Firstly don't panic, although it is a traumatic experience for any site owner when malicious code is discovered, this guide will help website owners through what steps are needed to take. Perhaps you have been alerted that your site has become compromised by Google's webmaster tools search console. This indicates that you need to start cleaning the site immediately to remove malware or have a web developer look into it. It is usually after this detection that Google will start warning visitors to your site in search engines.
- Take your site off-line - Take your site off-line temporarily, at least until you know you have fixed things as it could be infecting your visitors with viruses and this is a security issue.
- Change your passwords - the application admin password, the hosting account, and the FTP passwords.
- Damage Assessment- It is a good idea to figure out exactly what the hacker(s) were after.
- Were they looking for sensitive information?
- Did they want to gain control of your site for other purposes?
- Look for any files, which have been recently modified or created that you cannot recognize or you haven't edited yourself. Scan your website for anything that looks odd or out of place.
- Check for any suspicious activity inside your Web Hosting Control Panel, such as newly created email accounts, FTP accounts, etc.
- Determine the scope of the problem — do you have other sites that may be affected?
- Order an emergency malware cleanup to fix the problem without the infection recurring. This will enable a remote scanner to continually monitor your website for malicious activity.
- The easiest and fastest way to recover from a hack is to restore your website through a website backup. If a backup is not available then a complete re-installation of all application(s) using a fresh and updated copy acquired from the software vendor. It is the only way to be completely sure you have removed everything the hacker may have done. If you do not have a backup service set up, it is worth contacting your hosting company support team to check and see if they have backup available.
- After the fresh re-installation, use the latest backup that has been made to restore your site. Do not forget to make sure the backup is clean and free of hacked content too.
- Update any software packages to the latest versions. This includes things such as plugins or add-ons, themes or any other type of third-party software installed.
- Restoring your online presence - Get your site back online and keep an eye on things, as the hacker may try again through a backdoor.
- To request removal from the list of reported phishing sites, use this form provided by Google: http://www.google.com/safebrowsing/report_error/
If you don't have a backup tool, after resolving the issue, we recommend adding Site Backup to your account.
How was your website hacked? Here are several possible reasons:
- If you have your FTP details stored locally on your computer, someone may have stolen them using various Trojan Horses, Spyware, etc. Several times in the past attackers used stolen FTP credentials to successfully pull off large-scale attacks.
A solution, in this case, would be to run a full scan of your computer and change your FTP credentials via the Files > FTP Accounts section of your Web Hosting Control Panel. Also, be careful when you enter login information on public computers.
- Someone used your hosting Control Panel password and hacked your website(s) - this case is quite similar to the one mentioned above and the solution here is an immediate update of the account password, which could be done via the My Account > Change Login Credentials section.
- If you are using scripts, such as Joomla, WordPress, etc., for the purposes of your website, the site may have been hacked using various methods like database injection, remote file inclusion, and many others. The problem is that all these are open source applications and anybody has access to their code, which allows hackers to find security holes, especially if the applications are not updated regularly and/or different add-ons with unknown origin are installed.
This is a topic that can be widely discussed and there are many materials providing more detailed information that can be found on the web. Many WordPress websites these days are hacked due to a brute force vulnerability with the xmlrpc.php file. Website security is essential to help reduce the risk of your website becoming hacked. If your website does show signs that it has been infected, it is important to clean the site immediately, if you need any help to clean a hacked website, we have an emergency malware removal service.
Tips for preventing your website from getting hacked
- Keep your website software and plugins up to date. There are often regular updates and security patches to apply.
- Hackers look for weaknesses, passwords are the regular targets and a strong password policy should be adopted.
- Sign up for our free SiteLock monitoring, or upgrade to paid plan and monitor and protect against threats, this will help you get notified about malicious files before they are reported to Google and other anti-abuse services.
- If you have a WordPress site, consider blocking access to wp-admin as a way to further secure your site.
- Maintain a regular and automatic website backup, this can help with a speedy recovery as mentioned above in case you receive a notice that you've been hacked.
- Implement .htaccess rules to further secure your website.