Managing A Compromised Website
XMission has notified you or you have found that your website has become compromised. This can not only be frustrating but it can affect your online business as well as your host provider. Hacked or compromised websites can cause Spam or Malicious email to be sent under your business name as well as prevent your site from loading or redirect users to a non-associated website. We want to assist by providing a “how-to” if it happened to you.
Not all hacks are the same, so when looking into options, please keep in mind:
- Symptoms change from time-to-time.
- Scans may not find everything on a first pass.
- Databases may also be hacked.
- HTML Code is also vulnerable.
If you don’t feel like you can understand the symptoms, reaching out to a Web-Security team can provide better help.
To help you understand here are some common compromise symptoms:
- XMission has notified or disabled your site.
- Google, Bing or other search engines have blacklisted your site.
- Your site has been flagged for distributing malware or spam.
- A consumer has notified you that their desktop virus software is flagging your site.
- Behavior that was not authorized (i.e., creation of new users, etc…)
- You can visibly see that your site has been hacked when you open it in the browser.
Below you will find a some steps that may help you start working through the compromise process. Again, not all compromises are the same so some of these suggestions may not be applicable when cleaning your site.
How to start
- Create a Backup
- * Backups are critical, and should be performed regularly to ensure the operation of your online business keeps moving forward. Before you do any work on your website, create a local backup of your site. This should apply when working on your site all together (page updates, new content or compromises). XMission does keep backups but they should not be relied on as our backups can also contain the compromise you are experiencing.
- * NOTE: You will want to ensure that you are creating backups of both your Web-Hosting Files and Database.
- Deactivate and Remove unused or unneeded Plugins and Themes
- Check your CMS Dashboard for installed Themes and Plugins.
- Remove unused and inactive plugins and themes, especially ones you do not recognize or recall installing. You should only have one theme and necessary plugins installed. Additional, dormant themes are potential attack vectors. XMission strongly recommends using as few plugins as possible to mitigate risk.
- Remove any “old” code/installations
- If you have re-developed or re-designed your website, it is common to keep the old site available for reference. However, the old code is a potential backdoor for hackers to gain access to your site. You should download then remove old code from the server if you need to archive it.
- Check users and roles
- Many Content Management Systems (CMS) allow for different user access levels. It is recommended to check all your user accounts and ensure that they have the correct role for their usage. Only administrators and developers should have full access. All other accounts should have an access level that does not permit editing of critical files.
- Re-install your CMS Core
- (PLEASE: refer to your CMS instructions to complete this process correctly)
- WordPress allows you to reinstall the WordPress Core files without affecting your website layout and content. This action will remove any compromised code in the core files, the most likely attack vector. Make sure you reinstall the same version or newer software than your website is currently using. Regularly upgrading to the newest WordPress code is highly recommended.
- For WordPress Development, DO NOT to use the reinstall options in your dashboard -- Use your SFTP or FTP application to drag and drop the new files and folders in place.
- * Replace WordPress Core
- * Replace Joomla Core
- * Replace Drupal Core
Post Compromised Suggestions
Now that you believe you’ve cleaned up your website and it is no longer compromised. You should not stop there. Preventing your site from being compromised again, is the next step you want to ensure is completed. What should you do to prevent getting hacked again?
- Change your passwords
- Do not keep your site’s passwords the same after being compromised. Changing all passwords associated with your development is a must. XMission suggests using passwords that are no less then 12 characters and they should either have multiple words strung together or mix Capitals, Numbers and Special Characters in them. Remember to change all User and Database Passwords.
- Keeping your CMS Development updated will ensure that found vulnerabilities by the programmers will have the require security patches installed. Hackers often locate files that are out-of-date and use the known vulnerability to gain access to your site. Setting Auto-Updates is strongly recommended if your CMS Supports it. XMission’s Shared Hosting Platform has a WordPress ToolKit that allows you to set Auto-Update and security Harding. It is strongly recommended to use this toolkit and secure your website. (For more information please visit our WordPress Toolkit Help page)
- Security Plugins
- There are many Security Plugins available for popular CMS installation. Most offer Free or Paid versions and it is strongly recommend to install at least one security plugin. XMission currently recommends Sucuri Web-Security or WordFence Web-Security. These tools will assist with blocking malicious log-in attempts and can notify you of changes to files and user accounts.