My website has been hacked. What should I do?

This is a short guide for webmasters who have discovered that their website has been hacked. Common examples of website hacks include:

  • Taunting messages from the hacker(s) in question. These are typically hackers who are doing it for reputation, i.e. they will plaster their name all over your website.
  • Malware being served from your domain.
  • Redirects to other unknown URLs.
  • Content about viagra, etc. showing up in Google listings for your domain. In this case, your website has been hacked and it is being abused by unscrupulous black-hat SEOs.

What to do?

1. Calm Down.

The situation can be rectified and the damage can be reversed. Try to remain calm so that you can focus your energy on fixing the issue. Panicking will get you nowhere. It will only lead to rash decisions and costly mistakes.

2. Download.

Download a copy of everything on your website. This includes a backup of your database. Everything needs to be downloaded so that it can be analysed at a later stage. Scripts, images, CSS… everything. Download all of it to a folder on your local computer.

3. Take the site down.

For now, you will need to take the site down. This is all about minimizing the impact of the hack. If you are worried about your search engine rankings, then you will need to return a 503 HTTP response code for all indexed URLs. A 503 status code will tell search engine crawlers that your website is temporarily down due to maintenance or overloading.

4. Contact your host.

Your host will need to be informed about the breach, simply because:

  1. They might suspend your account if they discover that your site has been breached and that it is serving malware, for example.
  2. The issue could be on their side.

Describe the hack and let them know that you’re taking the necessary steps to rectify the situation. Also be sure to let them know that you’ve taken your site down.

5. FTP passwords.

Remove / alter every single FTP account that you have and replace them with accounts that have a different username and password. Make sure that these passwords are secure. Avoid usernames such as mywebsitename or admin.

At this stage, we’re not entirely sure if an FTP account was breached or not. We’re just cleaning up and securing all possible points-of-entry.

6. SSH.

If your server offers SSH access, be sure to change the password of every single user that has access. Disable unused accounts and install something such as Fail2ban, which will temporarily block IPs that have made too many failed login attempts. Make sure that you have disabled SSH login for the root account and avoid usernames such as admin and mywebsitename. Finally, be sure to take a look at this article on securing OpenSSH.

7. Everything has been compromised.

If you have the ability to do a fresh reinstall of the operating system on your web server, then you should take this option. After a security breach, you should assume that every single part of your system has been compromised.

If you do not have the ability to do this, then you should ask your host to do so.

If you manage to complete a fresh reinstall, then you should set up all FTP and SSH accounts with points 5 and 6 in mind.

8. WordPress, Drupal, etc.

If your website uses an open source solution such as WordPress or Drupal, then you should carry out a fresh reinstall of the software in question, i.e. download the latest version and install it. Do NOT reinstall the old version of the site, which you should have downloaded in point one. The files on the old version of your website have been compromised and it is possible that core files have been modified in a way that gives hackers access to your site (backdoors, etc).

9. I own a custom-built site?

In this case, you will need to contact the person or the agency that developed your website. If you are that person, then you will need to examine your code piece by piece and make sure that it is secure. Common vulnerabilities are often found in scripts that handle file uploads and user authentication. Note that the hackers may have injected their own code into some of your files, so be sure to review each file, line by line, until you’re fully confident that they’re clean. A basic example can be seen below:

In the code above, anything in the GET variable “args” will be executed as PHP. Nasty stuff!
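As an added example (not code from the original post), a small Python scanner that runs over the copy of the site downloaded in step 2 and flags the pattern the text describes, user input passed straight to eval(), along with a few related backdoor patterns. The sample file it scans is constructed here, and the pattern list is an assumption for illustration, not an exhaustive one:

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Regexes for the kind of injected code the article describes: user-controlled
# input ($_GET etc.) handed straight to eval() or a shell sink, plus the
# obfuscation wrappers (base64/gzip) that injected backdoors typically use.
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
SUSPICIOUS = {
    "eval_of_user_input": re.compile(r"\beval\s*\(\s*" + USER_INPUT),
    "assert_of_user_input": re.compile(r"\bassert\s*\(\s*" + USER_INPUT),
    "shell_of_user_input": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(\s*" + USER_INPUT),
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
}

def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for each suspicious line of one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root: Path) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every PHP file under the downloaded copy of the site (step 2)."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".phtml", ".inc"}:
            hits = scan_source(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample, not a file from any real site: lines 2 and 3 are the kind
# of injected code the article refers to; the rest is ordinary, harmless PHP.
SAMPLE = """<?php
eval($_GET['args']);
eval(base64_decode($payload));
$name = htmlspecialchars($_GET['name'] ?? '');
echo "Hello, $name";
"""

if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE):
        print(f"line {lineno}: {name}")
```

A hit is a starting point for the line-by-line review, not proof of compromise: legitimate code occasionally uses these functions, so read the surrounding lines before deleting anything.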

10. Plugins.

Plugins are great. However, they can also be vulnerable to hacks. Make sure that you keep your plugins updated at all times. As soon as a hack occurs, you should vet all plugins by checking to see if there have been any vulnerabilities reported in them. More often than not, you’ll find that one of your plugins has a vulnerability in it that gives an attacker write access to one of your folders.

11. Admin logins and brute force attacks.

Typically, a brute force attack is carried out by an automated bot that continuously bombards your admin panel with login attempts.

If you have an admin login for your website, be sure to secure it against brute force attacks. This can be done by adding a lock-out feature that will block attempts to log in to an account whenever too many failed attempts have been made. For WordPress, you can use the WordFence plugin, which will block an IP address for a set period of time. After installing it, you’ll realize just how common brute force attacks actually are. The Internet is full of bots that will crawl the web and target popular plugins and software.

Also make sure that you use a secure password and that you avoid using common usernames such as “admin”, “user”, “test” and “thenameofmywebsite”.
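An added example, not the article's or WordFence's code: a minimal lock-out policy in Python that blocks an IP for a set period after too many failed logins within a short window, replayed against constructed traffic. The thresholds (5 failures in 5 minutes, 15-minute lock-out) are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

class LoginLockout:
    """Lock an IP out for lockout_seconds once it has made max_failures failed
    logins within window_seconds, the lock-out behaviour the article describes."""
    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures, self.window, self.lockout = max_failures, window_seconds, lockout_seconds
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def allowed(self, ip: str, now: float) -> bool:
        """True if an attempt from ip may be processed at time now."""
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return False
        if until is not None:  # lockout expired: start from a clean slate
            del self._locked_until[ip]
            self._failures.pop(ip, None)
        return True

    def record_failure(self, ip: str, now: float) -> None:
        recent = [t for t in self._failures[ip] if now - t < self.window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)  # a real login resets the counter

def simulate(events: List[Tuple[float, str, bool]],
             policy: Optional[LoginLockout] = None) -> List[str]:
    """Replay (seconds, ip, credentials_ok) events; 'blocked', 'ok' or 'failed' each."""
    policy = policy or LoginLockout()
    outcomes = []
    for now, ip, ok in events:
        if not policy.allowed(ip, now):
            outcomes.append("blocked")  # rejected before the password is even checked
        elif ok:
            policy.record_success(ip)
            outcomes.append("ok")
        else:
            policy.record_failure(ip, now)
            outcomes.append("failed")
    return outcomes

# Constructed traffic (documentation IP ranges, not real hosts): a bot hammering
# the admin login from one address while a real user mistypes once from another.
BOT, USER = "203.0.113.7", "198.51.100.20"
EVENTS = [(0, BOT, False), (1, BOT, False), (2, BOT, False), (3, USER, False),
          (4, BOT, False), (5, USER, True), (6, BOT, False), (7, BOT, False),
          (8, BOT, True), (1000, BOT, False)]
```

Note that once the bot is locked out, even an attempt with the correct password is rejected until the lock-out expires, which is what stops a guessing bot from benefiting from a lucky hit.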

12. File and folder permissions.

Avoid 777 permissions at all costs. If you can’t avoid using 777 permissions, then you will need to make sure that your usage of 777 is extremely limited and narrow. This topic is far too broad to be covered here, so make sure that you take the time to fully understand file/folder permissions in Unix-based systems.
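An added example, not from the original post: a Python audit that walks a site tree and reports every world-writable file or folder (777, 666 and similar) together with a suggested tighter mode. The 755/644 defaults are an assumption for a typical web root, and the tree it checks is constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Sane defaults for a web root: directories traversable, files readable by the
# web server, nothing writable by "other". 755/644 are an assumption here; the
# article only says to keep 777 rare.
SAFE_DIR, SAFE_FILE = 0o755, 0o644

def audit(root: Path) -> List[Tuple[str, str, str]]:
    """Return (relative path, current mode, suggested mode) for every entry
    under root whose 'other' write bit is set (777, 666, 757 and the like)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # the target's mode is what matters, not the link's
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:
            suggested = SAFE_DIR if path.is_dir() else SAFE_FILE
            findings.append((str(path.relative_to(root)), f"{mode:03o}", f"{suggested:03o}"))
    return findings

def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed site tree with one 777 upload folder, audit it, clean up."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "uploads").mkdir()
        (root / "uploads" / "gallery.php").write_text("<?php /* constructed sample */")
        (root / "index.php").write_text("<?php echo 'hi';")
        os.chmod(root / "uploads", 0o777)
        os.chmod(root / "uploads" / "gallery.php", 0o666)
        os.chmod(root / "index.php", 0o644)
        return audit(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for rel, current, suggested in demo():
        print(f"{rel}: {current} -> chmod {suggested}")
```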
