Introduction:
Discovering that your website has been hacked can be terrifying, but don’t panic! With the right steps, you can regain control, secure your site, and ensure that it doesn't happen again. In this tutorial, I’ll guide you through the process of handling a hacked website and show you the steps you need to take to restore and protect it. Let’s dive in!
Real-Life Scenario:
A few months ago, I was working with a client who had an online e-commerce store. They noticed their site was intermittently going down, especially during high-traffic sales events. After thorough investigation, we discovered that the website had been hacked. The hacker had inserted malicious code into the site, which was causing the service failures.
We had to act fast to avoid losing revenue and customer trust. Following the steps below, we were able to restore the website, secure it from further attacks, and implement preventive measures. Let’s go through the process of handling a hacked website step-by-step, using this scenario as a guide.
Step 1: Find the Core Issue
Before taking action, it's crucial to understand the cause of the hack. Start by checking for any suspicious activity, such as:
- Unusual files or scripts added to your website’s directories.
- Unexpected changes in your WordPress theme or plugins.
- Suspicious activity in your website traffic logs or admin login attempts.
In our case, after checking the server logs, we found that the hacker had gained access by exploiting an outdated plugin. This gave us the first clue about the attack vector.
Step 2: Find the Backup of the Folder
If you have a recent backup of your website files, restore it as quickly as possible. Typically, your website’s files are stored in the public_html folder or the root directory.
To recover from the backup:
- Locate your backup folder (either manually or using your web host’s control panel).
- Replace the infected website files with the backup files you have.
If you don’t have a backup, don’t worry—we’ll move to the next steps.
In our case, the client had an automated backup solution. We immediately restored the website files from the backup and started the process of checking for other issues.
Step 3: Find the Backup of SQL Database
The next step is to restore your SQL database. If you have a database backup, use it to restore the data to your website. Here's how:
- Login to your hosting panel (cPanel, Plesk, etc.)
- Access the backup section or phpMyAdmin.
- Restore the database backup to ensure that your website’s data is intact.
In the scenario I mentioned, we found that the hacker had not only altered the website files but had also injected some malicious entries into the database. We used the clean backup database to restore the website’s data.
Step 4: Restore Database Backup
Now, restore the database using the backup you’ve located. If your site has been compromised, it's essential to:
- Overwrite the current database with your backup.
- Double-check the backup for any changes or inserted malicious scripts before proceeding.
This step will restore your website’s content and functionality as it was before the hack.
Step 5: Change the wp-admin URL
One of the most common ways hackers gain access to WordPress sites is through the default wp-admin login page. Changing this URL can add an additional layer of security. To change the URL:
Test the new URL and ensure it works before locking out unauthorized users.
Install a security plugin like WPS Hide Login or iThemes Security.
Configure the plugin to set a new login URL.
Step 6: Change DB Password
To prevent hackers from regaining access, change your database password. Here’s how:
- Login to your hosting panel.
- Go to the MySQL databases section and select the database associated with your WordPress site.
- Change the database password and update it in the wp-config.php file on your server.
This step will ensure that your database is secured with a new password.
Step 7: Use .htaccess to Stop Download of Zip Files
Hackers often use zip files to upload malicious scripts or plugins. To prevent zip files from being downloaded or executed on your server, add the following lines to your .htaccess file:
# Block access to .zip files
<Files "*.zip">
Order Deny,Allow
Deny from all
</Files>
This simple rule will block all zip file downloads, helping prevent further attacks.
Step 8: Try to Find Automatic Hacking Plugin or Script
Many website hacks involve the installation of malicious plugins or scripts that allow hackers to control the site remotely. Here’s what you need to do:
- Scan your website for malicious plugins.
- Disable any plugins that you didn’t install or look suspicious.
- Delete harmful scripts or plugins from your server and ensure your website is running only the trusted and updated plugins.
In our case, we identified that the hacker had installed a hidden backdoor plugin that allowed remote access. After removing the plugin and scanning the entire site, we were able to eliminate the threat.
Step 9: Check Website Permissions (755)
Ensure that your website’s file permissions are set correctly. Improper permissions can give hackers easy access. The correct permissions for files and directories should be:
- 755 for directories
- 644 for files
To change file permissions, use FTP or your web host’s file manager.
Step 10: Check Website Ownership (Ubuntu)
If you are hosting your website on a server (especially with Ubuntu), ensure that the website files are owned by the right user. This is especially important for shared hosting environments.
To check ownership, use the following command in your terminal:
ls -l /path/to/your/website
Make sure the ownership matches the user who is responsible for managing the website files.
Step 11: Buy OBR from Outright Store
A reliable, secure, and optimized OBR (Optimized Backup & Recovery) solution can be a lifesaver during such incidents. Outright Store offers excellent backup solutions that integrate seamlessly with WordPress, so you can ensure your website is regularly backed up and protected.
Step 12: Bind Port 22 to Specific IP or Devices
Port 22 is commonly used for SSH access to your server. To further secure your website, restrict SSH access to specific IP addresses or devices. This can be done by adding the following to your /etc/ssh/sshd_config file:
# Restrict SSH access to specific IPs
AllowUsers user@your_ip_address
This step ensures that only authorized devices can access your server remotely, making it harder for hackers to gain access.
Conclusion:
Getting your website hacked can be scary, but by following these steps, you can restore your site, secure it from further attacks, and ensure that it runs smoothly. From finding backups to using security plugins and configuring server settings, these steps will guide you toward keeping your site safe in the future.
In the case of my client’s e-commerce store, following these steps not only helped restore the site quickly but also ensured it remained secure and operational during busy sale events.
Remember, prevention is key! Keep your website and server up-to-date, use strong passwords, and monitor your site regularly for unusual activity.
Related Post