Website Hacked? Now What? Don’t panic and follow these steps

Do you have a website? Has it ever been compromised? Statistics show that in the average lifespan of a site, at some point, it would inevitably be breached in one form or another. Naturally, this is not 100% guaranteed to happen, but we often neglect our security until it’s too late.

One of the most requested topics of discussion by far, this post’s goal is to shed some light on the most effective plan for clearing a malware infected website and hardening its security, additionally avoiding such future occurrences.

“My website has been breached!”

Imagine that you wake up on a beautiful Sunday morning, it’s your day off, you’ve made plans, the weather outside seems delightfully pleasant, and it looks like nothing is going to ruin your day until you then realize that your website has been hacked.

Stress and panic slowly ensue, your losing business, you need an immediate solution. From here on, these are the immediate steps you must follow to prevent further damage and restore stability to your website.

Battle Plan

The following should be done in the exact order as written.

Secure your installation

Before making any actual changes, you must firstly block out the attacker from regaining access to your website/files and viewing any changes you made in the effort to revoke his authorization. You can achieve this by:

Setting file permissions

This will prevent your files from being publicly accessible via browser during the timespan in which you are cleaning out your infestation. Websites are compromised most often via the website application itself, and this will undoubtedly prevent the attacker no matter how he has gained access or what backdoors he has set up. This can be done in several ways, either through the terminal using the “chmod” command or by going to cPanel > File Manager > going to the “public_html” folder or your corresponding addon domain folder for the compromised website > clicking Select All > clicking Permissions > Removing all the ticks until the end result is 0 – 0 – 0 and then clicking Change Permissions. This will render your website entirely inaccessible to the public, and it will no longer be able to load through a browser.

Block malicious IP(s)

Using the help of the cPanel module “IP Blocker” – go through the logs of your application, which whether in the application itself or some other form are always left in order to determine the IP(s) of the attacker and block them in order to prevent him further regain access. This is not a highly effective step, but it will still slow him down as nobody has an endless pool of Proxy/VPN IP addresses lying around. Through investigation of the access logs, you can distinguish the IP(s) of the attacker by filtering out all of the administrative application paths. Any IP address that has visited for example, in WordPress, the path “domainname.com/wp-admin/*****” or similar backend dashboard URL’s, and is not your own IP is a potentially the attacker.

Block external MySQL connections

Navigate to the cPanel’s “Remote MySQL®” option and remove anything under “Manage Access Hosts” unless those who you are certain that you have added yourself if any.

Remove ALL unused installed applications and their databases

Duplicate installations, development phases of the website, testing environments, unused subdomains, everything has to go. These are the bacteria plaguing your hosting and causing a huge threat to the recurrence of this event.

Removing the backdoors

If your website has been hacked, this has been done via some type of backdoor. The initial breach can have occurred due to many reasons like vulnerable plugins, outdated application version, simple passwords, etc, but a backdoor is used as the tool that the attacker can use to keep regaining access of your website. Malware removal is the hardest part of securing your website as the malware can be located in every file your site utilizes and there is no absolutely sure way to know if you have fully ridden yourself of it, but these steps will help to a large extent.

  1. Review recently modified files
    You can do this by running the terminal command “find ./ -type f -mtime -3” which will display the most recent file changes on your hosting for the last 72 hours. This may not always be absolutely accurate as most backdoor tools have the option to bypass timestamps and avoid this detection, but nevertheless, it will help you gather info on what files may have helped in the breaching of your website.
  2. Remove ALL unused themes/plugins
    Every application has a set of default themes that are installed with the application itself, they are worthless to keep around as if they are not in use they are only taking up the hosting storage space, same goes for plugins. You can remove them through your administrative dashboard for the application, and I would later also advise deleting their corresponding folder through the cPanel File Manager as if anything is left in the folder of a deleted plugin/theme it is most likely a hidden malware file.
  3. Update the application/themes/plugins you are using
    Backdoors can often be found stored in the code of the existing application, updating the application will rewrite all of the core files of the application itself, bringing it to the default code and removing any infected files. Also, the most breaches occur from outdated or unsecured versions of the application/themes/plugins so bringing them up to date will also reinforce your security by a large portion.
  4. Remove suspicious files/directories
    Everything that is not part of the application/themes/plugins/posts files has to go. Anything with a strange filename or peculiar file extensions is a red flag.

Updating existing credentials

  1. Update your cPanel password, change your FTP user accounts passwords and if they are not used I would strongly suggest removing them as a whole, Issue a new password for your application(s) administrative backends.
  2. Database Users
    Databases also have usernames and passwords that can be seen in clear text in the configuration files of the applications in order for the connection to be established between the platform and the MySQL of the hosting. These can be changed navigating to “MySQL® Databases” found inside the cPanel. Under “Current Users” there is an option called “Change Password”. After changing the database user password, the application must be updated with the new password in order to once more establish a connection and work. In WordPress, for example, the configuration file is called “wp-config” and it can be found in the main folder of your WordPress installation. Editing this file will allow you to change the password with the newly generated one.
  3. Password Resets
    All large platforms such as WordPress, Magento, Opencart and so on have an “Account Recovery” option, found somewhere on the backend login page. The e-mails are stored in the database and are subject to change. For WordPress, the default table is called “wp_users” and the first account is often the administrative account. Check whether the email for this account has not been tampered on all of your existing databases, as the attacker may at any time regain full access if he has changed it to an existing email to which he has access to. If it has, then through the cPanel module “PHPMyAdmin” open up the corresponding table for storage of registered users, find your admin account and edit the email value back to an email that you have access to.

Unconventional Solutions

When all in doubt fails, you may want to consider starting in a fresh, up to date installation of the application environment and only copying over the content posts which will be fully rid of any infections. This will guarantee that there are no infected files left and minimize the risk of being hacked in the future.

Under no circumstance would I even consider restoring to an earlier backup as a “solution to the problem,” as this will not remove the vulnerable spot from which your website has been breached. Backup restoration is only to be used if your website has been severely damaged, and once restored you would then proceed to follow the guidelines of this post starting from the beginning.

Daniel G.

Daniel works in Customer Sucess at FastComet. A self-described 'massive geek' and cybersecurity enthusiast, Daniel draws on his skills to research, understand, and disseminate Performance Monitoring complex topics to reach FastComet's technical audience.