How to fix a website that has been hacked

To fix a hacked website, you need to know that it has been compromised in the first place. That’s not always easy. If the attacker takes out your monitoring system, you need to look for other signs: unusual activity, browser or virus warnings, unresponsive services or web pages, a sudden surge of spam reports. Once you figure it out, you need to swiftly take steps to secure your site.

Why do websites get hacked?

There’s a saying in the cybersecurity field that goes, “if you don’t know, don’t guess”. Website hacking might be motivated by greed, revenge, or politics. But any system with weak security will eventually get hacked in a random botnet sweep.

The result will usually be one or more of the following four things:

Financial leverage is when an attacker uses their new position of power to get money. That might be via bank fraud, ransomware, or by running scams on others from your domain.

Defacing and service denial is the most obvious website hack. The attacker sabotages the site to stop you from doing business or edits the website and automated emails to send harmful, spammy, or politically oriented messages.

IP theft is when the attacker wants to steal insider secrets, customer and vendor information, and other valuable data that would otherwise be private.

Spying and resource capture is a subtle website hack. The attacker wants to use your servers as a listening post, capturing interactions as they happen. Later, they might hijack your systems to become part of a botnet, or as a fall guy for illegal activity.

How do you diagnose a hacked website?

The first step in diagnosing a hacked website is to find the security gaps that the hacker used to gain access. The actual vulnerability might be on the website itself, via a weak app, or by using a compromised email account.

In particular, WordPress hacking has become more common. WordPress has severe vulnerabilities when you’re running old software, and site owners are often targeted by social engineering campaigns.

If your hacked website isn’t running old software, it’s possible that they took advantage of insufficient cloud security. or they found a zero-day exploit to leverage. Or you’re just one of many people caught in the middle of a DoS or DDoS attack. Man-in-the-Middle attacks are also possible, but unfortunately, they’re harder to spot.

Now that you know how it happens, you can look for signs of a hacked website. To spot malware and determine if you have a compromised website, watch out for the following:

Browser warnings

If your browser is warning you that it can’t access a secure version of the site or that the certificate isn’t valid, that site might have been hacked. Without a valid certificate, SSL and TLS stop working.

Website can’t be reached

The attacker might take the site offline, or your web host might disable your website due to suspicious activity. If the attackers gained access to the host’s network hardware or your domain registrar, they might have changed how the site routes or resolves as well.

Anti-virus software

Sometimes anti-virus software will spot the malware that a hacked website is trying to push on visitors. That’s a pretty clear sign.

Login not working

If you can’t log in despite knowing for a fact that your username and password are correct, someone may have taken over, renamed, or removed your user account.

Warnings about login attempts

A brute force attack generates thousands or millions of failed login attempts. Repeated warnings means that someone is trying to use automation to breach your account.

Defacing

If your normal site has a statement from the hackers on it instead, your account is probably locked out and you’re going to need to make some calls or gain physical access to regain control.

Hijacking

If you notice strange downloads happening automatically or get browser warnings about malicious code, you probably have a compromised website. Many virus scanners and browsers detect this, but some do not. Weak FTP and web hosting passwords are often to blame.

Ransomware messages

Ransomware messages will appear when your sites or your servers are hacked, and the attacker wants money to restore them. Until then, everything on them is encrypted and unusable. If you don’t have an intact backup of all data, and you haven’t installed effective security measures against ransomware, you’ll need to make several hard decisions.

Google warnings and blocks

Google Search Console is a free marketing and analytics tool provided by Google which checks the search engine optimisation of your website. If it warns you about a massive influx of incoming or outgoing links, malware, or suspicious activity, you need to verify the security of your website. The website also gets blocked by Google if it’s been repeatedly reported as suspicious or malicious. To get back into search results, you need to fix your site and reactivate it via Google Console.

