Managing A Compromised Website

From XMission Wiki
Latest revision as of 16:45, 16 January 2019

XMission has notified you, or you have found on your own, that your website has been compromised. This is not only frustrating; it can affect your online business as well as your hosting provider. Hacked or compromised websites can send spam or malicious email under your business name, stop your site from loading, or redirect visitors to an unrelated website. We want to assist by providing a “how-to” in case it has happened to you.

Not all hacks are the same, so when looking into options, please keep in mind:

  • Symptoms change from time to time.
  • Scans may not find everything on a first pass.
  • Databases may also be hacked, not just files.
  • Static HTML pages can be modified too (for example with injected script or iframe tags), so a compromise is not limited to CMS or PHP files.

If you are not confident that you understand the symptoms, a web-security team can provide better help.

Common Symptoms

To help you understand here are some common compromise symptoms:

  • XMission has notified you or disabled your site.
  • Google, Bing or other search engines have blacklisted your site.
  • Your site has been flagged for distributing malware or spam.
  • A customer has notified you that their desktop antivirus software is flagging your site.
  • Behavior that was not authorized (for example, new user accounts you did not create).
  • You can visibly see that your site has been hacked when you open it in the browser.

Below you will find some steps that may help you start working through the compromise. Again, not all compromises are the same, so some of these suggestions may not apply when cleaning your site.

How to start

  1. Create a Backup
    * Backups are critical and should be performed regularly to keep your online business moving forward. Before you do any work on your website, create a local backup of your site. This applies to any work on your site (page updates, new content or compromise clean-up). XMission does keep backups, but they should not be relied on because our backups can also contain the compromise you are experiencing.
    * NOTE: Make sure you are backing up both your web-hosting files and your database. Label the backup taken before clean-up as the compromised copy so it is not restored by mistake later; it is a record of what you found, not something to restore from.
  2. Deactivate and Remove unused or unneeded Plugins and Themes
    Check your CMS dashboard for installed themes and plugins.
    Remove unused and inactive plugins and themes, especially ones you do not recognize or recall installing. You should have only one theme and the necessary plugins installed. Additional, dormant themes and plugins are still code sitting on the server, reachable over the web even when inactive, and are potential attack vectors. XMission strongly recommends using as few plugins as possible to reduce risk.
  3. Remove any “old” code/installations
    If you have re-developed or re-designed your website, it is common to keep the old site on the server for reference. However, that old code is no longer updated and is a common way for hackers to get into your site. If you need to archive it, download it and then remove it from the server, including old directories and files renamed with extensions such as .old.
  4. Check users and roles
    Many Content Management Systems (CMS) support different user access levels. Check all of your user accounts and make sure each has the correct role for its use; remove any account you do not recognize, since attackers often create their own. Only administrators and developers should have full access. All other accounts should have a role that does not permit editing of critical files.
  5. Re-install your CMS Core
    (PLEASE: refer to your CMS instructions to complete this process correctly)
    WordPress allows you to reinstall the WordPress core files without affecting your website layout and content. This removes any compromised code that was injected into the core files, a common place for attackers to hide it. Make sure you reinstall the same version as, or a newer version than, the one your website is currently running; installing an older version will most likely break the site. Regularly upgrading to the newest WordPress release is highly recommended.
    For WordPress, DO NOT use the reinstall option in your dashboard, because it runs on the very installation you are trying to clean. Use your SFTP application (prefer SFTP over plain FTP, which sends your password unencrypted) to put the new files and folders in place: replace the wp-admin and wp-includes directories and the loose files in the site root, but do not delete wp-content or wp-config.php, which hold your themes, plugins, uploads and database settings.
    * Replace WordPress Core: https://codex.wordpress.org/Upgrading_WordPress#Step_1:_Replace_WordPress_files
    * Replace Joomla Core: https://www.itoctopus.com/how-to-reinstall-joomla
    * Replace Drupal Core
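The steps above can be checked from the command line before anything is changed. The shell script below is an added example, not XMission's tooling and not part of the original page: it archives the document root (step 1), lists core files that differ from a pristine copy of the same WordPress version (what you are looking for in step 5), and lists old copies, backup files and PHP dropped into the uploads directory (steps 2 and 3). The paths, the pristine-copy layout and the pattern list are assumptions; the database dump is left as a comment because it needs your database credentials. If WP-CLI is available on the host, `wp core verify-checksums` performs the same core comparison against the checksums published by WordPress.org.

```shell
#!/bin/sh
# Added example: offline triage helpers for a WordPress document root.
# Not XMission tooling; paths and the pristine-copy layout are assumptions.
# Usage:  backup_files /path/to/htdocs ~/backups
#         core_diff /tmp/wordpress-5.0.3 /path/to/htdocs
#         find_leftovers /path/to/htdocs

# Step 1: archive the web files before changing anything.
# The database is dumped separately with your own credentials, e.g.:
#   mysqldump -u "$DB_USER" -p "$DB_NAME" > "$dest/db-$stamp.sql"
backup_files() {
    docroot=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    tar -czf "$dest/site-$stamp.tar.gz" \
        -C "$(dirname "$docroot")" "$(basename "$docroot")" || return 1
    echo "$dest/site-$stamp.tar.gz"
}

# Step 5 (before re-installing): list core files that differ from a pristine
# copy of the SAME WordPress version (unzip the release from wordpress.org
# into $pristine). Only wp-admin and wp-includes are compared; wp-content is
# the site's own themes, plugins and uploads and is never replaced wholesale.
core_diff() {
    pristine=$1
    live=$2
    for d in wp-admin wp-includes; do
        # pristine files that are missing from or changed in the live tree
        (cd "$pristine" && find "$d" -type f) | while read -r f; do
            if [ ! -f "$live/$f" ]; then
                echo "MISSING $f"
            elif ! cmp -s "$pristine/$f" "$live/$f"; then
                echo "MODIFIED $f"
            fi
        done
        # live files inside core directories with no pristine counterpart:
        # these are typically dropped web shells and must go
        (cd "$live" && find "$d" -type f) | while read -r f; do
            [ -f "$pristine/$f" ] || echo "EXTRA $f"
        done
    done
}

# Steps 2 and 3: leftovers worth reviewing. Old copies of the site and backup
# files are still reachable over HTTP, and PHP has no business in uploads.
find_leftovers() {
    live=$1
    (cd "$live" && find . \( -name '*.old' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.zip' -o -path './old*' -o -path './*_old*' \
        -o -path './backup*' \) -print)
    if [ -d "$live/wp-content/uploads" ]; then
        (cd "$live" && find ./wp-content/uploads -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' \) -print)
    fi
}
```

Treat every MODIFIED or EXTRA file under wp-admin or wp-includes as something to replace from the pristine release, not to repair by hand. The script only reports and never deletes, so the backup from step 1 still reflects the state you found.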

Post-Compromise Suggestions

Now that you believe you have cleaned up your website and it is no longer compromised, you should not stop there. Preventing your site from being compromised again is the next step. What should you do to avoid getting hacked again?

  1. Change your passwords
    Do not keep your site’s passwords the same after being compromised; changing all passwords associated with your site is a must. XMission suggests passwords of no fewer than 12 characters that either string several words together or mix capitals, numbers and special characters. Remember to change all user and database passwords, including the hosting/SFTP login and the database password stored in your CMS configuration file.
  2. Update!
    Keeping your CMS up to date ensures that vulnerabilities found by its developers are closed by the required security patches. Hackers specifically look for out-of-date files and use the known vulnerability to gain access to your site. Setting auto-updates is strongly recommended if your CMS supports it. XMission’s Shared Hosting Platform has a WordPress Toolkit that lets you enable auto-updates and security hardening. It is strongly recommended that you use this toolkit to secure your website. (For more information please visit our WordPress Toolkit help page.)
  3. Security Plugins
    There are many security plugins available for popular CMS installations. Most offer free or paid versions, and it is strongly recommended to install at least one. XMission currently recommends Sucuri or Wordfence. These tools help block malicious login attempts and can notify you of changes to files and user accounts.
    * Sucuri for WordPress: https://wordpress.org/plugins/sucuri-scanner/
    * Wordfence for WordPress: https://wordpress.org/plugins/wordfence/
    * Cloudflare for WordPress: https://wordpress.org/plugins/cloudflare/
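As an added example for the password step (not from the original page), the shell functions below generate passwords that meet the 12-character, mixed-class rule, write the new database password into wp-config.php after you have changed it at the database, and, as an extra step the page does not mention, rotate the WordPress authentication keys and salts so that every login cookie issued before the clean-up stops working. The wp-config.php path and the define('NAME', 'value'); layout it expects are assumptions.

```shell
#!/bin/sh
# Added example (not XMission tooling): password generation and wp-config.php
# rotation. Assumes the standard  define('NAME', 'value');  layout.

# Characters deliberately exclude quotes, backslash, $, & and / so a result is
# safe inside a PHP single-quoted string and inside the sed replacement below.
PW_CHARS='A-Za-z0-9!@#%^*_+=:,.-'

# gen_password LEN: random password (min 12) with an upper-case letter, a
# digit and a special character, retrying until all three classes appear.
gen_password() {
    len=${1:-16}
    [ "$len" -ge 12 ] || len=12
    while :; do
        p=$(LC_ALL=C tr -dc "$PW_CHARS" < /dev/urandom | head -c "$len")
        printf '%s' "$p" | LC_ALL=C grep -q '[A-Z]' || continue
        printf '%s' "$p" | LC_ALL=C grep -q '[0-9]' || continue
        printf '%s' "$p" | LC_ALL=C grep -q '[^A-Za-z0-9]' || continue
        printf '%s\n' "$p"
        return 0
    done
}

# set_wp_config_value FILE NAME VALUE: replace the value in
#   define('NAME', 'old');   (single or double quotes, any spacing)
# Fails if the define is absent so a typo in NAME cannot pass silently.
set_wp_config_value() {
    cfg=$1; name=$2; value=$3
    grep -q "define([[:space:]]*['\"]$name['\"]" "$cfg" || return 1
    sed "s|^\([[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*\)['\"][^'\"]*['\"]|\1'$value'|" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# rotate_wp_config FILE NEW_DB_PASSWORD: store the new database password and,
# as an added step not on the page, replace the authentication keys and salts
# so every cookie issued before the clean-up (the attacker's included) dies.
rotate_wp_config() {
    cfg=$1; dbpass=$2
    set_wp_config_value "$cfg" DB_PASSWORD "$dbpass" || return 1
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        set_wp_config_value "$cfg" "$k" "$(gen_password 64)" || return 1
    done
}
```

Change the password at the database first (for example through your hosting control panel), then run rotate_wp_config on a copy of wp-config.php and upload it; between the two steps the site cannot reach its database, so do them back to back. Where WP-CLI is available, `wp config set DB_PASSWORD <value>` and `wp config shuffle-salts` do the same two edits.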