A hacked website is not notable news; it has become an almost common thing. So, what to do if you have a hacked website? How can you work on recovering things and bouncing back? Well, it is not that difficult. Here is a look at some easy steps that will help in the recovery process:
Step 1 – Inform your hosting company; do some research of your own.
The first thing that you need to do is contact your hosting company or the person who is hosting your website. The host should be able to fix it for you and they could also check if there are other hacked websites on the server. Doing some research of your own is also good. You could look for tips on online forums, communities, etc and you could contact experts/specialists who could be of help.
Step 2 – Turn off and quarantine your website
Turn off the hacked website. Until the website is healthy again, quarantine it. You could also point your website’s DNS entries to a static page on a different server that utilizes a 503 HTTP responsive code. Taking your hacked website offline will benefit you, as well as the visitors. You can complete all administrative tasks without any hindrance and the users of your website would continue to remain uninfected. It also helps control the spread of the malware.
Also remember to review user accounts on your website since hackers could create new accounts, which need to be deleted. It is also better to change all passwords for all your websites and accounts, including the login credentials for database access, FTP, system administration, etc.
Step 3 – Re-confirm ownership of your hacked website.
Yes, it’s your website. Still, you must verify the ownership of the site in the user search console. Hackers sometimes mess with the settings and hence verifying ownership helps you determine the extent of damage done and understand the nature of the attack.
Verify your website ownership by opening the browser, navigating to Google Webmaster, clicking “Search Console”, signing in, clicking “Add a site” and typing in your site’s URL. Though there are several verification methods, use the one that is recommended on the verification page. Bring your site online, verify it, and take it offline again. Now verify ownership on search console by navigating to the main Search Console page, finding your website, clicking on “Manage Site”, clicking “Add or remove users”, and reviewing the list of users and owners listed. If there is any user you do not recognize, delete it after documenting the email address. Also check the search console for any changes that might have been made under the settings icon. Make note of and remove any unusual changes found.
Step 4 – Figure out the severity of the attack.
Check the information in the Message Center and Security Issues in the Search Console to figure out the severity of the attack. Figure out if the attacker has distributed malware or disbursed spammy content. Additionally, check if the hacker is doing any phishing from your website. Check for messages from Google and see the headings of hack types under “Security Issues” in the Webmaster tools.
Step 5 – Assess file system damage.
A hacked website will often result in massive file damage. When assessing this, compare a good backup to the current files. Check access logs, server logs, and error logs. Additionally, look out for failed login attempts, creation of unknown user accounts, etc. Check configuration files for redirects and check file permissions too.
Step 6 – Identify the vulnerability
Try to find out the vulnerability or vulnerabilities that could have led to the attack. Remember, there could be more than one issue, so do not limit yourself to detecting just one vulnerability. Use a vulnerability scanner.
Step 7 – Clean and maintain your website.
This is important. Before you begin the cleaning, locate support sources to check if confidential information has been lost. Remove all new URLs created by the attacker. But do not remove any quality pages due to damage. Remove those that needn’t appear ever in search results. Submit pages to Google’s index using Google’s Fetch in Search Console.
Step 8 – Clean the server.
Restore from a backup that was created before the hack happened, install software updates/upgrades, eliminate software that’s not needed, change passwords again to all accounts related to the hacked website.
In case you do not have a backup, make two fresh backups, even if your website is still infected. Now clean the website’s content on the new backup file system, ensuring this is not on the server. Correct vulnerabilities you find on passwords, eliminate widgets, applications, and plug-ins that the website does not use anymore.
Go for a clean installation, transfer the good content from your backup to the system, and change passwords again if needed.
Step 9 – Check it again!
It is always good to do a re-check. Check if you have removed all unnecessary applications/plug-ins/widgets and ensure that are using the latest and securest software. Check if you have removed all the content the hacker had added. Also check if you have restored your content safely. Make sure you have done away with the vulnerability that caused the attack and also ensure that you have a good website security plan in place.
Step 10 – Request Google for a review.
Request for a Google review, to have your website/web page unflagged. You can request review pertaining to phishing at google.com/safebrowsing/report_error/. If it is related to spam or malware, you must go to the Security Issues report given to you in the Search Console and click to request a review.
Depending on the type of reviews, it could take a few days or sometimes a few weeks for the response to come. Google will remove all warnings from browsers and search results if things are all fine. If not, you will receive a report in your Search Console.
Lastly, check your website to see if everything is working fine. Now relax, but remember, security should always be top on your list of priorities. A hacked website can happen to anyone and can often just be the tip of the iceberg.