Cleaning Up a Hacked Website
Your website is hacked. What do you do?
This article refers to defacement hacks, where the content of web pages is changed or replaced by the hacker, or your traffic is redirected somewhere else, without your consent.
It contains a general step-by-step method to clean up your website, provided your website is on a Unix/Linux web server. (I have no experience cleaning up Microsoft IIS web servers.)
What you find here is good procedure for cleaning up many, if not most, website defacement hacks. Specific types of hacks may require other steps.
As to how they got in to hack your site: perhaps through FTP, perhaps through the account's web hosting control panel, perhaps through WordPress admin, or perhaps some other means.
As to how they got the necessary password in the first place, it could be:
- Trial and error with software that guesses passwords.
- Intercepting email containing the password.
- A virus/trojan/malware infection on your machine.
- A virus/trojan/malware infection on the machine of someone else who has one of your passwords stored on their computer.
- A key logger.
- Or perhaps another way.
It's hard to tell, really, because there are so many ways log-in credentials can be obtained. (The basic security article has some information about basic personal computer security. Not comprehensive, but important.)
Cleaning Up the Hacked Site
Below is a table of the steps for a general clean-up of the site. The steps that apply to WordPress sites and those that apply to Non-
There are three sections.
- What to do immediately, even before cleaning up the site.
- Cleaning up the site.
- What to do after cleaning up the site.
What to do Now, Before Cleaning Up the Site
The things to do immediately are those that try to ensure that however the password was obtained cannot be repeated, that the password the hacker has is invalidated, and that the hosting company knows what happened.

| Step | Action | Non-WordPress Website | WordPress Website |
|---|---|---|---|
| 1 | Change FTP and SFTP passwords. | | |
| 2 | Change the account's web hosting control panel password (generally cPanel or Plesk). | | |
| 3 | Change the WordPress admin dashboard/control panel password. | | |
| 4 | Notify your hosting company about what happened. They may have suggestions based on their experience, perhaps gained from helping another of their clients whose site had the same type of hack. | | |
| 5 | Run good, up-to-date virus/trojan/malware security software to clean any infections. (The basic security article has some information about basic personal computer security. Not comprehensive, but important.) | | |
Cleaning up the Site
The table continues with suggested website cleanup steps – unless you get other instructions from your hosting company or find authentic cleanup instructions specific to the hack your website is suffering from.
Before continuing, create a new subdirectory on your computer. It is where you will put files downloaded in the following steps. To avoid confusion when talking about subdirectories, we'll call this new subdirectory on your computer the "destination directory."
Create subdirectories within the destination directory as needed to mirror the subdirectory path from where a file is downloaded.
The downloaded files should all contain only text. Even so, it is a good idea to scan them for viruses/trojans/malware before opening them. Certainly, do not open files with a .exe or other file name extension that is executable on your computer. Renaming files with executable extensions so they have a .txt extension may reduce their danger, although that's not guaranteed.
The files downloaded into the destination directory are for a record, in case you or someone else needs them to try to determine exactly what happened. If any files are to be changed and re-uploaded to the server, make a copy of the file and change/upload the copy. Don't change the original.
Viewing file lists, traversing the server's directories, and downloading/uploading can be done with SFTP, FTP, or other server file management software.
| Step | Action | Non-WordPress Website | WordPress Website |
|---|---|---|---|
| 6 | Check the document root directory (the directory on the server where the domain's main or index file is located) to see if it contains any index files you have not put there. Generally, only one of the following is in the document root directory: index.html, index.htm, index.php, or index.shtml. If others are present on the server and you didn't put them there, download the files to your destination directory and then delete the extra files from the server. | | |
| 7 | Check to see if .htaccess files have been added or changed in the document root directory and each of its subdirectories. For every .htaccess file recently updated (when the hack was done or just before): i. Download the .htaccess file to your destination directory. ii. Open the .htaccess file in a plain text editor like NotePad or TextWrangler to see if anything has changed or something has been added. Compare with the old version of those files if you have backups. iii. For any .htaccess file that was changed, make a copy so you keep the original downloaded file for a record in case you need to refer to it later on. Clean up the copy and upload it to the server, overwriting the hacked one. | | |
| 8 | Check to see if WordPress template files have been changed recently (when the hack was done or just before). For every template file that has changed: i. Download the template file to your destination directory. ii. Inspect the file to see if anything has been changed. If backups are available, they may be used for the comparison. iii. If changed, make a copy so you keep the original downloaded file for a record in case you need to refer to it later on. Clean up anything that shouldn't be there and upload the template file to the server, overwriting the changed one. | | |
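The three cleanup steps above (extra index files, recently changed .htaccess files, recently changed template files) can be scripted. The following is an added example in POSIX shell, not code from the original article; it assumes you run it on the server over SSH or against a local copy of the document root, that the document root path and destination directory are passed as arguments, and that "recently changed" means within the last N days. The sample site tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for steps 6-8.
# Assumed inputs: DOCROOT (document root), DEST (destination directory on
# your computer), DAYS (how far back "recently changed" reaches).

# Step 6: list index files in DOCROOT other than the one you expect to be there.
find_extra_index_files() {
    docroot=$1; expected=$2
    for f in "$docroot"/index.*; do
        [ -e "$f" ] || continue                       # glob matched nothing
        [ "$(basename "$f")" = "$expected" ] && continue
        echo "$f"
    done
    return 0
}

# Steps 7 and 8: list files named NAME (e.g. .htaccess or '*.php') under
# DOCROOT that were modified in the last DAYS days.
find_recent() {
    docroot=$1; days=$2; name=$3
    find "$docroot" -type f -name "$name" -mtime "-$days" | LC_ALL=C sort
}

# Copy FILE into DEST, mirroring its path below DOCROOT. The copy keeps the
# original timestamp and is made read-only so the record stays untouched;
# clean up a separate copy when you fix a file, never this one.
preserve_copy() {
    docroot=$1; dest=$2; file=$3
    rel=${file#"$docroot"/}
    mkdir -p "$dest/$(dirname "$rel")"
    cp -p "$file" "$dest/$rel"
    chmod a-w "$dest/$rel"
    echo "$dest/$rel"
}

# Constructed sample site under WORK: one expected index, one extra index,
# one recent and one old .htaccess, one recent and one old theme file.
make_sample_site() {
    site=$1/public_html
    mkdir -p "$site/blog" "$site/wp-content/themes/demo"
    echo '<html>real home page</html>' > "$site/index.html"
    echo '<?php /* constructed: a second index file */ ?>' > "$site/index.php"
    printf 'RewriteEngine On\n' > "$site/.htaccess"
    printf 'Options -Indexes\n' > "$site/blog/.htaccess"
    printf '<?php get_header(); ?>\n' > "$site/wp-content/themes/demo/header.php"
    printf '<?php get_footer(); ?>\n' > "$site/wp-content/themes/demo/footer.php"
    # Date two files back to 2000 so only the recent ones are reported.
    touch -t 200001010000 "$site/blog/.htaccess" "$site/wp-content/themes/demo/footer.php"
}

# Demo: triage the sample site and show what gets preserved for the record.
# (Paths from mktemp contain no spaces, so word splitting in the loop is safe.)
demo_work=$(mktemp -d)
make_sample_site "$demo_work"
demo_root=$demo_work/public_html
for f in $(find_extra_index_files "$demo_root" index.html) \
         $(find_recent "$demo_root" 1 .htaccess) \
         $(find_recent "$demo_root/wp-content/themes" 1 '*.php'); do
    echo "preserved: $(preserve_copy "$demo_root" "$demo_work/destination" "$f")"
done
rm -rf "$demo_work"
```

Run against a real site, the listed files are what steps 6 to 8 tell you to download before deleting or editing anything; the mtime filter only narrows the search, since a hacker can reset timestamps, so a full comparison against a known-good backup remains the reliable check.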
What to do After cleaning up the Site
After cleaning up the website, take action to completely close the door the hacker used.
| Step | Action | Non-WordPress Website | WordPress Website |
|---|---|---|---|
| 9 | Change the account's FTP, SFTP, and web hosting control panel passwords. Yes, do it again, even though you did it before cleaning up the site, in case the cracker somehow managed to listen in to your cleanup activity. | | |
| 10 | Change the WordPress admin dashboard/control panel password again – in case the cracker somehow managed to listen in during your cleanup activity. | | |
| 11 | Update to the latest version of WordPress if the latest version is not yet installed. | | |
| 12 | Update to the latest version of other password-using software on the server that may have been the access point for the hack. | | |
Now you can relax. But keep an eye on your pages.
The above is just a general clean-up sequence. Depending on the hack, it might come back, in which case it may be prudent to hire an expert to clean it up and restore security.
This is an article to bookmark. And to tweet and facebook, as it could very well save someone's sanity, or at least reduce the stress level, maybe even leave a few hairs on the head.
Hacker Alert Software
In the WebSite's Secret membership area is Files Monitor software. It stores each file size or a hash of each file's content for comparison during subsequent scanning.
When a discrepancy is found during scanning, an email alert is sent to wherever you have specified.
During site clean-up, the alert email can be invaluable, as it lists files that have changed, files that have been added, and files that have been deleted. Recovery may be faster, which is essential for keeping site visitor disgust to a minimum, and for providing real content to search engine spiders instead of the hacked content.
The Files Monitor software can be set up to run every day or more often. It is good software to have. Get your membership here. Then download and install the software.
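To show the idea behind a file monitor of this kind, here is an added example in POSIX shell. It is not the Files Monitor software from the membership area and makes no claim about how that software works; it assumes a baseline file of one "hash<TAB>path" line per file, kept outside the document root, and that a fresh scan is compared against that baseline to report files added, deleted, or changed. The sample site and the defacement it simulates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the article's Files Monitor): a minimal hash-based
# file monitor. Assumed baseline format: "sha256<TAB>relative-path" per file.

# SHA-256 of one file: sha256sum on Linux, shasum on macOS/BSD.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write "hash<TAB>relative-path" for every regular file under ROOT to OUT.
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
      done ) > "$out"
}

# Print one line per difference between the OLD and NEW baseline files.
# FILENAME is used instead of the NR==FNR idiom so an empty OLD file works.
compare_baselines() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { new[$2] = $1 }
        END {
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in old) if (!(p in new)) print "DELETED " p
            for (p in old) if ((p in new) && old[p] != new[p]) print "CHANGED " p
        }' "$1" "$2" | LC_ALL=C sort
}

# Scan ROOT against BASELINE. Prints the differences (the body of the alert
# email) and returns 1 if there are any, 0 if the site is unchanged. The
# baseline is never refreshed here, so a hacked state is not silently
# accepted as the new normal; rebuild it deliberately after a legitimate update.
scan() {
    root=$1; baseline=$2
    fresh=$(mktemp)
    make_baseline "$root" "$fresh"
    diffs=$(compare_baselines "$baseline" "$fresh")
    rm -f "$fresh"
    [ -z "$diffs" ] && return 0
    echo "$diffs"        # in a cron job, pipe this to mail(1) for the alert
    return 1
}

# Constructed demo: take a baseline, simulate a defacement, scan again.
demo_monitor() {
    work=$(mktemp -d)
    site=$work/public_html
    mkdir -p "$site/blog"
    echo '<html>home</html>' > "$site/index.html"
    echo '<html>post</html>' > "$site/blog/post.html"
    make_baseline "$site" "$work/baseline.tsv"
    echo '<html>defaced</html>' > "$site/index.html"        # changed
    echo '<html>dropped in</html>' > "$site/new-file.html"  # added
    rm "$site/blog/post.html"                                # deleted
    scan "$site" "$work/baseline.tsv" || true
    rm -rf "$work"
}

demo_monitor
```

Scheduled from cron once a day or more often, `scan` run with `mail` on its output gives the same kind of alert the article describes; keeping the baseline outside the document root matters, because a hacker who can edit the site's files could otherwise edit the baseline to match.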
Will Bontrager