Dealing with a hacked website can be a very frustrating experience, and even more difficult if you don’t know the important steps to take in order to repair any damage done.
In this article we’ll discuss each step to take if your website has been hacked.
Step 1: Contact Your Website Designer/Developer
If you’ve previously worked with a reputable and experienced web design company, they will be able to diagnose the problem and will most likely be able to fix it. When website management issues happen, it is always a reassuring feeling to have a relationship with a web design company that you can trust.
Step 2: Quarantine Your Website
If you’re experienced in website management, you may be able to complete this step yourself. Otherwise, we recommend that you contact your web design company.
It’s important to take your website offline while you begin your clean up efforts.
You can make your homepage a simple index page that has some text letting users know what is happening, or remove all website files temporarily; just make sure you back them up first. By taking your website down, you will prevent further damage to potential website visitors. If you keep your website offline for too long it can have an effect on your search engine rankings, but only if it’s down for a few days or more.
While your website is in quarantine, the first thing to do is to check any user accounts that have access to the website, both via FTP and within the CMS (content management system) if applicable. For example, in your WordPress backend, you’d look under “Users” to make sure that all user accounts are correct and there aren’t any that could have been created by the hacker. It is also vital that you change all passwords for any users that have access to your website, FTP accounts and any CMS user accounts.
Step 3: Check Your Google Webmaster Tools Account
If you don’t have a Google Webmaster Tools account, we recommend that you set one up. An account like this will allow you to see several important pieces of data from your website, especially the data that Google stores, like links to your website, malware alerts, etc.
If your website has been hacked, and you already have a Google Webmaster Tools account, you will most likely see a warning once you log in and view your “Messages”. It is important to also change any passwords for users within your Google Webmaster Tools account.
Step 4: Assess the Damage Caused
If a Google Webmaster Tools message notified you that your website has been hacked with spam, then you will have to find the damaged files within your website and make the necessary changes to them. The best way to do this is to have shell/terminal administrator access to your website server, including all files and databases. Again, an experienced web design company will be able to perform these steps for you in the recovery process.
Knowledge of shell/terminal commands will allow you to locate the damaged files or database records, and repair them quickly and easily, depending on the type of hack. It is important to make a note of all files and records that have been affected during this discovery process. From your Google Webmaster Tools account, you will be able to see a list of some of the pages infected by the hacker’s actions. Copy the URL address of one of these pages and use Google to view the cached version of the page.
Perform a cache: Google search for the URL to see what Google previously crawled/indexed for the page
- In the Google Search box, type “cache:”, then the URL. Full example – cache:http://www.example.com/page.html
- The hacker’s undesirable content may be obvious from the cached result, but if not, click text-only.
- Take detailed notes of any damage you see and then use shell/terminal access to remove the damage.
There are several other more advanced steps you can take at this point, but it is best to contact your web design company to take care of them.
Next, we recommend you perform a site: search on Google to find more pages damaged by the hacker. The site: operator search, such as site:example.com, returns results limited to the pages that match the specified site. This will give you a full list of the pages of your website that Google has indexed. Often, you can easily see if the hacker has changed title tags for your pages as one of their spamming methods.
If you have a recent backup of your website files, you can use shell/terminal access to view any files that may have been modified more recently than your backup and that can lead you to hacked pages.
Also, it is wise to check your site’s folder and file permissions. Sometimes a hacker will change these permissions and will leave you open to future attacks. For example, 777 permission is “world writable access” and is too lenient for almost all folders and files.
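The two checks above (files changed since the last backup, and overly lenient permissions) can be run as follows. This is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration, and the backup archive's modification time is assumed to mark when the backup was taken.

```shell
#!/bin/sh
# Added example: triage a web root against a known-good backup.

# List regular files changed after the backup file was written.
modified_since_backup() {   # $1 = web root, $2 = backup archive (used as a time reference)
    find "$1" -type f -newer "$2" | sort
}

# List files and directories that any local user may write to (e.g. 777, 666).
world_writable() {          # $1 = web root
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Constructed sample tree so the example runs offline:
# one untouched page, one file dropped after the backup, one 777 directory.
make_sample_site() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/htdocs/uploads"
    echo '<?php // original page' > "$base/htdocs/index.php"
    echo 'placeholder backup'     > "$base/backup.tar.gz"
    echo '<?php // added later'   > "$base/htdocs/uploads/cache.php"
    touch -t 202401010000 "$base/htdocs/index.php"
    touch -t 202401020000 "$base/backup.tar.gz"
    touch -t 202401030000 "$base/htdocs/uploads/cache.php"
    chmod 644 "$base/htdocs/index.php" "$base/htdocs/uploads/cache.php"
    chmod 755 "$base/htdocs"
    chmod 777 "$base/htdocs/uploads"
    echo "$base"
}

base=$(make_sample_site)
echo "Modified since backup:"
modified_since_backup "$base/htdocs" "$base/backup.tar.gz"
echo "World writable:"
world_writable "$base/htdocs"
rm -rf "$base"
```

Record every path these checks report in your notes before changing anything, so the list can be compared against the pages Google flagged.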
Step 5: Identify the Vulnerability
Once you’ve performed the previous steps, you should now be able to understand, to some extent, what the hacker has changed.
First, we recommend that you use a virus scanner to clean your computer to ensure that any spam issues don’t continue to harm your machine. Next, check your website logs to see if there’s been any unusual activity. Often you can see a hacker’s attempts to log into your website with failed passwords.
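One way to surface repeated failed logins in the website logs, as an added example that is not part of the original article. It assumes an Apache/Nginx "combined" format access log and a WordPress site, where a failed login is a POST to /wp-login.php answered with status 200 and a successful one is answered with a 302 redirect; the log lines and function names are constructed.

```shell
#!/bin/sh
# Added example: count failed WordPress logins per client IP in an access log.

# Print "<count> <ip>" for every IP with at least $2 failed logins, highest first.
failed_logins_by_ip() {   # $1 = access log, $2 = minimum count to report
    awk -v min="$2" '
        # Combined log format: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation IP ranges): one address failing four
# times in a few seconds, one user mistyping once and then logging in.
make_sample_log() {
    log=$(mktemp) || return 1
    cat > "$log" <<'EOF'
203.0.113.7 - - [10/Jan/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:09:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:09:00:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
    echo "$log"
}

log=$(make_sample_log)
echo "IPs with 3 or more failed logins:"
failed_logins_by_ip "$log" 3
rm -f "$log"
```

A 302 from an address that also appears in this list is worth checking first, since it may mean one of the guesses succeeded.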
If your website is using any sort of software, like WordPress, it is important that you always update to the latest version of that software to guard your website from any known vulnerabilities.
Check your database (if your website uses one) to see if the hacker used an SQL injection to damage your website. Look through various database tables to see if there’s any unusual data that could have been placed there by a hacker.
Step 6: Clean Your Website
This is another time-consuming part of the repair process, but it is vital that you dig out every bit of damage caused by the hacker.
If you have a clean backup of your website files and the database, restore them and get your website back online. Consider eliminating any plugins or extensions that you don’t really need and update any software that has a more recent version available.
During this clean up stage, you can go even further in depth and attempt to clean out the website server (if you have admin access) with a full reinstallation of the operating system.
It is also recommended to again change all of your passwords related to the website at this stage (FTP user accounts, CMS user accounts, etc.).
Step 7: Create a Long-term Maintenance Plan & Double Check Site is Clean
The saying goes “You gain experience when you least need it”. Now that you’ve experienced an unfortunate hacking situation, let’s make sure you’re ready for it if there’s a next time.
- Make regular, automated backups of your website and database.
- Be vigilant about keeping software, plugins etc up to date.
- Make sure that all passwords related to your website are strong from now on.
Double-check that all of your website files and databases are now clean. Google recommends the following:
- Have I taken the proper steps if the cybercriminal obtained users’ personal information?
- Is my site running the latest, most secure version of software?
- Have I removed all unnecessary or unused applications or plugins that could make my site more vulnerable in the future?
- Did I restore my content and eliminate the hacker’s content?
- Did I fix the root cause vulnerability that allowed my site to be hacked?
- Do I have a plan to keep my site secure?
Once you are sure that your website is clean, let Google know that it’s ready to be reconsidered and once accepted, they will remove the warning that users see when your website has been compromised.
If you’re concerned about your website’s security, please contact us and let’s talk about putting a plan together.