My website has been hacked! How do I fix it?
No matter which platform you’re using, and what anybody may tell you, any website can be hacked! Hacking essentially means someone has gained unauthorised access to your website server. However, people often use the word to mean any situation where your website has been inappropriately interfered with.
WordPress is the world’s most popular CMS platform with approximately 28% of all websites built using it. Purely as a result of the sheer volume of WordPress websites out there, it’s the most hacked CMS. That’s one of many reasons why it’s so important to learn to keep your site secure and prevent it being hacked.
Suppose we find ourselves in a worst-case scenario and someone has gained access to your WordPress website. What now?
Do not worry! All’s not lost, it’s not the time to shut up shop and go and live in a cave. You will be able to bounce back. Every day, hundreds of sites face the same dilemma, and most are able to get back to their original glory. All you need to do is follow the below steps:
Step 1: Take a deep breath & relax
Having your WordPress website hacked isn’t the end of the world. You won’t be the first and certainly, you won’t be the last. Being stressed or angry will do you no good and it takes your concentration and efforts away from recovering your website.
Step 2: Scan your local machine
Update all antivirus and malware tools you have, then do a complete system scan to see if your machine is compromised. This will eliminate your machine as a possible cause of the hack.
Step 3: Have you actually been hacked?
Go through this quick list of questions.
- Are you able to log in to your WordPress Admin Panel (yourwebsite.com/wp-admin)?
- Is your website displaying something other than you would expect (Images, Content)
- Is your website redirecting you to any other website?
- Does your WordPress website contain any illegal material usually something will be displayed on the homepage?
- Has Google already marked your website as insecure?
Record your answers to each question and make sure that you’ve noted everything for the next step below.
Step 4: Contact your hosting company
Most hosting companies are very helpful in times like this. They have faced these issues before so should well be equipped to help you. If your website is hosted on a shared server, your hosting provider should be able to provide you with answers like how the hack was started and how it spread. Also, there’s a good chance they can tell you where the backdoor to your website is, from where the hackers found their way in.
Step 5: Change all your passwords and usernames
Log in to your hosting account. While you’re in there, change all of your backend passwords (Cpanel, Email, FTP /MySQL) and the usernames and passwords for everyone who has access to your site. Make sure to delete any you no longer need.
Step 6: Restore the website to a previous version
In an ideal world, you’ve recently backed up your site a few days before and can quickly walk through a simple restoration. An important point to remember when you restore an old backup of your site, your entire website will revert back to that version. Any content that you published, images you added to a gallery or general changes you made to the website will be lost. However, that’s a small sacrifice to pay to gain a clean website and your business back on track. After you successfully restore the old version of your website, remember that it’s still vulnerable to attack!
Step 7: Time to update everything
Make sure you are using the latest version of PHP, WordPress, and all plugins and themes are up-to- date. Plugin and theme developers release updates for two main reasons – to improve functionality and to patch security flaws. You should always keep your themes and plugins up-to-date. Even if a plugin or theme is deactivated, it’s files could still allow someone to gain access to your site. Get rid of anything you don’t use. Be sure to take the appropriate steps to upgrade your theme safely so you don’t lose your customisations.
Step 8: Back up the site
At this point, you should now have a clean website again. Although you may have lost some content depending on when you last updated, it’s a small price to pay to know you have a clean site. Plugins like Backup Buddy or Updraft Plus can be great for this and a cool feature of the pro versions is that it can schedule backups automatically or as often as you want. Make sure you have a copy of the backup stored off-line in case this happens again.
Step 9: Change your passwords again
Yes, you changed the passwords at the start. Now do it again! Just to be safe. You need to update your WordPress password, Cpanel / Email / FTP / MySQL passwords, make sure it’s completely different to your old one and has a mix of letters, numbers, and characters for example. W£B51T£_P455W0RD is much harder to guess than if you used WEBSITE_PASSWORD.
Step 10: Install security software on your site:
There are some great WordPress security tools out there like Scurri and Wordfence. These can help you massively in avoiding being hacked again.
A redirect has been placed on my website – what should I do?
If your website has been hacked there is a good chance that attackers have inserted malicious code that redirects your website to another website to grab traffic, that’s just adding insult to injury – and can really damage your website reputation.
If your site is redirecting visitors to phishing or a malware site, you will possibly get blacklisted by Google! Google isn’t going to take any chances with its reputation, if your webpage(s) smell even the slightest bit fishy, it’s going blacklist you.
