You’ve had your website hacked and you’re wondering “How the firetruck did that happen?”. It’s not such a simple question to answer but you must fix and secure your site as soon as possible.
If you’re currently in this situation right now, please take a deep breath and try to calm yourself. Yes, it can be stressful and you may be worried about damage to your business or reputation but this is a time when you need to be strategic and not just run at brick walls.
Google has put together a site to help webmasters fix a hacked site. The tasks range from user experience of beginner right through to advanced.
View Google’s Help For Hacked Sites
To scan your website for malicious software hacks, use the free scanner at Sucuri
Most Common Website Hacks
In my experience as a webhost, the most common type of website hack is done through exploiting flaws in popular Content Management Systems (CMS) such as WordPress and Joomla. While I’m not bad mouthing these two CMS’s as the only culprits, it’s their popularity that makes them an easy target for hackers.
Since WordPress and Joomla are open source, that means hackers can simply download the code and study it, test it and exploit any security flaws they discover. Not only that, but these CMS’s also enable the user to download 3rd party plug-ins and add-ons. This is where the trouble starts.
Third-party plug-ins can often be coded by bad programmers who do not care about security. Their plug-ins can have gaping holes for hackers to just breeze right in and take over your website.
Only install TRUSTED 3rd party plug-ins that have HIGH RATINGS from other users.
Step #1. Scan Your Computer
When your website was hacked, was your first thought to go ahead and change all passwords? You’re only half right, but you’ve just taken a false leap and it’s vital to be strategic about every move you make. If your computer is infected, it is possible that changing your website passwords will not help because the hacker could be notified about the password change – so, what did you achieve?
You may think your computer is virus-free but are you sure without thoroughly checking first? Are you aware that there are objects on your computer that a virus scanner will not pick up? They are called trojans or malware and you need to use a separate piece of software to scan for them – not a virus scanner.
Download and install this free software from Malwarebytes. Run a full system scan and accept any prompts to delete bad objects found.
Now you should also scan for viruses. I’ve used both AVG and Avast that offer free versions.
Additionally – you can never be too careful here – scan using Microsoft Security Essentials
Step #2. Restore Your Website From Backup
You’ve got a clean copy of your website, right? You don’t?! Ouch!
If you have a WordPress website, backing up your entire installation is as easy as installing a plugin called BackupBuddy
If you paid for your website to be designed by a firm, ask your website developer if they have an original copy. Since they created it for you, they should have it. The quickest remedy for this hack may be as simple as uploading the original files to the server.
If your web developer has dropped the ball, speak to your web host. Most web hosting providers have some form of backup. Depending on the time that has passed since the hack, your host may have an archived copy from before the problem began. If they do, you’re in luck. Ask them to restore the website files.
NOTE: Just because you have restored the website files does not necessarily mean you have fixed the problem. The hacker’s code may be residing in the database. We’ll get to that.
If you have successfully restored clean website files and your website does not have a database, you can skip to Step #7.
If you’re in the unfortunate position where you do not have an original/fresh copy of your website and neither do your web designer or web host, put the kettle on and pour yourself some calming matcha green tea, strap yourself in and get ready for a rough ride.
This is about to get technical and you may need professional help. The rest is not for beginners unless you are confident enough to pull out your trusty Sherlock Holmes magnifying glass and delve into the website code itself.
In some cases, your web host may be able to help but the tech support staff of larger hosts simply are not trained to do this sort of thing. Smaller hosts may not have enough experience.
Personally, I’ve never had any formal training. I’ve learned through years of experience dealing with website hacks and server attacks. It’s near impossible for a beginner to effectively clean a hacked website and I’ve seen unfortunate folks throw their hands up and actually walk away from their online business – seriously – because of a hack.
Please don’t walk away. You’ll get through this.
If you have no-where to turn, go to the professionals. Sucuri is web monitoring and malware clean up service who do this stuff every day. Their pricing is quite reasonable and they are fast and professional.
If you’re the adventurous type and enjoy snorkeling and deep oceans of code, let’s go diving.
Step #3. Dive Head First Into Code
I’m afraid I have to be quite general in my advice because each host’s system might be slightly different. Each hack is slightly different. My advice to you – try to understand from a technical level what I’m explaining so that you can proactively investigate where the hack may reside. This is not for beginners.
Login to your web hosting provider’s control panel and access the online File Manager. Your host may be running Plesk or CPanel. Both have a file manager where you can see the list of your website files. If not, you’ll need to login through FTP.
First, take a backup of the website files and database. Don’t be a cowboy and start editing files without having a local copy to restore in case you make a mistake.
In the online file manager, sort the order of files by date
Any file that has been touched by a hacker will have a recent timestamp. The files may include html, php, js, htaccess and even images gif, jpg, png. Also look for unusual zip and tz files. You’ll need to go through every folder and sub-directory including in public_html or httpdocs and also cgi-bin.
