Hacked Drupal Website? Here's How You Can Clean Your Drupal Site.
June 25th, 2018
One of the objectives of the cWatch website security tool is to help enterprise administrators clean their business websites, check for hacks (if any), and remove the discovered malware infections. In this page, we present guidelines for cleaning and fixing your Drupal-powered website.
Please Note: These guidelines do not offer the solution for every malware infection you may encounter. Instead, they offer generic steps to be followed (a checklist, to be more precise) while checking websites for malware infection.
Process Overview: Clean Hacked Drupal Site
Cleaning an infected website involves many steps, so let's take a brief overview of the steps involved before we delve into the details.
I. Check Whether Your Website Is Hacked
- Scan Your Website Using cWatch
- Look For Changes In Your Website Files
- Audit User Logs
II. Removing The Hack
- Clean The Hacked Files
- Clean The Database
III. Recommended Post-Hack Actions
- Update and Reset
- Configure BackUps
- Scan Your Administrator Computers
- Adopt Various Preventive Measures
I. Check Whether Your Website Is Hacked: Scan Your Website Using cWatch: Obviously this is the first step. To do this, log into cWatch using your credentials >> select the domain you wish to scan >> choose the Vulnerability tab >> click the Start Scan button. cWatch will display a message indicating whether your website is hacked or not. If your website is hacked, continue with the steps below.
Look For Changes In Your Website Files: When a website gets hacked, hackers usually leave traces behind – such as modified files – which signal that your website has been compromised. So always check whether the files within your website have been modified. If nothing has changed, your website is probably safe; if files have changed, it's time for website cleansing.
How To Check For Modified Files? Simple. Compare your current website files with the backed-up (known-good) ones and check whether there are any differences between them. You can use tools like git (a file version control system) and its git status command for this purpose.
To Use Git For Checking Website Related Changes
- Connect to your server over SSH and run the following command: git status
- Identify new or modified files and compare them with the known-good copies
- Navigate through your web directory and look for anything unusual
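As an added example (not part of the cWatch page or the Drupal project), the comparison step can be scripted without git: the script below diffs a live Drupal docroot against a known-good backup and lists added, modified and removed files, and separately flags any PHP found under sites/default/files, Drupal's public upload directory, which should only hold uploads. The directory layout and file contents are constructed sample data; the two docroot paths are assumed to contain no spaces.

```shell
# Print ADDED / MODIFIED / REMOVED lines, paths relative to each docroot.
# Assumes paths contain no spaces (diff's summary lines are space-separated).
list_changed_files() {
  good="$1"; live="$2"
  diff -rq "$good" "$live" | awk -v good="$good" -v live="$live" '
    function rel(p, root) { return substr(p, length(root) + 2) }
    /^Files .* differ$/ { print "MODIFIED " rel($4, live) }
    index($0, "Only in " live) == 1 {
      sub(/^Only in /, ""); sub(/: /, "/"); print "ADDED " rel($0, live) }
    index($0, "Only in " good) == 1 {
      sub(/^Only in /, ""); sub(/: /, "/"); print "REMOVED " rel($0, good) }'
}

# Drupal's public files directory holds uploads only; any PHP there is suspect
# (Drupal ships a .htaccess in that directory to block script execution).
find_php_in_uploads() {
  find "$1/sites/default/files" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null |
    sed "s|^$1/||"
}

# Build two small constructed trees: a clean backup and a tampered live copy.
make_sample_site() {
  base=$(mktemp -d)
  for d in good live; do
    mkdir -p "$base/$d/sites/default/files" "$base/$d/core/lib"
    printf '<?php // settings\n' > "$base/$d/sites/default/settings.php"
    printf '<?php // core\n' > "$base/$d/core/lib/Drupal.php"
    printf 'Deny from all\n' > "$base/$d/sites/default/files/.htaccess"
    printf 'logo\n' > "$base/$d/sites/default/files/logo.png"
  done
  # Constructed differences in the live copy only (sample data, not real code)
  printf '// extra line\n' >> "$base/live/core/lib/Drupal.php"
  printf '<?php // constructed sample\n' > "$base/live/sites/default/files/x.php"
  rm "$base/live/sites/default/files/.htaccess"
  echo "$base"
}

main() {
  base=$(make_sample_site)
  echo "== changes vs backup =="; list_changed_files "$base/good" "$base/live"
  echo "== php in uploads =="; find_php_in_uploads "$base/live"
  rm -rf "$base"
}
main
```

Run it against a real site by calling list_changed_files with the backup directory and the live docroot; a REMOVED line for sites/default/files/.htaccess deserves the same attention as an ADDED one, since that file is what stops uploaded scripts from executing.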
Audit User Logs: Next, check for any unusual user activity, especially on administrator accounts. To check for malicious users in Drupal, log into your Drupal admin interface >> click People on the menu >> review the list >> remove any unfamiliar (or suspicious-looking) users. Also check the Last Access time of legitimate users, because this will reveal anomalous behavior on the part of your users.
II. Removing The Hack: Now that you've discovered the hack (if any), it's time to remove it. This usually involves two important processes: cleaning the website files and cleaning the database.
How To Remove Malware From Your Drupal Powered Websites?
Log into your web server via SFTP or SSH >> search for the suspicious files you previously noted down >> confirm whether they are indeed malicious >> after double-checking, remove any unfamiliar or suspicious code from your custom files.
Note: ensure you have taken a backup of the site before implementing the changes.
You Should Also:
- Check for backdoors (whether planted by the attacker or left behind by someone else) that might have been used to gain access, and remove them.
- Check whether your website has been blacklisted by Google, McAfee, Yandex and other such authorities and let them know your site is now clean.
III. Recommended Post-Hack Actions: Ensure you take the right security measures now that some of your website's vulnerabilities have been exposed. Although website hacks can be painful and frustrating, they are nevertheless a learning experience and can teach you a lot about malware detection, prevention, and removal.
What Security Measures Can You Take To Get Your Website Back On Track?
- Update and Reset: Most website hacks happen as a result of outdated software. Therefore ensure your website and any modules, themes, or other extensions it uses are updated. To check for Drupal updates, log into the Drupal admin interface >> click Reports >> check Available Updates. You should also reset user credentials, clear any active sessions, and clear the cache as well.
- Configure Backups: Now that your website is clean, take a backup of it. Remember that a sound backup strategy is core to your security posture. Therefore back it up to offsite locations, schedule automatic backups while your website runs, and back it up to the cloud and to external hard drives as well.
- Test The Restore Process: A backup process that has not been tested well enough is a backup process that may fail when you actually need it. Therefore test your backup/restore process as often as possible and ensure it works well.
- Scan Your Administrator Computers: Scan all administrator computers used to access the Drupal dashboard with an appropriate antivirus program, because an infected admin computer may well end up infecting your website once again. Don't skip this step.
- Adopt Various Preventive Measures:
- Carrying out regular security reviews – regular security reviews go a long way when it comes to malware detection, prevention, and removal.
- Implementing strong password policies – your passwords should be a mix of letters, symbols, and special characters, making them hard to guess.
- Limiting login attempts – restricting login attempts greatly reduces illegitimate user access.
- Enforcing automatic logouts after a period of inactivity – never allow an inactive session to remain open indefinitely. Enforce automatic logouts.
- Deploying SSL/TLS encryption – encrypt your website traffic using SSL/TLS certificates, which provide data encryption, server authentication, and data integrity.
- Regulating user permissions appropriately – users should not be given more access than they need. Only a trusted super administrator should be given unrestricted access to the entire website.
- Deploying specific security tools – which can protect your website against DDoS attacks, brute force, and other such popular attacks targeting websites.
Other Security Measures: Some of the other security measures include: