There has been a steady rise in cybercrime over the years, and in the last five years a sudden boom. Much of it can be attributed to the spread of internet connectivity in large markets like India and Brazil. According to some statistics, 86% of websites contain at least one serious vulnerability that could lead to the site being hacked.
Another alarming statistic is that companies take over six months to detect a hack. The consequences of a hacked website range from simple defacement to attackers demanding a ransom. As the book “Web Security, Privacy, and Commerce” puts it:
It took a while for the crooks to realize that there was a lot of unprotected money floating around. The same is true on the Internet, but with each passing year, we are witnessing larger and larger crimes. It used to be that hackers simply defaced websites; then they started stealing credit card numbers and demanding ransom.
This article explains the basic steps to take as soon as your website is hacked and how to stay prepared for such attacks in the future.
1. Quick Recovery
When the first signs of a hacked website appear, start with an initial guess at what might have caused it. Was it a link you clicked yesterday? Was it a plugin you added recently? Pinning down the true cause will take time, but a rough idea lets you take crucial short-term steps right away. Warning messages shown by Google or by your hosting provider about the hacked site can also point you in the right direction.
To limit the damage, first log in to your website’s admin dashboard. If you cannot, the attacker has probably changed your login credentials. There are several ways to regain access: if you use a CMS, its password-reset feature may work; otherwise you can reset the password by editing the site’s files over FTP or by running an SQL command directly against the users table in the database. If your site is on a managed hosting provider, contact their customer service to regain control.
Once you are back in the admin dashboard, change every password (dashboard, database, FTP, hosting control panel, etc.) for every user, not just your own, since the attacker may have captured any of them. Make sure each new password is at least 12 characters long and mixes uppercase and lowercase letters, numbers, and symbols ($, -, #, etc.), and never reuse a password that was in place before the hack.
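As an added example (not code from the original article), the following POSIX shell helpers cover the recovery step above: generating a password that meets the stated policy, checking an existing password against it, and emitting the SQL statement for resetting a locked-out admin's password directly in the database. The block assumes a WordPress site using the default `wp_` table prefix (adjust if yours differs); WordPress accepts a plain MD5 hash in `user_pass` as a legacy format and re-hashes it with its stronger scheme on the next successful login.

```shell
#!/bin/sh
# Added example, not from the original article: password hygiene helpers for
# the recovery step. Assumes a POSIX shell with /dev/urandom, and a WordPress
# site using the default "wp_" table prefix (an assumption; adjust if yours
# differs). WordPress accepts a plain MD5 hash in user_pass as a legacy format
# and upgrades it to its stronger hash on the next successful login.

# Policy from the article: at least 12 characters, with upper- and lower-case
# letters, digits and at least one symbol. Returns 0 when the password passes.
password_ok() {
    p=$1
    [ "${#p}" -ge 12 ] || return 1
    printf '%s' "$p" | grep -q '[A-Z]' || return 1
    printf '%s' "$p" | grep -q '[a-z]' || return 1
    printf '%s' "$p" | grep -q '[0-9]' || return 1
    printf '%s' "$p" | grep -q '[^A-Za-z0-9]' || return 1
}

# Random password of the given length (default 20) drawn from /dev/urandom.
# The symbol set deliberately excludes quotes and backslashes so the result
# can be pasted into SQL or a config file without escaping. Regenerates until
# the policy is met, since a short draw can miss one character class.
gen_password() {
    len=${1:-20}
    while :; do
        p=$(LC_ALL=C tr -dc 'A-Za-z0-9!#$%&*+,-.:;=?@^_' </dev/urandom | head -c "$len")
        if password_ok "$p"; then printf '%s\n' "$p"; return 0; fi
    done
}

# Emit the SQL that resets one user's password when the dashboard is locked.
# Run it through phpMyAdmin or the mysql client, then log in and change the
# password again from the dashboard so it is stored with the modern hash.
reset_sql() {
    user=$1; pass=$2; prefix=${3:-wp_}
    case "$user$pass" in
        *\'*|*\\*) echo "refusing quote or backslash in user/password" >&2; return 1 ;;
    esac
    printf "UPDATE %susers SET user_pass = MD5('%s') WHERE user_login = '%s';\n" \
        "$prefix" "$pass" "$user"
}

# Usage: new=$(gen_password 20); reset_sql admin "$new"
```

The MD5 route is only a bootstrap to get back into the dashboard; change the password again from inside WordPress immediately afterwards so it is stored with the current hashing scheme, and apply the same reset to every administrator account, not just your own.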
2. Damage Control
Now act on your initial guess: for the moment, disable the suspect plugin, remove the suspicious file or user entry, and so on. Then put the website into maintenance mode for users. If you suspect that malware or phishing pages have been embedded in the site (Google’s warning messages will often say so), take it completely offline to protect your customers.
Also, communicate the issue to your customers, for example via social media, as hiding a hacked website can make things worse. If the later investigation finds that customer data was breached, notify the affected customers and have them reset their passwords. Set up a separate channel for customers to report problems and ask questions.
3. Find the Hack
Now that the website is secured for the short term, it is time to investigate the cause of the hack. Some of the possibilities to check are:
- The hack started with a social engineering attack such as phishing. Ask whether the web admin received any unsolicited emails or entered credentials on an unfamiliar login page.
- A configuration error on the part of the web admin, such as a plaintext password file left on the server, improper file permissions, or a weak password.
- Malware hiding in existing files, or new suspicious files that recently appeared on the site. Be careful before removing anything, as some files are generated by the system or the CMS.
- Recent file modifications, compared against the last time you or your team deliberately changed the site.
- A vulnerability in the CMS you are using. Bugs in the core are comparatively rare, so the culprit is more likely a theme or plugin, especially a recently added one. Search the web for known vulnerabilities in them, or use an automated scanner that checks your installed WordPress themes and plugins against known-vulnerability databases. If you installed nulled (pirated) themes or plugins to cut costs, they are the most likely cause: they frequently ship with backdoors built in.
There are many more possibilities. To narrow down the exact cause you can also use Google Search Console or a free automated scanner such as the one provided by Astra.
4. Fix the Hacked Website
Before the cleanup, take a full backup of the hacked site (files and database). It preserves evidence for the investigation and lets you roll back if the cleanup breaks something. Then:
- Replace infected core files with the originals from your CMS’s official website, matching the exact version your site runs. Check that the site still works after each replacement.
- Remove any nulled themes and plugins you were using.
- Clean up the database by searching the tables for spam keywords and injected script or iframe tags, using a tool like phpMyAdmin.
- Delete any suspicious users that you did not create.
- Delete the malicious code from the files by opening them in a text editor. If you are unsure what a piece of code does, comment it out and get help from security experts.
Despite all cleanup attempts, malware sometimes stays hidden and the infection recurs. Malware commonly relies on functions such as base64_decode(), str_rot13() and gzinflate() to unpack itself before handing the result to eval(), so disabling the functions your site does not need (via the disable_functions directive in php.ini; note that eval is a language construct, not a function, and cannot be disabled that way) may help. Some legitimate plugins use the same functions, so make sure the site still works after disabling them. Malware removal is not a job for the average user, so if the infection recurs, contact experts.
5. Be Prepared for the Future
Finally, once the cleanup is done, request removal of your website from the blacklists of the various search engines and browser safe-browsing services. Also take steps to harden the site so that the next attack fails, such as:
- Keeping the website, server software, plugins and themes up to date.
- Ensuring that proper permissions are set on all files and folders (nothing world-writable, and the configuration file holding database credentials readable only by the site user).
- Always keeping a backup of your website in a location other than the server itself.
- Reducing admin accounts to the minimum needed and ensuring that each of them uses a strong, randomly generated password.
- Commissioning a full security audit of the website and fixing the loopholes it finds, such as unnecessary open ports and server misconfigurations.
- Using a web application firewall or a similar security solution to block attacks before they reach the site.
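Two of the hardening items above, file permissions and an off-server backup, can be checked and enforced with a short script. The following is an added example, not code from the original article: it lists world-writable and setuid files under a web root, applies the common 755/644 scheme with wp-config.php at 600, and produces a checksummed archive ready to copy elsewhere. It assumes a Linux host with coreutils and tar and files owned by the site user; hosts that run PHP under a different account than the file owner may need different settings. The sample site it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit and fix file permissions
# under a web root, then produce a checksummed backup archive ready to copy off
# the server. Assumes a Linux host with coreutils and tar, files owned by the
# site user, and the common 755/644 scheme (with wp-config.php at 600); hosts
# that run PHP as a separate user may need different settings. The sample
# site built by make_sample_site is constructed for illustration.

# Anything writable by "other" is a gift to a neighbouring compromised account
# or a misbehaving process; setuid/setgid binaries have no business in a web root.
world_writable() { find "$1" \( -type f -o -type d \) -perm -002 | sort; }
setuid_files()   { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi   # holds DB credentials
}

# Tar the web root into $dest with a SHA-256 sidecar, so the copy you later
# push off the server (scp, rclone, object storage) can be verified with
# `sha256sum -c`. Prints the archive path.
backup_site() {
    root=$1; dest=$2
    name="site-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$dest/$name" -C "$(dirname "$root")" "$(basename "$root")"
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    echo "$dest/$name"
}

make_sample_site() {
    root=$(mktemp -d)/html
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\ndefine("DB_PASSWORD", "s3cret");\n' > "$root/wp-config.php"
    printf 'hello\n' > "$root/wp-content/uploads/note.txt"
    chmod 644 "$root/wp-config.php"            # credentials readable by everyone on the host
    chmod 666 "$root/wp-content/uploads/note.txt"
    chmod 777 "$root/wp-content/uploads"       # a typical "fix" that makes uploads world-writable
    echo "$root"
}

# Usage: WEBROOT=/var/www/html BACKUP_DIR=/backup ./harden.sh
WEBROOT=${WEBROOT:-$(make_sample_site)}
echo "== world-writable before =="; world_writable "$WEBROOT"
fix_perms "$WEBROOT"
echo "== world-writable after  =="; world_writable "$WEBROOT"
echo "== backup =="; backup_site "$WEBROOT" "${BACKUP_DIR:-$(mktemp -d)}"
```

Run the audit functions on a schedule and alert on any output: a directory that becomes world-writable again is often the first visible sign that a plugin or an attacker has loosened things. The archive must also leave the server; a backup that lives next to the site is lost in the same ransomware incident or disk failure that takes the site down.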
Cleaning a hacked website is an intricate and tedious process that needs the right combination of automation and manual expertise. This article covers only the basic cleanup techniques; there is a lot more beyond them. If you are a newcomer, it is not advisable to take on the malware cleanup all by yourself: the slightest wrong change, such as a stray space in a PHP file, can break your website completely. So hire a security company to do the job while you sip your coffee and relax. The experts at Astra fix hacked websites in a record turnaround time of under four hours. With plans affordable even for small websites and a year’s commitment to look after your website’s security, security problems will soon become a thing of the past for you.