As a business, your website is your lifeblood. To see it drop offline is heartbreaking.
And not knowing how to fix it makes the feeling 100x worse. In the event of a hack, you need to act fast to minimize the impact — then, get your site back online.
This 10-step action list shows you precisely what to do when your website has been hacked.
Now let’s get to it.
Step 1: Confirm the hack
A hack isn’t always obvious.
Check your site status at https://sitecheck.sucuri.net/, and if it’s been compromised, you should see a warning straight away. If you don’t see an error, it’s unlikely a hack has occurred — but you can still follow the steps to be sure your website is secure.
Step 2: Update all passwords
If you know your site is under attack, you need to update all your passwords immediately. One breach can put your entire system under threat. So, do what you can to regain control and use secure, memorable passwords.
Update database access, system administration, content management account credentials, and passwords for FTP. Meanwhile, if you notice the hackers have created new user accounts, delete them as well.
But first, make a note of any information that could help when it comes to investigating.
Step 3: Inform your site host
Once you’ve done what you can to lock down your site, contact your website host.
First, they should have a better understanding of how to manage the hack itself. Second, it's crucial that your web host checks there isn't a wide-scale vulnerability with their service (meaning other websites could have been hacked).
Your host can help in several ways — they can:
- Take your site offline until the problem is resolved
- Offer a splash page to customers trying to reach your website
- And protect others from downloading malware from your page
Let them take some weight off your shoulders at a stressful time.
Step 4: Verify site ownership
This step may sound strange. But a hacker may have tried to take ownership of your site or alter the settings in the console. If you go to Google Webmaster, you can check for changes and understand the nature of the attack.
Click “Search Console” —> then, sign in —> click “Add a site” —> and type your site URL.
Google will recommend what to do next (which may be to bring the site back online). Now, click “Verify.” If successful, Google will verify your ownership, and you can take your website back offline.
While you’re still on the ‘Search Console’ page, click “Manage site” —> “Add Or Remove Users” —> and if you see a username you don’t recognize, document the email address. Then, delete it.
Finally, check for changes in your site settings and remove anything unusual.
Step 5: Check logs for unusual activity
It’s hard to know a hacker’s intent. Do they want to send spam? Upload malware? Or something more disruptive? Who knows.
Your access, server, and error logs should highlight any suspicious activity. You may find failed login attempts (that show how the attacker gained access) or strange commands (that surface what the assailant is trying to do).
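To make the log check concrete, here is an added example (not part of the original article) that scans an access log for repeated failed logins followed by a success from the same address, then lists what that address requested next. It assumes the common "combined" log format, a login URL of /login and 401/403 responses for failed logins; the log lines and admin paths are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "GET /admin/users HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:14:15 +0000] "POST /admin/users/new HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:09:30:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:09:30:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/login"        # assumption: replace with your site's login URL
FAIL_CODES = {"401", "403"}  # assumption: how your app answers a failed login


def triage(log_text, threshold=3):
    """Return {ip: details} for addresses that logged in after repeated failures."""
    failures = Counter()
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m["ip"], m["path"], m["status"]
        is_login = m["method"] == "POST" and path.split("?")[0] == LOGIN_PATH
        if is_login and status in FAIL_CODES:
            failures[ip] += 1
        elif is_login and status[0] in "23" and failures[ip] >= threshold:
            # A success right after many failures is the likely point of entry.
            report.setdefault(
                ip, {"failed": failures[ip], "login_at": m["ts"], "after": []})
        elif ip in report:
            # Everything the flagged address did once it was logged in.
            report[ip]["after"].append(f'{m["method"]} {path} {status}')
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

The timestamp of the flagged login gives you the earliest moment the site can no longer be trusted, which is the cut-off to use when you pick a backup in Step 8.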
If you have a site backup, use it as a comparison to the current site version. By doing so, you can see which files might have been modified.
Step 6: Find your website’s weakness
Computer software is notoriously vulnerable to spyware and viruses. The hacker may have found multiple flaws in your site setup. Now it’s down to you to spot them too.
You need to look out for:
- Weak or duplicated passwords
- Viruses on an admin’s computer
- Permissive coding practices
- Outdated software or plugins
And just because you find one, do not assume your work is done. There are likely several vulnerabilities to fix. Hence, we suggest you run both an antivirus scanner and a vulnerability check to ensure no weakness remains undiscovered.
Step 7: Final checks
Once you’ve fixed all vulnerabilities, it’s time to consider restoring your site from a backup file.
First, ensure all plugins are up-to-date, all security software is the latest version, and that there are no remnants of the attack left. You may need to check for new URLs added during the attack (and be sure to remove them).
Then, get ready for a reboot.
Step 8: Bring your site back online
Restore your website using a clean backup file. What does ‘clean’ mean? Check the backup is dated from before the hack to avoid inadvertently leaving the door open to a future attack.
Double-check your software is up-to-date, remove any widgets or applications you no longer use and make sure all passwords are indeed new — it’s better to duplicate effort now than risk a second attack the moment you bring your site back online.
Step 9: Check your checklist
You’re almost done — just one final task: perform a seven-step review of your site and if you can answer the following questions with a confident “Yes,” then you’re ready to get on with your day.
- Have I informed all relevant parties if a hacker stole sensitive information?
- Have I upgraded all site software to the latest versions and security updates?
- Have I removed unnecessary plugins, widgets, and applications?
- Have I deleted spam content and newly-created URLs?
- Have I safely restored my site with a clean backup?
- Have I resolved all vulnerabilities that allowed the hack in the first place?
- Have I made a plan to prevent future attacks?
The seventh point is crucial: if you’ve been targeted once, you will likely suffer another attempted hack.
Pay attention to site activity. Create a site maintenance plan. Then, move forward in confidence you’ve done everything you can to protect your business.
Step 10: Get a site review
Your work is done, but others now need to step in.
Request that Google reviews your site to unflag your page as a security risk, which you can do in the Search Console — accessed in Step 4.
Once this process is complete (which can take anywhere from a few hours to several weeks, depending on the nature of the hack) Google will remove all warnings from browsers and search results.
Now head to your site for one final check… all as it should be? Great!
It’s back to business as usual.
To secure your website against a hack or for help resolving a security threat, feel free to give us a call on 253-584-5906.