How To Repair a Hacked Website?

Website security plays a vital role in the expansion of any online business. In recent years, cyberattacks have been on the rise with new variants of ransomware and crypto miners being discovered in the wild every month. This means that smaller businesses need to shell out more money to keep their online business secure and for hacked website repair. According to a report by Juniper Research,

Small businesses invest on an average, $500 per year in cybersecurity products. With many such businesses digitising, this will leave them vulnerable to newer forms of malware which require more advanced cybersecurity, beyond simple endpoint protection. In addition, the cost of breaches can exceed millions of dollars, dwarfing the turnover of such businesses.

According to another annual crime report by Cybersecurity Ventures,

Ransomware attacks occur every 14 seconds. The report also estimates that this number will increase to every 11 seconds by the year 2021.

Recently, more than 4,600 websites were hit by a malicious code which stole payment info and other user data. The sites compromised included e-commerce stores, blogs, e-learning sites. The malware infected the sites using the CDNs of Picreel and Alpaca Form. The stolen credit card info was being relayed to servers in Panama. The source code of the malware reveals the various functions declared in the malware which helps in collecting and relaying the data. More than 1200 websites are still infected with the Picreel malware variant and more than 3700 websites still contain the code from Alpaca breach.

With more and more sophisticated malware variants appearing every day, it is just a matter of time before your site may become the next victim. So, it is important to learn hacked website repair and take preventive measures.

Hacked Website Repair: Symptoms of a Hacked Website

  • Suspicious and unknown links, files, admin users, web pages, tables, scripts appear on your website.
  • Pop-ups and advertisements which redirect customers to fishy domains infect your site.
  • The website becomes slow and unresponsive.
  • Heavy load on the server even though the connections are very less.
  • Users complain about stolen credit card info from your website.
  • Gibberish content appears on your site as a result of the Japanese Keyword Hack or the Pharma Hack.
  • While using third party hosting, your account gets banned or disabled.
  • Search engines warn users against visiting your website.
  • Your website passwords are changed and logs show brute force logging attempts.
  • Unknown plugins and extensions installed on your server.
  • Multiple spam emails dispatched from your website’s mail server.
  • The website’s data is up for sale on internet forums.
  • Traffic logs from Wireshark or other packet capture tool show data being sent to suspicious domains.

Hacked Website Repair: Malware Removal

  • Step 1: Take a complete backup of your site. Thereafter, put your site into maintenance mode.
  • Step 2: Now look out for the source of infection. It could be a script, file or a web page. Look at the source code to determine base64 encodings. Make sure to check into any new plugins or extensions.
  • Step 3: If the website has been blacklisted by search engines, use the google console to see the cause of infection. Moreover, don’t forget to remove any unknown admins. If still there is no success, use online virus scanners like Astra.
  • Step 4: Delete the lines of malicious code from infected files. Delete and suspicious tables from the database. If it is a sensitive file and you are unsure of what the code does, simply comment it out and contact for help.
  • Step 5: When cleanup is done, don’t forget to submit your site to Google for blacklist removal. Moreover, it is necessary to determine the cause of the hack and patch it so that the infection does not reoccur. Look at the info graph given below for more info.
Hacked website repair tips

While these are generic hacked website repair steps, some CMS specific hacked website repair instructions are given below.

Need help with your hacked website repair? Clean your site now

OpenCart Malware Removal

To determine the source of infection, OpenCart users should check for core files integrity. This implies that the core files of OpenCart should not differ from the ones present in the official documentation unless they have been modified OCMOD/VQMOD for valid reasons. This can be done using the ‘diff’ command of Linux. Download the file from the official repository to a local folder and then compare them using the following command:

diff -r path/to/OpenCart/file.php /path/to/official/Opencart/file.php

Also, for OpenCart users, it is important to delete the install folder first. This can be found by simply navigating to the root folder. OpenCart users need to secure the catalog from attackers. This can be done by blocking access to certain sensitive files like .php, .txt of the catalog. To do so, append the following lines of code to the .htaccess file inside the catalog folder:

hacked website repair using .htaccess

Related article – The Ultimate Opencart Security Practices and Malware Removal Guide

Prestashop Malware Removal

For Prestashop hacked website repair, detection of infection can be done by looking into some commonly targeted modules. Firstly, log into your Prestashop store using any FTP client. Thereafter look for malicious code inside the following folders:

  • modules/homepageadvertise/slides
  • modules/homepageadvertis2/slides
  • modules/productpageadverts/slides
  • modules/columnadverts/slides
  • modules/simpleslideshow/slides

Keep an eye on any code which looks base64 encoded. It can be uncovered using the following Grep command of Linux:

find . -name “*.php” -exec grep “base64″‘{}’; -print &> infected.txt

This command would save all the base64 encoded instance inside the infected.txt file. From here, they can be decrypted using online tools and deleted.

