The image above is from OWASP’s Top 10 website
“Un-hacking” your website
Un-hacking is like detective work. When a client calls us saying that their site has been hacked, we metaphorically put on our CSI lab coats and start the techno music.
Try to identify where the hack came from
Check your website's logs. Are there any notifications regarding unauthorized access?
- Sometimes, there is no “hack”; it's your site that makes private data public. (For example, Brault & Martineau, a Canadian furniture store, didn’t protect their private user data in a recent security issue.) In this case, the problem is a website that wasn’t programmed well, not a hacker attack.
- Is your hosting server the culprit? This sometimes happens on shared hosts where one site is hacked and infects all the others on the same server.
- Forms or other methods of sending information to your website are a common culprit: make sure they prevent common “injection” attacks.
- Did a strange IP address try to connect to your server? Did a “robot” try hundreds of different passwords on your website, hoping to land on the correct one?
All these items are clues to what to do next to un-hack your website – and keep it secure going forward.
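One way to answer the password-guessing question above from an access log, as an added example that is not part of the original article. It assumes the Apache/Nginx "combined" log format and a WordPress-style login form at /wp-login.php, where a 302 answer is taken to mean the login was accepted; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log line: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_password_guessing(lines, login_path="/wp-login.php", threshold=5):
    """Return {ip: {"attempts": n, "redirects": m}} for IPs at or above threshold.

    Assumption: the login form is POSTed to login_path and a 302 answer means
    the login was accepted (stock WordPress behaviour); adjust for other CMSs.
    """
    stats = defaultdict(lambda: {"attempts": 0, "redirects": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable lines and page views are not login attempts
        # Ignore the query string so /wp-login.php?action=... still matches.
        if m["path"].split("?", 1)[0] != login_path:
            continue
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        if m["status"] == "302":
            entry["redirects"] += 1
    return {ip: s for ip, s in stats.items() if s["attempts"] >= threshold}

def make_sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    fmt = '{ip} - - [10/Oct/2023:13:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", m=55, s=i, req="POST /wp-login.php", st=200)
             for i in range(6)]
    # The seventh guess from the same address is answered with a redirect.
    lines.append(fmt.format(ip="203.0.113.7", m=55, s=6, req="POST /wp-login.php", st=302))
    # An ordinary visitor: one page view and one login.
    lines.append(fmt.format(ip="198.51.100.4", m=56, s=0, req="GET /", st=200))
    lines.append(fmt.format(ip="198.51.100.4", m=56, s=5, req="POST /wp-login.php", st=302))
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, s in find_password_guessing(make_sample_log()).items():
        flag = "  <-- a guess may have succeeded, reset passwords" if s["redirects"] else ""
        print(f'{ip}: {s["attempts"]} login POSTs, {s["redirects"]} redirected{flag}')
```

An address that shows many attempts followed by a redirect is the case to treat as a compromised account rather than a failed robot.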
Follow standard procedure
In any hacking situation, you have to cover your bases and do basic stuff like changing your passwords, upgrading your content management system’s version (security patches are regularly released for WordPress, Drupal and Joomla!), and backing up your files.
A great checklist of basic items to verify is available on WordPress’s “my site was hacked” page.
If those quick steps don't fix the problem, seek help
The next steps vary widely depending on the attack, and should be completed by a team of professionals.
Make sure it doesn't happen again
If your site was defaced (images and content changed), you definitely don’t want it to happen again. As the saying goes, “Fool me once, shame on you; fool me twice, shame on me”.
It's important that by removing the hack, you also prevent it from happening again. This is sometimes not as easy as it sounds, especially if you didn't identify how your security was breached in the first place (for example, restoring your website from a backup doesn't make it more secure).
Prevention is the best medicine
Just as vaccines are much more potent (and cost-effective) at eradicating disease than healing someone who has fallen ill, protecting your website from the majority of hacks is fairly easy and painless - and less expensive than an emergency un-hacking consultation.
And hackers are a lazy bunch, so if your website is slightly tougher to breach than the neighbour’s, they will easily give up.
Suggestions to protect your website
Here are a couple of steps you and your web development partners can take to prevent the majority of attacks:
- Install security modules/plugins
- Back up your website regularly (should be done automatically)
- Use tried and tested modules/plugins
- Keep your platform and scripts up to date
- Manage file and directory permissions
- Test attack-prone functionalities (forms, transactions, etc.)
- Work with an experienced web team that knows how to secure your website or web application (internal web teams might not have cumulative and varied experience with multiple different websites)
I also recommend you check out this article about securing WordPress related to a conference we attended at WordCamp Montreal this year.
Hope all this helps, and wishing that you never need to un-hack your website!