Having your website hacked is one of the worst feelings in the world. It can do major damage to your site’s reputation, especially if Google puts a “This site may harm your computer” warning on it. You aren’t alone as a new website gets hacked every five seconds. There goes another one. And another. But breathe easy, HostDime has you and your website’s back. Follow these steps to fix your malware infested or hacked website.
HELP! MY WEBSITE HAS BEEN HACKED!
Find Out Exactly What Happened
The more you know about the hack, the more your host and the Internet will be able to help you. How did the hackers get in? Did this hack affect numerous sites, or were you the lone target? Was it a cPanel hack, FTP password entrance, remote file inclusion, or a code injection? Check to see if any of your data is missing, or if anything’s been added to your database, like strange uploaded files you don’t recognize. Once you have thoroughly checked your site, it’s time to ask for help.
Contact your host
Tell your host your site has been attacked and is currently down before you begin diagnosing the problem. Your host will make sure their other customers on the same server will not be compromised. They may also help find out what happened to your site and how to recover it.
If you are a HostDime client, please follow these instructions from HostDime’s Abuse Response Analyst Christian P:
Please open a ticket with our Abuse & Security Team and be specific on what you noticed was hacked, such as a defaced webpage, malware warnings, redirects, and so on.
During this time, it is vital that you avoid making any changes to any files and/or folders on the account so the timestamps stay in place for the investigation to proceed without delay. Look at it as a crime scene where a burglary was made, would you clean up the place before calling the police?
Once the investigation is completed the Abuse & Security Team will contact you via ticket reply.
Search Twitter and Google for Help
If your host’s support team informs you of nothing wrong with your server, it’s time to reach out to the Internet for relevant answers. Twitter is filled with mostly friendly programmers and IT experts ready to help you out. Briefly explain your hack in 140 characters, with accompanying relevant hashtags. You may be lucky enough to find someone who went through the same issue you’re going through.
If Twitter comes up short, do a few Google searches for your hacking problem. You may stumble upon a forum discussion describing your hack or a similar one. More than 75% of forum posts on webmaster help site Badware Busters receives a reply back.
Google has also created a comprehensive section of links and videos called Webmaster Tools to help you clean up your site, prevent malware infection, and fix your hacked site. If you haven’t already, sign up for Webmaster Tools. You will need this for verification and recovery soon.
Check Your User Accounts
Scan your site’s users accounts to see if there’s been a new user created. Delete that new account to prevent future damage from the hacker. Change the passwords for all your users and accounts. ALL YOUR PASSWORDS: FTP, database access, system administrators, and content management system accounts.
Take Your Site Offline
You must take your site offline for two important reasons. One, prevent the hacker from causing further damage to your site, and two, users do not want to come to a site that gives them a scary malware alert. Stop your webserver or point your website’s DNS entries to a static page on an entirely different server that uses a 503 HTTP response code. Google promises that having your site offline briefly will not affect future ranking of your site in search results. The 503 code is a useful signal that the site will be unavailable momentarily, and the signal will work because it’s outside your compromised site.
If you are unsure on how to take your site completely offline, again, contact your host for assistance.
GOOGLE COMES TO THE RESCUE OF YOUR HACKED SITE
Verify Ownership of Your Site
The majority of users find you site through Google, so if there’s a malware label attached to your site in search, no one will be visiting you. Start the road to recovery by verifying ownership of your site. Sign into Webmaster Tools using your Google account (or create a new one). Click add a site, enter in your site’s URL, and click continue. Use Google’s Recommended tab or use an Alternative method.
Bring your site back online if the verification method needs access to your site for a certain meta tag or file. Once you have clicked Verify, you’ll see a screen mentioning you’re the verified owner. You can then take your site back offline.
Back in Webmaster Tools, click Manage Site, then Add or Remove Users. Determine whether the hacker already claimed ownership of your site. If there is an user you are unaware of, delete them immediately.
