Site Sanitization: Cleaning up a Hacked Website
We pride ourselves on having an extremely secure platform, but even the most secure hosting providers see hacked websites on a daily basis. Almost always, the goal of the hacker is to steal content, send spam, spread malware or conduct some type of phishing scam. Many times we’ll see a site administrator clean a site only for it to be hacked again a few days later, and then they come to us wanting to know why. We find that some additional steps that can secure a site and fend off attacks are often neglected. This blog explains why sites are hacked, steps for cleaning up a hacked site, and preventative measures that can be taken to secure the site moving forward.
Why sites get hacked
Vulnerable Extensions
There are several reasons a site can be hacked, but the culprit we identify most often is an outdated extension. Updating extensions is critical because hackers can easily identify vulnerabilities in older versions, which are like a wide open back door to the site. If you’re using a Joomla site, it’s best practice to visit the Vulnerable Extensions List frequently. If you see an extension you’re using on this list, download and install the patches immediately. If no patches exist, disable the extension and find something to replace it.
Outdated Applications
Another reason we see sites hacked is because the site itself is an older version of the application, like Joomla 1.5 for example, which is no longer supported with security patches. We provide a managed hosting platform, which means we’ll update versions for you when a new STS (short term support) version becomes available. When a new LTS (long term support) version becomes available, it’s up to site administrators to upgrade on their own. It’s definitely best practice to stay current with the most recent version of your application.
Compromised Passwords
We also see compromised administrator passwords. Hackers have the ability to run a few scripts to determine if you’re using a simple password like a name or birth date or if you’re using something generic like “admin” or “admin123”. You wouldn’t believe how many times we see people actually use the word “password” for their password. You also have to be careful about who you share the password with.
Compromised Computers
Even though we cannot scan your personal machine, we do encounter users whose computers has been infected with a virus, spyware, or malware. Attackers who use these surveillance or malicious softwares are looking for personal information that can be exploited and they’ve been known to steal passwords and sell them to other groups who want to attack your site. Be sure to check your your machine weekly with a reliable scanner. I recommend using Microsoft Security Essentials, a free program for Windows versions Vista, 7, 8 and 8.1. Linux and Mac users are not immune to attacks, and I recommend speaking with someone about how you can best secure your machine.
Cleaning up a hacked site
There are a number of steps that need to be taken to clean up a hacked website. If you’re unfamiliar with the items on this list, you can contact your web hosting provider for more assistance.
- Begin by changing all the passwords associated with the site. This includes administrator, ftp and mysql passwords.
- You can put your site in offline mode to temporarily avoid the hacked pages from being displayed to site visitors. This will take the site down completely and isn’t a permanent fix.
- Look to see if any additional files have been upload to the root directory (public_html or httpdocs) of the site and delete them.
- Check to see if there are any .php files in the media folder. Hackers maybe upload PHP scripts to the folder.
- Scan your site with Sucuri SiteCheck to see if there is any malware, blacklisting, spam or defacements on the site.
- Access your server logs to determine the activity of the hacker. Learn how to enable access logs on our platform.
- If there are specific pages on the site that have been hacked, you can use Google Webmaster Tools to request the URL be removed from indexed content.
- Make a list of any 3rd party extensions or templates you’re using in the site and check with the developers to see if any updates are available.
- Be sure that you’re using the most recent version of the application.
- If none of these options work, and you have a backup of the site available, you can restore the site from a backup before the hack occurred and then start troubleshooting.
Avoiding a hacked site in the future
The suggestions we have for avoiding a hacked site in the future should be performed on a regular basis.
- Replace old passwords with something complex. Pick a password that contain a random mix of numbers, punctuation marks, upper and lowercase letters.
- Stay current with the version the application you’re using and make sure you’re in the information loop so you receive notification when newer versions become available.
- Keep a list of the 3rd party extensions you’re using in the site. Check in with developers frequently to see if updates are available.
- Take frequent snapshots (backups) of your site. This is important during the update process too. Take a snapshot of the site before you update an extension and if the site breaks, you can easily revert back to the previous point without losing content. Learn how to manage snapshots on our platform.
- Consider using two factor authentication if you’re using a Joomla site.
- Browse through various security extensions for the site. Popular Joomla security extensions include Admin Tools, jSecure and more. WordPress security plugins include Wordfence, Bulletproof Security, Simple Firewall and more.
- If you’d like to make your site 100% hack proof, consider using our Web Application Firewall. This feature, accessible through the Cloud Control Panel, will lock your site and database down at the server level. You can select which database tables you’d like to lock, but this feature isn’t ideal for every site.
CloudAccess.net Sanitization Services
If all of this is a little intimidating, don’t panic. We offer a site sanitization service for any site hosted with CloudAccess.net. Our team of programmers and system administrators will clean an application and remove the hacked files and scripts for you. We’ll update the site and make it as secure as possible by taking preventative measures. Learn more about our Site Sanitization services.
