Blog | G5 Cyber Security

Website Hacked: What to Do

TL;DR

Your website has been hacked. This guide covers how to quickly contain the damage, investigate what happened, clean up your site, and prevent future attacks. Prioritise speed – every minute counts.

1. Immediate Containment

  1. Take it Offline: The fastest way to stop further damage is to temporarily take your website offline, which prevents attackers from modifying more files or stealing data while you work. Prefer a maintenance mode set at the host or web server (through your hosting control panel, e.g., cPanel or Plesk) over a DNS change alone: DNS takes time to propagate and does not stop anyone who already reaches the server directly. Before you change anything, take a copy of the site files, the database and the server logs exactly as they are now; you will need them for the investigation, and cleanup destroys the evidence.
  2. Change Passwords: Immediately change all passwords associated with the website, from a machine you trust, and change them again after cleanup, since a backdoor still present on the site may capture the new credentials:
    • Hosting account
    • FTP/SFTP and SSH accounts
    • Database credentials
    • CMS (Content Management System) admin accounts – WordPress, Joomla, Drupal etc.
    • Email accounts associated with the domain
    • API keys and tokens stored in the site’s configuration, and, for WordPress, the secret keys and salts in wp-config.php so that existing login cookies stop working
  3. Contact Your Hosting Provider: They can provide valuable assistance and may have tools to help you identify and resolve the issue.

2. Investigation

  1. Check Website Files for Changes: Look for recently modified files, especially in core CMS directories, custom code folders and upload directories (a PHP file under wp-content/uploads is almost always hostile, because nothing legitimate writes code there).
    • Use your hosting control panel’s file manager to sort by modification date.
    • Look for unfamiliar files with strange names, and for code appended to otherwise legitimate files such as index.php, wp-config.php, .htaccess and the theme’s functions.php.
    • Modification times are not proof: attackers can reset them, so an untouched-looking file is not necessarily clean. Where you can, compare files against a clean copy of the same version instead.
  2. Review Server Logs: Access your server logs (usually through your hosting control panel). Look for suspicious activity, such as:
    • Failed login attempts, and high-volume POST requests to the login page or xmlrpc.php from a single IP address
    • Unusual IP addresses accessing your site
    • Requests to files that shouldn’t be accessed directly, in particular POST requests to PHP files in upload directories; a 200 response to such a request means the dropped file was executed
  3. Scan with a Security Plugin/Tool: If you use a CMS like WordPress, install a reputable security plugin (e.g., Wordfence, Sucuri Security) and run a full scan from its dashboard. If you have shell access, WP-CLI can also compare core and plugin files against the checksums published on WordPress.org and list every file that differs (plugins not distributed through WordPress.org cannot be checked this way):
    # Example using WP-CLI for WordPress: report files that differ from the official release
    wp core verify-checksums
    wp plugin verify-checksums --all
    
  4. Check Google Safe Browsing Status: Use Google’s Safe Browsing tool to see if your site has been flagged as malicious.
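
The investigation steps above, as an added shell example that is not part of the original post: it builds a small constructed WordPress-like directory and a constructed access log (the paths, file contents and IP addresses are fixtures, not data from a real incident), then runs three file checks (recent modification time, PHP under uploads, obfuscation markers) and two log checks (login brute force by source IP, direct requests to PHP under uploads). To use it on a real site, point WEBROOT and ACCESS_LOG at the copy of the files and logs you took during containment, and drop the setup_fixture call.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the
# investigation steps, run against a COPY of the webroot and access log.
# The tree, file contents and log lines built here are constructed fixtures.
set -eu

WEBROOT="$(mktemp -d)"
ACCESS_LOG="$(mktemp)"
trap 'rm -rf "$WEBROOT" "$ACCESS_LOG"' EXIT

# Constructed fixture: one backdated core file plus a fresh PHP file dropped
# into the uploads directory, and a constructed Apache/nginx-style access log.
setup_fixture() {
  mkdir -p "$WEBROOT/wp-includes" "$WEBROOT/wp-content/uploads/2024/05"
  printf '<?php // core file, untouched\n' > "$WEBROOT/wp-includes/functions.php"
  touch -t 202401010000 "$WEBROOT/wp-includes/functions.php"   # old mtime
  printf '<?php @eval(base64_decode($_POST["c"]));\n' \
    > "$WEBROOT/wp-content/uploads/2024/05/wp-cache.php"        # webshell, new mtime
  cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/May/2024:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/May/2024:02:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/May/2024:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/May/2024:02:11:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/May/2024:02:11:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/May/2024:02:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/May/2024:02:20:41 +0000] "POST /wp-content/uploads/2024/05/wp-cache.php HTTP/1.1" 200 57
192.0.2.10 - - [10/May/2024:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 8821
EOF
}

# Files modified within the last N days, relative to the webroot. Attackers
# can reset timestamps, so an empty result does not prove the site is clean.
recently_modified() {
  find "$WEBROOT" -type f -mtime -"$1" | sed "s|^$WEBROOT/||" | sort
}

# PHP files under the uploads directory: nothing legitimate writes code there.
php_in_uploads() {
  find "$WEBROOT/wp-content/uploads" -type f -name '*.php' | sed "s|^$WEBROOT/||" | sort
}

# PHP files containing common obfuscation/execution primitives. Noisy on real
# sites (some plugins use base64_decode legitimately); hits are leads, not verdicts.
webshell_markers() {
  find "$WEBROOT" -type f -name '*.php' \
    -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(' {} + \
    | sed "s|^$WEBROOT/||" | sort
}

# Source IPs with at least N POST requests to wp-login.php (brute-force pattern).
# Field layout assumed: ip - - [date tz] "METHOD path proto" status bytes
login_bruteforce_ips() {
  awk -v threshold="$1" '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= threshold) print ip, n[ip] }' "$ACCESS_LOG" | sort
}

# Requests that hit a PHP file under uploads directly; a 200 means it ran.
uploads_php_requests() {
  grep -E '"(GET|POST) /wp-content/uploads/[^" ]*\.php' "$ACCESS_LOG" || true
}

setup_fixture
echo "== files modified in the last 7 days =="; recently_modified 7
echo "== PHP files under uploads ==";            php_in_uploads
echo "== files with webshell markers ==";        webshell_markers
echo "== login brute force (>= 5 POSTs) ==";     login_bruteforce_ips 5
echo "== requests to PHP under uploads ==";      uploads_php_requests
```

Treat every hit as a lead rather than a verdict: some legitimate plugins call base64_decode, and a backdoor whose timestamp was reset passes the mtime check. The result worth acting on immediately is a 200 response to a PHP file under uploads, which means the dropped file was reached and executed, and the source IP of that request is the one to trace back through the rest of the log.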

3. Cleanup & Restoration

  1. Restore from Backup: If you have a recent, clean backup of your website (taken before the compromise), this is the fastest and most reliable way to restore it. Ensure the backup is truly clean before restoring: compare it against a trusted copy of the same CMS version and look for the same files and code you found during the investigation. Restoring also puts back the same vulnerable software that let the attacker in, so update and patch it before bringing the site live, or it will simply be hacked again.
  2. Remove Malicious Code: If you can’t restore from a backup:
    • Carefully examine every modified file identified during your investigation. Typical signs are obfuscated blocks (long base64 strings, eval, gzinflate) at the top or bottom of an otherwise normal file, new PHP files in upload or cache directories, and unexpected rewrite rules in .htaccess.
    • Remove the suspicious code or files. Be very cautious – deleting the wrong code could break your website, so work on a copy and keep the original for reference.
    • Also check the database for injected content (unknown admin users, scripts in posts or options) and the cron/scheduled tasks for entries you did not create.
    • If unsure, seek professional help.
  3. Reinstall CMS Core Files: If your CMS core files were modified, replace all of them with a fresh copy of the same version from the official source rather than fixing files one by one; your configuration file and content directory are left in place. For WordPress, use Dashboard > Updates > “Re-install version X”, or with WP-CLI:
    # Example for WordPress: overwrite core files with a fresh download, leaving wp-content alone
    wp core download --force --skip-content
    # Reinstall a plugin from WordPress.org over the installed copy (<plugin-slug> is a placeholder)
    wp plugin install <plugin-slug> --force
    
    
  4. Update Plugins and Themes: Ensure all plugins and themes are updated to the latest versions. Outdated software is a common entry point for attackers. Delete any plugins and themes you no longer use: a deactivated plugin’s files are still on disk and can still be exploited.
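
One way to check that a backup (or a freshly restored tree) is actually clean, as an added example that is not from the original post: build SHA-256 manifests of a trusted copy of the same CMS version and of the backup, then list what was added, modified or missing. The two directory trees and their file contents are constructed fixtures, and sha256sum from GNU coreutils is assumed. For WordPress core, `wp core verify-checksums` does this comparison against the checksums WordPress.org publishes; the script below generalises it to any tree for which you can obtain a trusted copy, including plugins, themes and other CMSes.

```shell
#!/bin/sh
# Added example (not from the original post): compare a backup or restored
# tree against a trusted copy of the same CMS version by SHA-256 manifest.
# Both directory trees are constructed fixtures; assumes GNU coreutils sha256sum.
set -eu

TRUSTED="$(mktemp -d)"   # stands in for a fresh download of the same core version
BACKUP="$(mktemp -d)"    # stands in for the backup (or restored site) being checked
trap 'rm -rf "$TRUSTED" "$BACKUP"' EXIT

# Constructed fixture: one identical core file, one tampered core file,
# one file missing from the backup and one PHP file added under uploads.
setup_fixture() {
  mkdir -p "$TRUSTED/wp-includes" "$BACKUP/wp-includes" "$BACKUP/wp-content/uploads"
  for d in "$TRUSTED" "$BACKUP"; do
    printf '<?php // unchanged core file\n' > "$d/wp-includes/functions.php"
  done
  printf '<?php require "wp-blog-header.php";\n' > "$TRUSTED/index.php"
  printf '<?php @include "/tmp/.x"; require "wp-blog-header.php";\n' > "$BACKUP/index.php"
  printf '<?php // sample config\n' > "$TRUSTED/wp-config-sample.php"
  printf '<?php system($_GET["c"]);\n' > "$BACKUP/wp-content/uploads/x.php"
}

# One line per file, "<sha256><TAB><relative path>", sorted by path.
make_manifest() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#./}"
    done )
}

# Print ADDED / MODIFIED / MISSING lines for the second tree relative to the first.
compare_trees() {
  manifest_trusted="$(mktemp)"; manifest_backup="$(mktemp)"
  make_manifest "$1" > "$manifest_trusted"
  make_manifest "$2" > "$manifest_backup"
  awk -F'\t' '
    NR == FNR { trusted[$2] = $1; next }
    {
      if (!($2 in trusted))        print "ADDED\t" $2
      else if (trusted[$2] != $1)  print "MODIFIED\t" $2
      seen[$2] = 1
    }
    END { for (p in trusted) if (!(p in seen)) print "MISSING\t" p }
  ' "$manifest_trusted" "$manifest_backup" | sort
  rm -f "$manifest_trusted" "$manifest_backup"
}

# Exit status 0 only when the second tree matches the trusted tree exactly.
backup_is_clean() {
  [ -z "$(compare_trees "$1" "$2")" ]
}

setup_fixture
compare_trees "$TRUSTED" "$BACKUP"
```

Site-specific files such as wp-config.php and everything under uploads will show as ADDED, because they are not part of the trusted download; review those by hand and treat any PHP file under uploads as hostile. MODIFIED core files and MISSING files are the clear signal that the backup was taken after the compromise and must not be restored.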

4. Prevention

  1. Strong Passwords & Two-Factor Authentication (2FA): Use strong, unique passwords for all accounts and enable 2FA wherever possible.
  2. Keep Software Updated: Regularly update your CMS, plugins, themes, and server software.
  3. Use a Web Application Firewall (WAF): A WAF can help block malicious traffic before it reaches your website.
    • Cloudflare is a popular option.
  4. Regular Backups: Schedule regular, automated backups of your website and store them securely offsite.
  5. Limit Login Attempts: Implement measures to limit failed login attempts to prevent brute-force attacks.
  6. Security Scanning: Regularly scan your website for vulnerabilities using a security plugin or online tool.

5. Post-Incident Steps

  1. Monitor Your Site: Keep a close eye on your website for any signs of further compromise after cleanup.
  2. Inform Users (If Necessary): If user data may have been compromised, inform affected users and advise them to change their passwords. Consider legal obligations regarding data breach notification.