What to Do If Your Website Is Hacked?
Discovering your site has been hacked must feel a bit like discovering your home has been burgled. It can be upsetting, frustrating, and expensive, but you still need to deal with it. Here is what you need to know.
Use a website vulnerability scanner to find and deal with the malware
If you have more than one website on the same server, then it’s strongly advised to scan them too in case they have also been compromised (or are being targeted for future attacks).
Double-check your core files and your recently modified files
Look for any changes made in the last 30 days or so. Any changes to your core files should almost always be a source of concern as there is hardly ever any legitimate reason to change these. Any other changes should be considered in context, but, if in doubt, investigate
Check your Google Transparency Report
Go to the Safe Browsing Site Status website enter your URL and see what Google says about it. Bing Webmaster Tools will let you know what Bing thinks of your website, but, realistically its results are likely to be the same as Google’s.
Check if you need to preserve evidence
Depending on your jurisdiction, industry sector, and website usage, you may or may not have a legal/regulatory requirement to preserve evidence. For example, if you take debit/credit card payments directly on your own website (as opposed to linking to a payment gateway), then you will probably have to comply with PCI/DSS and hence be mandated to preserve evidence. Check exactly what is required of you and be sure to comply with it.
If you are not subject to a legal/regulatory mandate to preserve evidence, then you need to decide whether you wish to do so voluntarily. Remember that if you preserve the evidence, you can always dispose of it later if you wish. On the other hand, if you dispose of it immediately, you will not necessarily be able to recover it if you change your mind later. Because of this, you may wish to consider backing up your log files, file system, database, and any custom files and configurations.
Check if you need to inform anyone of the attack
As before, this will depend on your individual situation but in some places you may be required to report a breach, particularly if personal data has been stolen, or even just if there is a reasonable suspicion that it has been stolen.
Decide if you’re up to the task of repairing your website
There are three steps to repairing a hacked website. The first is to make sure that all malicious code is completely removed and the site put back in proper working order. The second is to close off any backdoors the hackers have left (for future attacks) and the third is to contact your hosting company, the search engines, and any other authority which might have blacklisted your site (e.g. security companies) to request a review.
Cleaning up a hacked website is unlikely to be a job for the faint-hearted or anyone with limited IT knowledge. It often involves editing code (especially PHP), manipulating database tables, and updating user accounts to name but a few of the tasks involved. In short, if you get it wrong you could potentially do more damage to your site than the original attack.
Similarly, removing the backdoors (and it usually is plural) inevitably left behind by hackers requires a decent level of security knowledge. First of all, hackers generally make some effort to disguise their work to make it harder to detect. Secondly, they generally use PHP extensions which are also legitimately used by plugins. This means that it’s painfully easy to make a mistake which can do even more damage to your website and delay its relaunch.
Once you have your site cleaned up, you can submit it for a review while you work on tightening its security so that this does not happen again. Technically this step only applies if your site has been flagged as a security threat but in practice, it is almost guaranteed that it will be.
Tighten up your security
Immediately change all administrator passwords, if necessary update all software, and sign up for a website vulnerability scanning service. Then go through your logs thoroughly until you work out exactly how the attack occurred and fix it. Then do a full security audit of your site to see if there are any other changes you need to make to keep yourself safe from future attacks.
How to see if a website is safe?
