Help! My site has been hacked!
It is every website owner’s nightmare. You wake up from a blissful night of sleep, pour yourself a cup of coffee, and sit down at your computer expecting to check your overnight order sales and the latest sports scores. Then you find out that your site has been hacked. Needless to say, you don’t have any overnight orders, and all of a sudden your favorite team is the last thing on your mind.
How to tell if your site has actually been hacked
There are a couple of ways to figure this out:
- You open your site and see something else instead. If the hack is that obvious, your site will be defaced with other content, for example a message saying “Your site has been hacked by [XYZ]”.
- You open your site and it redirects you to another website that has nothing to do with your business (a scam/phishing site about something different).
- You get a report from your web host. If you host your site at SiteGround, you’ll be able to see this report in your Client Area. In that report’s interface, there’ll be a tool that allows you to freely scan your website for malicious code and leftover backdoors. Even better, if you have SiteGround Site Scanner enabled, you will get an instant notification when it detects malicious content or activity on your site.
- You find out Google has dropped your website from search results. If you haven’t noticed anything obviously wrong with your site, but it has indeed been hacked, then eventually Google Safe Browsing will display a warning or the site will be removed from Google search results. That’s usually the last resort, and it’s way better to detect hacks earlier, which is why we recommend always using Site Scanner or other site checker tools for early detection.
- If you have a Google Webmaster account, you get an official report from Google that your site has been hacked. In this case, you can check the Webmasters sections for more info. If you still haven’t added your website to Google Webmaster tools, it’s a good idea to do so.
Next Steps: How to repair your hacked website yourself
OK, so you have confirmed that your site has been hacked. Pour yourself a cup of calming tea and let’s get to work.
Make a backup
The first thing you need to do is create a backup of your site. Yes, I realize your site has been compromised and we are going to try and fix that. But right now you need to preserve the evidence. So use your normal backup tool to create a backup of your site and store it somewhere safe and out of the way. Make sure you label it properly so that you don’t accidentally restore it at some point in the future.
If your site is hosted with SiteGround, you can use the website Backup tool to easily create backups and restore your site. For detailed information on how to do all that, follow the link.
Restore from the last working backup
At this point you do not know what caused your site to be compromised. You don’t know if someone brute-forced your password or exploited a vulnerability in one of your plugins. So go back to the last known working, malware-free backup and restore from it.
Your last working backup may not be your last backup. If you aren’t absolutely positive about when your site was hacked, go back as far as you can. Hopefully you have at least 30 days of backups available to you. This will give you the best chance of getting to a clean backup.
Scan your website
Your next step would be to scan your website for malware or other malicious code. There are many site scanning tools to choose from that can help you diagnose your site for malicious code, files, or other hacks. Pick one to do a quick scan of your website and to also check if your site comes up in one of the main blacklists online.
If you’re a SiteGround customer, you can go for the Site Scanner service. Follow the link to learn how Site Scanner protects websites.
Put your site into maintenance mode
Once you have your backup restored, put your site in maintenance mode. This will let you get to the admin side of your site but you won’t be endangering any of your site visitors with potential malware.
The easiest way to do this is by using the WP Maintenance Mode plugin. It allows you to activate maintenance mode from the admin interface.
First, download and install the WP Maintenance Mode plugin. Once activated, select Settings -> WP Maintenance Mode from the WordPress dashboard.
Install SiteGround Security and clean things up
Even at this stage the SiteGround Security plugin has one cool trick up its sleeve. Once you have it installed, click on its menu and go to “Post-Hack Actions”. All of these are important, but let’s take them in a slightly different order than they are shown.
- Log out all users
- Reinstall All Free Plugins
- Force Password Reset
That second one is the magic. If your site was compromised and the attacker uploaded their own copy of one of your plugins, this will clear that out.
Reset WordPress itself
You can log in to your WordPress admin and use example.com/wp-admin/update-core.php to re-install WordPress itself. Even if it says you are on the most recent version of WordPress, go ahead and re-install WordPress. This will overwrite any core files that may have been compromised in the attack.
It should be noted that even though we have now cleaned all of the code that runs your site, the attack may have altered your database. Even though we restored from an old backup, you need to check each post and comment to make sure that nothing has been inserted. This is a daunting task for some sites and the reason we hire professionals who have the proper tools to get the job done.
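One way to triage the post and comment review described above, as an added example that is not part of the original article or of any SiteGround tool. It flags bodies containing markup that rarely belongs in content so a person can review them; the sample rows, the trusted-host list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately embeds from (assumption: adjust per site).
TRUSTED_HOSTS = {"www.youtube.com", "player.vimeo.com"}

# Markup that rarely belongs in post or comment bodies.
PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "inline event handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
    "javascript: URI": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
    "hidden element": re.compile(r"style\s*=\s*['\"][^'\"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "obfuscated JS": re.compile(r"\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode", re.I),
}
IFRAME_SRC = re.compile(r"<\s*iframe\b[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def scan_content(html):
    """Return a sorted list of reasons this piece of content needs manual review."""
    reasons = {name for name, rx in PATTERNS.items() if rx.search(html)}
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).hostname  # None for same-site relative paths
        if host and host not in TRUSTED_HOSTS:
            reasons.add("iframe from untrusted host: " + host)
    return sorted(reasons)


def scan_rows(rows):
    """rows: iterable of (kind, row_id, content). Returns {(kind, id): reasons} for hits."""
    findings = {}
    for kind, row_id, content in rows:
        reasons = scan_content(content or "")
        if reasons:
            findings[(kind, row_id)] = reasons
    return findings


# Constructed rows standing in for wp_posts.post_content / wp_comments.comment_content.
SAMPLE_ROWS = [
    ("post", 12, "<p>Our spring sale starts Monday.</p>"),
    ("post", 31, '<iframe src="https://www.youtube.com/embed/abc123"></iframe>'),
    ("post", 47, '<p>Welcome</p><script src="https://cdn.example.invalid/x.js"></script>'),
    ("comment", 9, '<div style="display:none"><a href="https://pills.example.invalid">buy</a></div>'),
    ("comment", 15, '<iframe src="//ads.example.invalid/frame" width="0"></iframe>'),
]

if __name__ == "__main__":
    for key, reasons in scan_rows(SAMPLE_ROWS).items():
        print(key, reasons)
```

A hit is a prompt for manual review, not proof of compromise: a theme or page builder may legitimately store hidden elements or embeds.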
Next, go to your plugins menu and update everything that might be out of date. If you have paid plugins (and who doesn’t these days?) go pay the fee on each one of them and upgrade to the latest version or disable and delete them. Do not just disable them and do not leave unpatched plugins or themes on your site.
Review your passwords and policies
Earlier we logged out all users and forced a password reset for all users. This will help if the attacker compromised a user’s account. To make it harder next time, make sure that all of your admin and editor accounts have Two-Factor Authentication turned on. There are several good plugins out there both free and paid that will give you 2FA. If you’ve been following my instructions so far, you already have one of the best of them installed, SiteGround Security.
Go to the SG Security menu and select “Login Security”. From there, click the slider next to “Two-factor Authentication for Admin & Editors Users”. This will force all Admin and Editor accounts to turn on 2FA the next time they log in…including you. Yes, it adds one more step to logging into your site each morning and yes, some days you’ll play “Where’s my phone?!?” before you can get logged in, but the peace of mind is worth it.
Also, requiring strong passwords from all users is a must. WordPress itself does not give you the option to enforce strong passwords, but there are plugins you can get that will. I strongly encourage you to install one and make strong passwords a site policy.
A lot of attackers will install their own user accounts hoping that you won’t notice. Now is the time to notice. Review the list of users at every level and look for anything out of place. On most sites, you should only have one or at the most two admin accounts. Look at those to make sure you recognize all of them. The same goes for any role that has elevated permissions like editing content.
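The user review described above can be made repeatable with a small script; this is an added example, not part of the original article or the SiteGround Security plugin. It assumes a CSV export of your users (the sample is constructed), a list of logins you recognise, and an estimate of when the compromise may have started, all of which are illustrative names and values.

```python
import csv
import io
from datetime import datetime

ELEVATED = {"administrator", "editor"}  # roles that can change site content
MAX_ADMINS = 2  # the article's rule of thumb: one, at most two, admin accounts


def audit_users(csv_text, known_logins, suspect_since):
    """Return (findings, admin_count) for accounts holding an elevated role.

    known_logins: logins the site owner recognises (assumption: kept offline).
    suspect_since: earliest time the compromise may have started.
    """
    findings, admin_count = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if not roles & ELEVATED:
            continue
        admin_count += "administrator" in roles
        reasons = []
        if row["user_login"] not in known_logins:
            reasons.append("unrecognised login")
        created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created >= suspect_since:
            reasons.append("created inside suspect window")
        if reasons:
            findings.append((row["user_login"], sorted(roles), reasons))
    return findings, admin_count


# Constructed export in the column layout of
# `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv`.
SAMPLE_CSV = """ID,user_login,user_email,user_registered,roles
1,owner,owner@example.com,2019-03-02 09:14:00,administrator
4,maria,maria@example.com,2021-06-18 16:40:12,editor
7,bob,bob@example.com,2022-01-09 11:05:33,subscriber
19,wp_support,help@example.invalid,2024-02-11 03:27:51,administrator
20,seo_team,seo@example.invalid,2020-08-01 12:00:00,"editor,author"
"""

if __name__ == "__main__":
    found, admins = audit_users(SAMPLE_CSV, {"owner", "maria"}, datetime(2024, 2, 1))
    for login, roles, reasons in found:
        print(login, roles, "; ".join(reasons))
    if admins > MAX_ADMINS:
        print(f"{admins} administrator accounts; expected at most {MAX_ADMINS}")
```

An account with a plausible name and an old registration date can still be rogue, which is why the recognised-login check runs independently of the date check.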
Rescan your site
We’ve done what we can to clean things up. Now let’s see how things look. Go back to the scanning tool you originally used and rescan your site. You will probably still be in blacklists, but the malware should be gone.
If your site scanner gives you a clean bill of health, then the first part of your journey is done.
If, on the other hand, the scanner is still detecting malware, then at this point you are going to have to contact a professional. You’ve done all of the things that most non-technical or semi-technical people can do. Honestly, at this point I would be contacting a professional site cleaner to deal with it. My site is too important to me to risk it.
Scan your devices
Scanning your website is important, as mentioned above, but it’s equally important to scan your devices as well. Scan your PC and any other devices you use. If one of them is infected with malware, clean it up so that the same malware can’t lead to your site being hacked again.