In the security world, the following advice seems to be gold: keep templates and plugins up to date; use secure passwords and captchas; be careful whom you give access and to what; use a security-conscious web host.
While those are all great tips and we encourage them, your website is still (and always will be) hackable. We’ve seen and helped clients with numerous hacks over the years, so we wanted to share some advice that goes beyond following security best practices.
As your user base and reputation grow, getting hacked becomes more likely and it really can happen to anyone. Therefore, the best thing you can do is to have a hack recovery plan. In case of disaster, you’ll know exactly what needs to be done, and who can do it for you. You won’t panic and make hasty decisions that may turn a crisis into a catastrophe.
1. Be the First to Know
You don’t want to find out about a hack from a random visit to your own site. You don’t want to see the red screen of death, with an unwelcoming message like “Danger: malware ahead!” or “This website may harm your computer”. You don’t want to see your homepage defaced (at the time of writing, a WordPress REST API Vulnerability is at large and defacing thousands of websites).
The worst thing about finding a hack by accident is that you probably won’t know how long it’s been there. You won’t be able to put the damage into perspective.
The solution is to set up one or several proactive tools that detect hacks and notify you.
Front-end/Source Code Monitors
There are tools that monitor the front-end of your site for uptime and content changes, such as Pingdom. There are also tools that monitor the source code of your website for hacks, such as our own HackAlert service. Both can be set up to send various notifications, and the options here are endless.
Google Search Console Alerts
Although you cannot count on it for an early warning, Google’s Search Console detects a plethora of hacks. Set up your site and make sure to enable email alerts in the preferences. It’s a good idea to keep an eye on Google’s security status regarding your site. Best of all, it’s free.
2. Make a Backup
You will need a backup copy of the hacked site to be used later when removing malicious code. Make a backup and save it before going into maintenance mode.
That being said, make sure your site is backed up regularly and several copies are kept at all times. A clean copy can also be of help when later recovering your site. Your web host will usually make backups for you, but there are plenty of tools and plugins to set up backups yourself.
3. Get the Access Logs
Another thing to be used in the recovery of your site is access logs. Ask your host whether they can provide them and how far back in time. Some attacks are difficult to find and may require logs from 6 months ago. If your host cannot provide that, set up log keeping yourself. At SiteGround, and probably other cPanel hosts, logs can be downloaded from the Raw Access Logs tool.
4. Have Maintenance Mode Ready
Going into maintenance mode as soon as possible is important. Search engines constantly check the HTTP status of your site and what content it is serving to visitors. Having your site down or serving malicious content will obviously damage your rankings.
This is why it’s a good idea to have a simple HTML maintenance page ready before you ever get hacked. You’ll be able to enable it quickly, while your site is being cleaned, minimizing damage in the eyes of both visitors and search engines.
The best way to enable maintenance mode is by using .htaccess to redirect all requests to an HTML page. This way, any malicious files left on your domain become inaccessible, and requests for them are sent to that page instead.
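A ready-to-use version of that .htaccess switch, as an added example (not SiteGround's or WordPress's own code): it assumes Apache with mod_rewrite, as on cPanel hosts, and takes the document root and your own IP address as inputs (placeholders). It answers with 503 rather than a plain redirect so search engines treat the outage as temporary.

```shell
#!/bin/sh
# Added example, not SiteGround's code. Writes an .htaccess that answers every
# request with 503 and serves /maintenance.html, so any PHP an attacker left in
# the web root is no longer reachable while the clean-up runs. Assumes Apache
# with mod_rewrite (standard on cPanel hosts); docroot and admin IP are inputs.

enable_maintenance() {
  docroot="$1"    # e.g. /home/user/public_html (placeholder)
  admin_ip="$2"   # your own address, still allowed through to check the site
  # Keep the current .htaccess so it can be put back afterwards. Inspect it
  # before restoring: attackers frequently modify .htaccess too.
  if [ -f "$docroot/.htaccess" ]; then
    cp "$docroot/.htaccess" "$docroot/.htaccess.pre-maintenance"
  fi
  escaped_ip=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')
  cat > "$docroot/.htaccess" <<EOF
RewriteEngine On
# Requests from the operator's address are not intercepted
RewriteCond %{REMOTE_ADDR} !^${escaped_ip}\$
# Do not loop on the maintenance page itself
RewriteCond %{REQUEST_URI} !^/maintenance\.html\$
# A non-3xx status with "-" as substitution stops rewriting and serves the
# ErrorDocument; 503 tells search engines the outage is temporary.
RewriteRule ^ - [R=503,L]
ErrorDocument 503 /maintenance.html
<IfModule mod_headers.c>
Header always set Retry-After "3600"
</IfModule>
EOF
}

disable_maintenance() {
  docroot="$1"
  if [ -f "$docroot/.htaccess.pre-maintenance" ]; then
    mv "$docroot/.htaccess.pre-maintenance" "$docroot/.htaccess"
  else
    rm -f "$docroot/.htaccess"
  fi
}
```

Check subdirectories for their own .htaccess files before relying on this: a `RewriteEngine On` in a deeper directory takes precedence for that path, and attackers sometimes plant one.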
5. Clean the Website and Vulnerability
To clean your website, you can either restore from a clean backup or remove the malicious code from files and databases. Whatever the method of cleaning, you will have to make sure the vulnerability is eliminated afterward.
Restoring a Clean Backup
This is the fastest, easiest and cheapest option that most people will be able to perform on their own with their backup tool. However, it comes with some disadvantages. If you are running a website that is updated frequently, you may lose some data (e.g. an online store might lose some orders). Also, you can never be sure that the backup you are restoring is completely clean.
Remove the Malicious Code From Files and Database
This is the more effective option, but it can prove extremely difficult depending on the hack. If you are not completely sure what you are doing, it’s best to use a third-party cleaning service. Identifying and removing attacks is well beyond this blog post.
Eliminate the Vulnerability
This is where the access logs come into play. Once again, however, this can become a difficult task, and you should only perform it on your own if you are confident doing so. At the end of the day, you need to know that the malicious code was removed from your files and database, together with the vulnerability used to access and modify those files and database.
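How the access logs from step 3 feed into this step, as an added example (not SiteGround's or Sucuri's code): given the path of a malicious file found during clean-up, these helpers locate its first request in a cPanel-style raw access log (Apache combined format) and list what the same client requested just before it, which is usually the entry point. The log lines and the plugin path in them are constructed sample data.

```shell
#!/bin/sh
# Added example, not SiteGround's code. Triage helpers for Apache/cPanel raw
# access logs (combined format). If the host archives one file per month,
# concatenate them in date order into a single file first.
# The log below is constructed sample data; the plugin name is hypothetical.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Feb/2017:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Feb/2017:09:13:15 +0000] "POST /wp-content/plugins/example-uploader/upload.php HTTP/1.1" 200 31 "-" "python-requests/2.12"
203.0.113.42 - - [10/Feb/2017:09:13:18 +0000] "GET /wp-content/uploads/2017/02/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.12"
198.51.100.7 - - [10/Feb/2017:09:20:44 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF

# Line number of the earliest request for PATH ($2) in LOG ($1); the query
# string is ignored so "/x.php?a=1" still matches "/x.php". Empty if none.
first_request_to() {
  awk -v p="$2" '{ split($7, u, "?"); if (u[1] == p) { print NR; exit } }' "$1"
}

# Client address recorded on line N ($2) of LOG ($1).
client_on_line() {
  awk -v n="$2" 'NR == n { print $1; exit }' "$1"
}

# Every request from IP ($2) that appears before line N ($3) in LOG ($1).
# The request that created the malicious file is normally among these.
requests_before() {
  awk -v ip="$2" -v n="$3" 'NR < n && $1 == ip { print }' "$1"
}

# Walk-through on the sample log: the file found during clean-up is cache.php
hit=$(first_request_to "$SAMPLE_LOG" /wp-content/uploads/2017/02/cache.php)
ip=$(client_on_line "$SAMPLE_LOG" "$hit")
echo "cache.php first requested on line $hit by $ip; earlier requests from that client:"
requests_before "$SAMPLE_LOG" "$ip" "$hit"
```

The timestamp of the first hit also answers the question from step 1 (how long the hack has been there), which decides which backup is old enough to be clean.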
SiteGround customers can order a thorough hack repair from our partner Sucuri, by going to User Area -> Support -> Website Security.
6. Return to Live
At the end of the process, you should change all passwords of all users, tools, and devices that have access to your site (cPanel, FTP, SSH, etc.). Make sure the same is done by all website collaborators. Do this before you go live.
Another thing you should consider at this point is your website users and visitors. Analyze the situation and find out whether any of their data was compromised during the attack. If so, it’s a good idea to communicate it to your users, along with a password change and any other needed actions.