Drupal Malware Removal

For Drupal hacked website repair, firstly ensure that no unknown files are present in the /drupal-admin folder. Some suspicious files to look out for are: Marvins.php, db_.php, 8c18ee, 83965, admin.php, buddy.strength, dm.php. If you notice any such file delete immediately. Moreover, don’t forget to remove any unknown database users. To verify if any new user has been created after a certain date, use the following SQL command:

Select * from users as u AND u.created > UNIX_TIMESTAMP(STR_TO_DATE(‘May 15 2019’, ‘%M %d %Y ‘));

Here, it will display all the users created after 15 May 2019. When all the cleaning is done, clear the cache using the commands: drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7).

Related Article – The Ultimate Drupal Security Practices and Malware Removal Guide

PHP Malware Removal

For PHP hacked website repair, take a look at the database first. Take a backup of the database first. Use a tool like phpMyAdmin to look for any suspicious tables like ‘Sqlmap‘. Moreover, search inside the contents of the tables for any suspicious links, malicious code, etc. If found, delete that entry or delete the entire table if necessary. Thereafter check if the site is still running properly. If so, you have successfully removed the malware from the database.

To detect infection in the PHP files, use the following command to find base64 encoded malicious code:

find . -name “*.php” -exec grep “base64″‘{}’; -print &> output.txt

Apart from base64 encoding, some other obfuscation techniques like FOPO are also frequently used. Deleted any unknown PHP script. If you are unsure what the code does, comment it out and get help for malware removal. For PHP, it is important to disable the dangerous functions, which can help the attackers in Remote Code Execution. This can be done by this single command:

disable_functions = “show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, eval”

Sometimes error messages reveal sensitive info which can be used by attackers to compromise your site. To turn off such errors, add the following code to php.ini file:

display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_error.log

This code disables displaying errors and instead logs them into a php_error.log file from where they can be used by you for troubleshooting. Last but not least ensure that all the input which is received by your server through PHP forms, values, etc are filtered. Unsanitized input can wreak havoc on your site. Go for a full security audit of your PHP site.

Need help with your hacked website repair?Drop us a message in the chat box

Related Article – The Ultimate PHP Security Practices and Malware Removal Guide

WordPress Malware Removal

For WordPress hacked website repair, inspect core files first as infection removal of these files is easy. Moreover, check from the system logs about any changes made to the files. This can help in identifying a malware infection. If there is an infection in the core file, simply replace it with a fresh one from the official repository. The same is applicable for theme files. However, avoid editing sensitive files and folders such as wp-content and wp-config.

If the malware has created new WordPress user accounts, they should be removed immediately. Look for any new and suspicious user account and proceed for its removal. To remove unknown users:

  1. Open the wp-admin dashboard and navigate to Users>All Users.
  2. From the checkbox select the user you wish to remove and expand the “Bulk Actions” dropdown.
  3. Finally, select the “Delete” option and then “Apply” the settings.
hacked website repair wordpress

Also, make sure to look in the image files as malware like the bak.bak/Favicon malware frequently targets WordPress sites. Inspect the wp-uploads folder and manually scan every image. To do so, copy the .ico files to a folder and change their extension to .txt. Now open these text file. If the content appears to be gibberish like in the image then the files are clean otherwise if the text file shows PHP code, follow the above-given steps for WordPress hacked website repair. Last but not least, don’t forget to disable XML-RPC in WordPress.

hacked website repair favicon

Hacked Website Repair: Preventive Measures

  • Rename the admin folder to some random user name. For instance, if earlier the URL to your admin folder was www.abc.com/admin/ rename it to www.abc.com/random123/. This can be done by the following tutorial.
  • If directory indexing is enabled, the hackers can view sensitive files and use it to hack your site. Therefore, disable directory indexing by adding the following code to the .htaccess file in each directory: Options -Indexes
  • It doesn’t matter which CMS you are using, make sure it is up to date. Keeping it updated from the official site is a healthy practice which can prevent website hacking.
  • Proper file permissions can protect your crucial files from the attackers. Always set the file permissions to 644 or 444. For sensitive files like config.php, index.php, admin/config.php, admin/index.php, system/startup.php set the permission to 444.
  • Ensure that there are no hardcoded or default passwords on the site. Always use reputed themes, extensions, and plugins.
  • Always go for a secure hosting plan instead of a cheap one. The plan may look cheap now but it can cost you heavy during hacked website repair. Also ensure that the server is configured properly and that there are no open ports, server misconfigurations on the server.
  • Using SSL not only secures the communication between the users and your site but also, helps you with SEO. Get an SSL certificate for your site and implement it on your server. Thereafter, ensure that the website always redirects to https instead of HTTP. To accomplish this add the following code to .htaccess file:

# Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Use a Security Solution to Avoid Manual Hacked Website Repair

The hassle of hacked website repair could have been avoided if a security solution or firewall was used in the first place. These days, there are plenty of options to choose from which provide not only a firewall but a complete security suite. Astra just fits your budget as it is highly scalable. Astra firewall can shield your website from any type of attack even if your site is vulnerable. While its malware scanner helps in hacked website repair and can detect a large number of malware variants.

Try it out yourself!

Was this post helpful?



Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Keen to learn almost everything that computers have to offer. Check out my Github profile for more info.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close