Need help with a hacked website?

If you are looking for help with a hacked website or web-application then you're in the right place.

Below I will outline the basic steps I have taken to help others just like you with hacked, defaced, and vandalized websites including issues with redirection, code injections, malware, and other issues that arise from breaches in website and web-application security.

I can help you with any kind of website including WordPress, Joomla, Drupal, CodeIgniter, Magento, Zen Cart, OpenCart, and all manner of custom CMS, eCommerce, and blog solutions.

If you have access to the source code, I can help!

If you're looking to have someone handle the clean up for you, or if you continue down the page and have questions or need any help as you go, please contact me directly or fill out the form below. I'm happy to help you in any way I can.

In general the steps I take are:

  • Lock the site down
  • Set up a static maintenance page
  • Redirect all traffic not on my IP to the maintenance page
  • Debug and fix the site
  • Unlock the site and restore normal traffic

Step 1: Block access and prevent any further damage

To stop the attack if it's ongoing and prevent any further unauthorized access and/or damage while we fix the site we need to lock the site down.

Lock it down...

How you do this depends on how your server is set up and what kind of access you have to it. I will cover an Apache web server with mod_rewrite enabled and .htaccess overrides allowed, which is the usual shared-hosting setup. I'm also assuming you have access to, and know how to access, your website's files via FTP, SFTP, SSH, the cPanel file manager, or something similar.

Log in to your server and navigate to the root of your website. This is usually a folder called public_html or www. If you have your website installed in a subfolder of the webroot you will want to navigate there.

Once in the root folder for your website look for a file called ".htaccess". If you cannot see this file be sure you have turned on the ability to see hidden files. If you do not have or cannot find this file, stop and get some help.

Open the .htaccess file in the site's root and add the following to the top of the file. While it is open, read through the rest of it: redirect hacks are commonly implemented as rewrite rules added to this very file, so anything in there you do not recognize is a candidate for the cleanup in Step 4.

RewriteEngine On
#ErrorDocument 503 /_maintenance/index.php
## may need to add the server IP to allow css, js, images, etc. to load properly
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|YOUR\.PUBLIC\.IP\.ADDRESS)$
RewriteRule !^_maintenance/index\.php$ - [L,NC,R=503]

NOTE 1: On line 5, replace YOUR\.PUBLIC\.IP\.ADDRESS with your actual public IP, escaping each dot with a backslash. E.g. if your public IP is 8.8.8.8, write 8\.8\.8\.8. Requests from that IP then see the real site while everyone else gets the maintenance page.
NOTE 2: You may also need to add your server's public IP. If you do, add it after yours and separate the IPs with the "|" symbol (the alternate character on the backslash key) or the rule will not work. One caveat: if your site sits behind a CDN or reverse proxy, %{REMOTE_ADDR} is the proxy's address rather than the visitor's, so this rule will either block you as well or, if you add the proxy's IP, let everyone through. In that case the check has to be made against the forwarded client address (for example by configuring mod_remoteip) instead.

Once this code is in place, your website will be unavailable to everyone except you. Test it by visiting the site from a different network (a phone on mobile data works) or by temporarily removing your IP from the .htaccess file and reloading the site; you should get the 503 response rather than the site.


Step 2: Setup your maintenance page

The default server error page is ugly and makes it look like your site is down due to an error rather than intentional maintenance. We can fix that with a customized maintenance page.

A customized maintenance page...

In the root folder for your site where you adjusted the .htaccess file add a folder called "_maintenance". Once the folder exists navigate to it so we can add some new files.

If at any point you get stuck or have questions, please contact me directly or fill out the form below.

In the new "_maintenance" folder we need two main files. Others may be needed depending on how custom you want your maintenance page.

  • .htaccess
  • index.php

Create each of the above files and add the following content respectively:

.htaccess
RewriteEngine On

index.php
<?php
// The Host header is attacker-controlled input; escape it before echoing it into the page.
$host = htmlspecialchars($_SERVER['HTTP_HOST'] ?? '', ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title><?php echo $host; ?></title>
</head>
<body>
<div style="text-align: center;">
<h1><?php echo $host; ?></h1>
<p>Our site is on its way.</p>
<p>Please check back in a few days.</p>
</div>
</body>
</html>

The above index.php creates a very basic maintenance page; alter the content as needed for your situation. If you want to add your logo or other images, drop them into the new "_maintenance" folder and reference them from index.php.

The .htaccess in "_maintenance" turns the rewrite engine on for that folder without adding any rules. A folder with its own RewriteEngine directive does not inherit the rules from the parent .htaccess (unless RewriteOptions Inherit is set), so the lockdown rule in the site root does not block the images and stylesheets stored here. One caveat on paths: the page is served as Apache's 503 error document, so the visitor's address bar still shows whatever URL they requested, and a path like images/logo.png would be resolved against that URL and fail. Reference files in the folder with root-relative paths such as /_maintenance/logo.png instead.

If you would like a custom maintenance page, please contact me directly or fill out the form below and I will build one for you.


Step 3: Redirect incoming traffic to the new maintenance page

Once you have the maintenance page loaded to the server as outlined above, you need to redirect incoming traffic from the default 503 "service unavailable" page to the new maintenance page.

Redirect to the customized maintenance page...

All you have to do here is go back to the .htaccess file in step 1 above and edit line 2 to remove the # at the beginning of the line.

FROM
RewriteEngine On
#ErrorDocument 503 /_maintenance/index.php
...
TO
RewriteEngine On
ErrorDocument 503 /_maintenance/index.php
...

To test the maintenance page and see what it looks like in the browser, remove or alter your IP on line 5 so you can see the page.

If at any point you get stuck or have questions or if you would like a custom maintenance page, please contact me directly or fill out the form below.


Step 4: Debug, fix, and reload your site

Now that your site is secured and reads as down for maintenance rather than broken, it's time to dehack it. There are a lot of tools you can use to scan your site for injected code and several methods for finding where the source code was altered, but I am going to cover the basic comparison process I use.

Step 4a: Compare the hacked site with clean code...

For this to work you need a known clean copy of the site.

Ideally you have a clean backup of the site's source files that you can use. If not then you will want to create a clean copy.

I do realize that if you had a clean backup you would likely want to just copy those files to the server to overwrite the hacked files and be done but this will not work in most cases.

Aside from losing any changes made since your last backup, copying clean files over the top of hacked files will not remove extra files that have been added to the server. PHP shells and other tools give hackers unrestricted access and if you leave them the hacker will simply rehack your site and undo all your hard work.

Going through the comparison process will help to ensure that you catch new files as well as altered files.

If you do not have a reasonably current backup of your site and therefore have to create a clean copy of your site from scratch then it's time to get some help. At this point, please contact me directly or fill out the form below so we can work together going forward. The process to create a clean copy of your site from scratch is beyond the scope of this page because there are so many things to consider that there is simply no way I can cover everything for every possible situation here.

Time to diff the clean and hacked folders...

Moving forward with a good backup of the site we can use a diff tool like Meld, Kompare, WinMerge, or anything else you are comfortable with to quickly compare the clean backup to the hacked live site so we can see the differences between them.

If you are unfamiliar with diff tools I suggest using Google to find an appropriate diff tool for your operating system. The only real requirement for this process is that the tool you choose can compare folders as well as files.

With your diff tool set up and ready, download a copy of your hacked site to your local machine. I put the clean copy and the hacked copy in separate folders within the same main folder, e.g. I create a folder called "cleanup" and place the clean site in a folder called "cleansite" and the hacked site in a folder called "hackedsite" inside it.

Make a quick backup please...

Before you run the diff tool be sure you create a copy of the hacked site in case something goes wrong and you have to start over. Once this is done I use the diff tool to compare the two folders "cleansite" and "hackedsite".

Once the diff tool is done comparing the two folders you should have a split window view of the two folders that highlights the differences between them.

The files missing in one will be highlighted in the other in one color and files in both that are different will be highlighted in a different color. In this way you can see the differences between the two copies of your site. If you can, set the diff tool to ignore any files or folders that are the same in both.

Inspecting the highlighted code...

Now all you have to do is go down the list opening and inspecting each file that is in the hacked folder but not in the clean folder to see if the file should be deleted or kept. In most cases you will be able to tell which you need to do by comparing the content of that file with the content of a known clean file. If you cannot tell you can always copy any code that looks out of place and Google it to see what others have to say.

Of course if you get stuck or have questions you can also contact me directly or fill out the form below and I will help you out.

Remember that you are cleaning up the hacked copy of the site, so you should only be making changes to files in that folder. If you add, remove, and update files only within the "hackedsite" folder, you end up with a clean copy of the site that still includes all of your updates once you are done.

As you go through all the highlighted files check for alterations you made and be sure to retain those as you clean up your site. If you come across files you are unsure about trust the clean copy over the other one. If you are unsure what to do you can contact me directly or fill out the form below and I can help you out.


Step 4b: Load the clean site to the server...

Once you are done cleaning up your site and sure you have found everything it's time to load the clean copy to the server.

To do this first remove the old site completely, making sure not to remove your .htaccess file or "_maintenance" folder. *** MAKE SURE YOU HAVE A FULL BACKUP OF THE ENTIRE SITE BEFORE YOU DO THIS! THERE IS NO WAY TO UNDELETE YOUR SITE ONCE IT'S GONE. ***

After you have removed the hacked site source files upload the now clean version of your site. Once this is done your site will be almost ready to go live.


Step 4c: Before you bring the site live...

We are almost finished but before you bring your website live there are few items you should attend to.

  1. Change ALL passwords for ALL accounts that have any ability to access any admin area of the site, and for the FTP/SFTP, SSH, and hosting control panel accounts that can reach the server's files. It is a good assumption that the hacker had access to passwords and will use unchanged ones to regain access to your site.
  2. Search for and review ALL accounts that now have admin or management access to your site and make sure that all accounts listed as admins or managers are supposed to have that level of access. Hackers often add new admin users or modify and take over existing users to re-gain access to your site if you otherwise lock them out.
  3. Navigate your site going page by page checking for junk that may have been injected into the database. Hackers often inject code into dynamically created pages which can help them re-gain access to your site. If you find anything that should not be there, open that page in the editor you use to update page content on your website and remove the stuff that should not be there.
  4. Once you are sure you have all of the database-driven content on your site cleaned up, change your database user's password and update your site's config file with the new password, along with any other secrets kept in that file (API keys, mail credentials). You can safely assume that the hacker looked at and copied down the log-in info for your database while they had access. If your site uses SMTP to log in to a real email account to send mail, be sure to update those log-in credentials as well.
  5. Update your site's framework, plugins, components, extensions, theme, etc to the most current version of each. Keeping your site up to date is a great way to help keep hackers out.
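Items 2 and 3 above as database queries rather than clicking through the site page by page. This is an added example, not code from the original page. It assumes a WordPress-style schema (wp_users, wp_usermeta with serialized capabilities, wp_posts, wp_options), built here in an in-memory SQLite database with constructed rows so it runs offline; other CMSes keep the same information in differently named tables, and the indicator patterns are assumptions that mark content for review, not proof that it is malicious.

```python
"""Review admin accounts and look for injected markup in database content.

Added example, not code from the original page. Uses a constructed,
WordPress-style schema in an in-memory SQLite database; on a real site you
would run the same queries against the live database (or a dump of it)
after the file clean-up is done.
"""
import re
import sqlite3

# Assumed indicators of injected content. Each hit warrants opening that
# page or option in your editor; a legitimate third-party script include
# also matches the first pattern, so review rather than delete blindly.
INJECTED = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?(?:https?:)?//"               # remote script include
    r"|<iframe[^>]*(?:display\s*:\s*none|height\s*=\s*['\"]?0)"  # hidden frame
    r"|eval\s*\(\s*(?:base64_decode|unescape|atob)\s*\("          # obfuscated loader
    r"|document\.write\s*\(\s*unescape\s*\(",
    re.IGNORECASE,
)


def build_sample_db():
    """Constructed sample database: two legitimate users, one attacker-added
    admin, one clean page, one page with an injected script tag and one
    widget option carrying a hidden iframe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_content TEXT, post_status TEXT);
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);

        INSERT INTO wp_users VALUES (1, 'owner',  'owner@example.com', '2019-03-01 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor', 'ed@example.com',    '2020-06-14 09:30:00');
        INSERT INTO wp_users VALUES (3, 'wp_sys', 'svc@mail.invalid',  '2023-11-02 03:12:45');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');

        INSERT INTO wp_posts VALUES (10, 'About us', '<p>We make things.</p>', 'publish');
        INSERT INTO wp_posts VALUES (11, 'Contact',
            '<p>Call us.</p><script src="//cdn.evil.invalid/x.js"></script>', 'publish');
        INSERT INTO wp_options VALUES ('siteurl', 'https://example.com');
        INSERT INTO wp_options VALUES ('widget_text',
            'a:1:{i:2;a:1:{s:4:"text";s:64:"<iframe src="http://bad.invalid/" style="display:none"></iframe>";}}');
        """
    )
    return conn


def find_admins(conn):
    """Every account whose capabilities grant administrator, newest first.

    WordPress stores roles as a serialized PHP array in wp_usermeta, so a
    substring match on the capabilities row is the practical query."""
    return conn.execute(
        """
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key LIKE '%capabilities'
          AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_registered DESC
        """
    ).fetchall()


def find_injected_content(conn):
    """Return (table, key, marker) for every post or option matching INJECTED."""
    hits = []
    for pid, body in conn.execute("SELECT ID, post_content FROM wp_posts"):
        match = INJECTED.search(body or "")
        if match:
            hits.append(("wp_posts", pid, match.group(0)))
    for name, value in conn.execute("SELECT option_name, option_value FROM wp_options"):
        match = INJECTED.search(value or "")
        if match:
            hits.append(("wp_options", name, match.group(0)))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_admins(db):
        print("admin:", row)   # anyone you did not create gets removed or demoted
    for table, key, marker in find_injected_content(db):
        print(f"review {table} {key!r}: matched {marker!r}")
```

Sorting the admin list by registration date puts accounts created around the time the trouble started at the top; any of them you did not create yourself is removed or demoted before the passwords are changed. The content hits are the pages and options to open in your editor, and the options table is worth including because injected markup in widgets and theme settings never shows up as a "page" you would click through.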

If you have questions or need help with any of this, please contact me directly or fill out the form below and I will help you figure it out.


Step 4d: Make a clean back up...

You now have a dehacked, clean, and fully up to date website that you just spent hours working on. Make a backup just in case!

Backup the now clean and up to date files and database, and back them up off server. Download them to your computer and put them in a zipped file appropriately named for your site and dated. This way you will always have a good backup and restore point, and you will easily know when it was made.

Going forward, if you were not already taking regular backups, you should start. Taking regular backups and keeping them off server is a great way to protect the money and time you have invested into your site and its content.

If you want help setting up an automated backup solution so you always have clean backups from now on, please contact me directly or fill out the form below and I will help you get something set up.


Step 5: Unlock the site and bring it live

Now that the site is all dehacked, cleaned up, up to date, and backed up off server it's time to bring it live again.

Back to business as usual...

All you have to do here is go back to the .htaccess file in step 1 above and remove or comment out the lines we added to block the site from general access. To comment the lines so you can retain them for future use, change the file as follows. One check before you do: if your CMS's own rewrite rules further down the file rely on the RewriteEngine On line and do not repeat it themselves (WordPress and most others do include their own), leave that first line uncommented.

FROM
RewriteEngine On
ErrorDocument 503 /_maintenance/index.php
## may need to add the server IP to allow css, js, images, etc. to load properly
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|YOUR\.PUBLIC\.IP\.ADDRESS)$
RewriteRule !^_maintenance/index\.php$ - [L,NC,R=503]
...
TO
#RewriteEngine On
#ErrorDocument 503 /_maintenance/index.php
## may need to add the server IP to allow css, js, images, etc. to load properly
#RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|YOUR\.PUBLIC\.IP\.ADDRESS)$
#RewriteRule !^_maintenance/index\.php$ - [L,NC,R=503]
...

If at any point you get stuck or have questions, please contact me directly or fill out the form below.


The wrap up

Having helped more people recover their hacked websites than I can count I know what you just went through was not easy. Here are a few things you can do going forward that will help keep this from ever happening again.

Keep it secure going forward...

Keep your site up to date. Going forward, log in regularly and make sure you install or apply all updates as they come out. Most mass website compromises exploit known vulnerabilities that were already fixed in a newer version, so keeping your site's source files current will prevent most of those attacks from succeeding.

Use strong and secure passwords. Do not, under any normal circumstances, share your password with anyone for any reason. Do not reuse passwords between sites; a password manager makes unique passwords painless. If there is just no way for you to do this, at least keep the things that need to be most secure separate from everything else.

You can, for example, have one password for your email, one for your banking, one for your website's admin log-in, and one for other sites, so that at least your most sensitive accounts are separate from everything else. This way, if one gets compromised, not all of them will be.

Restrict access to your website's admin and management areas. Only allow access to your site's sensitive areas to those who need it and, to the extent that it is possible, give each user only the exact level of access needed to do their tasks.

Ongoing education is key. There are lots of things you can do to help keep your website and your business secure. I strongly recommend educating yourself as much as is possible about information security and the different ways you can make security part of your everyday process so that you can actively work to protect your clients, your employees, your business, and yourself as you go forward.

Good daily habits. Just like you take steps everyday to secure your physical home when you leave for work, and your physical business when you close up for the day, and your car when you park it at the grocery store, you must take steps every day to secure your company digitally, and to protect it and your clients from digital threats.

If you have any questions about how to secure your business today and keep it secure going forward, please contact me directly or fill out the form below. I can help you protect your business.

Want some help fixing your website?

Tell me all about it...