What to do if your website is hacked

So you think your website has been hacked and you are trying to find out what to do next. This article is for you. PLEASE NOTE THIS IS NOT LEGAL ADVICE.

Step 1 : Malware or harmful programs?

What are the warnings that you’ve seen? Did you see a Google notification saying that your site may have malware or harmful programs?
Or have you noticed unusual behaviour from your website?
Make a note and screenshot where possible of all areas where you can see the issue. If you know how, open your browser in “Incognito” or “Private” mode to see if you notice anything else. Often hackers will be aware of your IP address (your computer identity) and will hide functions when your device is trying to access the site.
Use Google’s reporting tool to see if they have specific concerns here: https://transparencyreport.google.com/safe-browsing/search
Gathering up all of the different pieces of evidence of a hack is the first step.

Step 2 : Data breech concern?

Is there a significant data breech concern? If yes, then contact your server manager for your website and ask them to deactivate the server or just your website.

With GDPR you can not be too safe here. Often it’s better to deactivate the server until you have time to fully review Step 1 and try to identify the extent of the hack.

Step 3 : Backups of your website?

Do you have any backups of your website? It is often the case that the sites that are most venerable do not have a service maintenance agreement with a digital agency or an experienced in-house team. Backups are a critical tool in getting your website back to normal is a short space of time.

If you have a backup, consider how far back are you able to go. An infected website can have experienced infection weeks or even months before the actual event. However, this needs to be balanced against any regular updates or changes to your website.

Sometimes using a more recent version of your database paired with an older version of your websites core files is the best way to go. If you have any sort of backup, set this up on a new server and lock down the firewall so only approved traffic gets in/out.

If you do not have a backup then you may want to ask your server managers to see if they can set up a clone of your site on a server that has its firewall set up to block any incoming or outgoing traffic without your specific IP address.

Step 4 : Recorded the evidence of the hack.

In step 1 you will have recorded the evidence of the hack. If any of this evidence was evident on the website itself (i.e. not a Google notification) then right-click on that specific part of the website where the malware appears and see if you can copy an unusual section of code or text.

You can then use this to run a search through the website database to look for similar infected data.

Alternatively, run a clone of the website on a secured machine and run an anti-virus scanner through it.

If you are using a content management system like WordPress the you can also install anti-malware plugins to scan for unusual files.

You can also scan your website using tools like this one: https://sitecheck.sucuri.net/

Step 5 : Identify what type of website infection you have.

What you are trying to do in this step is to identify what type of website infection you have and the extent of the damage done.

There are many different types of malware.

  • Are users being redirected to somewhere else?
  • Are you noticing blog posts, links or keywords that are not your own?
  • Are any JavaScript files infected?
  • Has your website been defaced?
  • Are the hackers trying to steal user credentials?
  • Are there any new website users?
  • Can you see, through site analytics or a similar tool, any attempted access from unusual locations?
  • Is it just your website overall seems to be very slow?
  • Does your database appear compromised?

Depending on the response to the above questions you need to make a decision on if you should rebuild your site or if you are comfortable with just repairing it.

Step 6 : Repairing your website.

If you want to continue with repairing your website then you should compare your website core files with either an old backup and/or a matching version of your content management system. Core files are rarely updated in most cases so changes here would indicate a high level of access from the hacker.

If you are comfortable doing so, you can use the command line interface to compare files quickly or alternatively another way is to review manually though the file explorer and identify any difference in file size or date modified. (This is not 100% accurate but gives a good indication)

Step 7 : PCI compliance actions.

Do you store card information from customers who make purchases on your website? If yes, you may want to contact all customers and ask them to check for any unusual activity. Typically, the hackers will try and complete card transactions within the first day. You should also contact your payment service provider.

Depending on your compliance level, you may need to consider taking PCI compliance actions.

Step 8 : Update user login.

Update all user login details. Delete any unknown or inactive users.

Step 9 : Search the PHP code.

If you know how, search the PHP code on your site for the following functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

Some of these may be legitimate usage by systems on your site so test removal one by one.

Step 10 : Unusual or encrypted code.

This is a longer process but go through every file in your file manager on your website. Look for any unusual or encrypted code. Often all code needs to be deleted at the same time to avoid reinjection.

By this stage, you should have identified all the infected code on your site and removed it.

Step 11 : Update your CMS to the latest level.

You need to update your CMS to the latest level. Look at all the plugins on your site and delete any that have not received a security update within the past 3 months or that have a low amount of active users. Run antimalware scanners and see if you can identify any remaining code issues.

You need to set up a strict Firewall and lock down access to only countries where you expect to get traffic from.

Consider using a system like Cloudflare to help prevent brute force attacks.

Step 12 : Google Search Console.

Use Google Search Console to run a venerability scan on your site and to remove any active restrictions from Google.

Step 13 : Regular backups on your website.

If you didn’t before, set up regular backups on your website. Ideally you would keep a store of these going back at least a few weeks.