Website Files Changed – Possible Hack

TL;DR

Someone’s likely hacked your website and altered files in your public_html directory. This is usually a result of a vulnerability in your website software, plugins, or weak credentials. We’ll cover how to identify the problem, clean it up, and prevent it happening again.

What’s Happened?

Random folders and files being changed in public_html strongly suggests a cyber security breach. Here are common causes:

• Malware Upload: Hackers uploaded malicious code (often PHP scripts) to your server.
• File Injection: They modified existing website files, adding their own code.
• Defacement: Changing visible content on your site.
• Backdoor Access: Installing a way to get back into your system later.

Step-by-Step Recovery

1. Take Your Site Offline: Immediately put your website into maintenance mode or take it offline completely. This stops further damage and prevents visitors from seeing altered content.
   • Most hosting control panels have a simple ‘Maintenance Mode’ switch.
2. Backup Everything (Carefully): Before making any changes, create a full backup of your public_html directory and database. This is vital for recovery if something goes wrong.
   • Use your hosting control panel’s backup tools or an FTP client to download the files.
   • Important: Don’t restore this backup unless you are *certain* it doesn’t contain malware. Treat it as potentially infected.
3. Scan for Malware: Use a reputable website security scanner.
   • Many hosting providers offer built-in scanners (e.g., SiteLock, Sucuri).
   • Alternatively, use a plugin like Wordfence (for WordPress) or an online scanner like VirusTotal.
4. Identify Modified Files: Determine which files have been changed.
   • File Integrity Monitoring: If you have file integrity monitoring enabled (e.g., through Wordfence), it will show you a list of altered files.
   • Manual Comparison: Compare your current public_html directory with a clean backup (if available). Look for recently modified dates and unfamiliar filenames.

     ls -ltra public_html

5. Clean Infected Files: This is the trickiest part.
   • Replace with Clean Backups: If you have clean backups of the modified files, restore them.
   • Manual Editing (Advanced): Carefully examine and remove malicious code from infected files. This requires coding knowledge and can be risky.

     Look for obfuscated PHP code, unusual function calls, or attempts to include external files.

   • Reinstall Core Files: For CMS systems like WordPress, reinstall the core software. This replaces potentially compromised system files.
6. Change All Passwords: Change passwords for:
   • Your hosting account
   • Database users
   • CMS administrator accounts (e.g., WordPress admin)
   • FTP/SFTP accounts
7. Update Software: Update your CMS, plugins, themes, and any other website software to the latest versions.
   • Outdated software is a major security risk.
8. Review .htaccess File: Check your .htaccess file for malicious redirects or code.

   cat public_html/.htaccess

9. Strengthen Security (Prevention): Implement these measures to prevent future attacks:
   • Strong Passwords: Use strong, unique passwords.
   • Two-Factor Authentication: Enable 2FA wherever possible.
   • Firewall: Use a web application firewall (WAF) like Cloudflare or Sucuri.
   • Regular Backups: Automate regular backups of your website and database.
   • File Permissions: Set appropriate file permissions to limit access.

     chmod 644 filename

10. Monitor Your Site: Continuously monitor your website for suspicious activity.
    • Use a security plugin or monitoring service.