Determine How You Were Hacked
Once Verified, the geniuses at Google will post a message in your Webmaster Tools letting you know how your site was hacked. Either spam content decreased your relevance and quality in Google’s search, it was a phishing attack, or it was malware related.
Fortunately, last week Google released a series of videos to help webmasters recover their site after being hacked. If the Webmaster Tools message discusses “suspected hacking” or “phishing notification”, you were hacked with spam. Read this tutorial and watch this Google video which highlights spam techniques, how to investigate your site for spam, and how to find all the affected files.
If the Webmaster Tools message mentions “infected with malware”, then the hacker could be using your site to harm visitors with malware software designed to create havoc and steal information from your computer. Read this Google tutorial and watch the accompanying video, which discusses how to investigate the malware and finding out which files were affected.
Clean Your Server
Start by removing anything that was added by the hacker, then restore your latest backup. Install all software and program updates. Eliminate third party widgets you seldom use.
Perform a clean installation on your server. Transfer good content from the backup file copy to the recently installed server. Upload only the files you know are clean.
If you have newly updated clean pages, use the Fetch as Google feature to submit pages straight to Google for crawling.
Ask Google for a Review
Have you verified ownership? Have you cleaned your site of any trace of the hacker? Have you brought your clean site back online? If you answered YES to all of these questions, it’s time for a Google review. Reviews are approved if Google determines your site shows no signs of being harmful to visitors.
If you were a victim of phishing, complete the review here.
Phishing reviews take a day or two to process, which will cause the warning to be removed from the search engine.
If you were a victim of a malware attack, go into Webmaster Tools, then Heath, then Malware. Select Request Review, which will allow Google to scan your site with anti malware software. This process also takes a day or two to complete; this will remove your malware label. If the process finds malware still, the message will show you what URL’s are still infected.
If you were hit with spam, go to this reconsideration page. Write a paragraph or two explaining your spam situation. Then click “Request reconsideration”. Spam reviews can take a few days. Once your review is approved, the label will be removed in about 24 hours.
Hopefully your site is now hack-free! Now let’s make sure this doesn’t happening again.
HOW TO PREVENT A FUTURE HACKING
Backup All Data and Files
Save and back up your data as often as your schedule allows. This is important because you may be able to restore your latest backup if your site goes down. If your site includes regularly visited forums, backing up your data should be done daily, so the latest posts won’t disappear if a hack occurs.
Stop Using Generic Usernames & Passwords
A hacker’s job will be much easier if your log-in username is something like “admin”, “adminstrator”, or “site owner”. Try to make your username as unique as your password. Your new password must be very hard to guess. If you can memorize the password, it’s probably not secure enough. Fill your passwords up with some non-alphanumeric characters.
Protect the Comment Section
Comment sections are a great relationship between owner and consumer, but it’s also an easy place for hackers to invade. Validate the form input before any comment is accepted to strip out most HTML tags. WordPress has a keyword filter you can tinker with to prevent any malicious code.
Make sure you have the most updated programs on both your hosting account and desktop. Update WordPress and Joomla to the most recent version. Flash can also cause problems on your desktop if it’s not the latest update. These programs are used by millions, so it’s no wonder many hackers try to hack it.
Always keep an eye out for the latest fixes and releases for all active scripts. Monitor the web sites of the developers whose scripts you are running. Add their sites to your RSS feed to immediately get the bug fix patches and other tweaked releases. Don’t hesitate to install these because hackers will try to exploit recently outdated scripts with confirmed security flaws.
If one person on your server gets hacked or sends out harmful spam e-mail, there’s a possibility all websites and data on the server become compromised. Consider upgrading to your own secure dedicated server to prevent this potential disaster from happening again.
Follow HostDime for News, Tutorials, Contests, and Specials
This article was written by HostDime’s Content Marketer Jared Smith, with an excerpt from HostDime’s Abuse Specialist Christian P.