How to Cope with a Hacked Site
There have been a lot of articles on this topic over the years (I even wrote one). But I’m going to tackle this from a different angle, one that I’m not used to: a non-technical one.
Fixing a website “hack” is actually a fairly heavy technical thing to do. Most bloggers are not webmasters. They are not really technical people. They’re probably people who simply purchased a web hosting account, maybe set up WordPress using a one-click install, and started blogging. In an ideal world, this sort of setup would be perfectly secure. The fact that it’s usually not is really a problem for web hosts to figure out.
But often I find that the emails/posts I see that read “help me my site was hacked what do I do” or similar don’t get a lot of help. There’s a reason for this. People who are asking this question are not usually the type of people who are technically capable of actually fixing the problem. Guiding somebody through this process is non-trivial. Frankly, it’s kind of a pain in the ass. So those of us capable of fixing such a site (and there are plenty) are reluctant to try to help and basically offer our services for free. The amount of work is high, the frustration is equally high, and there’s not a lot of benefit in it.
So, with that in mind…
Step One: Regain control of the site
By “control”, I basically mean to get the passwords back and change them. Tell your webhost to do it if you have to, and read this Codex article on how to change your WordPress password even when you can’t get into WordPress (it walks you through setting a new password directly in the database). While you’re in there, look at the list of users: attackers routinely add an administrator account of their own, and changing your password does nothing about theirs. Also change your web hosting account password, your FTP password, the database password… Any password you have even remotely related to your site: change it, and do it from a computer you trust, because a password stolen off your own PC is one of the most common ways a site gets hacked in the first place. Note that doing this will very likely break the site: wp-config.php holds the database password, so a new one stops WordPress from connecting until that file is updated. That’s okay, down is down, and it would be better to be down than showing hacked spammy crap to the world.
And that’s another point: take the site down, immediately. “Down” should mean a real 503 “temporarily unavailable” response, not a blank page or a “maintenance” page served with a normal 200 status: search engines treat a 503 as temporary and come back later, whereas a 200 gets indexed, spam and all. Unexpected downtime sucks, but if you’re showing spam to the world, then Google is sure to notice. If you’re down for a time, then Google understands and can cope, but if you’re showing bad things, then Google will think you’re a bad person, and a malware or spam flag on your domain takes far longer to get rid of than the downtime would have. And you don’t want that.
The idea here is to stop the bleeding. Until you do that, you haven’t done anything at all.
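The two mechanical parts of this step, as an added example that is not part of the original post: a lockdown that answers a real 503 to everyone but one allowed IP, and the Codex-style password reset done straight in the database, plus a query that lists every account holding the administrator role. It assumes Apache with mod_rewrite honouring .htaccess, a MySQL database reachable with the mysql client, and the table prefix from wp-config.php (“wp_” by default); the admin IP, paths and user name below are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the two mechanical parts of
# "regain control", as shell functions run on the host (or pasted into a
# hosting control panel). Assumptions: Apache with mod_rewrite honouring
# .htaccess, a MySQL database reachable with the mysql client, and the
# table prefix from wp-config.php ("wp_" by default).
set -eu

# Take the site offline with a real 503 rather than a blank page or a
# redirect. A 503 plus Retry-After is the signal crawlers treat as
# "temporarily unavailable", so the defaced pages are neither shown nor
# indexed. One IP (yours, or the consultant's) is let through so the site
# can still be inspected in place. The existing .htaccess is saved once as
# evidence and appended below the lockdown rules so the WordPress
# permalink rules still work once the block is removed.
lockdown_htaccess() {
  docroot=$1
  admin_ip=$2
  ht=$docroot/.htaccess
  ip_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')   # 203.0.113.10 -> 203\.0\.113\.10
  if [ -f "$ht" ] && [ ! -f "$ht.pre-lockdown" ]; then
    cp -p "$ht" "$ht.pre-lockdown"                      # keep the attacker's version too
  fi
  {
    printf '%s\n' \
      '# --- lockdown: delete this block to reopen the site ---' \
      'ErrorDocument 503 "Site temporarily offline for maintenance"' \
      '<IfModule mod_headers.c>' \
      'Header always set Retry-After "3600"' \
      '</IfModule>' \
      'RewriteEngine On' \
      "RewriteCond %{REMOTE_ADDR} !^${ip_re}\$" \
      'RewriteRule ^ - [R=503,L]' \
      '# --- end lockdown ---'
    if [ -f "$ht.pre-lockdown" ]; then cat "$ht.pre-lockdown"; fi
  } > "$ht"
}

# Emit the SQL that resets a WordPress user's password without logging in
# (the Codex "through MySQL" method, usable from phpMyAdmin or the mysql
# client). WordPress accepts a plain MD5 in user_pass and re-hashes it with
# its own salted scheme the first time that user logs in, so log in right
# away and the MD5 form is gone. Values containing quotes or backslashes
# are refused rather than half-escaped into the statement.
wp_password_reset_sql() {
  prefix=$1; user=$2; newpass=$3
  case "$user$newpass" in
    *\'*|*\\*) echo 'refusing: use a user name/password without quotes or backslashes' >&2; return 1 ;;
  esac
  printf "UPDATE %susers SET user_pass = MD5('%s'), user_activation_key = '' WHERE user_login = '%s';\n" \
    "$prefix" "$newpass" "$user"
}

# Attackers routinely add an administrator of their own. This lists every
# account holding the administrator role so you can compare it with the
# people who should have one.
wp_list_admins_sql() {
  prefix=$1
  printf "SELECT u.ID, u.user_login, u.user_email, u.user_registered FROM %susers u JOIN %susermeta m ON m.user_id = u.ID WHERE m.meta_key = '%scapabilities' AND m.meta_value LIKE '%%administrator%%';\n" \
    "$prefix" "$prefix" "$prefix"
}

# Usage (placeholder paths, IP, database and user name):
#   ./regain-control.sh lockdown /var/www/html 203.0.113.10
#   ./regain-control.sh reset-sql wp_ admin 'a-long-random-password' | mysql wordpress
#   ./regain-control.sh admins wp_ | mysql wordpress
case "${1:-}" in
  lockdown)  lockdown_htaccess "$2" "$3" ;;
  reset-sql) wp_password_reset_sql "$2" "$3" "$4" ;;
  admins)    wp_list_admins_sql "$2" ;;
esac
```

The reset is a stopgap: log in immediately and change the password again from the dashboard so the MD5 hash never stays in the table, and delete (not just demote) any administrator in the list that you did not create.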
Step Two: Don’t do a damn thing else
Once you have the passwords and the site is offline, leave it like that.
Seriously, don’t erase anything, don’t restore from backup, don’t do anything until you do what follows next…
Anything you do at this point destroys vital information: file modification times, the attacker’s files themselves, and the log entries that show how they got in are exactly what the person fixing it will need, and restoring a backup or deleting files wipes them. I cannot stress this enough.
Step Three: Hire a technically competent person to fix it for you
If you know me, then you know I rarely recommend this sort of thing. I tend to offer technical knowledge and try to help people do-it-themselves. But hey, for some people, there are times when it’s just a hell of a lot to take in. Webserver security is a complex subject, with a lot of aspects to it. There is a lot of background knowledge you need to know.
If you’re reading this and you don’t know how a webserver works, or config files, or you don’t know arcane SQL commands, or you don’t understand how the PHP code connects to the database and uses templates to generate HTML, then trust me when I tell you that you are not going to fix your website. Not really. Sure, you could probably get it running again, but you can’t fix it to where it won’t get hacked again.
So, find a website tech person. Somebody who knows what they’re doing.
(BTW, not me. Seriously, I’ve got enough to do as is. Just don’t even ask.)
How, you ask? I dunno. Look on the googles. How do you find anybody to do anything? There are several sites out there for offering short-term jobs to tech wizards. There is the WordPress Jobs site, but note that I said you need a website person, not necessarily a WordPress person. A lot of people who know WordPress don’t know websites and security… Although many of them do, and this is not an indictment of the community; it’s more a recognition of the fact that working with servers and websites in general is not really the same thing as working with WordPress. WP knowledge is useful, but generic server admin experience is much, much better in this situation.
And yes, I said HIRE. Seriously, pay up. This is a lot of work that requires special knowledge. I know that a lot of people try to run their websites cheaply and such… Look here, if you’re paying less than $300 a year to run a website, then why bother? How serious are you about your website anyway? Quality web hosting should cost you more than that, and hiring a specialist for a short-term day job is going to run you a fair amount of money. Expect that and don’t give him too much hassle about it. Feel free to try to argue on the price, but please don’t be insulting. Offering $50 to fix your site is unfair, as that’s less than an hour’s pay for most consultants, and you need one with special skills here. This is a minimum of a day’s work, probably longer if your site is at all complicated. Just getting it running again without doing everything that needs to be done is probably a 4 hour job. Sure, somebody can hack together a fix in half an hour, but do you ask your automotive guy to just throw the oil at the engine until it runs? Have some respect for the fact that knowledge and skill are valuable, in any profession.
Basically, here’s what the website guy will be doing, if he knows his business.
First, he’ll probably back up the site. This includes the files, the databases, any logs that are available, everything. The idea is to grab a copy of the whole blamed thing, as it stands, and ideally in a way that keeps the files’ modification times intact (an archive made on the server rather than a file-by-file FTP download), because those timestamps are the main evidence of what changed when. This is a “cover-your-ass” scenario; he’s going to be making large scale changes to the site, so having a backup is a good idea, even if it is a hacked one. The person will need all of the relevant passwords, but don’t give them out in advance. He’ll ask for what he needs from you.
Second, if you already have regular backups (please, start making regular backups… VaultPress is invaluable in this situation and can help the process out immensely), then he’ll probably want to restore to a backup from before the hack. And yes, you very likely WILL lose content in this restoration. However, since there is a backup, the content can be recovered later, if it’s worth the trouble.
(Note, if you don’t have any backups, then he’ll try to remove the hack manually. This is error prone and difficult to do. It also takes longer and has a much lower chance of succeeding. It’s also difficult to know that you got everything out of the site. If anything is left behind, then the site can be re-hacked through hidden backdoors. This is why regular backups are critically important to have.)
Third, he’ll update everything to the latest versions and perform a security audit of the site. This means looking at all the plugins, themes, permissions on the files, the files themselves, everything: plugins and themes you don’t recognize, files that have no business being where they are (PHP files in the uploads folder, for instance), world-writable directories, and users or scheduled tasks you didn’t create. This is to make sure all the main security bases are covered and that it doesn’t get rehacked while he does the next step. They may talk about “hardening” the site.
Fourth, from that backup he made earlier, he’ll likely try to trace where the hack started. Logs help here, as do the files themselves: the modification time of the first bad file and the access log entries around it are usually the best lead there is. This is kind of an art form. You’re looking at a static picture of a dynamic system. And unfortunately, he may not even be able to tell you what happened or how the attackers got in. Attackers often hide their traces, especially the automated tools that do most site hacking. With any luck, the basic upgrades to the system will be enough to prevent them getting in again, and a security audit by a knowing eye will eliminate the most common ways of attackers getting in. That often is enough.
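What the first and fourth of those steps look like in practice, as an added example that is not from the original post or any product: a snapshot taken before anything is edited (archive, per-file timestamp and checksum manifests, logs, optional database dump), a few triage searches that produce a short list for a human to read, and a trace from a dropped file back through the access log to the request that planted it. It assumes a Linux host with GNU find, grep and coreutils, a standard WordPress layout under the docroot, and an Apache “combined” format access log; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or any product: the "snapshot
# everything as it stands, then work out where it started" part of the
# cleanup, as functions a consultant would run over SSH on the hacked host.
# Assumptions: a Linux host with GNU find/grep/coreutils, a standard
# WordPress layout under the docroot, and an Apache "combined" access log.
set -eu

# --- 1. Snapshot first, before anything is edited or deleted ---------------
# tar -p keeps ownership and modes, and tar keeps mtimes anyway, so "when
# did this file last change" survives the cleanup. The two manifests make
# the snapshot searchable without unpacking it. The database is dumped
# only when a name is given (credentials from ~/.my.cnf: assumption).
snapshot_site() {
  docroot=$1; outdir=$2; dbname=${3:-}
  mkdir -p "$outdir"
  tar -cpzf "$outdir/files.tgz" -C "$docroot" .
  ( cd "$docroot" && find . -type f -printf '%T+ %m %u %p\n' | sort ) > "$outdir/mtimes.txt"
  ( cd "$docroot" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$outdir/sha256.txt"
  for log in /var/log/apache2/access.log /var/log/httpd/access_log; do
    if [ -r "$log" ]; then cp -p "$log" "$outdir/"; fi
  done
  if [ -n "$dbname" ] && command -v mysqldump >/dev/null 2>&1; then
    mysqldump --single-transaction "$dbname" | gzip > "$outdir/db.sql.gz"
  fi
}

# --- 2. Triage: produce a short list for a human, not a verdict ------------
php_in_uploads() {        # PHP under wp-content/uploads is almost always dropped by an attacker
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || :
}
recent_php() {            # PHP files modified in the last N days (compare with your own last update)
  find "$1" -type f -name '*.php' -mtime "-$2"
}
# Executing decoded/obfuscated or request-supplied input is the common
# shape of dropped shells and injected spam code; legitimate code rarely
# looks like this, so every hit is worth reading by hand.
SHELL_MARKERS='(eval|assert|system|passthru|shell_exec)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(GET|POST|REQUEST|COOKIE))'
webshell_candidates() {
  grep -rlE --include='*.php' "$SHELL_MARKERS" "$1" || :
}

# --- 3. Trace: from a dropped file back to the request that planted it -----
# first_hit prints the earliest request for a path (query string ignored),
# the closest thing to "when did this start"; ip_activity then shows what
# that client did before and after, which is where the entry point usually
# turns up (a login, an exposed plugin script, a theme-editor POST).
first_hit() {             # first_hit LOG /wp-content/uploads/2012/03/cache.php
  awk -v p="$2" 'substr($7, 1, length(p)) == p { print; exit }' "$1"
}
client_of() {             # client IP of one combined-format log line
  printf '%s\n' "$1" | cut -d' ' -f1
}
ip_activity() {           # ip_activity LOG 198.51.100.7
  awk -v ip="$2" '$1 == ip' "$1"
}

# Usage (placeholder paths):
#   snapshot_site /var/www/html "/root/evidence-$(date +%F)" wordpress
#   php_in_uploads /var/www/html; webshell_candidates /var/www/html; recent_php /var/www/html 14
#   hit=$(first_hit /root/evidence-*/access.log /wp-content/uploads/2012/03/cache.php)
#   ip_activity /root/evidence-*/access.log "$(client_of "$hit")"
```

Everything here reads; nothing deletes. The marker search misses shells that are obfuscated differently, so treat an empty result as “nothing obvious”, not “clean”, and cross-check the recent-file list against the dates you know you made changes yourself.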
Step Four: Prevention
Once your site is fixed, then you need to take steps to prevent it from happening again. The rules here are the same rules as any other technical system.
- Regular backups. I can’t recommend VaultPress enough. After my site went offline for a day due to some issues with my webhost (not a hack), I lost some data. VaultPress had it and restoring it was easy. There are other good backup solutions too, if you can’t afford $20 a month (seriously, don’t cheap out on your website, folks!).
- Security auditing. There are good plugins that scan your site on a schedule and warn you about files that were added or changed, plugins that compare your files against a known-good copy of the same WordPress version, and external scanners that see your site the way a visitor (or Google) does, which catches things that are hidden from a logged-in admin. Use them, regularly. Or at least install them, let them run, and let them warn you of possible threats.
- Virus scanning. My website got hacked one time only. How? A trojan made it onto my computer and stole my FTP password, then an automated tool tied to that trojan tried to upload bad things to my site. It got stopped halfway (and I found and eliminated the trojan), but the point is that even tech-ninjas like me can slip up every once in a while. Have good security on your home computer as well.
- Strong passwords. There is no longer any reason to use the same password everywhere. There is no longer any excuse for using a password that doesn’t look like total gibberish. Seriously, with recent hacks making this sort of thing obvious, everybody should be using a password storage solution. I tried several and settled on LastPass. Other people I know use 1Password. This sort of thing is a requirement for secure computing, and everybody should be using something like it.
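The “warn me when files change” part of the auditing item, as an added example that is not from the original post or any plugin: a baseline of file checksums taken on a clean tree, a check that reports what was added, changed or removed since, and a search for anything world-writable. It assumes a Linux host with GNU find and sha256sum, and that the baseline is taken right after a clean install or restore (a baseline taken from an already-compromised tree just blesses the attacker’s files); the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or any plugin: the "warn me when
# files change" part of auditing as a baseline-and-diff check that can run
# from cron. Assumptions: a Linux host with GNU find and sha256sum, and a
# baseline taken right after a clean install or restore.
set -eu

# One "sha256  ./path" line per file, sorted by path. Cache directories are
# skipped because they churn constantly; uploads are kept, because a new
# .php file there is exactly what you want to hear about.
hash_tree() {
  ( cd "$1" && find . -type f ! -path './wp-content/cache/*' -exec sha256sum {} + | sort -k2 )
}

make_baseline() {          # make_baseline DOCROOT BASELINE_FILE
  hash_tree "$1" > "$2"
}

# integrity_diff DOCROOT BASELINE_FILE
# Prints ADDED / CHANGED / REMOVED lines and returns 1 when anything
# differs, 0 (and nothing) when the tree still matches the baseline.
integrity_diff() {
  cur=$(mktemp)
  hash_tree "$1" > "$cur"
  report=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    { now[$2] = $1 }
    END {
      for (p in now) {
        if (!(p in base)) print "ADDED   " p
        else if (now[p] != base[p]) print "CHANGED " p
      }
      for (p in base) if (!(p in now)) print "REMOVED " p
    }' "$2" "$cur" | sort)
  rm -f "$cur"
  if [ -z "$report" ]; then
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}

# Anything that every user on the host can write to is where an attacker
# with any kind of foothold drops files.
world_writable() {
  find "$1" -perm -0002 -print
}

# Usage (placeholder paths):
#   make_baseline  /var/www/html /var/lib/wp-baseline.sha256   # once, on a clean tree, and again after each update you made yourself
#   integrity_diff /var/www/html /var/lib/wp-baseline.sha256   # from cron; mail the output, which is empty when nothing changed
#   world_writable /var/www/html
case "${1:-}" in
  baseline) make_baseline "$2" "$3" ;;
  check)    integrity_diff "$2" "$3" ;;
  perms)    world_writable "$2" ;;
esac
```

Keep the baseline file outside the docroot (and ideally off the server), otherwise an attacker who can write files can rewrite the baseline too. The check only knows what you told it was clean; for the WordPress core files themselves, compare against a fresh download of the same version rather than trusting your own tree.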
These are some basic thoughts on the subject, and there’s probably others I haven’t considered. Security is an ever changing thing. The person you hire may make suggestions, and if they’re good ones, it may be worth retaining him for future work. If your site is valuable to you, then it may be worth it to invest in its future.
And yes, anybody can learn how to do this sort of thing. Probably on their own. The documentation is out there, the knowledge is freely available, and many tutorials exist. But sometimes you need to ask yourself, is this the right time for me to learn how to DIY? If you need quick action, then it might just be worth paying a pro.
Nice write up and practical; I hope many take the advice and get someone who knows what they’re doing. Can I propose “Step Five: If this keeps happening to you switch to a managed service”?
This post should be added to the boiler plate support reply for “my site is hacked” or at least to the postmortem.
Boy, I wish you had posted this about six weeks ago when I was struggling with getting my hacked WordPress site up and running again.
I spent considerable amounts of time on it. It was so bad I simply gave up and installed a new database and put it back together post by post in my spare time, which took a week.
I think if I had the info in your post, I would have taken a much different route to revitalization. Of course, then I would not have invested the time into making the site more like I had wanted it in the first place, so there is always good in stuff like this.
Thanks for the honest advice. I have bookmarked your post in case it happens again in the future.
It helped a lot. thanks!
“Look here, if you’re paying less than $300 a year to run a website, then why bother? How serious are you about your website anyway? Quality web hosting should cost you more than that,”
You say: “Most bloggers are not webmasters. They are not really technical people. They’re probably people who simply purchased a web hosting account, maybe set up WordPress using a one-click install, and started blogging.”
This article is meant for them, right? Not for the webmasters who know everything?
In that case, how can you say that they are not serious about their website? There are lot of people who have a family website for instance with family trees and images, where they have probably put in more hours than you on your website. Or are blogging about their hobby, which in the end is a great source of information to other people. Do these websites cost more than $300? No. Are they less valuable than your website? No! If a website doesn’t cost money it doesn’t mean that it is less valuable.
Quite an arrogant statement you are making there.
By the way, I’m a ‘webmaster’, as you call them and I still feel offended by this article.
If it’s important to you, and you spend time on it, then the fact of the matter is that you shouldn’t be cheap when it comes to providing for it. Websites cost money to run, to maintain, to backup, etc. If you’re not spending some money on it, then you’re probably not serious about it.
Having a website *should* cost you more than $300 a year. If it doesn’t, then you’re doing it wrong.
Note that I’m talking about running your website yourself. If you don’t do that and use a managed service like WordPress.com, then this article doesn’t apply anyway. And honestly, for “hobbyist” bloggers and such, they should be using a managed service instead of rolling their own.
BTW, I don’t care if you’re offended. FYI.
Maybe there is a difference in price running a website between different countries. It could be that in the USA it is not possible to find quality webhosts that offer packages for a reasonable price.
$100 per year is more than enough to run a quality website. I’m talking about WordPress.org.
Backups can be done for free using FTP. Backup of content can be done for free since there are plenty of plugins to do the job. When you maintain your website yourself, you can use several plugins, for free.
I still don’t see why it “should” cost more than $300. Maybe I’m missing something.
Quality doesn’t always have to do with money, and in this case that is true. It’s not difficult to find online a website that has more than 30,000 visitors a day while the website is hosted by HostGator on a simple package. Less than $300…
Hobbyists should not use a managed website. I started as a hobbyist and grew because everything was not chewed first for me. If you want more flexibility, it’s better not to use a managed service. WordPress.org is not that hard. It’s just the time you put in.
And when the website is running on WordPress.org, what is the difference anyway? The only thing I can think of is that you can’t add the plugins you like…
So, still not clear to why a website “should” cost more than $300. To me this falls into the category ‘you “should” have a car that costs more than $50,000 to be serious about it’ or ‘you “should” have a house worth more than $700,000 otherwise you are doing it wrong’.
Seriously? Man, $100 per year is not enough to get high-quality webhosting, much less to run a website.
$300 a year is $25 a month. That’s the price of a decent meal in a restaurant. If you can’t afford to spend the price of a meal once a month on your website, then why are you bothering?
It’s not about “status”. Comparing this cost to a $50k car or $700k house is wrong. But hosting costs money. Bandwidth costs money. And if you’re not paying that money, then your webhost is skimping and cutting corners, so you’re not really getting what you’re paying for.
And sure, you can setup your own backup solutions. But what if your drive crashes? If you use a free cloud service of whatever sort, then what happens if that service goes down or just loses your files? Where is your actual security here?
Sometimes it’s worth paying a provider to not only take care of things for you, but to provide reliability and security. If you want to roll together your own half-assed hacked up solution, then you are certainly free to do that. I don’t know about you, but I have better things to do with my time. I mean, I know how to change my own oil too, but that doesn’t stop me from paying somebody else $20 to do it much quicker.
The best webhosting I have ever found is A Small Orange
For 5 USD a month, I get unbelievably good service, and all the bandwidth I need. Do some more research.
Rory: $5 doesn’t get you unlimited bandwidth on ASO, it gets you 15GB of bandwidth. See their own page: http://www.asmallorange.com/hosting/shared/
Not running down ASO, they’re a great host. But $5 a month is one of their cheapest plans. That’s fine for a hobby site, not for any sort of serious endeavor. The minimum needed for a “real” website that was something more than just a “blog” would be one of their business hosting accounts or the VPS hosting.
Here’s the thing: If your blog goes down, it’s not that big a deal. If your ecommerce site goes down, well then that’s costing you money. So while you might not want to spend serious money on your “blog” site to keep it running or to fix hacks quickly, you darned sure will want to spend that money on a site that is costing you cash from downtime. So you have to prioritize your real level of urgency here. If you’re spending less than $300 a year on your website, I’m betting that having some downtime on it isn’t exactly a world-ender for you.
I’m the owner of the web hosting service provider Interactive Online. Periodically we do deal with hacked customer sites on our servers. We have found the best prevention is to automatically upgrade WordPress (or other open source software) for our customers when a new version is available. We do this for all of our customers and have found it has reduced the number of sites that get hacked. We do give our customers a chance to upgrade WordPress themselves. We check the server a few days after the release and upgrade any installs customers did not upgrade yet. We have found that 99% of customers never upgrade, which is why we do it for them for free now.
We also do daily, weekly and monthly backups so we can restore any hacked sites to their previous state so patches can then be applied.
We also have some customers in which we have setup a remote backup script which backups their data to a remote FTP location daily or weekly. Here’s more on the remote backup script at http://interactiveonline.com/web-hosting/how-to-daily-remote-backup-on-a-cpanel-host
If you’re using WordPress and would like to handle the upgrades yourself they can be easily done with just a few clicks from the WordPress admin area. Sign up for WordPress Security Alerts at http://wordpress.org/download/ so you are emailed every time a new release is available.
We have found that following the above principles has reduced the number of hacked sites and prepares us for disaster recovery.
Most site owners don’t have a disaster recovery plan. Most don’t even store a backup of their website on their local hard drive.
If you’re a site owner and your data is important to you, you should be doing daily or weekly backups to your local hard drive or a remote FTP location.
Hi there, I have been bugging you for a couple days on all your posts concerning hacked word press sites, and am very grateful for all the guidance, even if I did give you a bit of grief. I figured you could take it.
As advised, I have decided to try to find a professional to clean my code, and am trying to find one. Another well received blogger who writes about WP hacks contacted me directly after I posted comments on his blog and made an offer to do this for a very reasonable price.
Trouble is, I don’t know him, and he wants all my passwords (FTP, hosting, WordPress) to run his scan. I tepidly suggested that I would send him a copy of my whole directory, and he did not seem to think that was good enough. I realized that unless the person helping me was sitting in my office, while I was there, and I was watching them conduct the scan/clean, that I would not be comfortable with anyone, much less a totally anonymous person from the interwebs.
I also don’t understand why he needs anything more than access to the ftp. I thought about creating a new user with limited permissions (pretending of course I know how to do that), but am not sure if that would work or is even possible. (I also don’t want to insult him by saying “I don’t trust you, but its not personal…)
So my question is this: Do you know of a way to have someone scan your ftp files – on the server – without compromising/exposing your site and accounts to unaccountable third party access? And if not, is he right that sending him a copy of my directories is inadequate?
He will definitely need the FTP and WP passwords. He *may* need hosting account passwords in order to get the http access logs.
And yes, just sending the files really isn’t good enough. Unless he can see the live site, in situ, he’s not really seeing the whole picture.
The question is indeed one of trust, I admit. At some point, you have to trust somebody else to work on it. Do you trust the guy? Does he have a good reputation? That sort of thing.
Just remember that even if somebody decides to try to screw your account over, you’re the one paying your hosting provider, so a quick email to them can change your password to something else and you can thus get your hosting account back. And if you have backups of the site and database, then you can rebuild it.
thanks much. this is tough. last question I swear! what do you think about companies like sucuri?
The only thing I know about Sucuri is from reading their blog from time to time. They’ve informed us of security problems before. No real opinion, honestly.
Great post Otto!
I was hacked and couldn’t access my site through /wp-admin. I found the following line was attached to the end of my admin-header.php file. I deleted the line through FTP and I am now able to access my site through /wp-admin. I updated my password and am now upgrading my WP version. Hacker line is below. Hope this helps others.
My website was recently defaced by the Islamic Ghosts Team.
They replaced all index.php in my main directory and sub-directories.
My registrar was attacked too, with some 250 sites!
I used WordPress 3.2.1… what can I do to get my site back up?
I had a similar situation to Nick and Mairie. Thanks for that post, it really helps me.
Finally, the registrar solved the defacement problem.
But, I want to know what precautions to take for preventing similar case?
Can anyone recommend a good company, or person, that removes WP hacks? I didn’t see anyone mentioned.
One addition regarding FTP: after changing your passwords, install a secure FTP client (like WinSCP) and use the most secure connection. That will prevent your FTP passwords from being stolen in case your PC is compromised.
Also I would suggest verifying if your website is not blacklisted for containing malware (for example at http://unmaskparasites.com) and also it is very important to do a security testing at least once (for example at http://www.webyfly.com).
You wrote: There’s other good backup solutions too, if you can’t afford $20 a month (seriously, don’t cheap out on your website folks!).
What are those other good backup solutions? VaultPress is way expensive.
Seriously, VaultPress? I say don’t waste your money. My site automatically makes backups via a custom plugin I made which simultaneously sends the backup to 3 locations.
1) SFTP to my computer (in Washington State)
2) Rackspace Cloud Files (in Texas)
3) Amazon S3 US-East Region (in Virginia)
all at a fraction of the cost for VaultPress it keeps the backups geographically distributed and not locked into just one vendor.
If you want to fiddle around with setting everything up yourself, having multiple accounts, and lots of configuration, sure, you can do it that way. I can change my car’s oil too, but it’s a lot easier for me to just pay a guy $30 to do it and get on with my day.
VaultPress is like that. Simple install, a very minor amount of configuration, and it just works from then on. No hassle.
A service like Amazon S3 isn’t much more complicated to set up than VaultPress. That alone should be good enough for a lot of setups.
Even using multiple services like I did took just an hour to code the integration and it’s set. An hour of coding, which I do a lot of anyway, to save me about $200 per year is worth it to me. I can use that money for a better server.
Point is, even if someone isn’t a PHP developer I believe there is a plugin to automate backups to S3, and IMHO it’s a lot more plausible that VaultPress would be shut down versus S3, if for nothing else than S3 is backed by a major company.
The article is good and helpful but I could not resolve my hacked page.
I had done all the things I’ve seen suggested, including installing WP Security, and had a dashboard score of 240 out of 260. However, somehow a hacker got manual access to the WordPress database. They would change user accounts without actually logging into WordPress (like they were using phpMyAdmin).
Nothing else has ever been touched, only wordpress blog front page defacement. Is it something at my host? I have multiple sites I manage and the ones at hostgator have yet to be messed with. The one where this is happening is at lypha.com
How long roughly does it take to re-activate a hacked website? My website has been down now for 2 months and the developer is saying there is still a lot of work to be done. Any info would be most appreciated.
Depends on the site. If it’s not too complicated and if you had backups, maybe a day or two. If it’s more complex and you didn’t have backups, a week or so at most for a good developer. If you have to tear it all down and start over from scratch, then yeah, months.
I just discovered an old, dead blog of mine was hacked. I hadn’t posted anything since 2012. I let it die, didn’t renew the fee etc, so I thought it would just fade away. But today I discovered someone posted what looks like an academic dissertation (literally) on my blog. I can’t log in anymore, because like I said, I haven’t ‘had’ that blog for 7 years.
For any webmasters out there, Here are the steps I take to remove hacked files from a WordPress site. That article is my cumulation from reading through a bunch of articles that talk about removing malware, and I put together everything that I could find that could help lead one to find all of the malware on the site, because you only have to leave one file sitting on the server, and the hacker can get back in and create a bunch of backdoors all over the place again.
For non-webmasters, I hope you can see that this is not an easy process. I second Otto’s suggestion to not try this yourself. You don’t want to permanently mess things up.