For files you find that have a recent timestamp, view the contents – the PHP or HTML code. Even with a hacked file, the code may look normal and that is why you need to look closely.
Start at the end of the file. If you see weird looking javascript or an iframe, you’ve found the hacker’s code. Save the weird code to a file for later. You’ll need it.
Look for any links that reference unknown domains or externally hosted javascript. Save those URLs to a file too.
Remove any weird code from every file you discover. In some cases, this in itself may be a monumental task – several hours of work.
Step #4. Check The Database
If you are using a CMS, you’ll have a database. You’ll need to gain access through your webhost’s control panel.
If you have the type of hack that has inserted code or text into blog posts, check the page source and locate the dodgy code. You’ll need to search the database for that code. Also search for the links, javascript or iframe code you may have found when you were checking the files.
What I do first is to save a backup of the database to my computer, for example into a .sql file. Make 2 copies of it because you will be editing one of them, store the other for safe-keeping. Open the database file in a text editor and search for the dodgy code. Remove all instances of the code from the database – it may be in there many times.
Once you’re confident you have killed all bad code, remove the online database (or drop all tables), then re-insert your clean database. This is an advanced step. Check with your web host if you’re unsure.
Step #5. General Server Scan
I’ve seen some hacks where PHP code is disguised as an image. The best way to search for this type of hack is to ask your web host to run this command (for linux servers only):
grep -iro --include=*.{jpg,gif,png} '<?php' /var/www/vhosts/domainname.com/
The last part “/var/www/vhosts/domainname.com/” should be replaced with the host’s directory structure.
Any images that are discovered in the above scan are dodgy and should be deleted.
Also, perform a second scan to search for a portion of the dodgy code you discovered in the files or page source.
grep -iro --include=*.{js,htm,html,php} 'insert dodgy code here' /var/www/vhosts/domainname.com/
This scan should tell you if you have missed any files that still need to be cleaned.
Step #6. Update Your CMS
If you’ve made it to this step, you deserve a slap of the back, a firm handshake and a cold beer. Well done. The hard work is over! Your website is now clean – hopefully.
However, let’s not get too comfortable just yet. At this point all we have done is get your website back to it’s original state. The vulnerability still exists and if you just stop now, you’re giving the hacker a free pass. You still need to FIX the underlying problem.
If you’re running WordPress, Joomla or any other CMS, you should update the software to the latest version. In most cases, this is easily done by logging into the CMS admin section and clicking Update.
If your website has been heavily customized, performing a CMS update may be more problematic. If you are unsure, speak to your web designer.
Step #7. Website Hardening
We’re still talking technical here. On the server, we need to look at the permission levels of all folders used by your website. The permissions allow a user to either read, write or execute files within the folder. There are also certain levels of user such as owner, group, public. This may not mean much to you, but that’s OK.
A hacker will look for folders that have permission levels set to full read/write/execute, or 777 attributes.
Through your control panel file manager, find all folders that have full permissions and change them to 755 attribute. NOTE: You may find that some CMS’s may not be able to upload files after doing this. Just do a quick test to make sure you can still upload.
Step #8. Change ALL Passwords
You’re on the home stretch and the only thing left to do now is change ALL passwords:
- WordPress / Joomla / CMS admin password
- Webhost Plesk / CPanel / control panel password
- FTP password
Read our article How To Create An Unhackable Password You’ll Remember
Step #9. Back Up Your Clean Website
You can breath a sigh of relief. If there is just one lesson to take away from this ordeal, it has to be this:
BACK UP YOUR WEBSITE !
Do it now. Get a backup of all website files and your databases. Save it to your computer harddrive. Save another copy onto a USB stick and put it in your desk drawer.
If you have a WordPress website, I recommend using BackupBuddy which automatically backs up all website files and databases. You can choose whether to email the backup to you, FTP it to another location, save it to dropbox or upload it to BackupBuddy’s servers for safe keeping.
Step 10. Monitor Your Website
No-one is immune to hacking and if you’ve experienced it once, you really do not want to experience it ever again. The sad reality is that you might!
For peace of mind, monitor your website with Sucuri Security who will alert you to problems and also clean the hacked code for you.
Always keep a virus scanner running on your PC.
You may think it’ll never happen to you … until it does.
Disclaimer: Links to 3rd party sites included within this article denoted with /go/ in the URL may result in commission being earned if you decide to make a purchase.
Posts related to Website Hacked? 10 Things You Need To Do Right Now
How To Submit Your Website To Search Engines Without The Hassle
How To Change Domain Name Without Impacting SEO
How To Speed Up Your Blog Like A Pro
How To Use Bitcoin QR Codes
Tags: website hackedwebsite virus
