Unfortunately for many businesses, this can be a commonly asked question. According to an article in New York Times, there are two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked. No company is immune; in fact major players like BlueCross BlueShield, Sony, Target and Home Depot have been subjected to hacks. While preventative measures can be taken to ensure the security of a website, our article is focused on the steps to take to get your site running again once you’ve been hacked.
How does a website get hacked?
If there is certainty your website has been hacked (in some cases it’s quite obvious), it’s important to understand what could have led to the hack so you can avoid a reoccurrence. Hacking can occur due to multiple factors:
- guessing your password (occurs with weak usernames and passwords)
- malaware on your local computer could have captured login credentials to your website
- a security vulnerability in your website’s software or third-party integration (dated software is high risk and a leading cause for hacks)
- a hacked website that shares the same hosting environment as your website (always research hosting providers and learn about their security practices. Cheap hosting don’t always offer the premium services needed for a secure environment.
So, my website has been hacked? Now what …
A hacked website is not a trivial matter. Depending on the severity, things can be fairly complex to clean up. Below are several pointers on what to do once your website has been hacked:
- Don’t panic.
No matter how ugly this looks, there’s a solution.
- Contact your support team.
If the technical requirements are not being met internally, you may want to consider contacting your web host to see if they have any insights to give. We recommend hiring a web developer or programmer who has technical knowledge and experience to fix the problem.
- Scan your local computer for malaware or viruses.
You will want to be sure that your local computer(s) are free from any infections, malaware, spyware, Trojans, etc. Also be sure that your anti-virus software is up to date.
- Scan your website to identify all malware and security threats.
Several tools are available for scanning your website. The tool we recommend is Sucuri, one of our trusted partners. Sucuri does a great job of checking the integrity of your website’s core files and recently modified files, and confirms any unidentified user logins that could indicate a user account was hacked
- Take your website offline.
You can contact your web host to have them temporarily shut down your website while it’s being assessed and repaired, or if your administrative panel provides the option, you can turn it off yourself.
The Cleaning Process
Once the infected files have been identified, you can manually remove all malicious code from your website, or you can secure a basic plan with our trusted partners at Sucuri who will help provide full support needed to clean up all infected files found in the site’s core directory and database.
For Manual Clean-up
While we personally recommend professional support, If you prefer to do your own manual clean up, it’s strongly advised that a full backup of your website is performed BEFORE the manual removal of hacked data. To manually clean up your website, you’ll want to perform the following steps:
- Clean website files.
- Log into your server via SFTP or SSH.
- Create a backup of the site before making changes.
- Identify recently changed files.
- Confirm the date of changes with the user who changed them.
- Restore suspicious files with copies from the official repository.
- Open any custom or premium files (not in the official repository) with a text editor.
- Remove any suspicious code from the custom files.
- Test to verify the site is still operational after changes.
- Clean hacked database tables.
To remove a malware infection from your website database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DBor Adminer. To manually remove a malware infection from your database tables:
- Log into your database admin panel.
- Make a backup of the database before making changes.
- Search for suspicious content (i.e., spammy keywords, links).
- Open the table that contains suspicious content.
- Manually remove any suspicious content.
- Test to verify the site is still operational after changes.
- Remove any database access tools you may have uploaded.
- Secure user accounts.
Remove any unfamiliar user accounts, and keep full admin user access limited to one account while setting other user roles to the least amount of privileges needed (authors, editors. etc). All passwords should be reset.
- Remove hidden backdoors.
Hackers always leave a way to get back into your site. More often than not, multiple backdoors can be found on your hacked website. These files are embedded in files and closely reflect the names of core files but are located in wrong directories. Be sure to clean up any backdoors from a hack, otherwise there’s a good chance your site will be reinfected quickly.
- Remove malware warnings.
If your website is being blacklisted by Google, McAfee or any other spam authorities, request a review after the hack has been fixed.
- Update and reset configuration settings.
One of the leading causes to infections is out-of-date software. Any software, plugins, extensions and themes associated with your website should be updated to the latest versions. After completing updates, verify that your website is operational.
- Reset ALL access points (passwords) to your website.
It is very important that ALL passwords be changed on all access points to your website: FTP/SFTP, SSH, Administrative Panel, and your database.
- Set backups.
One of the things we strongly encourage for our clients is doing a consistent backup of your website’s core files and database … consider it a safety net. Having a good backup strategy is highly recommended, especially for frequent bloggers.
- Integrate a website firewall.
Website firewalls help to significantly reduce the amount of vulnerability to your website by providing a perimeter defense system that surrounds your website. These benefits include:
- Preventing a future attack
- Virtual security updates
- Blocks brute force attacks
- Mitigate DDoS attacks
- Performance optimization
As you can tell, dealing with a hacked website isn’t fun, but by taking the steps mentioned above, you can recover from it. We offer all the support needed to recover an infected site, so please contact us if your website has been hacked. We also provide website maintenance plans to offer peace of mind that your site is secure. We keep your website free from vulnerability, we maintain your technology by keeping software up-to-date with the latest releases, and we provide weekly up-time monitoring, backups and more. Contact us to learn more.