You might have read a lot of articles in which the writer explains the steps to get your website back after a hack. This one aims to be the simplest and most straightforward guide to getting your website back up and running quickly, without carrying the infection along with it.
The dreaded page that greets you when you visit your blog or website and find it reads “Hacked by XYZ” is a painful sight for any webmaster or site owner, and if the site is a source of revenue it surely kills a little part of you.
The first and most important goal is to get the website or blog restored to a working condition, or as they call it, the last known good condition, and to do so without re-introducing whatever let the attacker in.
Recovering from a hack can be a real pain, and its effects may have a long-term impact on the blog, including loss of readers' trust, lower rankings on the SERP and more. The faster you identify and solve the issues, the less damage is done to your website or blog. We've listed the most important, straightforward actions to take immediately after a potential attack has been discovered.
1. Block Traffic
Firstly, make your website or blog inaccessible to visitors and search-engine crawlers. Do not delete the website or blog yet: you will need the files for analysis later, and they are your only evidence of what the attacker did, so deleting any of them is not recommended.
How to block traffic immediately to your website/Blog
You can block all traffic immediately by placing a .htaccess file in the root directory of your website. If .htaccess files are not supported, or your server is not running Apache, rename the index.php, index.html and similar files and replace them with a page saying “We are encountering some problems with our servers and we will be back shortly” or something along those lines. Note that a plain deny rule answers every request with 403 Forbidden; if your server lets you, return 503 Service Unavailable instead, which tells search engines the outage is temporary rather than that the site has gone away.
NOTE: Do not forget to create a dummy index.php/index.html page. With no index file in place, a server that has directory indexing enabled will list the contents of your web root to anyone who visits, exposing files in your account that would otherwise only be reachable by someone who knows their names.
The .htaccess file can be as short as a single line reading: deny from all (on Apache 2.4 the equivalent is Require all denied; the older Deny syntax only works there if mod_access_compat is loaded). Add a rule allowing your own IP address if you want to keep checking the site while you clean it.
Stopping traffic and search engines is an essential part of the process. You don't want your visitors exposed to the malware, your server used to attack other websites, or your site flagged by Google as malicious.
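The lockdown described above, as an added shell example that is not code from the original article: it assumes an Apache 2.2 or 2.4 host that honours .htaccess, a web root path and an administrator IP address (both hypothetical, supplied on the command line). The .htaccess it writes returns 503 to everyone except that address and falls back to Require all denied / Deny from all where mod_rewrite is absent; a second function parks the index files for hosts that do not honour .htaccess at all.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): lock a compromised web root
# down while you investigate. Assumptions: Apache 2.2/2.4 honouring .htaccess,
# WEBROOT, ADMIN_IP and a quarantine directory supplied by the operator.
set -euo pipefail

# Write a .htaccess that serves 503 to everyone except the admin address.
# 503 (not 403) tells search engines the outage is temporary.
make_maintenance_htaccess() {
  local webroot="$1" admin_ip="$2" ip_re
  ip_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')   # escape dots for the regex
  cat > "$webroot/.htaccess" <<EOF
# Incident lockdown. Remove (or restore the CMS's own .htaccess) once clean.
# Options needs "AllowOverride Options"; drop the next line if the host returns 500.
Options -Indexes
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REMOTE_ADDR} !^${ip_re}\$
  RewriteRule .* - [R=503,L]
</IfModule>
<IfModule !mod_rewrite.c>
  # No mod_rewrite: fall back to a plain deny (403 for everyone, admin included).
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</IfModule>
<IfModule mod_headers.c>
  Header always set Retry-After "3600"
</IfModule>
ErrorDocument 503 "We are encountering some problems with our servers and will be back shortly."
EOF
}

# For hosts that do not honour .htaccess: move the real index files out of the
# web root (keep them as evidence, never delete) and leave a harmless
# placeholder behind. They go to a directory outside the web root rather than
# being renamed in place, because a name like index.php.bak can still be run
# by PHP on servers that map handlers by any extension in the file name.
park_index() {
  local webroot="$1" quarantine="$2" f
  mkdir -p "$quarantine"
  for f in index.php index.html index.htm; do
    if [ -f "$webroot/$f" ]; then
      mv "$webroot/$f" "$quarantine/$f"
    fi
  done
  printf '<!doctype html><title>Maintenance</title>\n<p>We are encountering some problems with our servers and will be back shortly.</p>\n' \
    > "$webroot/index.html"
}

# Usage: ./lockdown.sh /var/www/html 203.0.113.5 /var/www/quarantine
if [ "$#" -ge 2 ]; then
  make_maintenance_htaccess "$1" "$2"
  if [ "$#" -ge 3 ]; then
    park_index "$1" "$3"
  fi
fi
```

The Retry-After header and the 503 status are what keep crawlers from treating the site as dead; the fallback deny block is only reached when mod_rewrite is not loaded, so the two syntaxes never conflict.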
2. Backup!!!!
We hear a lot of stress being placed on backups, and this is where it pays off: a backup strategy, if one is in place, takes a lot of pressure off the webmaster trying to get the site up and running quickly.
Make a full backup of your home folder. This usually includes not only all the files but also SQL dumps of any databases you have.
If you are unable to create a full backup, download the contents of your account using an FTP client and then manually export the database(s) as SQL file(s). Label this copy clearly as the compromised state: it is evidence and a safety net, not something to restore from blindly. Run a deep scan of the downloaded backup with your favourite anti-virus, since some of the malicious scripts injected by cyber-criminals are picked up by string scanners.
3. Copy static files and, if it is a blog, the themes and plugins
Make a copy of the files you've customised. These may include themes, plugins and files uploaded as content, practically everything that can't be downloaded from the web again. Keep whatever you consider necessary for a fresh start without losing any content, and treat each of these files as suspect until you have checked it in the steps below.
4. Dig into the Logs
Pull a fresh copy of the access logs (and the error and FTP logs, if your host provides them) from your server and store them in a secure place. The faster you get them, the better, as many web hosting providers keep them only for a limited period, sometimes as little as 12 to 24 hours. You will need the logs to investigate what exactly the attacker did on your website. This forensic analysis of your hosting account will likely reveal where your website failed and, subsequently, point you towards the actions needed to fix it.
5. Dig Deep
The logs won't reveal everything; you will have to dig deeper to find the actual cause and take preventive action.
Start by looking inside every plugin and theme file for suspicious-looking fragments of text.
Pay special attention to lines containing ‘eval(base64_decode(’ followed by a long series of illegible letters and numbers, as well as any script inclusions from domains you don't know (such as <script src="http://[unknowndomainname]/scriptname.php">).
Base64 obfuscation is the method of choice for hiding malicious code from the human eye. Finding it doesn't necessarily mean the code is malicious, as some theme designers use Base64 encoding to protect their copyright notices from being altered. What you can do is compare your modified theme with the original one: if there is no Base64 code in the original, remove it from the modified file.
6. Frisk the Database
Go through the database table by table and look for any sign of suspicious links or scripts. Pay extra attention to the tables holding the administrators, the configuration settings and the blog posts. If you find an administrator account you are unaware of, remove it immediately.
The last two tables might contain a JavaScript-based redirect. Delete any JavaScript you are unaware of (by default, WYSIWYG editors do not output JavaScript, so any trace of JavaScript inside blog posts that you did not put there yourself should be treated as malicious).
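The three investigation steps above (logs, files, database) as one added shell example; this is not code from the original article. It assumes an Apache/nginx "combined" access log, a PHP-based CMS using WordPress table names (wp_users is the default, with the login in the second column), and a mysqldump-style SQL export of the database; the file names in the usage line are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): helpers for the investigation
# steps: access log triage, scanning files or a SQL dump for the injection
# patterns described, and listing the user accounts found in the dump.
# Assumptions: Apache/nginx "combined" access log format, a PHP-based CMS with
# WordPress table names (wp_users) as defaults, a mysqldump-style SQL export.
set -euo pipefail

# Step 4: list POST requests to .php files, most frequent first. Ordinary
# visitors only POST to the login and comment handlers; repeated POSTs to a
# .php file under uploads/ or an odd plugin path are how a planted web shell is
# driven, and the timestamps on those lines tell you when the attack happened.
triage_access_log() {
  awk '$6 == "\"POST" && $7 ~ /\.php/ { print $7 }' "$1" | sort | uniq -c | sort -rn
}

# Step 5 (and the posts table in step 6): print every file under a directory,
# or the dump file itself, that contains one of the tell-tale patterns. A hit
# is a lead, not proof: compare the file against a pristine copy of the same
# version before deciding it is malicious.
scan_for_obfuscation() {
  local target="$1" p
  local -a patterns=(
    # eval() fed by a decoder, the classic PHP backdoor wrapper
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'
    # any externally hosted <script>; review each domain it names
    '<script[^>]*src=["'"'"']https?://'
    # JavaScript that unpacks itself, common in injected redirects
    'document\.write[[:space:]]*\([[:space:]]*unescape'
  )
  for p in "${patterns[@]}"; do
    grep -rIlE -- "$p" "$target" || true   # grep exits 1 when nothing matches
  done | sort -u
}

# Step 6: list the user logins in the dump's INSERT statements for the users
# table (ID first, login second, as in wp_users) so an account you did not
# create stands out.
list_dump_users() {
  local dump="$1" table="${2:-wp_users}"
  grep -E "^INSERT INTO \`?${table}\`? " "$dump" \
    | grep -oE "\([0-9]+,'[^']*'" \
    | sed -E "s/^\([0-9]+,'//; s/'\$//"
}

# Usage: ./triage.sh access.log /path/to/site-backup dump.sql
if [ "$#" -eq 3 ]; then
  echo "== POST requests to PHP files =="; triage_access_log "$1"
  echo "== files with suspicious patterns =="; scan_for_obfuscation "$2"
  echo "== scripts inside the database dump =="; scan_for_obfuscation "$3"
  echo "== user accounts in the dump =="; list_dump_users "$3"
fi
```

Run it against the backup you downloaded in step 2, never against the live site, and cross-check every path the log triage reports against the file scan: a .php file that receives POSTs and also contains a decoder-wrapped eval() is the web shell.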
7. NOW Start deleting
After this inspection and after cleaning the code, you should remove the malicious files from your server. If the database was also affected, drop it and restore the copy you have manually checked.
8. Get the website up from scratch, well, almost from scratch
We know this sounds tiring and painstaking, but the best approach IS to start the website from scratch. That does not mean you should lose all your data, which can be restored; it means the website's scripts and other code should be installed fresh.
Start uploading your website/blog script back onto the server. Make sure you have downloaded it from the official repository and that the archive's checksum (MD5 or, preferably, SHA-256 or a GPG signature if the project publishes one, since MD5 collisions are practical) is identical to the one shown on the official website. Check it on your local computer before you upload: a matching hash proves the download was not corrupted or swapped in transit, though a hash fetched from the same server as the archive cannot protect you if that server itself is compromised.
It is mandatory that you download the latest version of the blog script. Modify the config file to match your web server’s details (SQL user, database, password, file path and the rest of your settings).
Please note! Using ‘nulled’ scripts is extremely dangerous, as they usually contain ‘bombed’ code (backdoors) planted by the ‘nuller’ (the one who cracked the original code) so they can take control of the user's website. Many commercially-supported CMS scripts can be downloaded from ‘warez’ boards and BitTorrent sites with their commercial protection defeated; the saving is not worth it.
9. Setup Proper Permissions
Make sure that you do not set file and folder permissions higher than the script actually needs to run. Setting files and folders to CHMOD 777 makes them world-writable, which lets an attacker who gains even limited access to the server write to them and re-inject malicious code or drop a web shell.
Check the script's technical documentation and set the right permissions for each file and folder. Also change the blog's administrator passwords, the FTP passwords and the database password stored in your config file, since anyone who could read your files has seen it.
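Steps 8 and 9 above as one added shell example, not code from the original article or any CMS project. It assumes GNU coreutils (sha256sum, md5sum, find) and that the expected digest was copied from the project's official release page over HTTPS; the archive and web root paths in the usage line are hypothetical, and wp-config.php is only the default name of the file holding the database password.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): verify the fresh CMS download
# before uploading it, then apply least-privilege permissions to the web root.
# Assumptions: GNU coreutils; the expected digest comes from the project's
# official release page, fetched over HTTPS.
set -euo pipefail

# Compare the archive's digest with the published one. Accepts SHA-256 (64 hex
# chars) or MD5 (32). MD5 is collision-prone, so prefer SHA-256 or a GPG
# signature whenever the project publishes one; a hash fetched from the same
# server as the archive only proves the download was not corrupted in transit.
# Returns 0 on match, 1 on mismatch, 2 if the digest length is not recognised.
verify_archive() {
  local archive="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "${#expected}" in
    64) actual=$(sha256sum "$archive" | cut -d' ' -f1) ;;
    32) echo "warning: verifying with MD5 only" >&2
        actual=$(md5sum "$archive" | cut -d' ' -f1) ;;
    *)  echo "error: unrecognised digest length ${#expected}" >&2; return 2 ;;
  esac
  [ "$actual" = "$expected" ]
}

# Directories 755, files 644, and the config file holding the database password
# 600: nothing is world-writable, so a bug in one script cannot be used to
# rewrite another. 600 assumes PHP runs as the file owner (suPHP/FastCGI style
# shared hosting); if PHP runs as a separate web server user, use 640 with that
# user's group instead. Directories the CMS must write to (uploads) should be
# owned by the user PHP runs as rather than opened up to 777.
set_perms() {
  local webroot="$1" config="${2:-wp-config.php}"
  find "$webroot" -type d -exec chmod 755 {} +
  find "$webroot" -type f -exec chmod 644 {} +
  if [ -f "$webroot/$config" ]; then
    chmod 600 "$webroot/$config"
  fi
}

# Usage: ./rebuild.sh cms-latest.zip <published_sha256> /var/www/html
if [ "$#" -eq 3 ]; then
  if ! verify_archive "$1" "$2"; then
    echo "digest mismatch: do not upload this archive" >&2
    exit 1
  fi
  echo "archive verified"
  set_perms "$3"
fi
```

Run verify_archive on your own machine before anything is uploaded, and set_perms on the server after the fresh files and your checked customisations are in place; the function resets everything in one pass, so any 777 left over from the old installation disappears.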
10. Final Steps
Restore the modified files to the server using FTP, this time with proper permissions. If you blocked access to the site's root with a .htaccess file, you can remove it now (or put back the one your CMS itself needs, if it uses one).
Flush the browser's cache and access your website. Additionally, look your blog up in a search engine using your name or the blog's title as keywords and follow the search result the engine provides. Much blog malware checks the referrer to see whether the visitor arrived directly or via a search engine and only manifests itself to referred visitors, so a site that looks clean when you type its address may still be serving malware to everyone who arrives from a search.
Hope you find this article helpful, and if you've come here via a search engine, best of luck with the recovery of your blog. If you have any queries, feel free to get in touch via the contact form, the comments below or Facebook, and feel free to subscribe to Dhawal Damania on Facebook for expert opinions on technology, startups, social media, gadgets and more!
