The Small Webmaster's Guide to a Hacked Website

As the owner of a small web site, having your site fall victim to an attack may not be the one thing that keeps you up at night. After all, you have to worry about so many other things: can potential visitors or customers find your site, is your content relevant and timely, is your site optimized, etc. And who would want to hack your site anyways right?

Featured Blog Posts

Top Jordan website back up after hacking

AMMAN — Jordan's most popular news website, Ammonnews, said it was shut down ... read more ...

Khodorkovsky's website attacked amid announcement of sentencing

... read more ...

Who is Minding Your Data in the Cloud?

In a recent post titled Data Security Considerations in the Cloud, problems related to who ... read more ...

Help! My Website's Been Hacked

Unfortunately, attackers target small sites more than they do larger ones, and for good reason:

If your site was hacked in a malicious manner, you have two options. You can sit around and think back on all the ways you should have hardened your site against attacks, or you can start cleaning up the mess and get your site back on track.

What to do

If you have realized that hindsight is 20/20 and prefer not to dwell on the mistakes that were made, you are ready to get your site cleaned up. This is not an easy task, but it is a necessary one. The following steps should be performed in the order they are written to help prevent the situation from getting any worse.

Hardening your site

The first task is to secure your site so that you are no longer vulnerable to attack. It would be a waste of time to clean up your site only to have the attacker come right back in and damage your site again.

Take your site off-line

This is essential because of two reasons. First, if the search engines crawl a site that is loaded with malware, it is going to be flagged as such causing visitors to avoid your site and causing your search engine page ranking to plummet. The second reason is that a visitor or customer may land on your site only to find that it has infected their computer with malware. In this instance, you can be sure they won’t be back. People can accept a web site being down for a while, but they won’t accept your site causing damage to their computer. Serving a 503 error page with some readable content for visitors will take care of this.

Scan the computers that are used to login to your site

The most common way attackers access your site is by stealing your site’s FTP and administrator credentials through malware on your computer. When you login, keystroke loggers can send this information from your local computer to the attacker to give them free reign of your web server. Update your virus definitions and your spyware definitions and run a full system scan with both programs. When you are done, download and run Malwarebytes AntiMalware to make sure your computer is clean.

Change your passwords, all of your passwords

Start with your email accounts and then change your FTP, administrator, database, and any other passwords you have. Anyone else who has access to your website through FTP or admininstrative Make sure to use strong passwords so that the attacker has a hard time using a brute force tool against your site to regain access.

Assess the situation

What type of attack took place? Were pages defaced? Is your site hosting malware? Is your site hosting illicit links? Has data been stolen? These are the things you need to think about. Odds are, if any pages were defaced then your site probably isn’t being used to house malware or suffering from a link injection because the defaced pages scream out, “Hey admin! I’ve been attacked!” The other types of malicious hacks work better when the admin isn’t aware that their site has been attacked. Of course don’t rule out the possibility of other problems if your site was defaced.

Update your third-party software

If you are using WordPress, Joomla!, Drupal, Moodle, or any other software you are using. Most of these third-party applications are free/open source so attackers have access to their code where they can find the vulnerabilities that exist. When these vulnerabilities are exposed, the developers update the software to plug up the security holes. In addition to your software, make sure that any plug-ins, components, modules, or other add-ons are updated as well.

Contact your hosting provider

While there is often not much they can do to help you, you can see if they will scan the server for rootkits and backdoor programs.

Repairing the damage

Now that you have blocked the attacker from getting back into your site, it’s time to start cleaning up the mess he made. If you don’t want to clean up the problem files, you can opt to delete the installation and then start fresh. However, unless you have backed up all of your site’s content, you will have to rebuild this as well. Additionally, you will need to check content pages for malicious links and files as the restore will put them right back into your site.

  1. Inspect your files. Using an FTP program, inspect your files to see if anything has been added or modified. This is very time consuming because you have to go through each directory. Start by looking at the date the file was last modified. If you know, or suspect, that the date shown was not the date you modified the file, it is worth looking into. Check these files for links that you are not familiar with, JavaScript, and iFrames. Once you have inspected the files by date, start looking for files and directories that don’t belong. If you are running a third-party application, download a fresh copy and extract the contents so you can use it as a comparison.
  2. Look at the file permissions. This also helps to harden your system because the attacker may have reset the file permissions to give her access to your site at a later date. Commonly, folder permissions should not be set to anything higher than 755 and html/php files should be set no higher than 644. Permissions set to 777 should be investigated more closely.
  3. Check all outgoing links. Make sure that your site does not contain any malicious links or links to malicious sites.
  4. Bring your site back online. Don’t forget this step!
  5. Contact Google. By filling out a reconsideration request you can have Google reconsider your site and restore your page rankings if you suffered a drop due to your site being hacked. Any other sites that list malicious web sites, like malwaredominlist.com, should be contacted as well.

You can look for clues that point to who the attacker is and from where the attack was launched but keep in mind, a) they probably have used one or more jumps to hide their location and b) all the poking around you have done has modified your site to the point that any evidence most likely can’t be used. This is ok because unless your hosting provider chooses to pursue legal action, you are not to find much of a response from law enforcement by reporting it on your own as jurisdictional issues arise.

Protect your site in the future

Now that you have brought your site back online, keep it safe. Install security add-ons, make sure everything is constantly updated, make sure your computer is malware free, etc. You may want to consider enabling log archiving so you can review these from time to time. They will give you a great look into what is going on within your web site. Also, consider a host that makes use of a Web Application Firewall to help mitigate against many of the common threats that lead to a compromised web site.