This guide explains how to secure your web site after it has been hacked, and how to help prevent future attacks.
The first step to securing your web site and getting back to normal operation is determining how it was hacked. In general, most hacks occur for one of the following reasons:
Software vulnerability hacks are more common than FTP/SSH password hacks, primarily because of the huge growth in pre-bundled software applications. Users often set up an application and then forget to apply security updates, leaving their sites vulnerable to attack.
Similarly, if a file or directory in the public_html directory has permissions set to 777 (full access), code or data may be exposed and potentially exploited by an attacker.
You should first try to determine if someone has compromised your password and logged in to your account. To do this, follow these steps:
history
This command displays the last 1000 commands run on the account, as well as when. Review recent entries in the list for any commands that seem suspicious or that you did not type.
At the command prompt, type the following command:
cat ~/.lastlogin
This command displays the IP address of the last user who logged in to your cPanel account. This information is also available from the cPanel home screen.
If you suspect or determine that an unauthorized user is accessing your account:
After you have followed these steps, go to the Cleaning up after a hack section below. Otherwise, if you did not find any suspicious behavior, go to the next section.
Out-of-date software applications often contain well-known security vulnerabilities that malicious actors can exploit using automated scripts. Software applications include anything you have installed using Softaculous, as well as any packages that you have installed manually. Usually these are applications such as blogs, image galleries, forums, shopping carts, content management systems, etc.
You should review all of the software applications that are installed on your web site. Make sure you have installed the most recent version and all updates. When you update software applications, make sure you check the plugins as well. If you have any non-standard plugins installed with your applications, do a web search for the plugin name and the term “vulnerability” to see if there are any known issues with your version. If you discover any known vulnerabilities, either update the plugin or disable it.
You should also check for recent errors on your web site by using cPanel's Error Log feature. Error messages can help you determine which software applications or files are vulnerable. For more information about how to access the error log in cPanel, please see this article.
After you have updated your software applications and plugins, go to the Cleaning up after a hack section below.
After you have secured your web site, the next step is to clean up the mess left behind by the perpetrators and restore normal operation.
The first step in the cleanup process is to ensure there are no malicious processes still running on your account. Otherwise, you may go through all of the following cleanup steps, and these processes will simply wreak havoc all over again.
To view the user processes running on your account, follow these steps:
ps faux
Examine the list of running processes and look for anything suspicious. If you do see a suspicious process, note the process ID (PID) number.
Because you ran the ps command in step 2 yourself, it is not a malicious process and should not be terminated! For example:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND username 2847697 0.0 0.0 108504 1900 pts/2 Ss 16:37 0:00 -bash username 2885143 0.0 0.0 109960 1016 pts/2 R+ 16:44 0:00 \_ ps faux
These two processes are normal.
To kill any suspicious processes that you found, type the following command for each process. Replace process_id with the process ID (PID) that you noted in step 3:
kill process_id
You should go through all of the files in your account and delete anything that you did not put there. If you are using an FTP client, make sure it is set to show hidden files. Similarly, if you are using the command line in SSH, make sure you use the -a option with the ls command so it shows all files. (Many malicious files try to “hide” from casual observation by making themselves hidden.)
Although we recommend going through all of your files, you can prioritize your search. Look first for file modification timestamps that have changed since you last modified your site, or that occurred around the time the hack took place. If you identify a file that was modified during the hack (such as a defaced index page), you may be able to locate other affected files by searching for similar timestamps.
For example, to find all of the files that have been modified in your public_html directory within the last three days, follow these steps:
cd ~/public_html find . -mtime -3
By default, every directory beneath the public_html directory should have its file permissions set to 755 (full access for the owner, and read and execute access for everyone else). Additionally, every file should have its permissions set to 644 (read and write access for the owner, and read access for everyone else). To set these permissions for your account, follow these steps:
cd ~/public_html find . -type d -exec chmod 755 {} \; find . -type f -exec chmod 644 {} \;
Some hacks, particularly SQL injection attacks against vulnerable Joomla! installations, may alter the database with malicious code. These modifications can grant an attacker access to your account even after you update applications and remove altered files.
Therefore, you should review your databases to see if there are any suspicious changes. You may also want to restore the database from a backup that was completed before the attack occurred. If you need further assistance, please open a support ticket with our Guru Crew on the Customer Portal at https://my.a2hosting.com.
You can use the Server Rewind feature in cPanel to restore files in your home directory that have been lost or modified within the past month. For more information about how to use the Server Rewind feature, please see this article.
If you use WordPress, there are additional steps you must take to secure your site after an attack. For example, you must reset the WordPress security keys. For more information about WordPress security, please see this article.
A hacked site can lead to online reputation damage and lower search engine rankings. Or visitors may even see “Deceptive site ahead” warnings in web browsers. When you are confident that you have secured your site, you may want to request a review from Google. If Google determines your site is no longer dangerous or deceptive, it will unflag it and no longer penalize it in search engine rankings.
For information about how to request a site review from Google, please visit https://web.dev/articles/request-a-review.
To help prevent future attacks, you should consider enabling Cloudflare for your account.
Cloudflare is a content delivery network (CDN) service. Cloudflare's network blocks threats and limits abusive bots before they reach the web server. This increases security and reduces wasted bandwidth.
You can sign up directly on Cloudflare's site at http://www.cloudflare.com.
For additional suggestions about what to do if your web site is hacked, please visit http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html.
Subscribe to receive weekly cutting edge tips, strategies, and news you need to grow your web business.
No charge. Unsubscribe anytime.
Did you find this article helpful? Then you'll love our support. Experience the A2 Hosting difference today and get a pre-secured, pre-optimized website. Check out our web hosting plans today.
We use cookies to personalize the website for you and to analyze the use of our website. You consent to this by clicking on "I consent" or by continuing your use of this website. Further information about cookies can be found in our Privacy Policy.