Uncovering a hack
We occasionally (and increasingly often) get calls from people whose sites have been hacked, sites that we didn’t build or host.
If you are in this situation, what do you do? How can you fix it?
In no particular order:
- Contact your host!
Most of the time the host has malware detection installed on their server that can track this down. Sometimes, though, the host doesn’t know. You should let them know so they can make sure other sites on the same server haven’t been compromised. You can also ask them for a backup of the site and restore it (see restoring below).
- Take your site offline
Stop the bleeding! Taking the site offline lets you fix it without hacker interference, and the hacker’s code won’t be served to your site visitors. You’ll most likely need to contact your hosting provider, because the 503 response has to come from outside your site/server.
- Start from the beginning
Your best guaranteed option is to do a fresh install and start from scratch.
- Restore from a backup
Please tell me you do scheduled backups. If not, contact us and we can help you. If you are lucky enough to be able to track down the date of the hack, you can restore from a previous (non-hacked) version. Additionally, most hosts keep account backups that include your whole site, database files, etc. We keep at least 3 weeks’ worth.
- Look for FTP edit dates
Browse the site over FTP and look at the modified dates. If something looks off (or suspiciously recent), traverse that directory. Those little hackers can be sneaky, though, and sometimes the modified date on the actual file hasn’t changed.
- Investigate foreign files
If you made the site (or are a developer), chances are you’re familiar enough with its structure to know when a file just doesn’t make sense. For instance, in one site I investigated, I noticed there was a PHP file called “admin” inside an image directory. It didn’t make sense. It was a backdoor.
- Check byte size
If you find an injected PHP file that contains nothing but the malicious code, note its byte size and then run a command to find every other file with exactly that size; the same payload is often dropped in several places. You’ll need SSH access.
- Search for code injection in your files
You’ll also need SSH access for this, but once you know what the injected code looks like you can run a grep command across the site to find every file that contains it.
- Change all passwords
Locking the hackers out of the areas they got into is a good start, but remember that once they had access they may also have created backdoors in your file directories, so new passwords alone are not enough. Make sure you have changed the logins for your FTP and for the site itself.
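The four investigation steps above (modified dates, foreign files, byte size, grep for injected code) as shell helpers you can run over SSH. This is an added example, not code from the original post; WEBROOT is an assumed environment variable, and the sample webroot (including its harmless “admin.php”) is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: triage helpers for a compromised webroot.
# WEBROOT is assumed; when it is unset a constructed sample tree is used.

# Files changed within the last N days (the "modified date" check).
recently_modified() { find "$1" -type f -mtime -"$2"; }

# PHP files sitting inside upload/media directories, where PHP never belongs.
php_in_upload_dirs() { find "$1" -type f -name '*.php' -path '*/uploads/*'; }

# Exact size of one file in bytes (tr strips the padding BSD wc adds).
file_size_bytes() { wc -c < "$1" | tr -d ' '; }

# Every file with exactly the given byte size (copies of one dropped payload).
same_size_files() { find "$1" -type f -size "$2"c; }

# PHP files containing common obfuscation constructs seen in injected code.
grep_injections() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval\(base64_decode\(|gzinflate\(|str_rot13\(' {} +
}

# Constructed sample webroot: two old legitimate files, a suspicious
# "admin.php" in an image directory, and a same-sized copy elsewhere.
make_sample_webroot() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2015/03"
  printf '<?php echo "hello"; ?>\n' > "$d/index.php"
  printf 'GIF89a' > "$d/wp-content/uploads/2015/03/logo.gif"
  # The base64 decodes to the harmless "echo 1;" but matches the grep pattern.
  printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
    > "$d/wp-content/uploads/2015/03/admin.php"
  cp "$d/wp-content/uploads/2015/03/admin.php" "$d/wp-content/cache.php"
  # Backdate the legitimate files so only the dropped files look recent.
  touch -t 201501010000 "$d/index.php" "$d/wp-content/uploads/2015/03/logo.gif"
  printf '%s' "$d"
}

triage_report() {
  echo "== modified in the last 7 days =="; recently_modified "$1" 7
  echo "== PHP inside upload directories =="; php_in_upload_dirs "$1"
  echo "== PHP with obfuscation constructs =="; grep_injections "$1"
}

# Stand-alone run: real webroot from $WEBROOT, otherwise the constructed sample.
triage_report "${WEBROOT:-$(make_sample_webroot)}"
```

Feed the size of a confirmed injected file to same_size_files to catch copies whose modified date was preserved.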
Once you’ve removed the malicious content, make sure you’ve put proper security measures in place. These are the top reasons we’ve seen for sites getting hacked:
- Outdated core or plugins
Outdated plugins and an outdated CMS core are an easy target for hackers, because they already know how to exploit the vulnerabilities in that code (the Open Web Application Security Project made a category for “Using Known Vulnerable Components” because it is exploited so often). Get a maintenance plan with your developer to keep your site updated on a regular basis. If you don’t have one, contact us. Your site is an engine. It’s not a sculpture to put on a shelf. It needs to be well-oiled and maintained. Updates are kind of like recalls. You can ignore them and your engine might work for a while, or it might blow up. Do you want to take the risk? If you’re using WordPress, bookmark this. It’s a list of known vulnerabilities.
- Inactive plugins
Just because a plugin is inactive doesn’t mean its security holes are closed: the code is still sitting on your server. If you’re not using it, why have it?
- Poor passwords
SplashData takes the stolen passwords made public each year and compiles them into a popularity list. Would you believe “123456” was the most common password among the 3.3 million leaked passwords, with “password” coming in second? Recently I took a webinar about website security. The presenter showed that 90% of hack prevention is related to your password. Make sure your password is a strong password. Use a NEW password every time you have to make one. If that’s hard to remember, use software like 1Password or KeePass (free), so you only need one master password to access all your others. We love KeePass here. It also has password generation that automatically creates strong passwords for you. If you can get past the Comic Sans, here’s a good article on making great passwords: http://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/
- Security software installed but disregarded
We’ve seen a site where the malware detection software actually flagged core file changes that did catastrophic damage, but no one was monitoring the site (yet another reason to invest in regular maintenance with a developer). By the time we got to it the whole site (admin files, theme files, root) was compromised. The hackers had even managed to get a database backup.
- Plain bad code
If you’re building a CMS website, don’t put sensitive data in your theme directory (themes are more easily breached than other areas, especially if a hacker gets control of the CMS administrator account or creates one). That logic belongs in a plugin. Sanitize data on input and escape it on output. Prevent direct access to files that are only meant to be included by the CMS.