How to Clean a Hacked Magento Site?

If your Magento Site has been hacked, you have come to the right place to clean and fix your hacked site. For an eCommerce merchant, a hacked website means loss of trust in your website as well as monetary loss. Customers would not like to visit or conduct business interactions on any hacked website.

If your website is accepting credit card payments, then website visitors will not feel inclined to share their credit card details/credentials. In case data gets stolen and misused, then customers may file litigation suits that you may have to face. And you will also have to face implications regarding compliance to the Payment Card Industry Data Security Standard (PCI DSS) standards.

Magento is an open-source e-commerce platform. It is considered to have robust security features and is a secure and stable platform. However, Magento websites do get hacked.

First, confirm whether your Magento Site has been hacked and that it is not due to some hardware, operating system or software issues. Your Magento website must always be kept updated. Immediately check and update your Magento website to the latest compatible version. Outdated and buggy plug-ins and extensions could also have issues. Once you have done that check for the below-mentioned symptoms.

How to Clean a Hacked Magento Website

Hacked Website/Webstore – Symptoms of Compromise

  • Homepage Defacement – Your homepage has been defaced. This may be due to a hate attack or just for fun.
  • Your website host suspends your website for malicious activity
  • Major browsers blacklist/block your website
  • Unauthorized administrator accounts
  • Customers raise concerns over misuse of their credit card details
  • Your checkout page displays suspicious behavior
  • Increase in shopping cart abandonment
  • Unauthorized code in your website

Your Magento website has been hacked if it displays any of the symptoms listed above.


What You Have to Do to Clean and Fix your Magento website

Your defaced webpage can be fixed by restoring from a clean backup. Unless the defacement has been linked to a ransomware attack, fixing this type of issue is quite easy. However, your website would suffer from a bad reputation.

Immediately take a full backup of your server logs, database, and website files. You may probably be taking regular/automatic backups, but THIS backup is very important.

These logs are essential for analyzing the details of the compromise.

Verify admin/user accounts: Verify all user accounts as well as administrator accounts. Remove all accounts that you or other authorized personnel had not created. As a best practice, it is recommended to have only one administrator account. The hacker would probably have created an administrator account for conducting nefarious activities. Delete any other user accounts that are not required.

Check for modified files: The threat actors could have injected malware and hence you must check for any file modification. The core integrity could be compromised.

Updated Magento Software/Plug-ins and Extensions: Update your Magento, the plug-ins and the extensions that you are utilizing on your webstore. Maintain only those that are essential, and delete all others.

Shared hosting: In case you have hosted your website with a shared hosting provider, then you should consider opting out of it. Vulnerabilities in other websites on the same server could allow attacks on your website too.

Install Comodo cWatch Web Security:

  • Next, you must get Comodo cWatch Web Security. You have to purchase a license and install it on your system. A 30-day free trial license allows you to experience the capabilities of the product.
  • It features a strong web application firewall (WAF) that acts as a fortress to block all advanced persistent threats. SQL Injection, Cross-Site Scripting, Denial-of-Service (DDoS) and application targeting attacks are blocked.

Set up Comodo cWatch Web Security:

  • Enroll your Magento site. Next, choose/provide the appropriate HTTP protocol. You must provide details of the website certificate, and this completes the initial configuration.
  • The Comodo cWatch Web Security dashboard displays the name of your webstore/domain.

Configuration for cWatch scanning:

  • As mentioned in the cWatch interface, you will have to upload a .php file to your website to allow cWatch to scan your hacked Magento webstore.
  • This scan will detect all the malware and vulnerabilities on your website. You can then take appropriate remedial action.
  • cWatch features an automatic malware removal facility, wherein experts from Comodo Cyber Security Operation Center (CSOC) will check and remove all the malware.

Server Log/Activity Log Analysis

CSOC experts will analyze your logs, and provide a report on the malware and details about the hack.


Data Breach Detection

In case a data breach has been detected, then it is recommended that you warn your customers about possible compromise of their data.


Revoke Website Suspension

Once you have cleaned and fixed your website you must raise a request with your hosting company to revoke the suspension.


Backup and Restoration Policy

As a good backup and restoration policy, you must store your backups in at least two different locations.


Absolute Website Protection

Comodo cWatch Web Security is a cloud-based security solution fully managed by the Comodo Cyber Security Operations Center (CSOC). It is offered as a security-as-a-service delivery model (SaaS) model and provides 24/7/365 monitoring and support. The managed security services provide complete security for your website and it allows you to focus on your core business.


Webinar
Cyberstrategy for 2018: Time to Prepare for the Worst?