My website has been hacked – what should I do?
There are several ways a hacker can attack a website, exploiting poorly executed security policies or taking advantage of unattended vulnerabilities. (See also Online safety for website owners). The attack can be internal or external, often using spam or malware to achieve the purpose.
Currently, browsers such as Google Chrome issue a malware warning for websites that may have been compromised by an attack. This is a visitor repellent warning that no website owner wants to see when accessing his or her web page. Still, if such thing happens, first thing to do is stay calm, take the infected site offline and then assess the situation before proceeding to action.
How can I tell my website has been infected?
Some attacks do not display a victory flag saying “I hacked your site”, that is to say not all intrusions are clearly visible. In such cases, you should suspect that your website has been attacked if you see on or more of the following symptoms:
- user complaints about the site being blocked by their security software or browser, or about getting malware from visiting your website
- users report redirection to other websites
- significant changes in traffic – usually a dramatic and sudden traffic decrease
- a sudden drop in search engine raking
- browser warning indicating that the website has been compromised
- the website is blacklisted by search engines or other databases of malicious URLs
- the website works improperly, displaying errors and warnings
- your site contains files and/or code you don’t recognize
- your pages suddenly don’t validate for the W3C standard
- after visiting the website, computers exhibit strange behavior.
- last login IP in the Admin Panel is not from your IP
After taking the site offline, scan all files for malware using the anti-virus of your choice (refer to AV-Comparatives tests and reviews to compare the options). Also, fully scan all computers that have stored your FTP username/address and/or have been used to publish the files of your website. If taking down the website is not an option, use an online scanner and change all FTP passwords or other passwords used for administrative sections of the website, together with e-mail passwords. Do not use software to save the passwords, instead memorize them or write them down on a piece of paper.
Refer to your web developer and ask them to verify the current version of the site to the latest one they have stored for publishing, in search of any suspicious differences.
Check with your hosting provider. Your website might not have been the only victim of the attack, especially if you are using shared hosting. The hosting provider can confirm the attack or indicate a loss of service as the cause of the symptoms, and take steps in fixing the problem.
Backup. Make a backup of what remains left of the website and make a habit (if you do not already have) of backing up the website files at every change. It is a good idea to use a version control service to easily identify the latest version of your website and rollback to a previous version that you know to be safe.