Unusual page load times

If your page loads unusually slowly, your website may be compromised. Cryptojacking spikes CPU usage and memory usage. Both mining software (like Coinhive) and distributed hash hacking malware can be the culprit. They use the server and infected clients for cryptomining and brute forcing passwords.

Spam E-mails, redirects, or pop-ups

If you get complaints of spam E-mails from one of your accounts, it may have been taken over. Reports of redirects and unknown pop-ups or ads are also signs of hacking.

What to do when you know you have a compromised website

There are several things you can do to reset your accounts, secure your site, plug the exploits that got you into this situation. First backup your website and its data onto external storage. You don’t want any virus or malware that may be present to infect an active machine. Do a full virus and malware scan on the backup and examine it for any content or script changes. Only then can you be sure it’s safe to use. For all remaining activities, use external computers, storage, and accounts. Nothing local can be trusted. When in doubt, consult an IT expert.

Change login and registration details

You need to do a global password reset. Every E-mail, hosting account, service account… everything. None of your accounts can be trusted. This includes the login data for all site administrators. If you have a central password manager, change the master password first, then use it to initiate a global password reset. If not, you’ll need to go through every account one by one. Use a secure password with at least 12 characters, with upper- and lower-case letters, numbers, and special characters. Alternatively, use a unique sentence-length phrase of at least 25 characters.

Switch website to maintenance mode

If your website is compromised, switch it to maintenance mode to protect your visitors and your reputation while it is being fixed.

Check your logs

Examine your website’s logs via your admin console or in the appropriate directory from the command line. If you don’t know where your logs are, contact your hosting provider. If you don’t understand the contents, contact a cybersecurity and monitoring professional.

Reset .htaccess data

On Apache, reset the .htaccess file and restrict rights to the bare minimum. Once everything is secure, you can reset access to normal levels.

Scan website for malware or malicious code

WordPress operators can choose between free and paid for security plugins for WordPress. These will scan your site data, apps, and plugins for malicious code.

Known and popular security plugins include:

• WPScan
• BulletProof Security
• Sucuri Security
• Jetpack

For WordPress alternatives, you might consider:

• Intruder
• ImmuniWeb
• HostedScan Security
• Detectify
• SiteGuarding

How do you prevent your website from being hacked in the future?

You can protect your site from malware by:

• Using secure passwords and a secure password manager.
• Cycle passwords periodically and use a password checkout system to avoid simultaneous use.
• Use up to date PHP versions. The latest is PHP 8.
• Use enterprise patch management or do periodic patch checks for all plugins, apps, and other linked software.
• Use antivirus software and, if you have access to it, packet filtering.
• Use reputable and secure hosting providers.
• Leverage security plugins to monitor your site.
• Keep your SSL certificates up to date.
• Never use depreciated protocols like FTP. Use SFTP.
• Enable two-factor authentication whenever it is available.
• Create regular backups of your website data or servers.
• Execute result vulnerability tests on your site and infrastructure.
• Monitor access logs, page permission changes, and user roles.
• Use a secure firewall for your website (e.g. via Sucuri or Cloudflare).
• Businesses either have in-house IT security or contract an external service.

Customer communication after securing a hacked website

Fixing your compromised website is just the first step. All subscribers, users, and corporate partners need to be informed according to your internal policy, as well as industry and government regulations.

An example of these regulations is the General Data Protection Regulation (GDPR) act. It specifies how and when users and business partners need to be informed about security breaches. There may be additional local regulation, as well as industry standard, to consider.

Be transparent. Describe events factually, as well as the potential impact. Let users know what measures they can take to be secure, protect their identity, and safeguard their finances. Encourage them to change their passwords and add two-factor authentication when possible.

Conclusion: Protection first

Cyberattacks are growing in scope and magnitude. With so many potential targets given the world’s growing population and the expanding Internet of Things (IoT), that trend won’t reverse any time soon. Website owners must remain vigilant. They need to install measures to protect their websites, email addresses, and servers. Reliable webhosting includes many of the tools that you will need to stay safe out there.