Managing A Compromised Website
XMission has notified you or you have found that your website has become compromised. This can not only be frustrating but it can affect your online business as well as your host provider. Hacked or compromised websites can cause Spam or Malicious email to be sent under your business name as well as prevent your site from loading or redirect users to a non-associated website. We want to assist by providing a few “how-to” if it happened to you.
Not all hacks are the same, so when looking into options, please keep in mind:
- Symptom’s change from time-to-time.
- Scan’s may not find everything on its first pass.
- Database’s may also be hacked.
- HTML Code is also vulnerable.
If you don’t feel like you can understand the symptoms, reaching out to a Web-Security team can provide better help.
Common Symptoms
To help you understand here are some common compromise symptoms:
- XMission has notified or disabled your site.
- Google, Bing or other search engines have blacklisted your site.
- Your site has been flagged for distributing malware or spam.
- A consumer has notified you that their desktop virus software is flagging your site.
- Behavior that was not authorized (i.e., creation of new users, etc…)
- You can visibly see that your site has been hacked when you open it in the browser.
Below you will find a some steps that may help you start working through the compromise process. Again, not all compromises are the same, some of these suggestions may not assist in cleaning your site.
How to start
- Create a Backup
- * Backups are critical, and should be performed regularly to ensure the operation of your online business keeps moving forward. Before you do any work on your website, create a local backup of your site. This should apply when working on your site all together (page updates, new content or compromises). XMission does keep backup’s but they should not be relied on as our backups can also contain the compromise you are experiencing.
- * NOTE: You will want to ensure that you are creating backups of both your Web-Hosting Files and Database.
- Deactivate and Remove unused or unneeded Plugins and Themes
- Check your CMS Dashboard for installed Themes and Plugins.
- Remove unused and inactive plugins and themes, especially ones you do not recognize or recall installing. You should only have one theme and necessary plugins installed. Additional, dormant themes are potential attack vectors.
- Remove any “old” code/installations
- If you have re-developed or re-designed your website, it is common to keep the old site available for reference. However, the old code is a potential backdoor for hackers to gain access to your site. You should download then remove old code from the server if you need to archive it.
- Check users and roles
- Many Content Management Systems (CMS) allow for different user access levels. It is recommended to check all your user accounts and ensure that they have the correct role for their usage. Only administrators and developers should have full access. All other accounts should have an access level that does not permit editing of critical files.
- Re-install your CMS Core
- (PLEASE: refer to your CMS instructions to complete this process correctly)
- WordPress allows you to reinstall the WordPress Core files without affecting your website layout and content. This action will remove any compromised code affecting in the core files, the most likely attack vector. Make sure you re0install the same version or newer software than your website is currently using.
- For WordPress Development, DO NOT to use the reinstall options in your dashboard -- Use your SFTP or FTP application to drag and drop the new files and folders in place.
- * Replace WordPress Core
- * Replace Joomla Core
- * Replace Drupal Core
Post Compromised Suggestions
Now that you believe you’ve cleaned up your website and it is no longer compromised. You should not stop there. Preventing your site from being compromised again, is the next step you want to ensure is completed. What should you do to prevent getting hacked again?
- Change your passwords
- Do not keep your site’s passwords the same after being compromised. Changing all passwords associated with your development is a must. XMission suggests using passwords that are no less then 12 characters and they should have Capitals, Numbers and Special Characters in them. Remember to change all User and Database Password.
- Update!
- Keeping your CMS Development updated will ensure that found vulnerabilities by the programmers will have the require security patches installed. Hackers are specifically locate files that are out-of-date and use the known vulnerability to gain access to your site. Setting Auto-Updates is strongly recommended if your CMS Supports it. XMission’s Shared Hosting Platform has a WordPress Tool Kit that allows you to set Auto-Update and security Harding. It is recommend to complete use this kit and secure your website. (For more information please visit our WordPress Toolkit Help page)
- Security Plugins
- There are many Security Plugins available for popular CMS installation. Most offer Free or Paid versions and it is strongly recommend to install at least one security plugin. XMission currently recommends Sucuri Web-Security or WordFence Web-Security. These tools will assist with blocking malicious log-in attempts and can notify you of changes to files and user accounts.