Help! My site has been hacked!
It is every website owner’s nightmare. You wake up from a blissful night of sleep, pour yourself a cup of coffee, and sit down at your computer expecting to check your overnight order sales and the latest sports scores. Then you find out that your site has been hacked. Needless to say you don’t have any overnight orders and all of a sudden your favorite team is now the last thing on your mind.
How to tell if your site has actually been hacked
There are a couple of ways to figure this out:
- You open your site and see something else instead. If the hack is that obvious, your site will be defaced with other content – e.g. a message, saying for example “Your site has been hacked by [XYZ]”.
- You open your site and it redirects you to another website that has nothing to do with your business (a scam/phishing site about something different).
- You get a report from your web host. If you host your site at SiteGround, you’ll be able to see this report in your Client Area. In that report’s interface, there’ll be a tool that allows you to freely scan your website for malicious code and leftover backdoors. Even better, if you have SiteGround Site Scanner enabled, you will get an instant notification when it detects malicious content or activity on your site.
- You find out Google has dropped your website from search results. If you haven’t noticed anything obviously wrong with your site, but it has indeed been hacked, then eventually Google Safe Browsing will display a warning or the site will be removed from Google search results. That’s usually the last resort and it’s way better to detect hacks earlier, which is why we recommend always using Site Scanner or other site checker tools for early detection.
- If you have a Google Webmaster account, you get an official report from Google that your site has been hacked. In this case, you can check the Webmasters sections for more info. If you still haven’t added your website to Google Webmaster tools, it’s a good idea to do so.
Next Steps: How to repair your hacked website yourself
Ok, so you have confirmed that your site has been hacked. Pour yourself a cup of calming tea and let’s get to work.
Make a backup
The first thing you need to do is create a backup of your site. Yes, I realize your site has been compromised and we are going to try and fix that. But right now you need to preserve the evidence. So use your normal backup tool to create a backup of your site and store it somewhere safe and out of the way. Make sure you label it properly so that you don’t accidentally restore it at some point in the future.
If your site is hosted with SiteGround, you can use the website Backup tool to easily create backups and restore your site. For detailed information on how to do all that, follow the link.
Restore from the last working backup
At this point you do not know what caused your site to be compromised. You don’t know if someone brute-forced your password or used a vulnerability in one of your plugins. So go back to the last known working and malware-free backup and restore from it.
Your last working backup may not be your last backup. If you aren’t absolutely positive about when your site was hacked, go back as far as you can. Hopefully you have a minimum of 30 days backup available to you. This will give you the best chance of getting to a clean backup.
Scan your website
Your next step would be to scan your website for malware or other malicious code. There are many site scanning tools to choose from that can help you diagnose your site for malicious code, files, or other hacks. Pick one to do a quick scan of your website and to also check if your site comes up in one of the main blacklists online.
If you’re a SiteGround customer, you can go for the Site Scanner service. Follow the link to learn how Site Scanner protects websites.
Put your site into maintenance mode
Once you have your backup restored, put your site in maintenance mode. This will let you get to the admin side of your site but you won’t be endangering any of your site visitors with potential malware.
The easiest way to do this is by using the WP Maintenance Mode plugin. It allows you to activate maintenance mode from the admin interface.
First, download and install the WP Maintenance Mode plugin. Once activated, select Settings -> WP Maintenance Mode from the WordPress dashboard.
Install SiteGround Security and clean things up
Even at this stage the SiteGround Security plugin has one cool trick up its sleeve. Once you have it installed, click on its menu and go to “Post-Hack Actions”. All of these are important, but let’s take them in a little different order than they are shown.
- Log out all users
- Reinstall All Free Plugins
- Force Password Reset
That second one is the magic. If your site was compromised and the attacker uploaded their own copy of one of your plugins, this will clear that out.
Reset WordPress itself
You can log in to your WordPress admin and use example.com/wp-admin/update-core.php to re-install WordPress itself. Even if it says you are on the most recent version of WordPress, go ahead and re-install WordPress. This will overwrite any core files that may have been compromised in the attack.
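To see which files a reinstall would actually overwrite, you can compare the site's files against a clean copy first. The sketch below is an added example, not part of the original article or of any SiteGround tool; it assumes you have unpacked a clean copy of the same WordPress release (or, with `ignore=()`, the same plugin version) from its official download, and the sample trees it builds are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def compare_to_clean(live: Path, clean: Path, ignore=("wp-config.php", "wp-content/")):
    """Return (modified, unexpected, missing) relative paths, live tree vs clean copy.

    ignore holds exact paths, or prefixes ending in "/", that legitimately differ
    per site. Pass ignore=() when comparing a single plugin folder.
    """
    def skipped(rel):
        return any(rel == i or (i.endswith("/") and rel.startswith(i)) for i in ignore)
    live_m = {r: h for r, h in manifest(live).items() if not skipped(r)}
    clean_m = {r: h for r, h in manifest(clean).items() if not skipped(r)}
    modified = sorted(r for r in live_m if r in clean_m and live_m[r] != clean_m[r])
    unexpected = sorted(r for r in live_m if r not in clean_m)
    missing = sorted(r for r in clean_m if r not in live_m)
    return modified, unexpected, missing

def demo():
    """Run the comparison on two small constructed trees (not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        release = {"index.php": b"<?php // loader\n",
                   "wp-includes/version.php": b"<?php // version info\n",
                   "wp-admin/admin.php": b"<?php // admin bootstrap\n"}
        for root in (clean, live):
            for rel, data in release.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        (live / "wp-includes/version.php").write_bytes(b"<?php // altered\n")  # changed
        (live / "wp-admin/cache.php").write_bytes(b"<?php // added\n")         # extra
        (live / "wp-config.php").write_bytes(b"<?php // site settings\n")      # ignored
        (live / "wp-admin/admin.php").unlink()                                  # missing
        return compare_to_clean(live, clean)

if __name__ == "__main__":
    for label, paths in zip(("MODIFIED", "UNEXPECTED", "MISSING"), demo()):
        print(label, paths)
```

Files reported as modified or unexpected are the ones worth keeping in your evidence backup before the reinstall replaces them.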
It should be noted that even though we have now cleaned all of the code that runs your site, the attack may have altered your database. Even though we restored from an old backup, you need to check each post and comment to make sure that nothing has been inserted. This is a daunting task for some sites and the reason we hire professionals who have the proper tools to get the job done.
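Checking every post and comment by hand can be narrowed down with a first-pass triage that flags only the entries containing markup worth a closer look. This is an added example, not part of the original article; it assumes the content was exported as JSON, for instance with WP-CLI's `wp post list --fields=ID,post_content --format=json`, and the sample posts and pattern list are constructed for illustration.

```python
import json
import re

# Markup that rarely belongs in a post or comment body. A hit is a lead for
# manual review, not a verdict: legitimate embeds also use iframes.
PATTERNS = {
    "hidden element": re.compile(
        r"style\s*=\s*[\"'][^\"']*(display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "inline event handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
    "javascript: URL": re.compile(r"(href|src)\s*=\s*[\"']?\s*javascript:", re.I),
    "script tag": re.compile(r"<\s*script\b", re.I),
}

def triage(items_json, id_key="ID", text_key="post_content"):
    """Return [(id, [reasons])] for every item whose text matches a pattern."""
    hits = []
    for item in json.loads(items_json):
        text = item.get(text_key) or ""
        reasons = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
        if reasons:
            hits.append((item[id_key], reasons))
    return hits

# Constructed sample in the shape of the WP-CLI export named above.
SAMPLE_POSTS = json.dumps([
    {"ID": 1, "post_content": "<p>Welcome to our store.</p>"},
    {"ID": 2, "post_content": "<p>News</p><div style=\"display:none\">"
                              "<a href=\"https://example.invalid/a\">link</a></div>"},
    {"ID": 3, "post_content": "<p>Sale!</p>"
                              "<script src=\"https://example.invalid/s.js\"></script>"},
])

if __name__ == "__main__":
    for post_id, reasons in triage(SAMPLE_POSTS):
        print(post_id, ", ".join(reasons))
```

For comments, pass `id_key="comment_ID"` and `text_key="comment_content"` with the matching export from `wp comment list`.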
Next, go to your plugins menu and update everything that might be out of date. If you have paid plugins (and who doesn’t these days?) go pay the fee on each one of them and upgrade to the latest version or disable and delete them. Do not just disable them and do not leave unpatched plugins or themes on your site.
Review your passwords and policies
Earlier we logged out all users and forced a password reset for all users. This will help if the attacker compromised a user’s account. To make it harder next time, make sure that all of your admin and editor accounts have Two-Factor Authentication turned on. There are several good plugins out there both free and paid that will give you 2FA. If you’ve been following my instructions so far, you already have one of the best of them installed, SiteGround Security.
Go to the SG Security menu and select “Login Security”. From there, click the slider next to “Two-factor Authentication for Admin & Editors Users”. This will force all Admin and Editor accounts to turn on 2FA the next time they log in…including you. Yes, it adds one more step to logging into your site each morning and yes, some days you’ll play “Where’s my phone?!?” before you can get logged in, but the peace of mind is worth it.
Also, it’s a must to make all users use strong passwords. WordPress itself does not give you the option to enforce strong passwords but there are plugins you can get that will. I strongly encourage you to install one and make strong passwords a site policy.
A lot of attackers will install their own user accounts hoping that you won’t notice. Now is the time to notice. Review the list of users at every level and see if you see anything out of place. On most sites, you should only have one or at the most two admin accounts. Look at those to make sure you recognize all of them. The same goes for any role that has elevated permissions like editing content.
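The account review described above can be made repeatable by checking an export of the user list against the accounts you know. This is an added example, not part of the original article; it assumes a CSV export such as WP-CLI's `wp user list --fields=user_login,user_email,user_registered,roles --format=csv`, and the allowlist, review date and sample rows are hypothetical values constructed for illustration.

```python
import csv
import io
from datetime import datetime

ELEVATED = {"administrator", "editor"}  # roles that can change the site or its content

def audit_users(csv_text, known_logins, review_since):
    """Return (login, reason) findings for accounts holding an elevated role.

    known_logins: logins you recognise (hypothetical allowlist you maintain).
    review_since: "YYYY-MM-DD"; elevated accounts created on or after it are flagged.
    """
    cutoff = datetime.strptime(review_since, "%Y-%m-%d")
    findings, admin_count = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if not roles & ELEVATED:
            continue
        if "administrator" in roles:
            admin_count += 1
        login = row["user_login"]
        if login not in known_logins:
            findings.append((login, "not on the list of known accounts"))
        created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created >= cutoff:
            findings.append((login, "created on or after " + review_since))
    if admin_count > 2:
        findings.append(("*", f"{admin_count} administrator accounts, more than the usual one or two"))
    return findings

# Constructed sample rows in the column layout of the export named above.
SAMPLE = '''user_login,user_email,user_registered,roles
owner,owner@example.com,"2019-03-01 09:00:00",administrator
writer,writer@example.com,"2021-06-12 14:30:00",editor
wp_support,support@example.net,"2024-05-02 03:11:45",administrator
helper,helper@example.com,"2022-01-15 08:00:00","administrator,editor"
reader,reader@example.com,"2024-05-03 10:00:00",subscriber
'''

if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE, {"owner", "writer", "helper"}, "2024-05-01"):
        print(login, "-", reason)
```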
Rescan your site
We’ve done what we can to clean things up. Now let’s see how things look. Go back to the scanning tool you originally used and rescan your site. You will probably still be in blacklists, but the malware should be gone.
If your site scanner gives you a clean bill of health, then the first part of your journey is done.
If on the other hand, the scanner is still detecting malware then at this point you are going to have to contact a professional. You’ve done all of the things that most non-technical or semi-technical people can do. Honestly, at this point I would be contacting a professional site cleaner to deal with it. My site is too important to me to risk it.
Scan your devices
Scanning your website is important as mentioned above, but it’s equally important to scan your devices as well. Scan your PC or other devices you use to make sure that if the respective device is infected with malware, you clean that up to prevent your site from being hacked again due to this same malware.
First and foremost, take a break. You’ve probably been at this for hours now. It only takes a few minutes to read about the steps I’ve described above. In reality, it takes hours to accomplish all of them properly. You’ve probably read about 100 other pages just like this one that give you similar advice but may have other steps as well.
Stop. Breathe. Relax.
Ok, now let’s take steps to try and make sure this doesn’t happen again.
Lock things down
There are a couple of things you need to lock or disable to prevent this from happening again:
- Lock and protect your system folders to prevent unauthorized or malicious scripts from being executed in them.
- Hide your WordPress version from hackers that exploit vulnerabilities in WordPress versions.
- Disable themes and plugins edit option from the WordPress admin to prevent unauthorized access via the WordPress editor.
- Delete the default Readme.html file that is often used by hackers to compile lists of potentially vulnerable sites to be hacked or attacked.
You can do all of the above for WordPress websites with a few clicks in the SiteGround Security plugin, in the ‘Site Security’ section. If you go to the ‘Login Security’ section, it will also allow you to easily enable 2FA for admin and editor users, disable common usernames, limit login attempts, etc.
If you’re a SiteGround customer and have Site Scanner enabled for your website, you can also take advantage of its ‘Site Protect’ feature. It allows you to manage four different on/off options from its interface:
- Disable FTP file transfers to your website
- Disable SSH file transfers
- Disable file upload to your website via PHP
- Prevent the execution of malicious scripts on the server
All these give you time to review the website’s status and react accordingly, if needed.
Set up regular scanning
Another useful tip is to scan your site regularly to prevent malicious attacks at an early stage. This could save you time, money, and reputation the next time you have to deal with hackers. SiteGround customers have the option to purchase the Site Scanner service that detects and prevents upload of malware, warns you about potential threats at an early stage and in a timely manner, and gives you tools for reaction in case your site is under attack.
To get this service, go to Site Tools in your SiteGround dashboard. Click on “Security” and then on “Site Scanner”. Sign up to have your site scanned daily. Yes, it costs extra but you’ve just spent hours cleaning and repairing your site exactly because you didn’t have someone monitoring it for you.
Install a software firewall
If you want to take it a step further, there are some great “Software Firewall” plugins for WordPress that will lock things down even more. You may want to consider installing one of these and subscribing to their service.
One more step you can take to clean and further protect your site: Hire a professional
If your site is responsible for a non-trivial amount of your income stream, hire a professional security expert who knows how to clean WordPress sites.
A professional will cost you but, if you are uncertain about doing it yourself, they stand a much better chance of actually fixing the problem than you by yourself.
Getting hacked sucks. The best strategy is to build layers of security on top of your site.
Layer 1: Have sets of backups
If you don’t have backups, you can’t even begin to fix your site. Make sure you have 30 days of backups stored somewhere other than your web host’s backup system. SiteGround backs up my site every day and stores it in a place that is easy to get to and restore. That having been said, I also have a backup plugin that makes a separate backup and stores it on a server disconnected from everything else. These are my “secure” backups. Storing them on your own computer is fine. Storing them on a USB drive plugged into your computer is a good option. Storing them on something like Amazon S3 is an even better solution.
However you do it, make sure you have 2 sets of backups. Those that your hosting company makes for you daily, and those that you make yourself…daily.
Layer 2: Download SiteGround Security plugin
This does the basics for you:
- Turning off unneeded headers and features
- Making it harder to guess passwords by limiting login attempts
All of these things make for a good base layer of security. If your site is your personal blog and you won’t lose any money if it gets hacked, this is probably good enough. However, if you derive income from your site, add a few more layers.
Layer 3: Activate SiteGround Site Scanner
Scanning your site daily for bad content is an important layer. Make sure you have a trusted service like SiteGround scanning your site to make sure it is clean.
Layer 4: Maintain Good policies
Review your policies like strong passwords and make sure you have good solid security policies. Additionally, limit the number of Admin accounts to the absolute bare minimum. If you have to grant someone admin access to get something fixed, make sure you disable and delete the account as soon as you can.
Layer 5: Get a Software Firewall Plugin
Finally, if you’ve done all the rest and still want another layer, invest in a Software Firewall Plugin. There are several of them out there, do your homework and find the right one for you.
No website is secure. However, you can make it so difficult to access your site that it’s not worth the effort and the attacker moves on to the next site on their list.