There are lots of different types of website hacks. Hacks can be malicious (such as installing a virus on your website that your visitors may get), or the hacks can just change the text on your front page. It is important to determine if your website has been hacked, how it was hacked, and then how to restore the site to its status prior to the hack.
Has my website been hacked?
Some website hacks are obvious, while others are more subtle. Signs that your website has been hacked:
- Your front page is "defaced." When you visit your website, instead of your page there is a completely different page. Often these pages will have a "hacked by...." message on them.
- You can no longer log into any of your admin pages. If you are having trouble logging into your CMS administrator login and your cPanel, then it is possible that your site was hacked and the passwords were changed.
- You get a Google Warning when you visit your website. Google scans all websites for malicious coding. If Google finds any files to be malicious, then when you visit your site through a Google search or in Firefox/Chrome it will display a red warning page.
- Your computer anti-virus software warns you when you visit your website. If your anti-virus warns you of a virus on your website, then there is likely a virus or Trojan that your website is attempting to install on your computer.
- A page that previously loaded now suddenly will not load. This is not as common, but if a hacker has modified, for example, a database on your website so that the site no longer functions properly, you may get a "cannot connect to database" or similar message when loading a page.
How was my website hacked?
The more common methods used to hack websites include:
- Hacked cPanel or FTP password
- Code injection - http://en.wikipedia.org/wiki/Code_injection
- Remote File Inclusion - http://en.wikipedia.org/wiki/Remote_File_Inclusion
If your password has been hacked, generally this will lead to your front page being "defaced" as the hackers will upload their own index page. If you use software such as WordPress, ZenCart, or other programs, often the hacks are done through an exploit in those programs. In many cases, if you use a CMS program the database will be hacked as well and will need to be restored.
How do I fix my website that is hacked?
It is difficult to give an exact method to resolve a hacking issue, as there are many different types of website hacks. Here are some general steps to take to correct your website:
- Restore a backup of your website. The easiest way is to restore your site from a version that was saved prior to the site being hacked. If you have paid for the automated backup service, please contact our support team so that your website can be restored from the backup. If you do not have the automated backup service, then you will need to restore your own backup of your website through cPanel, or by re-uploading your website from a local copy.
- Remove coding from the .htaccess file. Many times if the site is hacked by code injection, there will be a "re-direct" placed in your .htaccess file in your public_html folder. Open your .htaccess file and look for any lines of coding that look suspicious. Delete the suspicious lines of coding, and then save your changes.
- Remove coding from other files. The easiest way to find files that have been modified is to check the last modified date. Make sure to check files in subfolders.
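
The two manual checks above (suspicious .htaccess lines and recently modified files, subfolders included) can be scripted. This is an added example, not code from the original page; the pattern list, the function names and the `example.invalid` sample are assumptions made for illustration.

```python
import os
import re
import time

# Worth a manual look in .htaccess: off-site targets, rules keyed on referrer or
# user agent, PHP auto-include settings (this example's list, not a complete one).
SUSPECT = re.compile(
    r"https?://|HTTP_REFERER|HTTP_USER_AGENT|auto_(?:prepend|append)_file", re.I)

# Constructed sample: a stock WordPress rule followed by an injected redirect.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule . /index.php [L]
# http://example.invalid/ appears in this comment only
RewriteCond %{HTTP_REFERER} example [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
"""

def suspicious_htaccess_lines(text):
    """Return (line_number, line) for non-comment lines matching SUSPECT."""
    return [(number, line.strip())
            for number, line in enumerate(text.splitlines(), start=1)
            if not line.lstrip().startswith("#") and SUSPECT.search(line)]

def recently_modified(root, days, now=None):
    """Files under root (subfolders included) changed in the last `days` days."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            mtime = os.lstat(path).st_mtime
            if mtime >= cutoff:
                found.append((mtime, path))
    return [path for _mtime, path in sorted(found, reverse=True)]

def triage(root, days=14):
    """Run both checks over a document root such as public_html."""
    flagged = {}
    for folder, _dirs, names in os.walk(root):
        if ".htaccess" in names:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = suspicious_htaccess_lines(handle.read())
            if hits:
                flagged[path] = hits
    return {"modified": recently_modified(root, days), "htaccess": flagged}
```

A file's last modified date can be reset by whoever changed the file, so an empty "modified" list does not prove the site is clean; compare against a known-good backup where one exists.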
What should I do to prevent my site from being hacked?
Depending on the cause of the hack, there are some steps you can take to help prevent hacks in the future:
- Change any passwords for your account. This is always the recommended first step. In case your passwords were compromised, change your cPanel password, any FTP account passwords, and if you use WordPress or a CMS change that password as well.
- Remove any unknown logins. This applies to cPanel, FTP and your CMS. Hackers will often create accounts with a harmless-looking username such as "Backup". Remove any such account unless you created it, and even then change its password.
- In WordPress you will find in wp-config.php a set of authorisation keys and salts. If you have been hacked you will need to generate new versions and replace these as per the instructions provided in that section of wp-config.php. Other CMS systems may have similar things that need changing - refer to the appropriate vendor's support documentation for more information.
- Update programs running on your hosting account. If you use third party software to build your site, such as WordPress or Joomla, make sure you are using the most up to date version as security exploits may have been fixed by the developers.
- Some plugins and themes require manual updating and won't be checked as part of the built-in update routine. Check the version of every plugin you are running against the latest version shown on the developer's website.
- Have your web developer check all other files on your hosting account. It isn't enough to update WordPress, as there are likely to be other infected files. To be completely sure of clearing the infection, it's often best to clear the hosting account, install a fresh version of your content management system, reconnect it to the database, reinstall any plugins you need, and get your web developer to re-upload their version of any themes.
- If your web developer created a custom theme based on a standard one, they should ensure any code is updated manually in the custom theme to reflect updates in the original theme.
- Update programs running on your computer. Some programs, such as Adobe's Flash, include vulnerabilities that allow hackers to access data on your computer. They can then sniff around and find data, such as FTP usernames and passwords that are saved in some programs. Be sure that you keep all of your software up to date as most developers often release security patches.
- Scan all devices used to access cPanel, FTP or your website for viruses, spyware and malware.
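
For the WordPress keys and salts step above, the replacement can be done locally rather than by hand. This is an added example, not code from the original page or from WordPress; it generates the values with Python's `secrets` module instead of following the instructions in wp-config.php, and the function names and sample fragment are assumptions.

```python
import re
import secrets
import string

# The eight constants defined in the keys-and-salts section of wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Quotes and backslash are excluded so a value is safe in a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>~|;:,.?/"

# Constructed wp-config.php fragment using the stock placeholder values.
SAMPLE_CONFIG = "<?php\n" + "".join(
    "define( '%s', 'put your unique phrase here' );\n" % name for name in KEY_NAMES
) + "$table_prefix = 'wp_';\n"

def new_secret(length=64):
    """One random value drawn from a cryptographically secure source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Return (new_text, replaced_names); raise if any of the eight is missing."""
    replaced = []
    for name in KEY_NAMES:
        # The quote before the name keeps AUTH_KEY from matching SECURE_AUTH_KEY.
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = "define( '%s', '%s' );" % (name, new_secret())
        config_text, count = pattern.subn(lambda _m, line=line: line,
                                          config_text, count=1)
        if count:
            replaced.append(name)
    missing = [name for name in KEY_NAMES if name not in replaced]
    if missing:
        raise ValueError("not found in wp-config.php: " + ", ".join(missing))
    return config_text, replaced
```

Replacing these values invalidates existing login cookies, so every logged-in user, including anyone using a stolen session, has to sign in again. Write the result to a copy of wp-config.php first and keep the original until the site has been checked.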