Suppose you visit your site to look for content to edit, and suddenly you realize that the homepage has been replaced by very offensive content and foul language. In that case, your website has been hacked, but how do you rescue it? Here are some tips.
Table of Contents
- Look for symptoms!
- Your scan results indicate a threat
- Your website is unexpectedly altered
- The website behaves strangely
- You receive a warning/penalty from your browser/search engine
- Your website suddenly slows down
- Visitors tell you about weird things
- There are unknown files or code
- Your password doesn’t work
- There are settings that changed without your permission
- There are unexpected spikes or drops of traffic
- Any of your devices are infected
- How to deal with the hack?
- Take your site offline
- Inspect the damage
- Contact your hosting provider, contacts, and team members
- Change all of your passwords
- Scan all your devices thoroughly
- Create a backup
- Restore from your backup
- Remove the malware
- Pick safe files and wipe your website
- Change your passwords again
- Last resort: Start over with a new domain
- Testing, testing, testing
- Securing your site
- Learn about the attacks websites can suffer
- Make sure your passwords are robust
- Keep all software up-to-date
- Optimize security settings
- Write a blog post about it
Look for Symptoms!
To rescue a hacked website, you have to find out about a hack as early as possible. Therefore, it’s essential to learn about the symptoms. Here are a few of them.
Your Scan Results Indicate a Threat
You have installed an antivirus program on your website, right? If not, stop reading this page and immediately download a reputable antimalware plugin. Make sure you read customer reviews in the process to ensure that the app is authoritative!
If you have antivirus software on your website, scan the site often. If results show a threat, you should start clearing the malware immediately because there must be something wrong if this result is produced.
However, no antivirus software is perfect, and malware is often designed to dodge the antivirus. Therefore, you should look for visual changes to your website as well, which are explained in the following sections.
Your Website is Unexpectedly Altered
Another sign of malware is that your site looks very different from what it was before. This means cybercriminals use the site to show offensive and inappropriate content or even convince users to install malware!
If you see this change, you should contact other people that are working on this website immediately. Before beginning malware removal, you should eliminate the possibility that it’s done by other members of your team, especially if the modification is quite subtle.
The Website Behaves Strangely
Moreover, you should be aware if your site behaves weirdly. For instance, your site might contain missing or replaced images in these circumstances, or the page might disappear immediately after it is loaded. This is an obvious sign that malware is present, given that other people working for your site didn’t make significant changes to it.
You Receive a Warning/Penalty from Your Browser/Search Engine
If you encounter this scenario and can’t visit the site by just entering the URL, your site certainly has malware. In fact, malicious or suspicious files have already been detected on the website for these to happen.
Therefore, if you receive warning messages that your site is hacked, clean the website immediately.
Your Website Suddenly Slows Down
This scenario is different from the previous ones: If you encounter this, look for attacks from the outside first. In these circumstances, it’s probably due to a DDoS attack that is overloading your server so that it becomes slow or inaccessible. Keep in mind that these attacks often obscure some even more severe hacks, such as stealing data from the website.
Moreover, you should think about site speed optimization. Maybe your server is too slow, or your images are too big. It might be due to some render-blocking scripts. Or perhaps the server is too far away, and you have to move it closer to the target audience.
However, if you’ve ruled out these circumstances, you should consider the possibility that internal malware is causing the problem. There might be complex scripts that load when the page is loading, and they might be used to do nefarious things to your site.
Visitors Tell You About Weird Things
Furthermore, if one of your visitors notifies you that they saw weird stuff, you should consider that it’s the result of a cyberattack. It means that your user has noticed some symptoms of a malware infection on your site, and you should be aware of that situation.
There are Unknown Files or Code
If there are weird files or code added to the website, it’s a clear sign that malware is present. However, you should talk to your teammates first, just in case the change is theirs.
Additionally, if you found something like that, record the file name and path immediately. This can be used in the malware removal process, which is vital for your site to return to normal operations.
Your Password Doesn’t Work
This is a 100% sign that your website was hacked or infected if the password involved is related to your site, such as the CMS or FTP password. In fact, attackers might change your password immediately after getting into your account to prevent the valid owner from intervening.
In this case, start attempting to recover your password first. Use the “Forgot Password” option, and keep in mind that the function isn’t just for forgotten passwords!
If you can recover your account, immediately start the process of eliminating the malware. If you can’t, you have to abandon your account. In that case, try to contact another administrator of the website and log in through his/her account.
There Are Settings That Changed Without Your Permission
Like files or code that are added strangely, you should also look for unfamiliar changes in settings. If a hacker does so, it might facilitate the attack or leave a trail so that the remains of the malware will reinstall itself after a specific period of time.
If you notice something like this, make sure you contact other people working on your website first. Your website is possibly infected if none of your teammates admit the change. In that case, you should begin the malware removal process right away.
There Are Unexpected Spikes or Drops of Traffic (Alert)
Unexpected spikes or drops of traffic can indicate a hack, especially if it’s accompanied by other symptoms. While a spike might indicate that there might be an attack, a drop might suggest that the search engine or browser has noticed malware, or the user experience is worsened substantially.
Take a look at the sources and time frames of the sessions first. If it’s from a particular time frame and location, it might be an attack that might be trying to break into your account. If the spike is persistent and from a global source, it might be due to a DDoS attack, which can hide another attack on your site.
Moreover, troubleshoot your site if you see a weirdly low amount of users or an unusually high bounce rate, especially for a relatively long time. This means that user experience has declined, or your search engine partially or completely removed your site from its index due to malware. This is also a sign to look out for.
Any of Your Devices are Infected (Alert)
You should also worry about your website if any of your devices are infected. If that’s the case, malware can creep into your website from your local computer, especially if the password is accessible through the device. It might be one of the most attractive spots for malware since a website is a great way to distribute it.
How to Deal with the Hack?
If you’ve observed one of the first nine symptoms, it’s a sure sign that someone invaded your website, and it’s time to erase the malware. Let’s find out how to do so in the sections below.
Take Your Site Offline
Firstly, you have to take your website down. While it might seem silly to disable your site, it’s worth it in this case. You don’t want to serve users malware or offensive content, right? If you do, the site might seriously harm the visitors’ computers, as well as the visitors themselves.
A tip is to tell the visitors that the site is undergoing maintenance. This can protect the reputation as much as possible because the users will think it is not offline for no reason. Moreover, use another server or use the .htaccess file to redirect the visitors to the maintenance screen with an HTTP code of 503.
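As an added example (not from the original article), here is one way to do the "use another server" option: a small stand-in server that answers every path with HTTP 503 and a `Retry-After` header. The port, the one-hour retry value and the page text are assumptions.

```python
"""Stand-in maintenance server: every request gets the same HTTP 503 notice."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RETRY_AFTER_SECONDS = 3600  # assumption: expected downtime, adjust to your estimate
PAGE = (b"<!doctype html><title>Maintenance</title>"
        b"<h1>We are down for maintenance</h1><p>Please check back soon.</p>")


def maintenance_response(method: str):
    """Build the same 503 answer for every request, whatever path was asked for."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(len(PAGE)),
        "Retry-After": str(RETRY_AFTER_SECONDS),  # when clients may try again
        "Cache-Control": "no-store",              # keep proxies from caching the notice
    }
    body = b"" if method == "HEAD" else PAGE      # HEAD: headers only, no body
    return 503, headers, body


class MaintenanceHandler(BaseHTTPRequestHandler):
    def _reply(self):
        status, headers, body = maintenance_response(self.command)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    # No request reaches the compromised site: every method gets the notice.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _reply


def make_server(host="127.0.0.1", port=8080):
    """Create the server; host and port here are illustrative defaults."""
    return ThreadingHTTPServer((host, port), MaintenanceHandler)


if __name__ == "__main__":
    make_server().serve_forever()
```

The default request log on stderr is left on, so you can see which paths are still being requested while the real site is down.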
Inspect the Damage
From this step on, consult professionals if you have major decisions that your team doesn’t know how to make.
Firstly, you have to inspect the damage. Take a look at the website files now. Are there any images or blog posts that are missing? Are there many recently modified files that look fishy? Is there spam in your website “Sent” folder? How many threats does the antivirus reveal? These are just some of the questions you must ask when you find out about the issue, and you should think of more to assess the damage.
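As an added example (not from the original article), here is one way to answer these questions and to follow the earlier advice to record the name and path of unknown files: compare the live site tree with a known-clean copy by SHA-256 and list added, missing, modified and recently touched files. The directory layout and the `build_demo` sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of a file's bytes; a symlink is recorded by its target instead."""
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map relative path -> (fingerprint, mtime) for files and symlinks under root."""
    root, snap = Path(root), {}
    for dirpath, dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in dirs + files:
            full = Path(dirpath) / name
            if full.is_symlink() or full.is_file():
                rel = full.relative_to(root).as_posix()
                snap[rel] = (fingerprint(full), full.lstat().st_mtime)
    return snap


def triage(live_root, clean_root, recent_days=14, now=None) -> dict:
    """Compare the live site with a known-clean copy and list what to review."""
    live, clean = snapshot(live_root), snapshot(clean_root)
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    return {
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
        "modified": sorted(p for p in live.keys() & clean.keys()
                           if live[p][0] != clean[p][0]),
        # mtime is only a hint: anyone who can write a file can reset its timestamp.
        "recent": sorted(p for p, (_, mtime) in live.items() if mtime >= cutoff),
    }


def build_demo(base) -> tuple:
    """Constructed sample: a clean copy and a live copy that differs in three ways."""
    clean, live = Path(base) / "clean", Path(base) / "live"
    old = time.time() - 90 * 86400
    for root in (clean, live):
        (root / "uploads").mkdir(parents=True)
        for rel, text in {"index.html": "<h1>Home</h1>", "about.html": "About us",
                          "uploads/logo.txt": "logo"}.items():
            (root / rel).write_text(text)
            os.utime(root / rel, (old, old))   # pretend these are 90 days old
    (live / "index.html").write_text("<h1>Defaced</h1>")    # changed content
    (live / "uploads" / "cache.php").write_text("unknown")  # file nobody added
    (live / "about.html").unlink()                          # content gone missing
    return live, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live_dir, clean_dir = build_demo(tmp)
        for section, paths in triage(live_dir, clean_dir).items():
            print(f"{section}: {paths}")
```

Run it against a copy of the site rather than the live server, and treat the "added" and "modified" lists as the files to review with your team first.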
Contact Your Hosting Provider, Contacts, and Team Members
After that, you should immediately contact your hosting provider, contacts, and team members. Firstly, if you utilize shared hosting, you should make sure other sites on the same server are not hacked by letting the hosting provider know the condition of your website. If other websites are compromised, it will lead to a significantly more serious attack because the malware will have more platforms from which to start the hijack.
Furthermore, it’s better to notify your contacts to prevent them from receiving spam from your website. You should tell them not to click on links or attachments on emails sent from a particular domain, as well as related email accounts like your personal one.
Additionally, you should contact your team members and tell them they should change their passwords straight away. If you troubleshoot a hacked site without the other team members knowing it, your team might not be on the same page, which causes all sorts of issues and misunderstandings. Besides, your team members are good at various aspects of website management, and they can all work together to get the site back to life more quickly.
Change All of Your Passwords
The next step is to change all your passwords as quickly as possible. Make sure they are strong, unique, and hard to guess. Start with accounts related to your website, like your CMS or cPanel accounts. Then change the passwords of other important accounts, such as your email or bank account. Finally, modify your passwords for the rest of the accounts, such as newspaper subscription accounts.
Why do you have to change the passwords of unrelated accounts? This is because your computer might have been compromised in the hack of your website, which might expose all your passwords if the password manager password is accessible.
Use a random password generator on most accounts and save it on a password-protected password manager. But, for critical accounts and the password manager itself, you have to use your creativity to come up with brilliant passphrases that are easy to memorize but difficult to crack. For instance, if your sentence is “Secure your passwords to enhance security”, you should opt for something like “SeYPwds2ESy5599^&!#”. WARNING: DO NOT USE THIS PASSWORD ON YOUR OWN ACCOUNT!
Create a Backup
After that, you have to create a backup in case something goes wrong in the recovery process. Starting over with a new domain due to a simple error is awful, right? Although the backup contains malware, it provides an opportunity to rescue your data if mistakes are made in the following steps.
Restore from your backup
Then, you have to restore from a backup that was made before you found your site infected. It hopefully ensures a faster return to normal operations because there might be less malware (or no malware at all) when the website is restored.
Still, the restore app itself might be damaged, and malware might still linger despite the restoration. Therefore, you should conduct the following steps to erase the malware. However, this action is worth it because it hopefully minimizes the damage to the eraser later in the process.
Remove the Malware
Here comes the most important part of all: trying to remove the malware. Firstly, you need to rerun a scan and look for any threats. If there are any, identify the affected file and try to remove it. However, no antimalware software is perfect, and it cannot point out all malware because some deliberately hides. You should also look for any weird code in every single file on the website. That doesn’t sound easy because there could be thousands of files on your website, but do it as much as possible to catch the malware.
Another option is to scan your website with various antimalware software. Make sure it’s a complete copy of your website on a healthy computer, and read customer reviews and ratings before downloading any of these. However, these might also be compromised by the malware, so after removing as much as possible, you will have to do the nuclear thing: Erase the website.
Pick Safe Files and Wipe Your Website
This might be the most frustrating step in this list, but it might be necessary, depending on the malware involved in the attack. It involves picking safe files, storing them in a backup, and erasing the entire website afterward.
Firstly, start with audio files and images. They are multimedia files that don’t pose any threat usually. However, it doesn’t hurt to scan these files once more, so you should do so.
Keep in mind that you should not extract plugin files or system files. They can be easily reinstalled later, and they might reinfect the website. Just pick up the content and copy it to an external drive.
Next, you should wipe your website. Simply go to your FTP account and delete all system files. Then, reinstall your CMS and plugins, add the content, and you’re done!
Change your Passwords Again
After clearing the malware, make sure you change your password again to prevent any further damage to your accounts in case the leftovers of the malware stole other passwords. It can also be used as a permanent password because the first password must be generated very quickly by your mind and might not be as strong as you think.
Last Resort: Start Over with a New Domain
If your site is damaged beyond economic repair or if you just want an opportunity to start again, you can create a new website on a new domain. Ensure that you don’t redirect all traffic on your old domain to your new domain or create any link between the two sites. Otherwise, the penalty might linger, and it might adversely affect the performance of your new website.
Note that this is a last resort. It should only be used if all else fails.
Testing, Testing, Testing
After malware removal is complete and your site is ready, it’s time to test your website. If you’re confident that the malware is gone, you can put your website back online in this process. Although you can keep adding new content, stay overly sensitive to symptoms and run a lot of scans. If you notice any of the symptoms above, assume that your website is infected and immediately start the process above.
Moreover, the malware might be reintroduced by restoring from the backup. Therefore, you should consider starting over with a new domain if that is the case, or try restoring again if you think you made a mistake when you put your website back.
Meanwhile, follow the tips below to ensure that your website is safer from future attacks.
Securing Your Site
After your website is hacked, it’s time to improve its protection against malware. Here are some of the things you can do to beef up your security.
Learn About the Attacks Websites Can Suffer
Websites can suffer from many attacks, like DDoS, XSS (Cross-site scripting), MITM (Man-in-the-middle) attacks, malware attacks, password-stealing attacks, and SQL injection attacks. You should learn more about the types of website attacks to learn more about the vulnerabilities on your site and update your code accordingly.
Make Sure Your Passwords Are Robust
Another thing to do is to ensure that your passwords are nearly uncrackable. You have to change your passwords if a data breach occurs, or if you realize one of your passwords is not strong enough.
Then, what is a strong password? It’s a password long enough that it has a negligible chance of being guessed in a brute-force attack. It should not be taken from a dictionary or use common substitutions or apparent patterns that anyone can understand. To make it easier to remember, you should opt for passphrases, or use a password manager to store most passwords made by a random password generator.
Keep All Software Up-to-date
Another important tip is to update your software often. Software developers release updates to add new features and to fix bugs, which strengthens security. Thus, it’s important to check for updates on your computer and website, and to install them without hesitation once you’re sure that the software is secure.
Optimize Security Settings
Furthermore, you should dig into the settings and make sure you change those settings if needed, such as adding two-factor authentication. This ensures a higher level of security that the default settings cannot reach, reducing the chances of future attacks.
Write a Blog Post About It
If your website has a lot of returning visitors, you can write a blog post about it. This can include announcing a severe security event that occurred on your website, how you eliminated the threat, and additional cybersecurity tips for users and website owners.
By simply writing about the attack, you can reflect on your precautions for malware and how you react to it as quickly as possible. If you encounter another threat in the future, you might be able to deal with it better.
In this article, we discussed how to rescue a hacked website by mentioning the symptoms, the malware removal process, and the precautions you should take after the hack. However, there is more to learn about the topic, so you should visit the websites in the references below. Moreover, if we missed some important steps or tips, leave them in the comments below to improve our posts.
References and Credits
- IMPACT+. (2019, October 22). What should you do when your website gets hacked? Retrieved June 3, 2021, from https://www.impactplus.com/blog/what-should-you-do-when-your-website-gets-hacked
- Sucuri. (2020, January 23). What to Do If Your Website Is Hacked & How to Remove Malware and Fix It. Retrieved June 3, 2021, from https://sucuri.net/guides/how-to-clean-a-hacked-website/
- Emma Thomas. (2019, June 25). A Few Critical Steps to Take if Your Website has been Hacked. Retrieved June 3, 2021, from https://readwrite.com/2019/06/25/a-few-critical-steps-to-take-if-your-website-has-been-hacked/
- SiteGuarding. (n.d.). What to Do If Your Website Has Been Hacked? Retrieved June 3, 2021, from https://www.siteguarding.com/en/what-to-do-if-your-website-has-been-hacked
- Garenne Bigby. (2018, January 24). 10 Steps to Recover from a Hacked Website. Retrieved June 3, 2021, from https://dynomapper.com/blog/21-sitemaps-and-seo/241-how-to-recover-from-a-hacked-website
- Doug Eubanks. (2018, June 18). How to Tell if Your Website Has Been Hacked – Atlantic BT. Retrieved June 3, 2021, from https://www.atlanticbt.com/insights/how-to-tell-if-your-website-has-been-hacked/
- Felix Brombacher. (n.d.). 7 Signs That Your Website Has Been Hacked. Retrieved June 3, 2021, from https://crashtest-security.com/7-signs-that-your-website-has-been-hacked/
- MayeCreate Design. (2014, January 14). 8 Telltale Signs Your Website Was Hacked. Retrieved June 3, 2021, from https://mayecreate.com/blog/8-ways-tell-website-hacked/
- Katalyst Solutions. (n.d.). 5 Critical Steps to Take If Your Website Has Been Hacked. Retrieved June 3, 2021, from https://www.katalystsolutions.com/blog/119-5-critical-steps-if-your-website-is-hacked.html
- Ellice. (2019, June 6). 12 Reasons Your Website Is Slow (And How to Fix Them). Retrieved June 4, 2021, from https://www.dreamhost.com/blog/how-to-fix-slow-website/
- Kevin Wood. (2017, October 9). 5 Ways to Fix a Slow Loading Website. Retrieved June 4, 2021, from https://www.hostgator.com/blog/fix-slow-loading-website/
- Kim Zetter. (2016, January 16). Hacker Lexicon: What Are DoS and DDoS Attacks? Retrieved June 4, 2021, from https://www.wired.com/2016/01/hacker-lexicon-what-are-dos-and-ddos-attacks/
- Tripwire Guest Authors. (n.d.). The 10 Most Common Website Security Attacks (and How to Protect Yourself). Retrieved June 6, 2021, from https://www.tripwire.com/state-of-security/featured/most-common-website-security-attacks-and-how-to-protect-yourself/
- Jeff Melnick. (2018, May 15). Top 10 Most Common Types of Cyber Attacks. Retrieved June 6, 2021, from https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/