At some point, your law firm website is going to go down. It might be a hosting outage, an expired domain, a botched plugin update, a billing lapse, or a security incident. The cause doesn't matter as much as what you do in the first hour. Most attorneys have no plan for this, and that's how a two-hour outage turns into a two-day one. This is your emergency plan.
Step One: Confirm It's Actually Down
Before you panic, confirm the problem is real and not just your browser or network. Go to downforeveryoneorjustme.com and enter your URL. If it says the site is up for everyone else, the problem is local: try clearing your browser cache, switching browsers, or checking on your phone using mobile data instead of your office WiFi. A DNS change that hasn't fully propagated can look like a site being down from certain locations.
If the site is confirmed down for everyone, move quickly.
Step Two: Check the Obvious Causes First
The most common reasons a law firm website goes offline are not dramatic. Work through this list before assuming the worst.
Hosting account billing. Log in to your hosting control panel and check for any overdue invoices or expired payment methods. Hosts will suspend accounts, sometimes with very little warning, over a failed credit card charge. If your card expired and auto-renewal failed, this is probably your answer. Pay the invoice, give it a few minutes, and check again.
Domain expiration. Go to lookup.icann.org and look up your domain. Check the expiration date. If it lapsed, log in to your registrar and renew it immediately. DNS can take a few hours to propagate after renewal, so the site won't come back instantly, but it will come back. This is why auto-renewal and an up-to-date payment method on your registrar account matter more than most attorneys realize.
SSL certificate expiration. If your site loads but shows a browser security warning rather than being fully unreachable, your SSL certificate has likely expired. Most visitors will not click through a security warning, so this is functionally an outage. Log in to your hosting panel and renew or reissue the certificate. On most modern hosts, SSL is automated through Let's Encrypt and renews every 90 days without you doing anything, but occasionally the renewal fails silently.
A recent change broke something. If someone updated a plugin, changed a setting, or modified the site recently, that change is the most likely culprit. Log in to your WordPress dashboard if you can still access it and check the activity log or recent updates. If a plugin update broke the site, deactivating that plugin may restore it immediately.
Step Three: Contact Your Host
If none of the above explains the outage, contact your hosting provider directly. Have your account information ready: username, the domain name, and a description of what you're seeing. Ask specifically whether there's an active incident on their infrastructure, whether your account has been suspended, and whether there are any error logs associated with your account.
Good hosts have status pages. DigitalOcean's status page shows real-time infrastructure incidents. If your host has one, check it before calling. If there's a known outage, there's nothing to do but wait and monitor for resolution.
If your host's support is slow, unresponsive, or unhelpful during an active outage, that is useful information. The quality of support during an emergency is one of the most important factors in choosing a host, and it's one most people only discover after something goes wrong.
Step Four: Check for a Security Incident
If your site has been hacked or compromised, the symptoms can look like an outage: the site may redirect to something else, show a blank page, display an error, or simply not load. Log in to your hosting panel and look at your file manager or FTP access. If you see unfamiliar files, recently modified core files, or files with names that look random or suspicious, you may be dealing with a malware injection.
A compromised site needs to be cleaned properly, not just taken offline and restored from a backup without understanding what happened, because the same vulnerability will be exploited again. If you're on WordPress, the Wordfence Security plugin can scan for malware and identify modified files. If the infection is serious, you may need professional help to clean it without losing legitimate content.
This is also why backups matter. A clean backup from before the compromise is the fastest path to recovery. If you don't have recent backups, that's the first thing to fix after this incident is resolved. Your host may have automated backups available in your control panel, but verify this now rather than discovering it doesn't exist when you need it.
Step Five: Communicate if the Outage is Extended
If your site has been down for more than a couple of hours and you cannot quickly resolve it, consider whether any clients or prospective clients are likely to be affected. A client who tries to reach your contact form during an active matter and gets nothing is a client who may assume you're unreachable. Make sure your phone number and email address are working and that your Google Business Profile is up to date so people can still find a way to contact you while the site is restored.
You do not need to announce the outage publicly. But if a client specifically tells you they tried to reach you through the site and couldn't, acknowledge it directly and give them a direct contact method going forward.
After the Outage: What to Fix So it Doesn't Happen Again
Once your site is back up, use the incident as a forcing function to address the gaps that made it worse than it needed to be. Most outages are made significantly longer by the absence of a few basic safeguards that take less than an hour to put in place.
Set up uptime monitoring. UptimeRobot is free for up to 50 monitors and will send you an email or text the moment your site goes down. Without monitoring, you find out about outages when a client tells you, which is already too late. With monitoring, you find out within minutes, before anyone else does.
Enable auto-renewal everywhere. Your domain registrar, your hosting account, and your SSL certificate (if it's not automated) should all have auto-renewal enabled with a current payment method. Set a calendar reminder to verify this once a year. Expiration-related outages are entirely preventable.
Verify your backups. Log in to your hosting control panel and confirm that automated backups are running and that you can actually restore from them. A backup you have never tested is not a backup you can rely on. Download a recent backup and confirm the files are intact.
Know your credentials. You should have immediate access to your hosting control panel login, your domain registrar login, and your WordPress admin login without having to hunt for them. Store these somewhere secure, like a password manager, and make sure at least one other trusted person has access in case you're unreachable during an incident.
Keep WordPress and plugins updated. Outdated software is the most common vector for security compromises. Enable automatic updates for minor WordPress releases and review your plugin list periodically to remove anything you're not actively using. Fewer plugins means a smaller attack surface and fewer things that can break during an update.
The Underlying Issue
Most of the attorneys I've worked with who have experienced a serious website outage had one thing in common: they didn't own their own hosting or have direct access to their own infrastructure. Their agency or developer held the accounts, and when something went wrong, they had to wait for someone else to respond. If your hosting account, domain, and backups are all in your own name with your own credentials, you can act immediately. If they're not, you're dependent on someone else's availability and motivation during your emergency.
This is one of the reasons I set up every client's infrastructure in their own name from day one. If we ever stop working together, or if something goes wrong at two in the morning, you can log in and handle it yourself or hand the credentials to whoever you need to. That's how it should work. If you're currently in an arrangement where you don't have direct access to your own hosting and domain, that's worth fixing before the next outage, not after. Get in touch if you'd like help getting there.
Comments