In most of the cases, malicious redirects are made by hacking the .htaccess file. Also, after cleaning up the .htaccess file the malicious code is being added back to the file within 30 minutes. This is being done with “backdoor(s)” the hackers have placed on the website files.
Here is a step-by-step guide on how to discover and remove these malicious redirects:
1. Detect the symptoms:
- Your site has a malware warning screen
- Your site turns to blank page
- Your site gets redirected to some domain that is not your site
- Your site can’t be accessed from Google search
- Your site redirects you back to Google
- Your .htaccess file is infected
- Your .htaccess file keeps getting infected no matter if you edit it back. What these means is that someone hacked your site and modified your .htaccess file to redirect users coming from Google to a malware-infested site. Because of that, you end up blacklisted and losing users that can’t reach your site.
2. Detect the malware type
If you have the symptoms described above in most cases, it’s Blackmuscats or Conditional redirects malware. To confirm what malware infected your site, check the .htaccess files under the document root and perform a malware scan on the website files.
3. How to detect the malicious file?
It’s a good idea to check your website access logs. Check every folder for suspicious files and scan website files using a malware scanner.
How to fix it?
Fixing this redirection is very simple, you just need to delete these entries from your .htaccess file (you can have more than one, so check all your directories) and you are set. However, you still have to verify that you don’t have anything else hidden in there, so do a full scan of your website to make sure you are clean.
In addition to that, you still need to fix the problem that allowed you to get hacked. Most of the time it means updating your web application (WordPress, Joomla, etc), changing your passwords and cleaning your desktop.
Keeping Your Site Secure
In order to keep your site, secure you need to follow theses guidelines:
- Have your WordPress site core files been updated?
- Have your themes and plugins been updated?
- Use a Safe Secure WordPress Hosting Service, if possible choose one which can Manage your WordPress Site instead of just Hosting it.
- Remove any inactive themes or plugins you don’t plan to use on your site.
- Review your WordPress plugins and themes and check all of them are recently updated by its developers, if not you should seek alternatives and remove them from your WordPress Site.
- Never install nulled themes or plugins.
- Keep one or two admin accounts, downgrade the rest of your admin users to an author/editor.
- Remove all dev/demo setups of your WordPress installation outside your public directory.
Major hacks in 2017
2017 was a crazy year for critical infrastructure attacks, insecure databases, hacks, breaches, and leaks of unprecedented scale impacted institutions around the world—along with the billions of people who trust them with their data.
The WannaCry malware that infiltrated the UK’s National Health Service essentially locked down the entire NHS network, preventing workers from accessing their computers and delaying vital medical procedures. Fortunately, a flaw in its mechanism allowed experts to create a kill switch. One of the reasons for the hack was that NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software. You can read more here.
This one of the key examples why keeping your systems up-to-date. The more out of date they become, the more vulnerable you are to attack.
Taxi start-up Uber disclosed that it was subject to a massive data hack in 2016. Two individuals hacked the user data stored on a third-party cloud service. They managed to access the information of 50m Uber riders as well as 7m drivers across the world. The company attempted to cover it up by offering the hackers $100,000 not to release the information.
The start-up is currently being sued for negligence in a complaint representing the Uber drivers and customers in the US whose data was implicated. The company is currently doing damage control across the world as regulators launch investigations into what went wrong. You can read more here.
AS GDPR comes into effect in May 2018 if we look at Uber’s finances with a turnover of $6.5 Billion, the potential full fine could have been $ $1,300,000,000 – 20% of its annual revenue.
Security is one of the most important aspects of running a website. Not fixing a hacked website as soon as possible can cause a major disruption for you and your visitors and can put everyone who visits your site at risk. Knowing the warning signs, however, will help you catch the hack early and fix it as soon as possible.
Getting your website hacked is one of the worst things that can happen to your business in the modern online world. The age of file cabinets and paper documents is long gone, and now virtually all-important information is being shared and even stored online. However, it’s not the end of the world and can be fixed fairly easily and quickly using the steps above. WordPress is a great platform to use and it doesn’t look like it’s going away anytime soon, so you should definitely know how to protect it and what to do if the unthinkable happens.
If you need some more advice on how to protect your website from hacking, contact us today to arrange a call.
If you would like to work at CandidSky and develop your career prospects, take a look at our Careers website for available roles and find out what is like to work here.
And finally, take a look at our other blog posts to see what else we have been up to.