What to Do If You're Hacked
Posted by on 09 January 2014 05:03 PM

Oh no! We hope your site hasn't been hacked, but if it has... no fear. There are some things you can do to help re-secure your site and get it up and rolling. Check out the sections below and follow the directions most applicable to your case. If you have any questions, just contact us.

WordPress

Below are a few steps you can take to help audit the security of your WordPress site:

  • Stay calm! This is not the end of the world and we'll help you get up and rolling as soon as possible.

  • Run virus/malware software. Go ahead and run virus or malware scanning software on your computer systems and see if you can find the culprit. Try a couple of different brands of software. Some of the viruses are very adept at detecting malware software.

  • Change your passwords. This is a given, but an important step. Change all the passwords on web content software, email accounts, blogs, forums, web hosting account etc. And make them strong!

  • Revert back to previous version. If you're using version control you can quickly identify what has changed lately, and revert back to a previous version.

  • Check your .htaccess files. Look in the base folder for your site and see if any weirdness is going on, especially at the bottom of the code, where hackers like to hide their changes. Change the permissions back to 644 if they have been changed.

  • Secure your cPanel. Change your login password, make sure all your FTP accounts and associated email addresses are in use (if not, delete them), make sure any email forwards listed are ones you created, and check for any records pointing away from the site in the Simple DNS Zone Editor section.

  • Restore from a backup. If things have gone too far, you could always restore your site from a clean backup of WordPress and re-upload your backed-up WP plugin.

  • Upgrade. Once your site is clean, update to the latest version of WordPress since older versions are more prone to hacks.

  • Secure the site. After you have recovered your site, secure it! Implement some recommended security measures.

  • Keep regular backups. For the sake of all that is good, do backups on a regular basis.

For more steps on how to secure your WP site, check out our blog post and our Securing Your WordPress Site article.

Joomla

Hacking can happen to Joomla too... here are a few steps you can take:

  • Take it down. Go ahead and take your website offline.

  • Run the tool. Run the Joomla Forum Post Assistant and Security Tool.

  • Run virus/malware software. Go ahead and run virus or malware scanning software on the computer systems that have FTP, Joomla super admin, and Joomla admin access to see if you can find the culprit. Try a couple of different brands of software. Some of the viruses are very adept at detecting malware software.

  • Get the latest and greatest. Make sure you are running the most current version of Joomla.

  • Review vulnerable extensions list. See if your log files show requests targeting any of your extensions. Look for one of these two examples:

    //administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http
    ../../../../../../../../../../../../../../../../proc/self/environ

  • Change your passwords. This is a given, but an important step. Change all the passwords on web content software, email accounts, web hosting account, control panel, MySQL, FTP, Joomla! Super Admin, and Joomla! Admin password. And make them strong!

  • Delete and replace. Make sure all your files are clean... delete the dirty ones and replace with new ones.

  • Get those images out. Check and replace all .pdf, image or photo files that seem suspicious or exploitable.

  • Proper Permissions. Use proper permissions on files and directories. They should never be 777; 644 for files and 755 for folders is ideal.

  • Reinstall. Reinstall Joomla after everything is all fixed up... fresh starts are good.
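
One way to run the log review from the "Review vulnerable extensions list" step. This is an added example, not part of the original article: the function names, the output tags, the combined log format and the sample log lines are assumptions, and the second pattern is widened to also catch URL-encoded traversal.

```shell
#!/bin/sh
# Added example: flag access-log requests that match the two patterns above.
# Assumes the "combined" log format: client IP first, request line in the
# first quoted field. Patterns are lowercase; requests are lowercased first.

# Pattern 1: mosConfig path parameter pointing at a remote URL. The dots are
# regex wildcards, so the "_" and "." spellings both match.
RFI_RE='mosconfig.absolute.path=http'
# Pattern 2: ../ traversal to /proc/self/environ, plain or %2e/%2f encoded.
LFI_RE='(([.][.]|%2e%2e)(/|%2f))+proc(/|%2f)self(/|%2f)environ'

# scan_joomla_log FILE -> "TAG<TAB>client_ip<TAB>request" for each hit
scan_joomla_log() {
  awk -F'"' -v rfi="$RFI_RE" -v lfi="$LFI_RE" '
    {
      req = tolower($2)              # request line: METHOD URI PROTOCOL
      split($1, pre, " ")            # pre[1] is the client IP
      if (req ~ rfi)      print "RFI\t" pre[1] "\t" $2
      else if (req ~ lfi) print "LFI\t" pre[1] "\t" $2
    }' "$1"
}

# Constructed sample log (documentation IP ranges, not real traffic).
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [09/Jan/2014:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jan/2014:10:00:05 +0000] "GET //administrator/components/com_extension/admin.extension.php?mosConfig_absolute_path=http://example.invalid/ HTTP/1.1" 404 312 "-" "libwww-perl/5.8"
203.0.113.44 - - [09/Jan/2014:10:00:09 +0000] "GET /index.php?option=com_extension&controller=../../../../../../../../proc/self/environ HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
203.0.113.44 - - [09/Jan/2014:10:00:12 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp)
write_sample_log "$log"
scan_joomla_log "$log"
rm -f "$log"
```

A hit that was answered with status 200 deserves a closer look than one answered with 403 or 404, and the client IP gives you something to search the rest of the log for.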

Spam

SpamBots are evil. SpamBots can cause incessant comment and form spam and can find exploitable avenues in your site to add spam to. Some of the most common SpamBot activities include fake accounts, comment spam, contact form submissions, email spam, PHP file exploits, and email account hijacking. Take the following steps to help remedy your SpamBot issues:

  • Secure forms and comments. Enable a captcha or similar on your web forms and comments to help prevent further finagling of your site. This requires the visitor to fill in required info to prove they are human.

  • Secure logins. Limit login attempts or secure the login with a plugin to prevent a spammer from repeatedly filling in fake users and mucking up your site.

  • Get the latest and greatest. Make sure you are running the most current version of whatever CMS you're using.

  • Change your passwords. This is a given, but an important step. Change all the passwords on web content software, email accounts, CMS logins etc... anything that comes in contact with the culprit spam. And make them strong!

  • Make email invisible. Hide your email address from appearing on your website. Use an image to display the email address on your site so a spammer can't find it on your website without physically looking with real-person eyes.

  • Review logs. Most CMSs have a way to see who accessed your site and when. This could help you pinpoint the spammer.

General

There are some general guidelines below to follow if you suspect hacking has occurred on your account or website. Check 'em out:

  • Update all of your web content software/content management systems to the most up-to-date versions and check for any un-patched exploitable bugs to make sure there are no issues running them.

  • Check all modules, plugins, add-ons, themes and extensions for your web content software/content management systems to ensure that there are no un-patched bugs and that they are also updated to the latest versions.

  • Run virus and malware scans on all computer systems used to access the account prior to changing passwords to make sure your passwords haven't been stolen!

  • Change your passwords for affected email accounts and web content software accounts (especially admin users on blogs, forums, portals and other similar software). Also change the affected web hosting account passwords... and choose strong passwords! Check out these tips on setting strong passwords.

  • Check all email accounts, subdomains, add-on domains and parked domains in your cPanel account to make sure there are no erroneous entries or changes.

  • Verify that the content of your hosting account has no abnormal files or directories, that your .htaccess files exist as they should, and that any dynamic scripts, such as PHP, are installed and operating correctly.
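
The .htaccess and permission checks from the WordPress, Joomla and General lists can be scripted. The following is an added example, not part of the original article: the function names, output tags and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a web root against the permission guidance on this page
# (never 777; 644 for files, 755 for folders; .htaccess back to 644).
# Function names and output tags are assumptions of this example.

# audit_perms DIR -> one "TAG<TAB>path" line per finding
audit_perms() {
  # Files or folders writable by "other" (covers 777 and 666).
  find "$1" \( -type f -o -type d \) -perm -002 -print |
    awk '{ print "WORLD-WRITABLE\t" $0 }'
  # .htaccess files whose mode is not exactly 644.
  find "$1" -type f -name .htaccess ! -perm 644 -print |
    awk '{ print "HTACCESS-MODE\t" $0 }'
}

# htaccess_tail DIR [N] -> last N lines (default 15) of every .htaccess,
# since unwanted changes tend to be appended at the bottom.
htaccess_tail() {
  find "$1" -type f -name .htaccess -print | while IFS= read -r f; do
    printf '== %s\n' "$f"
    tail -n "${2:-15}" "$f"
  done
}

# reset_perms DIR -> folders to 755, files to 644.
# Scripts that legitimately need the execute bit must be re-marked afterwards.
reset_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree so the example runs offline.
make_demo_tree() {
  mkdir -p "$1/uploads"
  printf 'RewriteEngine On\n# constructed marker line\n' > "$1/.htaccess"
  echo '<?php // placeholder' > "$1/index.php"
  chmod 666 "$1/.htaccess"; chmod 644 "$1/index.php"; chmod 777 "$1/uploads"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
audit_perms "$demo"
htaccess_tail "$demo" 5
reset_perms "$demo"
audit_perms "$demo"    # prints nothing once modes are corrected
rm -rf "$demo"
```

Run audit_perms and htaccess_tail against your real web root first and read the output before calling reset_perms, so you know what was changed and where.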

 
If you have any questions about these steps, or just want to check with us about the status of your account, please go ahead and submit a ticket!


See also Why is My Site Getting Hacked?
