Managing A Compromised Website

From XMission Wiki
Revision as of 16:47, 27 December 2018 by Danzmo (talk | contribs) (How to start)

XMission has notified you, or you have discovered on your own, that your website has been compromised. This is not only frustrating; it can also affect your online business and your hosting provider. Hacked or compromised websites can cause spam or malicious email to be sent under your business name, prevent your site from loading, or redirect visitors to an unrelated website. We want to help by providing a few “how-to” guides in case it has happened to you.

Not all hacks are the same, so when looking into your options, please keep in mind:

  • Symptoms change from time to time.
  • A scan may not find everything on its first pass.
  • Databases may also be hacked.
  • HTML code is also vulnerable.

If you do not feel you understand the symptoms, a web-security team can provide better help.

Common Symptoms

To help you understand, here are some common symptoms of a compromise:

  • XMission has notified you or disabled your site.
  • Google, Bing or other search engines have blacklisted your site.
  • Your site has been flagged for distributing malware or spam.
  • A customer has notified you that their desktop antivirus software is flagging your site.
  • Behavior that you did not authorize (e.g., creation of new users).
  • You can see that your site has been hacked when you open it in a browser.

Below you will find some steps that may help you start working through the compromise. Again, not all compromises are the same, and some of these suggestions may not help clean your site.

How to start

  1. Create a backup
    Backups are critical and should be performed regularly to keep your online business running. Before you do any work on your website, create a local backup of it. This applies to all work on your site (page updates, new content or compromise cleanup). XMission does keep backups, but they should not be relied on, because our backups can also contain the compromise you are experiencing.
  2. Deactivate and remove unused or unneeded plugins and themes
    Check your CMS dashboard for installed themes and plugins.
    If any are listed that your website is not using, remove them. You should only have one theme and the plugins required for your site to render.
  3. Remove any “old” code or installations
    If you have re-developed or re-designed your website, it is common to keep the old site available for reference. However, old code is a common way for hackers to gain access to your site. Rather than keeping old directories or files with .old extensions, remove them.
  4. Check users and roles
    Most platforms today support separate user accounts with limited roles. Check all your user accounts and ensure that each has the correct role for its use. Only administrators and developers should have full access; any other account should be limited to writing blog posts or to subscriber access.
  5. Re-install your CMS core
    (PLEASE refer to your CMS instructions to complete this process correctly)
    CMS platforms like WordPress allow you to reinstall the WordPress core files without affecting your development. This can help remove compromised code that affects the core’s integrity. Make sure you reinstall the same version of the software your website is currently using, or a newer one (installing an older version will most likely break your website).
    For WordPress, do not use the reinstall option in your dashboard. Use your SFTP application to drag and drop the new versions. You can replace the following directories safely:
    1. /wp-admin
    2. /wp-includes
    * Replace WordPress Core
    * Replace Joomla Core
    * Replace Drupal Core
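The file-system side of the five steps above can be scripted from the server's shell. The script below is an added example, not XMission's tooling and not code from WordPress or any other CMS: it archives the document root with a sha256 manifest (step 1), lists leftover old copies (step 3), and compares the live wp-admin/ and wp-includes/ trees against a clean download of the same WordPress version, reporting every modified, added or missing file (step 5). The real paths, the file-name patterns used to spot old copies, and the demo site it builds in a temporary directory are all assumptions. Steps 2 and 4 are done in the dashboard or, where WP-CLI is installed, with `wp plugin list` and `wp user list --fields=user_login,roles`.

```shell
#!/bin/sh
# Added example, not XMission's or WordPress's own tooling: shell helpers for
# the file-system side of the "How to start" steps. Real paths such as
# /var/www/example.com are assumptions; the demo at the end builds a
# constructed site in a temporary directory.
set -u

# macOS ships shasum instead of sha256sum; use whichever exists.
if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }
fi

# Step 1: archive the document root under a timestamp and write a sha256
# manifest beside it, so later cleanup can be compared file by file.
# Usage: backup_site <docroot> <backup_dir>   (prints the archive path)
backup_site() {
    docroot=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    archive="$dest/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$docroot")" "$(basename "$docroot")"
    (cd "$docroot" && find . -type f | sort | while read -r f; do sha256sum "$f"; done) \
        > "$archive.manifest"
    # The database needs its own dump on a real host, for example:
    #   mysqldump -u "$DB_USER" -p "$DB_NAME" > "$dest/db-$stamp.sql"
    echo "$archive"
}

# Step 3: list leftovers of old installations: *.old/*.bak/*.orig files and
# directories named like an old copy. The name patterns are an assumption.
# Usage: find_stale_copies <docroot>
find_stale_copies() {
    find "$1" \( -type f \( -name '*.old' -o -name '*.bak' -o -name '*.orig' \) \) \
         -o \( -type d \( -iname 'old' -o -iname 'old_*' -o -iname '*_old' \
                         -o -iname '*.old' -o -iname 'backup*' \) \) | sort
}

# Step 5: compare the live wp-admin/ and wp-includes/ trees with a clean copy
# of the same WordPress version. Prints MODIFIED/ADDED/MISSING lines and
# returns 1 if anything differs (core trees contain no spaces in file names).
# Usage: diff_core_tree <clean_root> <live_root> [subdir ...]
diff_core_tree() {
    clean=$1; live=$2; shift 2
    [ $# -gt 0 ] || set -- wp-admin wp-includes
    status=0
    for sub in "$@"; do
        for f in $(cd "$clean" && find "$sub" -type f | sort); do
            if [ ! -f "$live/$f" ]; then
                echo "MISSING  $f"; status=1
            elif [ "$(sha256sum < "$clean/$f" | cut -d' ' -f1)" != \
                   "$(sha256sum < "$live/$f" | cut -d' ' -f1)" ]; then
                echo "MODIFIED $f"; status=1
            fi
        done
        for f in $(cd "$live" && find "$sub" -type f | sort); do
            [ -f "$clean/$f" ] || { echo "ADDED    $f"; status=1; }
        done
    done
    return $status
}

# Constructed demo site: a clean reference tree and a "live" tree with one
# core file altered, one extra file under wp-includes/ and old leftovers.
demo_setup() {
    root=$(mktemp -d)
    for t in clean live; do
        mkdir -p "$root/$t/wp-admin" "$root/$t/wp-includes"
        echo '<?php // admin.php' > "$root/$t/wp-admin/admin.php"
        echo '<?php // load.php'  > "$root/$t/wp-includes/load.php"
    done
    echo '/* tampered */' >> "$root/live/wp-includes/load.php"
    echo '<?php /* not part of core */' > "$root/live/wp-includes/wp-cache-helper.php"
    mkdir -p "$root/live/old_site"
    echo 'x' > "$root/live/wp-config.php.old"
    echo "$root"
}

demo_main() {
    root=$(demo_setup)
    echo "== step 1: backup";       backup_site "$root/live" "$root/backups"
    echo "== step 3: stale copies"; find_stale_copies "$root/live"
    echo "== step 5: core diff"
    diff_core_tree "$root/clean" "$root/live" \
        || echo "core differs from a clean copy: reinstall wp-admin/ and wp-includes/"
}
demo_main
```

On a real host, pass the document root and the directory holding a freshly downloaded WordPress of the same version to diff_core_tree; whatever it reports as MODIFIED or ADDED under wp-admin/ or wp-includes/ is exactly what the re-install in step 5 replaces. Where WP-CLI is available, `wp core verify-checksums` performs the same comparison against the checksums WordPress.org publishes for that version.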

Post-Compromise Suggestions

Now that you believe you have cleaned up your website and it is no longer compromised, you should not stop there. The next step is to prevent your site from being compromised again. What should you do to avoid getting hacked again?

  1. Change your passwords
    Do not keep your site’s passwords the same after a compromise. Changing all passwords associated with your development is a must. XMission suggests passwords of no fewer than 12 characters that include capital letters, numbers and special characters. Remember to change all user and database passwords.
  2. Update!
    Keeping your CMS updated ensures that the security patches for vulnerabilities found by its developers are installed. Hackers specifically locate out-of-date files and use the known vulnerabilities to gain access to your site. Setting auto-updates is strongly recommended if your CMS supports it. XMission’s Shared Hosting Platform has a WordPress Toolkit that allows you to set auto-updates and security hardening. We recommend using this kit to secure your website. (For more information, please visit our WordPress Toolkit help page.)
  3. Security plugins
    Website security plugins are available for most CMS platforms. You can get free or paid versions, and it is strongly recommended to install one. XMission currently recommends Sucuri Web Security or Wordfence Web Security. These tools help block malicious log-in attempts and can notify you of website changes.
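Suggestion 1 above states a concrete password policy. The shell functions below are an added example, not an XMission tool: one checks a candidate password against that policy (at least 12 characters, with a capital letter, a number and a special character), the other draws random characters from /dev/urandom and retries until the result passes the same check, so every password it hands back is one the policy accepts. The character set used for generation is an assumption.

```shell
#!/bin/sh
# Added example, not XMission's own tooling: enforce the password policy from
# suggestion 1 (12+ characters, a capital letter, a number, a special character).

# Usage: password_meets_policy <password>   -> exit 0 if it passes, 1 if not
password_meets_policy() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1                      # length
    printf '%s' "$pw" | grep -q '[A-Z]'        || return 1  # capital letter
    printf '%s' "$pw" | grep -q '[0-9]'        || return 1  # number
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1  # special character
    return 0
}

# Usage: generate_password [length]   -> prints a policy-compliant password
# The character set is an assumption; random draws that happen to miss a
# required class are discarded and a new one is drawn.
generate_password() {
    len=${1:-20}
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_+=-' < /dev/urandom | head -c "$len")
        if password_meets_policy "$pw"; then
            echo "$pw"
            return 0
        fi
    done
}

# Demo with constructed inputs: one that passes, two that fail, one generated.
for candidate in 'Tr0ub4dor&3xmission' 'password1234' 'Short1!'; do
    if password_meets_policy "$candidate"; then
        echo "ok       $candidate"
    else
        echo "rejected $candidate"
    fi
done
echo "generated $(generate_password 16)"
```

Use the same policy for every account the compromise touched, including the database user, since suggestion 1 asks for all of them to be rotated. For suggestion 2 on a WordPress site with WP-CLI, `wp core update`, `wp plugin update --all` and `wp theme update --all` apply the same updates from the shell that the dashboard offers.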