WillMaster

Cleaning Up a Hacked Website

Your website is hacked. What do you do?

This article refers to defacement hacks, where the content of web pages is changed or replaced by the hacker, or your traffic is redirected somewhere else, without your consent.

It contains a general step-by-step method to clean up your website, provided your website is on a Unix/Linux web server. (I have no experience cleaning up Microsoft IIS web servers.)

What you find here is a good procedure for cleaning up many, if not most, website defacement hacks. Specific types of hacks may require other steps.

As to how they got in to hack your site – perhaps through FTP, perhaps through the account's web hosting control panel, perhaps through WordPress admin, or perhaps some other means.

As to how they got the necessary password in the first place, it could be:

  • Trial and error with software that guesses passwords.

  • Intercepting email containing the password.

  • A virus/trojan/malware infection on your machine.

  • A virus/trojan/malware infection on the machine of someone else who has one of your passwords stored on their computer.

  • A key logger.

  • Or perhaps another way.

It's hard to tell, really, because there are so many ways log-in credentials can be obtained. (The basic security article has some information about basic personal computer security. Not comprehensive, but important.)

Cleaning Up the Hacked Site

Below is a table of the steps for a general clean-up of the site. The steps that apply to WordPress sites and those that apply to Non-WordPress sites are marked as such.

There are three sections.

  1. What to do immediately, even before cleaning up the site.

  2. Cleaning up the site.

  3. What to do after cleaning up the site.

What to do Now, Before Cleaning Up the Site

The things to do immediately are meant to ensure that however the password was obtained is not repeated, to invalidate the password the hacker has, and to let the hosting company know what happened.

| Step | Action | Non-WordPress Pages, Files or Website | WordPress Website |
|---|---|---|---|
| 1 | Change FTP and SFTP passwords. | ✓ | ✓ |
| 2 | Change the password for the account's web hosting control panel, generally cPanel or Plesk. | ✓ | ✓ |
| 3 | Change the WordPress admin dashboard/control panel password. | | ✓ |
| 4 | Notify your hosting company about what happened. They may have suggestions based on their experience and perhaps based on experience gained from helping another of their clients' sites that had the same type of hack. | ✓ | ✓ |
| 5 | Run good and up-to-date virus/trojan/malware security software to clean any infections. (The basic security article has some information about basic personal computer security. Not comprehensive, but important.) | ✓ | ✓ |

Cleaning up the Site

The table continues with suggested website cleanup steps – unless you get other instructions from your hosting company or find authentic cleanup information specific to the hack your website is suffering from.

Before continuing, create a new subdirectory on your computer. It is where you will put files downloaded in the following steps. To avoid confusion when talking about subdirectories, we'll call this new subdirectory on your computer the "destination directory."

Create subdirectories within the destination directory as needed to mirror the subdirectory path from where a file is downloaded.

The downloaded files should all contain only text. Even so, it is a good idea to scan them for viruses/trojans/malware before opening them. Certainly, do not open files with .exe or any other file name extension that is executable on your computer. Renaming files with executable extensions so they have a .txt extension may reduce their danger, although that's not guaranteed.

The files downloaded into the destination directory are for a record, in case you or someone else needs them to try to determine exactly what happened. If any files are to be changed and re-uploaded to the server, make a copy of the file and change/upload the copy. Don't change the original.

Viewing the file lists and traversing through the server's directories, and downloading/uploading, can be done with SFTP, FTP, or other server file management software.

| Step | Action | Non-WordPress Pages, Files or Website | WordPress Website |
|---|---|---|---|
| 6 | Check the document root directory (the directory on the server where the domain's main or index file is located) to see if it contains any index files you have not put there. Generally, only one of the following is in the document root directory: index.html, index.htm, index.php, or index.shtml. If others are present on the server and you didn't put them there, download the files to your destination directory and then delete the extra files from the server. | ✓ | |
| 7 | Check to see if .htaccess files have been added or changed in the document root directory and each of its subdirectories. For every .htaccess file recently updated (when the hack was done or just before): (i) Download the .htaccess file to your destination directory. (ii) Open the .htaccess file in a plain text processor like NotePad or TextWrangler to see if anything has changed or something has been added. Compare with the old version of those files if you have backups. (iii) For any .htaccess file that was changed, make a copy so you keep the original downloaded file for a record in case you need to refer to it later on. Clean up the copy and upload it to the server, overwriting the hacked one. | ✓ | ✓ |
| 8 | Check to see if WordPress template files have been changed recently (when the hack was done or just before). For every template file that has changed: (i) Download the template file to your destination directory. (ii) Inspect the file to see if anything has been changed. If backups are available, they may be used for the comparisons. (iii) If changed, make a copy so you keep the original downloaded file for a record in case you need to refer to it later on. Clean up anything that shouldn't be there and upload the template file to the server, overwriting the changed one. | | ✓ |
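
The checks in steps 6 to 8 can be run in one pass when you have shell access to the server, or a local mirror of the site that preserves modification times. This added example is not from the original article; the function name, the seven-day window, and treating .php files under wp-content/themes as the template files are assumptions.

```python
import os

INDEX_NAMES = {"index.html", "index.htm", "index.php", "index.shtml"}
# Assumption: WordPress template files are the .php files under this directory.
THEME_PREFIX = os.path.join("wp-content", "themes") + os.sep


def triage(docroot, hack_time, expected_index, window_days=7):
    """List files to download and inspect for steps 6, 7 and 8.

    hack_time is a Unix timestamp. Files modified from window_days before
    it onward count as "recently changed".
    """
    cutoff = hack_time - window_days * 86400
    report = {"extra_index": [], "htaccess": [], "templates": []}

    # Step 6: index files in the document root that you did not put there.
    for name in os.listdir(docroot):
        if name in INDEX_NAMES and name != expected_index:
            report["extra_index"].append(name)

    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            # lstat reads the entry itself, so a symlink is not followed.
            if os.lstat(full).st_mtime < cutoff:
                continue
            if name == ".htaccess":  # step 7
                report["htaccess"].append(rel)
            elif rel.startswith(THEME_PREFIX) and name.endswith(".php"):  # step 8
                report["templates"].append(rel)

    return {kind: sorted(paths) for kind, paths in report.items()}


if __name__ == "__main__":
    import sys
    import time

    # Usage: python triage.py /path/to/docroot index.php
    result = triage(sys.argv[1], time.time(), sys.argv[2])
    for kind, paths in result.items():
        for path in paths:
            print(kind, path)
```

Modification times can be reset by whoever changed a file, so an empty report is not proof of a clean site; compare against backups where you have them.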

What to do After cleaning up the Site

After cleaning up the website, take action to completely close the door the hacker used.

| Step | Action | Non-WordPress Pages, Files or Website | WordPress Website |
|---|---|---|---|
| 9 | Change the account's FTP, SFTP, and web hosting control panel passwords. Yes, do it again, even though you did it before cleaning up the site, in case the cracker somehow managed to listen in to your cleanup activity. | ✓ | ✓ |
| 10 | Change the WordPress admin dashboard/control panel password again – in case the cracker somehow managed to listen in during your cleanup activity. | | ✓ |
| 11 | Update to the latest version of WordPress if the latest version is not yet installed. | | ✓ |
| 12 | Update to the latest version of other password-using software on the server that may have been the access point for the hack. | ✓ | |

Now you can relax. But keep an eye on your pages.

The above is just a general clean-up sequence. Depending on the hack, it might come back, in which case it may be prudent to hire an expert to clean it up and restore security.

This is an article to bookmark. And to tweet and facebook, as it could very well save someone's sanity, or at least reduce the stress level, maybe even leave a few hairs on the head.

Hacker Alert Software

In the WebSite's Secret membership area is Files Monitor software. It stores each file size or a hash of each file's content for comparison during subsequent scanning.

When a discrepancy is found during scanning, an email alert is sent to wherever you have specified.

During site clean-up, the alert email can be invaluable, as it lists files that have changed, files that have been added, and files that have been deleted. Recovery may be faster, which is essential for keeping site visitor disgust to a minimum and for providing real content to search engine spiders instead of the hacked content.

The Files Monitor software can be set up to run every day or more often. It is good software to have. Get your membership here. Then download and install the software.
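
A monitor of the kind described above, as an added example: it is not the Files Monitor software or its code, and the function names and the JSON baseline file are assumptions. It uses a content hash rather than file size, because an edit that leaves the length unchanged alters the hash but not the size.

```python
import hashlib
import json
import os


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real files only; do not follow links out of the tree
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(full, root)] = digest.hexdigest()
    return hashes


def compare(baseline, current):
    """Return the three lists an alert would carry: changed, added, deleted."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def scan(root, baseline_file):
    """Compare root against the stored baseline, then store the new state."""
    current = snapshot(root)
    try:
        with open(baseline_file) as fh:
            baseline = json.load(fh)
    except FileNotFoundError:
        baseline = current  # first run: nothing to compare against yet
    with open(baseline_file, "w") as fh:
        json.dump(current, fh)
    return compare(baseline, current)
```

Keep the baseline file outside the document root, preferably off the server, so that someone who can write to the site cannot also rewrite the baseline.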

Will Bontrager


© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC