The unthinkable has happened. Your web site has been hacked. What do you do? Where do you start? Do not worry. All is not lost, and you will be able to bounce back. Every day, hundreds of sites face the same predicament, and many are able to get back to their original glory. All you need to do is follow the steps below, and all will be alright in the end.
Of course, the first step is to tell the person in charge. Inform the individual or company hosting your site as soon as you find out that your page has been hacked. In most circumstances, your web host will know how to fix the problem much better than you would. Also, it is likely that the hosting company has multiple customers on the same server, so your host will want to check their other customers' sites to make sure they, too, were not hacked.
In addition, do some research of your own, and look for reputable online resources, helpful forums or online communities that could assist you. Lastly, in this specific step, seek out the assistance of security experts if necessary. Ask around to see which companies people in your industry use. Seek referrals or someone who already has an established reputation. If you are not satisfied with the response you received from your original host, then try to find one who specializes in site recovery. It is always best to seek the assistance of those trusted in the field. If you want the job done right, find the people who know exactly what they are doing.
The next step is to turn off your site. Take it offline and quarantine it until the problem is resolved. Yes, your site will not be able to serve content to your users, but keep in mind that the content is likely worthless anyway since the site has been hacked. Point your web site's DNS entries to a static page on a different server that returns a 503 HTTP response code.
It is always best to take your site offline so that you can complete administrative tasks first and without any interference. Also, people trying to access your site will not be confronted with malicious code or spam files. That keeps those users from receiving any viruses, as well. If you do not know how to take your site offline, have your third-party host do it. Let your host know you will need to toggle your site for testing purposes before taking your site offline.
Be warned that a few apparent solutions are not as helpful as they seem. Having the compromised site itself return a 4xx or 5xx HTTP status code is not enough to protect your users. A 503 status is the right signal, because it tells browsers and crawlers that your site is down only temporarily, but the response should definitely come from outside your own server/site, which has been compromised and cannot be trusted to serve anything.
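As an added example (not from the original article), the following POSIX shell script builds the static holding page and an nginx server block for a separate, clean server that answers every request with 503 and a Retry-After header, and includes a small check you can run against the headers from `curl -sI` to confirm the holding server really returns a temporary-outage signal rather than some other 4xx/5xx. The host name, paths, nginx layout and the sample responses are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: holding page + nginx config for a clean server, plus a header check.
# Everything below (paths, host name, sample responses) is constructed for illustration.

# Write 503.html and an nginx server block that returns 503 for every path.
# Retry-After tells crawlers the outage is temporary; "always" keeps the header
# on error responses. Copy holding.conf into your nginx conf.d on the clean host.
write_holding_site() {
    root="$1"; host="$2"
    mkdir -p "$root"
    cat > "$root/503.html" <<'EOF'
<!doctype html>
<title>Temporarily unavailable</title>
<p>This site is down for maintenance. Please check back later.</p>
EOF
    cat > "$root/holding.conf" <<EOF
server {
    listen 80;
    server_name $host;
    root $root;
    error_page 503 /503.html;
    location = /503.html { internal; }
    location / { return 503; }
    add_header Retry-After 3600 always;
}
EOF
}

# Read raw response headers on stdin (e.g. `curl -sI http://$host/ | check_holding_response`)
# and accept only a 503 that carries Retry-After. Any other status, including a
# plain 404 or 500, is rejected: those do not signal a temporary outage.
check_holding_response() {
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    [ "$status" = "503" ] || { echo "status is ${status:-missing}, expected 503"; return 1; }
    printf '%s\n' "$headers" | grep -iq '^Retry-After:' || { echo "no Retry-After header"; return 1; }
    echo "ok: temporary 503 with Retry-After"
}

# Constructed sample responses (not captured from any real server).
SAMPLE_GOOD='HTTP/1.1 503 Service Unavailable
Retry-After: 3600
Content-Type: text/html'
SAMPLE_BAD='HTTP/1.1 404 Not Found
Content-Type: text/html'

# Stand-alone demo: write the files to a temp dir and check both samples.
demo_dir=$(mktemp -d)
write_holding_site "$demo_dir" "www.example.com"
echo "--- generated nginx config ---"; cat "$demo_dir/holding.conf"
printf '%s\n' "$SAMPLE_GOOD" | check_holding_response
printf '%s\n' "$SAMPLE_BAD" | check_holding_response || echo "(rejected, as intended)"
rm -rf "$demo_dir"
```

After switching DNS, run the check against the public host name from a machine outside your network, and confirm separately (for instance with `dig`) that the name now resolves to the holding server's address and not to the compromised one.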
You should also thoroughly review the user accounts on your site. Many hackers will create a new account; if that is the case, note these account names and delete them, but be sure to keep the record on hand for any needed investigation.
Lastly, it cannot be said enough: change all of your passwords for sites and accounts, including logins for database access, system administration, content management accounts and logins for FTP. Be sure the new passwords are not just small variations of what you had before, so that the hacker cannot come back, try again and potentially succeed.
3. Verify Ownership of Your Site
You will also need to verify ownership of your site in Google Search Console. "But it is my site. Why do I need to verify ownership?" It is quite possible that the hacker has verified ownership in Search Console and messed with settings you have already made for your site. Only by verifying ownership and seeing what damage has been done can you determine the nature of the attack.
To verify, simply open a browser and navigate to Google Webmaster Tools.
Click “Search Console” and sign in. Click “Add a site” and type in your site’s URL. Several verification methods are available, though the recommended method tab on the verification page shows the method that Google thinks will be best for you. Bring the site back online if you selected a method that requires access to your site. Click “verify,” and if it is successful you will get a message saying you are the verified owner. You can then take your site back offline for other work.
The next step is to review who else has ownership of your site in Search Console. Navigate to the main Search Console page, which you can do by clicking on the "Search Console" logo. Find your site and click "Manage site." Click "Add or remove users" and review the list of users and owners. If you see one you do not recognize, document the email address and then delete it. Also investigate, under the settings icon in Search Console, any changes that might have been made. Note and remove any unusual changes.
The severity of the hack can vary. Check out the information in the Message Center and Security Issues in the Search Console, because this information can assist you in figuring out the extent of the attack. A hacker can attack your site in a number of ways:
The ways you handle each type of hacking can differ. To see what type your site has been hit with, check messages in the Search Console. You may have received messages from Google on phishing, spam or malware. You will also see headings of what type of hack you have experienced under “Security Issues” in the Webmaster tools.
Now it is time for a more in-depth investigation. The hacker could have done a number of things to your site, including modifying existing pages, creating new “spammy” pages, writing functions to display spam on clean pages, or leaving “backdoors” to allow that hacker to re-enter your site at a later date.
You can first determine which files have been created or modified by comparing the site to a good backup you have of it. Also, check your access, server and error logs for any suspicious activity. Keep an eye out for failed login attempts, creation of unknown user accounts, command history, and so on. You may not find anything here, however, if the hacker has already altered the records and logs for their own purposes. Check your configuration files for redirects, as well, and review folder and file permissions that are too permissive.
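As an added example (not from the original article), here is a POSIX shell triage script that covers the checks just described: it lists files that differ from a known-good backup, files modified after the backup was taken, world-writable files and directories, failed logins per client IP from an auth log, and the non-system user accounts present. The file layout, the log format (OpenSSH "Failed password" lines), the sample log lines, the sample passwd file and the documentation IP addresses are all constructed for the demo; point the functions at your own web root, backup copy and logs, and run them on the offline copy rather than the live server where you can.

```shell
#!/bin/sh
# Added example: post-compromise triage helpers. All paths and sample data below
# are constructed assumptions, not taken from any real server.

# 1. Files that are new, changed or deleted relative to the known-good backup.
changed_files() {
    diff -rq "$1" "$2" | sort
}

# 2. Files in the web root modified after a reference file (e.g. the backup's
# timestamp); catches additions even when the backup itself is old.
files_newer_than() {
    find "$1" -type f -newer "$2" | sort
}

# 3. World-writable files and directories: a common place for spam or backdoor
# files to be planted and, after a partial cleanup, re-planted.
world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# 4. Failed logins per client IP from one or more OpenSSH auth logs.
# Adjust the pattern and field extraction for other login systems.
failed_logins_by_ip() {
    grep -h 'Failed password' "$@" \
      | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)}' \
      | sort | uniq -c | sort -rn
}

# 5. Regular (non-system) accounts from a passwd file; review any you did not create.
user_accounts() {
    awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' "${1:-/etc/passwd}" | sort
}

# Build a constructed fixture: a clean backup, a tampered site copy, an auth log
# and a passwd file. Prints the fixture directory.
make_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/backup/wp-content" "$d/site/wp-content"
    echo '<?php echo "hello"; ?>' > "$d/backup/index.php"
    cp "$d/backup/index.php" "$d/site/index.php"
    echo 'body { color: black; }' > "$d/backup/wp-content/theme.css"
    cp "$d/backup/wp-content/theme.css" "$d/site/wp-content/theme.css"
    # Clean files predate the backup timestamp; the tampering happens "now".
    touch -t 202001010000 "$d/site/index.php" "$d/site/wp-content/theme.css"
    touch -t 202001020000 "$d/backup.stamp"
    echo '<?php eval($_POST["x"]); ?>' >> "$d/site/index.php"      # constructed modification
    echo 'spam' > "$d/site/wp-content/xyz.php"                       # constructed new file
    chmod 666 "$d/site/wp-content/xyz.php"                           # left world-writable
    printf '%s\n' \
      'Mar  1 10:00:01 web sshd[111]: Failed password for root from 203.0.113.5 port 2222 ssh2' \
      'Mar  1 10:00:03 web sshd[112]: Failed password for root from 203.0.113.5 port 2223 ssh2' \
      'Mar  1 10:00:05 web sshd[113]: Failed password for admin from 203.0.113.5 port 2224 ssh2' \
      'Mar  1 10:01:00 web sshd[114]: Failed password for alice from 198.51.100.7 port 4001 ssh2' \
      'Mar  1 10:02:00 web sshd[115]: Accepted password for alice from 198.51.100.7 port 4002 ssh2' \
      > "$d/auth.log"
    printf '%s\n' \
      'root:x:0:0:root:/root:/bin/sh' \
      'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
      'alice:x:1000:1000::/home/alice:/bin/sh' \
      'backupz:x:1001:1001::/tmp:/bin/sh' \
      'nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin' \
      > "$d/passwd"
    echo "$d"
}

# Stand-alone demo over the constructed fixture.
fx=$(make_demo_fixture)
echo "--- changed vs backup ---";      changed_files "$fx/backup" "$fx/site"
echo "--- modified after backup ---"; files_newer_than "$fx/site" "$fx/backup.stamp"
echo "--- world-writable ---";        world_writable "$fx/site"
echo "--- failed logins by IP ---";   failed_logins_by_ip "$fx/auth.log"
echo "--- user accounts ---";         user_accounts "$fx/passwd"
rm -rf "$fx"
```

Treat every line these functions print as a lead to inspect by hand, not as proof of compromise on its own; and remember that if the attacker edited the logs, the absence of findings in step 4 means little, which is why the file comparison in steps 1 and 2 against an offline backup carries more weight.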
You may have more than one vulnerability, and some may be easier to fix than others. Even if you find one, do not assume you are done. Keep searching, because the odds are there are several, depending on the sophistication of the hacker.
Antivirus scanners alone will not be able to locate vulnerabilities. Ideally you need a vulnerability scanner as well. Some possible vulnerabilities could be:
Just like anything else, you need to keep your site on the up-and-up, and the best way to do this is by cleaning and maintaining it. Several steps need to be taken, however, before this can occur:
You can start by restoring from your backup, but be sure that the backup was created before the site was hacked. Install any software upgrades or updates available, including updates for the operating system. Look through the software you currently have on your server and see what could be eliminated. Change the passwords one more time on all accounts related to the site.
Nobody is perfect, and it is quite possible you are without a backup. That is okay; there is still hope. Make two backups of your site now, even though it is still infected. One will serve as a "clone version" or disk image of your site, which will aid you in restoring content. The other will be a file system copy from your server. Then clean the site's content in the new file system copy, making sure this is done somewhere other than the server. Fix any weak passwords you find once more. Eliminate any widgets, plug-ins or applications the site no longer uses, and move on to the next step.
Be sure that what you are doing is a clean installation and not just an upgrade. You do not want to leave any files from the previous version in place. Transfer the good content from your backup back to the system, and, of course, change those passwords if needed.
Make sure you can answer “yes” to these questions before you give yourself a pat on the back and go get a drink to celebrate:
Make sure you have a long-term maintenance plan as mentioned above, and keep vigilant. Not paying attention is simply the wrong thing to do and will expose you to even more attacks in the future. If you answered yes to all of these questions, well, what are you waiting for? Get that site back online!
Wait, you are not done? Not quite. Your site might be back up and running, but you need a review by Google to have your site or page unflagged. You must have completed all of the steps mentioned above before requesting a review. When dealing with phishing, request the review at google.com/safebrowsing/report_error/. For spam or malware, go to the Security Issues report in Search Console. Click to request a review; you will need to provide more information to let Google know that the site was cleaned. That information is needed before Google processes your review request.
Now you must wait for your review to be processed. How long this takes depends on the type of review. Malware reviews tend to require only a few days before a response is given. Spam hacking reviews can take up to several weeks due to the complex nature of the process. Phishing reviews take about one to two days to process. If, after the review, Google finds your site to be clean, all warnings from browsers and search results will be removed. If not, you will receive a security issues report in Search Console.
If your request was approved, check your site. Does everything work as expected? Are your pages loading? If all is good, you can breathe easy. However, it is imperative you keep up and maintain your site. You do not want to fall into the same traps and be hacked again.