Simple DIY Guide For Hack Removal From Your Website

Your website is under constant attack. Getting hacked is only a matter of time: the internet is full of hostile hackers working every second to compromise your site and leverage it for their own purposes. They design their malware so that if you don't take careful steps, you will end up making the situation worse.

Therefore it is important to know what to do if your site gets hacked. A set of calculated steps, taken carefully, can contain the damage done to your site.

We have done the dirty work for you and come up with the following checklist. Applying it can save your website from a complete debacle.

Here it is:

1. Keep Your Calm

The most important thing is to keep calm before doing anything. Your website has been hacked, but it can be recovered, and following the correct steps in a systematic manner keeps the damage to a minimum. Follow this guide and you will have your site up and running again in a couple of days.

2. Take Site Down

Defacement and the appearance of obscene content after a hack are common. This could harm your site's reputation as well as yours. Therefore, put your site into maintenance mode to prevent further damage.

In maintenance mode, your website is not available to anyone but the admin. The website is offline and the admin can perform tasks like fixing a security flaw, implementing design changes or, as in our case, recovering from a hack.

CMSs like WordPress do not offer a built-in maintenance mode, so you will have to install a third-party plugin.

For a more general approach you can configure your .htaccess file as follows (the directives below use the Apache 2.2 access-control syntax; on Apache 2.4 they need mod_access_compat, otherwise use `Require all denied` together with `Require ip` for the admin address):

  1. Access your website through FTP, cPanel or SSH.
  2. Find your .htaccess file. It lies in the root directory of your site.
  3. Add the following lines to it (Apache does not allow a comment on the same line as a directive, so keep comments on their own lines):

# redirect all visitors to alternate site but retain full access for you
ErrorDocument 403 http://www.alternate-site.com
Order deny,allow
Deny from all
# the admin IP
Allow from 99.88.77.66

3. Back Up Your Site

You need to take a backup of your site in its current hacked state. This will let you perform forensic analysis of the hack at a later stage. Since visiting the hacked site in a browser is not recommended (explained in the next point), we will use SSH to back up the site.

3.1 Backing Up Your Site's Files

Follow these steps to back up your site with the help of rsync over SSH.

  1. Access your server with SSH.
  2. Install rsync with `sudo apt-get install rsync`.
  3. Copy the web root with `sudo rsync -av --delete /website-root/ backup/`.
  4. Create a zip file of the copy with `zip -r backup.zip backup/`.

The above commands create a zip backup of your site. Keep the backup directory and the zip file outside the web root so they are never served to visitors, and do not modify them afterwards: this copy is your forensic evidence.

3.2 Backing Up Your Site's Database

The method to back up your MySQL database is similar to the previous one with some command changes:

  1. Log in to the server via SSH.
  2. Confirm that your database credentials still work with `mysql -u USERNAME -p`, then exit the MySQL client.
  3. From the shell (not from inside the MySQL client) run `mysqldump -u USERNAME -p --all-databases > dump.sql`; the `-p` flag prompts for the password.

4. Avoid Using the Browser to View Pages

Once you have taken your site down you need to be careful when you visit it for analysis, as you can end up spreading the malware further and making the situation worse.

Malware is often spread by exploiting vulnerabilities (including zero-days) in web browsers. Opening an infected page in your web browser may infect your system as well and end up contaminating your local network too.

Analyze the files from the terminal instead. A text editor also comes in handy for confirming that no malicious code is present in your site's source files. Only then should you use your web browser to visit your site.

5. Change Passwords

If you are still able to log in with your credentials, it means the hacker has not changed them or has no access to them. Therefore, now is the best time to change the credentials for every account associated with your site. This includes the passwords for your admin panel, MySQL database, hosting account, Linux servers, root account, etc.

To change the password on your Linux server, SSH into it and run the following command:

`passwd`

It will ask for the current password and then the new password, and will change your password accordingly.

To change the password for WordPress or Joomla dashboards, follow these guides:

If you are running a custom PHP site, change the password with a MySQL query appropriate to your database schema and you are good to go.

It is also recommended to use a password manager such as LastPass, KeePass or Bitwarden, especially for CMS-based websites. These tools generate long, random, secure passwords.

6. Diagnose for Vulnerabilities

Now that you have secured your site, it's time to find out what was exploited in the first place to carry out the attack. Hackers commonly exploit the following weaknesses in a site:

  • Insecure user configurations
  • Zero-day bugs
  • Improperly sanitized user input
  • Vulnerable third-party plugins

You should start by comparing the backup created after the site was hacked with the last known-good backup and checking for any injected code in the code base. You should also check the log files for maliciously crafted SQL requests or any other suspicious activity.
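As an added example that is not part of the original guide: a small Python script that performs both checks from this step on constructed sample data, diffing a last-known-good backup against the post-hack backup by file hash and filtering access-log lines for crafted SQL. The directory layout, file contents and log lines are constructed; the pattern list is a starting point for triage, not a complete signature set.

```python
import hashlib
import os
import re
import tempfile

def hash_tree(root):  # map every file under root (relative, '/'-separated) to its SHA-256
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_trees(good_root, hacked_root):
    """Paths added, modified or removed in the hacked copy relative to the last good backup."""
    good, hacked = hash_tree(good_root), hash_tree(hacked_root)
    return {"added": sorted(hacked.keys() - good.keys()),
            "removed": sorted(good.keys() - hacked.keys()),
            "modified": sorted(p for p in good.keys() & hacked.keys() if good[p] != hacked[p])}

SQLI = re.compile(  # crafted-SQL fragments as they appear in request lines, raw or URL-encoded
    r"union(?:%20|\+|\s)+(?:all(?:%20|\+|\s)+)?select|information_schema|sleep\(|benchmark\("
    r"|(?:%27|')(?:%20|\+|\s)*(?:or|and)(?:%20|\+|\s)+", re.IGNORECASE)

def suspicious_log_lines(lines):
    """Keep only access-log lines whose request matches a SQL injection pattern."""
    return [line for line in lines if SQLI.search(line)]

LOG = [  # constructed access-log lines; the last two carry injected SQL
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?p=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?p=3%20UNION%20SELECT%201,2 HTTP/1.1" 200 9001',
    '10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /login.php?u=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 700',
]

def demo():  # build constructed good/hacked backup trees, then run both checks
    with tempfile.TemporaryDirectory() as tmp:
        good, hacked = os.path.join(tmp, "good"), os.path.join(tmp, "hacked")
        for root in (good, hacked):
            os.makedirs(os.path.join(root, "wp-content", "uploads"))
            with open(os.path.join(root, "index.php"), "w") as fh:
                fh.write("<?php echo 'home'; ?>\n")
        # The hacked copy has one file altered and one file that should not exist.
        with open(os.path.join(hacked, "index.php"), "a") as fh:
            fh.write("<?php /* constructed: line injected after the hack */ ?>\n")
        with open(os.path.join(hacked, "wp-content", "uploads", "x.php"), "w") as fh:
            fh.write("<?php /* constructed: file only in the hacked copy */ ?>\n")
        report = diff_trees(good, hacked)
    return report, suspicious_log_lines(LOG)
```

On a real site, point `diff_trees` at the extracted known-good backup and the `backup/` copy made in step 3.1, and feed `suspicious_log_lines` the web server's access log line by line.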

Vulnerabilities in third-party plugins are most often exploited to gain unauthorized access to websites built on a CMS such as WordPress, Joomla or OpenCart. You can refer to these hack removal guides for the top CMSs:

These guides will be of great help in cleaning the hack manually.

Otherwise, you can always opt for a professional malware cleanup. For this, you can go for Priority Malware Cleanup by the security experts at Astra Security, who have a reputation for record turnaround time in the industry (usually between 6 and 8 hours).

Additionally, a dedicated security solution such as Astra can also help you keep a check on incoming traffic and other cyber attacks (including XSS, CSRF, LFI, RFI, spam injection, the OWASP Top 10 and more).

Conclusion

Getting your site hacked can dent both your reputation and your website's. Therefore it is important to approach the hack removal process systematically to minimize the damage caused by hackers.

Further, being proactive is always better than being reactive. Invest in a trusted security solution like Astra to avoid getting hacked in the first place.
