By Julia Sowells, Senior Information Security Specialist at Hacker Combat
A website getting hacked is hardly news today; it has become almost commonplace. So what should you do if your website is hacked? How do you recover and bounce back? It's not that difficult. Here are some straightforward steps that can help with the recovery process:
Step 1 – Inform your hosting company and do some research of your own
The first thing you need to do is inform your hosting company or whoever hosts your website. The host may be able to fix it for you, and can also check whether other websites on the same server have been affected. Doing some research of your own also helps: look for tips on online forums and communities, and contact experts or specialists who could be of help.
Step 2 – Turn off and quarantine your website
Turn off the website and quarantine it until the issue is resolved. You could also point your website's DNS entries to a static page on a different server that returns a 503 HTTP response code. Taking your website offline helps both you and your visitors: you can complete all administrative tasks without hindrance, and the users of your website remain uninfected. It also helps contain the spread of the malware.
Also remember to review the user accounts on your website, since hackers could have created new accounts that need to be deleted. It's also better to change all passwords for all your websites and accounts, including the login credentials for database access, FTP, system administration, etc.
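As an added example (not part of the original article), the following Python stand-in does what this step describes: a small responder on a spare host that answers every request with a 503 and a static maintenance page, so the site's DNS can be pointed at it while the real server is offline. In production the same effect usually comes from a web server rule (nginx's `return 503;` together with an `error_page`, for example); the script is handy when the spare host has nothing else installed. The host, port, page text and Retry-After value are assumptions.

```python
"""Stand-in maintenance responder for Step 2: every request gets HTTP 503
plus a static page. Added example, not code from the original article; it
assumes you can run a small Python process on a spare host and point the
site's DNS at it while the real server is offline for cleanup.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

RETRY_AFTER_SECONDS = 3600  # assumed: how long clients/crawlers should wait before retrying

MAINTENANCE_HTML = b"""<!doctype html>
<html><head><meta charset="utf-8"><title>Temporarily unavailable</title></head>
<body><h1>Site under maintenance</h1>
<p>We are working on the site and will be back shortly.</p></body></html>
"""


def build_maintenance_response() -> tuple:
    """(status, headers, body) for the maintenance page.

    Kept free of socket code so the response policy can be unit-tested.
    """
    headers = [
        # 503 + Retry-After signals a temporary outage, so search engines keep
        # the site indexed instead of treating pages as gone (as 404/410 would).
        ("Retry-After", str(RETRY_AFTER_SECONDS)),
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(MAINTENANCE_HTML))),
        ("Cache-Control", "no-store"),  # never let a cache serve a stale copy of the real site
    ]
    return 503, headers, MAINTENANCE_HTML


class MaintenanceHandler(BaseHTTPRequestHandler):
    """Answer any path and any method with the same 503 page."""

    def _respond(self, with_body: bool) -> None:
        status, headers, body = build_maintenance_response()
        self.send_response(status, "Service Unavailable")
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        if with_body:
            self.wfile.write(body)

    def do_GET(self):
        self._respond(True)

    def do_HEAD(self):
        self._respond(False)

    do_POST = do_GET

    def log_message(self, fmt, *args):
        pass  # stay quiet; investigation logging belongs on the cleanup host


def start_maintenance_server(host="127.0.0.1", port=0) -> HTTPServer:
    """Serve in a daemon thread; port=0 lets the OS pick a free port."""
    server = HTTPServer((host, port), MaintenanceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server: HTTPServer, path="/") -> tuple:
    """Fetch a path from the running responder; returns (status, Retry-After)."""
    host, port = server.server_address[:2]
    try:
        with urllib.request.urlopen("http://%s:%d%s" % (host, port, path), timeout=5) as r:
            return r.status, r.headers.get("Retry-After")
    except urllib.error.HTTPError as err:  # urllib raises on 5xx; that is the expected path
        return err.code, err.headers.get("Retry-After")


if __name__ == "__main__":
    srv = start_maintenance_server(port=8080)  # assumed port; use 80/443 behind TLS in practice
    print("503 responder on http://%s:%d/" % srv.server_address[:2])
    print("self-check:", probe(srv, "/any/path"))
    threading.Event().wait()  # keep the daemon thread alive until Ctrl-C
```

Run it and `probe(srv, "/any/path")` returns `(503, "3600")` for every path; the `Retry-After` and `Cache-Control: no-store` headers are the part that matters for crawlers and intermediate caches during the outage.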
Step 3 – Re-confirm ownership of your website
Yes, it's your website. Still, you must verify ownership of the site in Search Console. Hackers sometimes tamper with the settings, so verifying ownership helps you determine the extent of the damage and understand the nature of the attack.
Verify your website ownership by opening the browser, navigating to Google Webmaster, clicking "Search Console", signing in, clicking "Add a site" and typing in your site's URL. Though there are several verification methods, use the one shown on the recommended method tab of the verification page. Bring the site online, verify, and take it offline again. Now verify ownership in Search Console by navigating to the main Search Console page, finding your website, clicking "Manage Site", clicking "Add or remove users" and reviewing the list of users and owners. If there is any user you do not recognize, document the email address and then delete it. Also check Search Console for any changes that might have been made under the settings icon. Note down and remove any unusual changes you find.
Step 4 – Figure out the severity of the attack
Check the information in the Message Center and the Security Issues report in Search Console to gauge the severity of the attack. You can learn whether the attacker has distributed malware or planted spammy content, and whether the hacker is running phishing from your website. Check for messages from Google and look at the headings of hack types under "Security Issues" in Webmaster Tools.
Step 5 – Assess file system damage
To assess file system damage, compare a good backup to the current files. Check access logs, server logs and error logs, and look out for failed login attempts, creation of unknown user accounts, etc. Check configuration files for redirects, and check file permissions too.
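The checks in this step lend themselves to a script. The following Python example is added here and is not the article's or any project's own code: it diffs a known-good backup against the live web root (new, missing and modified files by SHA-256), lists world-writable files, greps config files for redirect rules, and scans access-log lines for repeated failed logins and account-creation requests. The directory layout, the "combined"-style log format, the `/login` and `/admin/users/new` paths, and the rule that a POST to `/login` not answered with a 302 counts as a failed login are all constructed assumptions; `build_sample()` fabricates the data so the script runs offline.

```python
"""Step 5 triage helpers: diff a known-good backup against the live web root,
flag world-writable files and redirect rules in config files, and pull failed
logins / account creations out of the access log.
Added example, not code from the original article; paths, log format and the
login/creation heuristics are constructed assumptions for a sample site.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Config-file names worth grepping for redirects (assumed common names).
CONFIG_NAMES = (".htaccess", "web.config", "nginx.conf")
REDIRECT_RE = re.compile(r"(Redirect|RewriteRule|return\s+30[1278]|http-equiv=.refresh)", re.I)
# Apache/nginx "combined" log prefix: ip ident user [ts] "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _tree(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root (dotfiles included)."""
    return {str(p.relative_to(root)): _sha256(p) for p in root.rglob("*") if p.is_file()}


def compare_trees(backup: Path, live: Path) -> dict:
    """Files that are new, missing or changed on the live site versus the backup."""
    good, now = _tree(backup), _tree(live)
    return {
        "added": sorted(set(now) - set(good)),      # dropped-in files to inspect first
        "missing": sorted(set(good) - set(now)),    # deleted or renamed content
        "modified": sorted(f for f in good.keys() & now.keys() if good[f] != now[f]),
    }


def world_writable(root: Path) -> list:
    """Regular files any local user could modify (mode has the o+w bit)."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mode & stat.S_IWOTH)


def find_redirects(root: Path) -> list:
    """(file, line number, text) for redirect-looking lines in config files."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.name in CONFIG_NAMES:
            for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
                if REDIRECT_RE.search(line):
                    hits.append((str(p.relative_to(root)), n, line.strip()))
    return sorted(hits)


def scan_access_log(lines, threshold: int = 5) -> dict:
    """IPs with >= threshold failed logins, plus every account-creation request."""
    failed, created = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash mid-investigation
        # Assumed for this sample site: a successful login redirects (302); anything else failed.
        if m["method"] == "POST" and m["path"] == "/login" and m["status"] != "302":
            failed[m["ip"]] = failed.get(m["ip"], 0) + 1
        if m["method"] == "POST" and m["path"] == "/admin/users/new":
            created.append((m["ip"], m["ts"]))
    return {"bruteforce_ips": sorted(ip for ip, n in failed.items() if n >= threshold),
            "user_creations": created}


def run_triage(backup: Path, live: Path, log_lines) -> dict:
    return {"files": compare_trees(backup, live), "world_writable": world_writable(live),
            "redirects": find_redirects(live), "log": scan_access_log(log_lines)}


def build_sample() -> tuple:
    """Constructed backup tree, tampered live tree and log lines (all synthetic)."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    backup, live = base / "backup", base / "live"
    files = {"index.php": "<?php echo 'home'; ?>\n", "inc/config.php": "<?php $db = 'site'; ?>\n",
             ".htaccess": "Options -Indexes\n", "about.html": "<h1>About</h1>\n"}
    for rel, text in files.items():
        for root in (backup, live):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
            os.chmod(root / rel, 0o644)  # explicit mode so the umask cannot skew results
    # Tampering on the live copy: edited config, injected redirect, new world-writable file, deleted page.
    (live / "inc/config.php").write_text("<?php $db = 'changed'; ?>\n")
    (live / ".htaccess").write_text("Options -Indexes\nRedirect 302 / http://example.invalid/\n")
    (live / "uploads").mkdir()
    (live / "uploads/cache.php").write_text("<?php /* unknown file */ ?>\n")
    os.chmod(live / "uploads/cache.php", 0o666)
    (live / "about.html").unlink()
    log = ['203.0.113.7 - - [01/Mar/2024:10:00:%02d +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/8.0"' % i
           for i in range(6)]
    log += ['198.51.100.2 - - [01/Mar/2024:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
            '203.0.113.7 - - [01/Mar/2024:10:02:00 +0000] "POST /admin/users/new HTTP/1.1" 302 0 "-" "curl/8.0"',
            "this line is not an access-log record"]
    return backup, live, log


if __name__ == "__main__":
    b, l, lg = build_sample()
    for key, value in run_triage(b, l, lg).items():
        print(key, value)
```

On the constructed sample, `run_triage` reports `uploads/cache.php` as added and world-writable, `about.html` as missing, `.htaccess` and `inc/config.php` as modified, the injected `Redirect 302` line, six failed logins from 203.0.113.7 followed by an account-creation request from the same address. Against a real site, point `compare_trees` at the restored backup and the live document root, and feed `scan_access_log` the lines of the web server's access log; adjust the login and user-creation paths to match the application.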
Step 6 – Identify the vulnerability
Try to find the vulnerability or vulnerabilities that could have led to the attack. Remember, there could be more than one issue, so don't stop after detecting just one vulnerability. Use a vulnerability scanner.
Step 7 – Clean and maintain your website
This is important. Before you begin cleaning, locate support sources to check whether confidential information has been lost. Remove all new URLs created by the attacker, but don't remove good pages that were merely damaged during the attack. Remove those that should never appear in search results. Submit pages to Google's index using Google's Fetch tool in Search Console.
Step 8 – Clean the server
Restore from a backup that was created before the hack happened, install software updates/upgrades, remove software that's not needed, and change the passwords again on all accounts related to the website.
If you don't have a backup, make two fresh backups, even if your website is still infected. Then clean the website's content on the new backup file system, making sure this is not done on the server. Correct any vulnerabilities you find, including weak passwords, and remove widgets, applications and plug-ins that the website no longer uses.
Do a clean installation, transfer the good content from your backup to the system, and change passwords again if needed.
Step 9 – Re-check everything you have done
It's always good to re-check; you can't risk it happening again. Check that you have removed all unnecessary applications/plug-ins/widgets and ensure that you are using the latest and most secure software. Check that you have removed all the content the hacker added, and that you have restored your content safely. Make sure you have eliminated the vulnerability that caused the attack, and ensure that you have a good website security plan in place.
Step 10 – Request a review from Google
Request a Google review to have your website/web page unflagged. For phishing, you can request a review at google.com/safebrowsing/report_error/. For spam or malware, go to the Security Issues report in Search Console and click to request a review.
Once all this is done, wait for the reviews to be processed. Depending on the type of review, it could take a few days or sometimes a few weeks for a response. If everything is fine, Google will remove all warnings from browsers and search results. If not, you will receive a report in your Search Console.
Once things are approved, check your website to see that everything is working fine. Now relax, but remember: security should always be at the top of your list of priorities.
Julia is a security geek with almost 5+ years of experience who writes on various topics pertaining to network security.