“911, My Site Has Been Hacked!” How to Identify and Fix a Website Security Breach

Thousands of websites fall victim to DDoS attacks, malicious bots or account breaches on a daily basis. In spite of the real and present threat that hackers pose to websites big and small, most website owners live in the happy delusion that their site will never be a target.

Reasons like “We’re too small to be attacked” or “We don’t handle sensitive data like financial records” don’t cut the ice anymore; it has been repeatedly shown that ALL websites irrespective of their size are vulnerable to security breaches and can be used as deadly tools in the hands of no-good hackers.

Identifying a Website Hack

While there is a small percentage of hacking attempts that can be extremely tough to detect, by and large you can identify any attempts – successful or otherwise – at hacking your site with the following indicators.

• Sudden, unforeseen spikes in traffic, especially from foreign countries that typically don’t send much traffic to your site
• Your domain redirects automatically to a third party (often spammy) site
• Your homepage (and/or inside pages) is modified, its content either missing or altered
• Spikes in outbound bandwidth, which may indicate that your server was hijacked and is being used for botnet DDoS attack
• Your direct and organic traffic drops because search engines like Google, Bing and browsers like Firefox and Chrome issue security warnings about your site preventing users from visiting it

If you spot any of these signals on your site, quickly perform a self-diagnosis of a security loophole or attack with Google’s Safe Browsing Diagnostic Tool (you need to replace www.example.com with your actual domain in the URL). Alternately you could also perform a website reputation check with a free tool like URL Void.

Fixing the Breach

When you look at it objectively, identifying a hacking attempt is often the easy bit. What follows – the repairs - is what takes time, effort, skills and most importantly money.

Inform your audience and go offline if needed

Users who are regular visitors to your site trust that they are safe on the site and might expose themselves to the hackers who attacked your site by landing on it unwarned. As a responsible site owner, you need to inform your visitors of the fact that your site may be a victim of a security breach and that visitors’ would be better off not visiting your site till the problem is fixed.

If the attack is widespread, it makes sense to take your site offline till you find and fix the problems plaguing it. A simple ‘Site down for Maintenance’ message will tell users that it’s a temporary problem without scaring them off permanently.

Being upfront about the problem builds trust among users – something that you will desperately need once the site is back up on its feet.

Contact your webhost

Web hosting companies work with thousands of websites on a daily basis and would have faced nearly every possible type of security issue that there exists on the web. Once you know that your site security has been compromised, waste no time in reaching out to your web host and asking for their expertise.

Their experience combined with the fact that most webhosting companies have dedicated engineers who are trained to spot and fix hacking attempts will be an asset in your time of crisis. Even if your web host does not offer their own assistance, they will be in a position to put you in touch with other website owners who might have faced a problem similar to yours’ and who can tell you with how they went about fixing their sites.

Set your technical support team to work

Typically media files, .php files or files that have been lying in non-secure locations are the ones targeted by hackers. Hackers tend to sneak in malicious code into these files and take down your site via backdoor attacks. You or your support team needs to scour these usual suspects and then move on to the rest of the site to isolate the exact breach and begin the cleanup process.

Cleaning up the malicious code from the infected files requires you to download these files from your server, remove the offending code and re-upload clean files into the server.

Sometimes it’s not enough to just clean up your infected files. Hackers can sometimes gain access to your files, make modifications in them or delete critical chunks of code without you even realizing it. It is a good idea to compare the cleaned up version of your infected files with the original files from your web developers to check if you’re missing any important pieces of code. Most importantly, hackers will typically install backdoor shells that allow them to keep hacking your site, even after all infected files were removed. These shells are often masked as a regular file and they will be backed up with all the rest of your content. If you were hacked, after reverting to your backed up version, use a proprietary shell detection service to make sure that no such shell still remains.

Change passwords

Cleaning up your infected files is just half the job done. You need to ensure that the hackers don’t gain access to your data again. One simple but essential way to do this is by changing your passwords – ALL your passwords. Whether it is your email, FTP, Admin passwords – spare no time in changing your passwords, making sure that your new passwords are strong and not guessable by brute force programs.

Consider using website security services

Having at least a basic security infrastructure in place is common sense for any website, irrespective of size. A simple tool like the Login Lockdown plugin for WordPress users, for example, is useful for preventing simple login page brute-force attacks. However, it becomes even more critical when you have already been attacked by a hacker.

So if you don’t have a firewall or a security system safeguarding your site yet, put it into place without further ado. The truth is that while webhosts do offer protection, it is usually basic and engineers will only step in when the damage has already been done. Prevention is always better than the cure and using a Web Application Firewall (WAF) solution will be one of the best decisions you could make to secure your website.

A Web Application Firewall is a complete out-of-box solution offered by cloud security companies that adds an extra security layer and inspects all traffic coming to your website, blocking a wide range of malicious threats. Including some of the most common and aggressive threats among the Open Web Application Security Project (OWASP) top ten threats list like SQL Injections, Cross Site Scripting and Invalidated Redirects.

While several high-end hosting providers will offer built-in WAF protection through the open source mod_security Apache server module, it is not sufficient in blocking newly discovered threats, as it is rarely updated by web hosts who don’t have the resource required to track the rapidly evolving threat landscape.

Instead, many end users are now taking matters into their own hands by subscribing to a managed web application firewall service, delivered by a cloud security provider. Such cloud-based WAFs are plug-and-play solutions that monitor all inbound traffic and autonomously handle the entire threat detection and mitigation process, pulling on enterprise-level resources and personnel to quickly respond to new and existing threats.

In addition, such cloud services are usually bundled with content delivery networks (CDN), denial-of-service (DDoS) protection services and even load balancing solutions to improve performance, security and availability.

Move to HTTPS if you haven’t

One of the newest ranking signals that Google has announced a couple of months ago is the HTTPS signal. This focus on website security shows that Google is serious about ensuring that ill-protected or hacked sites are not served up in search rankings to their users, or as Google puts it, it’s their attempt to make the web a safer place.

HTTPS is Hyper Text Transfer Protocol Secure –a communications protocol used to transfer important information between websites and servers in a more secure fashion than plain old HTTP, which is the current web standard. HTTPS was so far commonly used for financial transactions on e-commerce sites, for inbox and login protection on email clients, in short it was used for all transactions that required a safe and highly secure environment on the internet.

By switching your entire site to the HTTPS protocol, you are not just making it doubly secure; you are also improving its chances of ranking high on relevant searches on Google. One feature, double benefits.

Send Whitelist requests to Google, Bing, AVG and others

One of the consequences of having your website hacked is that a whole host of web entities – search engines, browsers, security software –identify your site as a ‘problem’ site and issue explicit warnings to their users against visiting your site to prevent them from being infected.

To ensure that your site can get back on its feet as soon as possible, it is imperative to contact Google, Bing, Yahoo, AOL, AVG, Norton, Mozilla and others to review your security certificate and take you off their list of blacklisted sites.

Over to You

As with most other things that go wrong in life, it pays to be a little cautious to begin with and make sure that you’ve taken all possible precautions to protect your site against possible attacks. If the inevitable has happened, don’t lose heart.

Just use the unfortunate (though avoidable) incident as a wakeup call, follow the steps outlined above and plug any security loopholes that may have surfaced to avoid such an event in the future.