Quoting Douglas Adams, ‘Don’t Panic’. You think you’ve been hacked and you’re worried about what to do. Let me run you through what we recommend!
All’s not lost, and you will be able to bounce back. Every day, hundreds of sites face the same predicament, and many are able to get back to their original glory. All you need to do is follow the steps below, and all will be alright in the end.
INFORM YOUR HOST
Of course, the first step is to tell the person in charge. Inform us of the hack as soon as you find out that your page has been hacked (email in to firstname.lastname@example.org). In most circumstances, your web host will know how to fix the problem much better than you would. Also, it is likely that the hosting company has multiple customers on the same server, so your host will want to check their other customers’ sites to make sure they, too, were not hacked.
QUARANTINE THE SITE
The next step would be to turn off your site. Take it offline and quarantine it until the problem is resolved. While yes, your site will not be able to serve content to your users, keep in mind that the content is likely worthless anyway since the site has been hacked. Point your web site’s DNS entries to a static page on a different server that returns a 503 HTTP response code. You can also take it offline by logging into cPanel and renaming the public_html folder to something else (try public_htmlold).
It is always best to take your site offline so that you can complete administrative tasks first and without any interference. Also, people trying to access your site will not be confronted with malicious code or spam files. That keeps those users from receiving any viruses, as well. If you do not know how to take your site offline, let us know and we’ll do it. Let us know if you will need to toggle your site for testing purposes before taking your site offline.
Be warned that a few different solutions are actually not as helpful as they seem. Having your site return just a 4xx or 5xx HTTP status code will not be enough to protect your users. A 503 status is a useful signal that your site is down temporarily, but the response should definitely come from outside your own server/site, which has been compromised.
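A holding page of the kind described above, as an added example that is not part of the original article: a tiny server, meant to run on a different, clean machine, that answers every path with 503 and never reads the file system. The port, the one-hour Retry-After value and the page text are assumptions.

```python
"""Added example: quarantine holding page that answers every request with 503."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RETRY_AFTER_SECONDS = 3600  # assumption: ask browsers and crawlers to retry in an hour
BODY = b"<html><body><h1>Site temporarily offline for maintenance</h1></body></html>"


class QuarantineHandler(BaseHTTPRequestHandler):
    """Serve one fixed body with status 503 for any path; no files are read."""

    def _unavailable(self):
        self.send_response(503, "Service Unavailable")
        self.send_header("Retry-After", str(RETRY_AFTER_SECONDS))
        self.send_header("Cache-Control", "no-store")  # do not cache the outage page
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD responses carry headers only
            self.wfile.write(BODY)

    # Every common method gets the same answer, so no old URL leaks content.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _unavailable

    def log_message(self, format, *args):
        pass  # quiet for the example; a real deployment would keep request logs


def make_server(host="127.0.0.1", port=8080):
    """Build the holding-page server; port=0 picks a free port."""
    return ThreadingHTTPServer((host, port), QuarantineHandler)


if __name__ == "__main__":
    make_server("0.0.0.0", 8080).serve_forever()
```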
You should also thoroughly review your user accounts on your site. Many hackers will create a new account, and if that is the case, note these account names, delete them, but be sure to keep them on hand for any needed investigation.
Lastly, it cannot be said enough: change all of your passwords for sites and accounts, including logins for database access, system administration, content management accounts and FTP. Be sure the new passwords are not just small variations of what you had before, so the hacker cannot come back, try again and potentially succeed.
FILE SYSTEM DAMAGE ASSESSMENT
Now it is time for a more in-depth investigation. The hacker could have done a number of things to your site, including modifying existing pages, creating new “spammy” pages, writing functions to display spam on clean pages, or leaving “backdoors” to allow that hacker to re-enter your site at a later date.
You can first determine the files that have been created or modified by comparing to a good backup you have of your site. Also, check your access, server and error logs for any suspicious activity. Keep an eye out for failed login attempts, creation of unknown user accounts, command history, etc. You may not find anything here, however, if the hacker has already altered the records and logs for their own purpose. Check your configuration files for redirects, as well. Also review your folders and files for permissions that are too lenient.
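One way to do the backup comparison and permission review described above, as an added example that is not part of the original article. It assumes the known-good backup and a copy of the quarantined site are both unpacked as directories; the function name `assess` and the report keys are hypothetical.

```python
"""Added example: compare a live web root against a known-good backup."""
import hashlib
import os
import stat


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _inventory(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                files[os.path.relpath(full, root)] = _sha256(full)
    return files


def assess(backup_root, live_root):
    """Report files added, modified or missing versus the backup, plus world-writable paths."""
    good, live = _inventory(backup_root), _inventory(live_root)
    report = {
        "added": sorted(set(live) - set(good)),        # candidates for spam pages or backdoors
        "modified": sorted(p for p in live.keys() & good.keys() if live[p] != good[p]),
        "missing": sorted(set(good) - set(live)),      # deleted by the intruder or by cleanup
        "world_writable": [],                          # permissions that are too lenient
    }
    for dirpath, dirs, names in os.walk(live_root):
        for name in dirs + names:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & stat.S_IWOTH and not os.path.islink(full):
                report["world_writable"].append(os.path.relpath(full, live_root))
    report["world_writable"].sort()
    return report


if __name__ == "__main__":
    import json, sys
    print(json.dumps(assess(sys.argv[1], sys.argv[2]), indent=2))
```

Content hashes are used instead of modification times because timestamps can be reset by whoever altered the files.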
IDENTIFY YOUR VULNERABILITY
You may have more than one, and some may be easier to fix than others. Even if you find one, do not assume you are done. Keep searching because odds are there are multiple, depending on the sophistication of the hacker.
Antivirus scanners alone will not be able to locate vulnerabilities. Ideally you need a vulnerability scanner as well. Some possible vulnerabilities could be:
- Weak or reused passwords
- Virus-infected administrator’s computer
- Permissive coding practices
- Out-of-date software
CLEAN AND MAINTAIN YOUR SITE
Just like anything else, you need to keep your site on the up-and-up, and the best way to do this is by cleaning and maintaining your site. Several steps need to be taken, however, before this can occur:
Locate support sources to help you when dealing with loss of confidential information. If you have been attacked by phishers, it is highly likely that confidential information has been taken. You may want to consider all business, legal or regulatory responsibilities you have with respect to your retained information and files before you start cleaning out the site.
You will need to remove the new URLs created by the hacker, if any. However, be careful in your removal of pages. Do not remove any good pages that were simply damaged by the hacker. Only remove the ones you never want to appear in search results.
You could also look into expedited processing by Google’s Fetch as Google feature in Search Console to submit these pages to Google’s index.
ARE WE DONE YET?
Make sure you can answer “yes” to these questions before you give yourself a pat on the back and go get a drink to celebrate:
- Did I take all the proper steps if the hacker walked away with users’ personal information?
- Is my site using the most current and most secure software?
- Did I remove all unnecessary or unused applications or plug-ins?
- Did I get rid of all of the hacker’s content?
- Is my content restored safely?
- Is the root cause vulnerability that allowed this whole thing to happen resolved?
- Do I have a plan to keep my site safe?
Make sure you do have a long-term maintenance plan as mentioned above and keep vigilant. Not paying attention is just the wrong thing to do and will expose you to even more attacks in the future. If you answered yes to all of these questions, well, what are you waiting for? Get that site back online!
REQUEST A REVIEW
Wait, you are not done? Not quite. Your site might be back up and running, but you need to be reviewed by Google to have your site or page unflagged. You must have completed all of the steps mentioned above before requesting a review. When dealing with phishing, request the review at: google.com/safebrowsing/report_error/. For spam or malware, go to the Security Issues report given to you in the Search Console. Click to request a review, but you will need to provide more information to let Google know that the site was cleaned. That information will be needed before Google processes your review request.
Time to Wait
Now you must wait for your reviews to be processed. How long this takes depends on the type of review. Malware reviews tend to only require a few days before a response is given. Spam hacking reviews can take up to several weeks due to the complex nature of the process. Phishing reviews take about one to two days to process. If, after the review, Google finds your site to be clean, all warnings from browsers and search results will be removed. If it does not, you will receive a security issues report in your Search Console.
All systems are a go!
If your request was approved, check your site. Does everything work as expected? Are your pages loading? If all is good, you can breathe easy. However, it is imperative you keep up and maintain your site. You do not want to fall into the same traps and be hacked again.