Let me guess how it happened, because I’ve heard this story so many times I could set it to music.

A few years back, someone built you a website. Maybe a mate, maybe a freelancer, maybe an agency that’s since changed names twice. It looked good, it did the job, and you got on with actually running your business — which is, after all, the whole point. Then somewhere along the way the updates stopped, the person who built it drifted off, and the passwords ended up in an email account you haven’t opened since. Now the site’s sitting there with a “Copyright 2021” in the footer, you’re not entirely sure you can log in, and every time you think about it you get that low-grade dread usually reserved for tax time.

If that’s you: welcome, you’re in extremely good company, and there is absolutely no judgement here. I’ve spent 12+ years in IT and I can tell you that website neglect isn’t a character flaw — it’s the natural result of nobody being given the job of upkeep. The better news is that it’s almost always recoverable, and the path back is far more orderly than it feels from the inside.

Here’s the exact process I follow when a business hands me a neglected site. You can do a lot of it yourself.

Step 1: Work out what you actually own

Before you touch anything, take stock. A website isn’t one thing — it’s three things wearing a trench coat, and you need to know where each one lives:

  • The domain — yourbusiness.com.au. Who is it registered with, and is it in your name? This is the single most important asset you have online. Websites can be rebuilt in weeks; a lapsed domain that a squatter picks up, along with ten years of Google history pointing at it, cannot.
  • The hosting — the server your site’s files actually sit on. Who do you pay? How do you log in? (If the answer is “I think Dave was paying for it,” you’re not alone.)
  • The website itself — the software (usually WordPress), its admin login, and all your content.

If you don’t know the answers, that is step one. Do a domain lookup on your own domain name, dig out old invoices, and search your email for words like “renewal”, “hosting” and “expiry”. Between those three you’ll usually piece together the map. This is exactly the detective work we do at the start of every recovery job, and I promise it’s routine — we’ve traced sites through three defunct agencies and a deceased estate. Yours will be fine.

Step 2: Get access back — calmly, and in your name

Lost logins are the most common blocker, and almost none of it is fatal:

  • Domain access: every registrar has a recovery process tied to the registrant email. If that email is long dead, they have an identity-verification path — it’s slower, but it works. You’re proving you’re the business owner, which you are.
  • Hosting and WordPress: password resets first; failing that, the host’s support can verify you as the account holder and restore access. Hosts deal with this constantly.
  • “My web guy vanished”: the classic. Still recoverable — you re-establish ownership directly with the registrar and the host. You don’t need the vanished developer’s blessing, and you don’t need to feel awkward about it. It’s your business.

The one rule that matters here: as you recover each piece, move it into accounts tied to an email address you control — not your developer’s, not an ex-staffer’s, not the Hotmail account from 2011. The end state of this whole exercise is you holding your own keys. If you only take one thing from this article, take that.

Step 3: Back it up before you change a single thing

The moment you have access, take a full backup — the site files and the database — and download it somewhere off the server. Not “there’s probably a backup on the host somewhere.” An actual copy, on your actual computer.

Why so insistent? Because a neglected site is a fragile site. Old software plus a big batch of updates can occasionally break things, and the difference between “minor hiccup” and “genuine disaster” is whether you have a restore point. Thirty minutes of backup discipline buys you the confidence to do everything that follows.

Step 4: Deal with security before cosmetics

I know the temptation is to fix the embarrassing stuff first — the old prices, the staff member who left in 2023. Resist it for one more step, because security is where neglected sites actually get hurt.

Here’s the thing nobody tells small business owners: hackers aren’t sitting there targeting you. Automated bots scan the entire internet, around the clock, looking for one thing — old software with known holes. It’s nothing personal; you’re just a door someone forgot to lock. And the data backs this up: in Sucuri’s 2023 Hacked Website Report, 39.1% of the compromised sites they cleaned were running an out-of-date CMS at the point of infection (Sucuri, 2023).

Nor is it a cheap thing to get wrong. The Australian Signals Directorate puts the average self-reported cost of cybercrime to a small business at $56,600 in FY2024-25 (ASD) — and that’s before you count the reputational bruise of your customers meeting a hacked site.

So, from your freshly backed-up position: update WordPress core, plugins and themes. Delete the plugins you don’t use — every one of them is a door, and fewer doors is better. Confirm the padlock (HTTPS) is active. Change the admin password to something strong and unique, and while you’re in there, make sure the username isn’t “admin”. If you discover the site has already been compromised, don’t panic — clean-ups are routine work too. Just don’t ignore it and hope.

Step 5: Now fix what your customers actually see

With the foundations safe, open your site on your phone — because that’s where your customers are. Worldwide, mobile is now 50.29% of all web traffic (Statcounter, May 2026), and I’d wager most owners of neglected sites haven’t looked at theirs on a phone in years.

Check the things that quietly cost you enquiries:

  • Are your phone number, hours and prices actually current? Tap the number — does it dial?
  • Does the contact form deliver to an inbox a human reads? Send yourself a test enquiry. (This one fails more often than you’d believe, and every silent month is a month of lost leads.)
  • Any broken links, missing images, or that telltale ancient copyright year in the footer?
  • Does it load quickly and hold together on a small screen?

None of this is glamorous, and that’s rather the point — it’s often a single day’s work, not a rebuild, and it’s the day’s work with the most direct payoff.

Step 6: Make the call — revive or rebuild?

Here’s where you get to make a decision from a position of control rather than avoidance, which feels remarkably good.

Revive if the bones are sound: the site’s modern enough, works on mobile, and was mainly suffering from neglect. Freshen the content, finish the fixes, and put it on a maintenance footing.

Rebuild if it’s on dead technology, can’t reasonably be made mobile-friendly, is slow beyond saving, or simply no longer represents the business you’ve become. Sometimes starting clean is genuinely cheaper than paying someone to wrestle an old build — I’ll happily tell you which side of the line you’re on, even when the answer is the cheap one.

Step 7: Make sure it never happens again

Websites don’t neglect themselves — they get neglected because nobody owns the upkeep. The fix is boring and effective: give someone the job. A simple care plan — updates applied, backups taken and tested, security watched, small changes handled — is the difference between a website as a one-off project that slowly rots and a working asset that just quietly does its job.

That’s it. Seven steps, no jargon, no shame. The site that’s been giving you background guilt for two years is usually about a fortnight away from being something you’re happy to put on a business card again.


We do website recoveries and takeovers all the time — lost logins, vanished developers, sites nobody’s touched since lockdown. If any of this sounded uncomfortably familiar, send it over: we’ll do a free, no-jargon health check, tell you honestly what state it’s in, and what we’d fix first. We’re in Campbelltown, we work across Macarthur and greater Sydney, and we answer our own messages.

Get a free website health check →

Figures quoted as published by Sucuri (2023), the ASD/ACSC (FY2024-25) and Statcounter (2026), sources linked inline.