To fix a hacked website, you first need to know that it has been compromised. That’s not always easy. If the attacker takes out your monitoring system, you need to look for other signs: unusual activity, browser or virus warnings, unresponsive services or web pages, a sudden surge of spam reports. Once you figure it out, you need to act swiftly to secure your site.

Why do websites get hacked?

There’s a saying in the cybersecurity field that goes, “if you don’t know, don’t guess”. Website hacking might be motivated by greed, revenge, or politics. But any system with weak security will eventually get hacked in a random botnet sweep.

The result will usually be one or more of the following four things:

Financial leverage is when an attacker uses their new position of power to get money. That might be via bank fraud, ransomware, or by running scams on others from your domain.

Defacing and service denial is the most obvious website hack. The attacker sabotages the site to stop you from doing business, or edits the website and automated emails to send harmful, spammy, or politically oriented messages.

IP theft is when the attacker wants to steal insider secrets, customer and vendor information, and other valuable data that would otherwise be private.

Spying and resource capture is a subtle website hack. The attacker wants to use your servers as a listening post, capturing interactions as they happen. Later, they might hijack your systems to become part of a botnet, or use them as a fall guy for illegal activity.

Tip

You can protect your website from these attacks with MyDefender from IONOS, which will let you detect and quickly recover from a malicious hack.

How do you diagnose a hacked website?

The first step in diagnosing a hacked website is to find the security gaps that the hacker used to gain access. The actual vulnerability might be on the website itself, in a weak app, or in a compromised email account.

In particular, WordPress hacking has become more common. WordPress has severe vulnerabilities when you’re running old software, and site owners are often targeted by social engineering campaigns.

If your hacked website isn’t running old software, it’s possible that the attackers took advantage of insufficient cloud security, or that they found a zero-day exploit to leverage. Or you’re just one of many people caught in the middle of a DoS or DDoS attack. Man-in-the-Middle attacks are also possible, but unfortunately, they’re harder to spot.

Now that you know how it happens, you can look for signs of a hacked website. To spot malware and determine if you have a compromised website, watch out for the following:

Browser warnings

If your browser is warning you that it can’t access a secure version of the site or that the certificate isn’t valid, that site might have been hacked. Without a valid certificate, the browser cannot establish a trusted SSL/TLS connection.

Website can’t be reached

The attacker might take the site offline, or your web host might disable your website due to suspicious activity. If the attackers gained access to the host’s network hardware or your domain registrar, they might have changed how the site routes or resolves as well.

Anti-virus software

Sometimes anti-virus software will spot the malware that a hacked website is trying to push on visitors. That’s a pretty clear sign.

Login not working

If you can’t log in despite knowing for a fact that your username and password are correct, someone may have taken over, renamed, or removed your user account.

Warnings about login attempts

A brute force attack generates thousands or millions of failed login attempts. Repeated warnings mean that someone is trying to use automation to breach your account.

Defacing

If your normal site has a statement from the hackers on it instead, your account is probably locked out and you’re going to need to make some calls or gain physical access to regain control.

Hijacking

If you notice strange downloads happening automatically or get browser warnings about malicious code, you probably have a compromised website. Many virus scanners and browsers detect this, but some do not. Weak FTP and web hosting passwords are often to blame.

Ransomware messages

Ransomware messages will appear when your sites or your servers are hacked and the attacker wants money to restore them. Until then, everything on them is encrypted and unusable. If you don’t have an intact backup of all data, and you haven’t installed effective security measures against ransomware, you’ll need to make several hard decisions.

Google warnings and blocks

Google Search Console is a free marketing and analytics tool provided by Google which checks the search engine optimisation of your website. If it warns you about a massive influx of incoming or outgoing links, malware, or suspicious activity, you need to verify the security of your website. The website also gets blocked by Google if it’s been repeatedly reported as suspicious or malicious. To get back into search results, you need to fix your site and reactivate it via Google Search Console.

Unusual page load times

If your page loads unusually slowly, your website may be compromised. Cryptojacking spikes CPU and memory usage. Both mining software (like Coinhive) and distributed hash-cracking malware can be the culprit. They use the server and infected clients for cryptomining and brute forcing passwords.

Spam E-mails, redirects, or pop-ups

If you get complaints of spam E-mails from one of your accounts, it may have been taken over. Reports of redirects and unknown pop-ups or ads are also signs of hacking.

Tip

Fast, secure, and scalable webhosting from IONOS can protect you with up-to-date SSL certificates, backups, and DDoS protection.

What to do when you know you have a compromised website

There are several things you can do to reset your accounts, secure your site, and plug the exploits that got you into this situation. First, back up your website and its data onto external storage. You don’t want any virus or malware that may be present to infect an active machine. Do a full virus and malware scan on the backup and examine it for any content or script changes. Only then can you be sure it’s safe to use. For all remaining activities, use external computers, storage, and accounts. Nothing local can be trusted. When in doubt, consult an IT expert.
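One way to examine a backup for content or script changes, as an added Python example that is not part of the original article or of any IONOS tooling: it hashes every file in a known-good copy of the site and in the suspect backup, lists what was added, removed, or modified, and flags new or changed PHP files, with a separate reason for scripts sitting in the uploads folder. The directory layout, file names and file contents below are constructed sample data written into temporary directories.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file under root (relative path, '/' separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(known_good, suspect):
    """Return sorted lists of paths that were added, removed, or modified in the suspect copy."""
    return {
        "added": sorted(p for p in suspect if p not in known_good),
        "removed": sorted(p for p in known_good if p not in suspect),
        "modified": sorted(p for p in suspect if p in known_good and suspect[p] != known_good[p]),
    }

def suspicious_changes(diff, script_exts=(".php", ".phtml")):
    """Flag new or changed script files; scripts inside the uploads folder get their own reason."""
    flagged = []
    for path in diff["added"] + diff["modified"]:
        if path.lower().endswith(script_exts):
            in_uploads = path.startswith("wp-content/uploads/")
            flagged.append((path, "script in uploads directory" if in_uploads else "script added or changed"))
    return flagged

def _write(root, rel, text):
    """Helper for the constructed sample: create rel under root with the given text."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample: a clean copy and a backup with one altered file and one planted script."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as backup:
        for root in (clean, backup):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-content/uploads/2024/photo.jpg", "constructed-image-bytes")
        _write(backup, "index.php", "<?php require 'wp-blog-header.php'; // altered\n")
        _write(backup, "wp-content/uploads/2024/cache.php", "<?php // constructed sample file\n")
        diff = diff_manifests(build_manifest(clean), build_manifest(backup))
        return diff, suspicious_changes(diff)
```

Calling `demo()` returns the diff and the flagged list; on a real site you would point `build_manifest` at a fresh download of the CMS release and at the backup instead of the temporary directories.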

Change login and registration details

You need to do a global password reset. Every E-mail, hosting account, service account… everything. None of your accounts can be trusted. This includes the login data for all site administrators. If you have a central password manager, change the master password first, then use it to initiate a global password reset. If not, you’ll need to go through every account one by one. Use a secure password with at least 12 characters, with upper- and lower-case letters, numbers, and special characters. Alternatively, use a unique sentence-length phrase of at least 25 characters.

Switch website to maintenance mode

If your website is compromised, switch it to maintenance mode to protect your visitors and your reputation while it is being fixed.

Check your logs

Examine your website’s logs via your admin console or in the appropriate directory from the command line. If you don’t know where your logs are, contact your hosting provider. If you don’t understand the contents, contact a cybersecurity and monitoring professional.
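The brute-force warnings and the log review described above, as an added Python example that is not part of the original article: it parses Apache combined-format access-log lines, reports IPs that repeatedly POST to the WordPress login page inside a short window, and lists requests that executed a PHP file under the uploads folder. The log lines, IP addresses (documentation ranges), threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields needed below are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bruteforce(records, threshold=5, window_seconds=60):
    """IPs that POSTed to the login page at least `threshold` times inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].startswith("/wp-login.php"):
            by_ip[r["ip"]].append(r["time"])
    offenders = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                offenders.append(ip)
                break
    return sorted(offenders)

def find_upload_scripts(records):
    """(ip, path) pairs for requests that executed a PHP file under wp-content/uploads."""
    return sorted({(r["ip"], r["path"]) for r in records
                   if "/wp-content/uploads/" in r["path"] and r["path"].split("?")[0].endswith(".php")})

# Constructed sample lines (documentation addresses, not a real server).
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:02:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512'
    for s in (1, 4, 9, 15, 22, 30)
] + [
    '198.51.100.7 - - [10/Mar/2024:02:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Mar/2024:02:07:45 +0000] "GET /wp-content/uploads/2024/cache.php?x=1 HTTP/1.1" 200 512',
]

def analyse(lines=SAMPLE_LOG):
    """Run both checks over the given lines, skipping any that fail to parse."""
    records = [r for r in map(parse_line, lines) if r]
    return find_bruteforce(records), find_upload_scripts(records)
```

Feed `analyse()` the lines of your real access log to get the same two lists; the single login POST from the second address is ordinary use and is not reported.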

Reset .htaccess data

On Apache, reset the .htaccess file and restrict rights to the bare minimum. Once everything is secure, you can reset access to normal levels.

Scan website for malware or malicious code

WordPress operators can choose between free and paid security plugins for WordPress. These will scan your site data, apps, and plugins for malicious code.

Known and popular security plugins include:

  • WPScan
  • BulletProof Security
  • Sucuri Security
  • Jetpack

For WordPress alternatives, you might consider:

  • Intruder
  • ImmuniWeb
  • HostedScan Security
  • Detectify
  • SiteGuarding

How do you prevent your website from being hacked in the future?

You can protect your site from malware by:

  • Using secure passwords and a secure password manager.
  • Cycling passwords periodically and using a password checkout system to avoid simultaneous use.
  • Using up-to-date PHP versions. The latest is PHP 8.
  • Using enterprise patch management or doing periodic patch checks for all plugins, apps, and other linked software.
  • Using antivirus software and, if you have access to it, packet filtering.
  • Using reputable and secure hosting providers.
  • Leveraging security plugins to monitor your site.
  • Keeping your SSL certificates up to date.
  • Never using deprecated protocols like FTP. Use SFTP.
  • Enabling two-factor authentication whenever it is available.
  • Creating regular backups of your website data or servers.
  • Running vulnerability tests on your site and infrastructure.
  • Monitoring access logs, page permission changes, and user roles.
  • Using a secure firewall for your website (e.g. via Sucuri or Cloudflare).
  • Having in-house IT security or contracting an external service, if you run a business.

Customer communication after securing a hacked website

Fixing your compromised website is just the first step. All subscribers, users, and corporate partners need to be informed according to your internal policy, as well as industry and government regulations.

An example of these regulations is the General Data Protection Regulation (GDPR). It specifies how and when users and business partners need to be informed about security breaches. There may be additional local regulations, as well as industry standards, to consider.

Be transparent. Describe events factually, as well as the potential impact. Let users know what measures they can take to be secure, protect their identity, and safeguard their finances. Encourage them to change their passwords and add two-factor authentication when possible.

Conclusion: Protection first

Cyberattacks are growing in scope and magnitude. With so many potential targets given the world’s growing population and the expanding Internet of Things (IoT), that trend won’t reverse any time soon. Website owners must remain vigilant. They need to install measures to protect their websites, email addresses, and servers. Reliable webhosting includes many of the tools that you will need to stay safe out there.
