated Cost: ₹0/year
Free hosting on Cloudflare Pages, minimal maintenance required
washinstitute.org [root domain] - Main WordPress Site
📋 URGENCY: LOW (Strategic)
Long-term migration project - not time-critical
⚠️ CRITICAL RECOMMENDATION
Do NOT make this site live via the GoDaddy Server. Only bring it back online after completing the migration to static hosting. The vulnerability that enabled the attack remains unfixed on the current server.
Migration Strategy:
Migrate to static HTML hosted on Cloudflare Pages
Ensure all files and assets remain accessible via the same URLs (use redirects to archive subdomain if needed)
Store assets in Cloudflare R2 (bucket storage)
Manage site content via GitHub for version control
All content changes made directly in code (developer-assisted updates)
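A pre-deployment check for the migration strategy above, added here as an example and not part of the original plan: it compares the legacy URL inventory against the static build output, emits Cloudflare Pages `_redirects` lines (source, destination, status code) for any URL the build no longer serves, and flags server-side scripts left in the export. `ARCHIVE_HOST`, the sample URL paths and the build file list are constructed placeholders; the plan does not name the archive hostname.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption: placeholder hostname for the "archive subdomain" in the plan.
ARCHIVE_HOST = "archive.example.org"
# Server-side scripts have no place in a static export; a static host would
# publish them as downloadable source rather than execute them.
SERVER_SIDE_EXT = (".php", ".phtml", ".phar")

def candidates(url_path):
    """Build-output files that would satisfy this URL path on a static host."""
    p = posixpath.normpath("/" + url_path.lstrip("/")).lstrip("/")
    if p == "":
        return ["index.html"]
    if url_path.endswith("/"):
        return [p + "/index.html"]
    return [p, p + ".html", p + "/index.html"]

def plan_redirects(legacy_urls, build_files):
    """Return (_redirects lines for unserved URLs, leftover server-side files)."""
    files = set(build_files)
    lines = []
    for url in legacy_urls:
        path = urlsplit(url).path or "/"
        if not any(c in files for c in candidates(path)):
            lines.append(f"{path} https://{ARCHIVE_HOST}{path} 301")
    leftovers = sorted(f for f in files if f.lower().endswith(SERVER_SIDE_EXT))
    return lines, leftovers

# Constructed sample inventory (paths are illustrative, not taken from the site).
LEGACY_URLS = [
    "https://washinstitute.org/",
    "https://washinstitute.org/about/",
    "https://washinstitute.org/contact",
    "https://washinstitute.org/wp-content/uploads/2019/report.pdf",
]
# Constructed sample of files found in the static build directory.
BUILD_FILES = ["index.html", "about/index.html", "contact.html", "wp-login.php"]

if __name__ == "__main__":
    redirects, leftovers = plan_redirects(LEGACY_URLS, BUILD_FILES)
    print("\n".join(redirects))
    for f in leftovers:
        print(f"REMOVE BEFORE DEPLOY: {f}")
```

In practice the legacy inventory would come from the old site's sitemap or access logs, and the build list from walking the export directory.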
Implementation Checklist (High-Level)
Forms Management
Most forms can be disabled. Critical forms can be recreated using:
Action Required:
Identify essential forms as you go. [See "In Campus Courses" on https://www.washacademy.org/]
Future Content Management:
If self-service content editing is required in the future, the existing Payload CMS + Astro/Next.js platform can be extended to manage this static content. This would be evaluated as a separate project after the immediate security concerns are addressed.
For now, content updates will be developer-assisted (make changes in code, commit to Git, auto-deploy).
Decisions Checklist
⚠️ Action Required
These decisions should be made as soon as possible to allow implementation to proceed. Priority 1 (Urban site migration) is pending discussions with original developers about who will handle the migration.
Resource Comparison
| Item | Current State | After Migration |
|---|---|---|
| Main Site Hosting | GoDaddy Server | Cloudflare Pages (Free) |
| Main Site Security | Ongoing maintenance required | Minimal - static files |
| MTU Hosting | GoDaddy Server | Cloudflare Pages (Free) |
| Urban Site Hosting | GoDaddy Server (vulnerable) | New isolated secure server |
| Urban Site Security | Vulnerable (no security measures) | Active security monitoring & updates required |
Key Resource Benefits After Migration:
Success Criteria
We'll know remediation is complete when:
This remediation plan addresses both immediate security needs and long-term architectural improvements. The three-tier priority approach ensures that the most vulnerable site (Urban) is secured immediately while laying the groundwork for permanent security through static HTML migration.
Key Points:
The recommended approach balances immediate business needs (Urban must stay online) with long-term security and cost optimization (static HTML migration). This strategy provides the best combination of security, performance, and maintainability for WASH Institute's web presence.