Yikes! What to Do if Your Site Gets HackedWeb Design & Development
Nothing will drive away your site visitors like seeing the “red screen of death” with a message from Google stating “this site may harm your computer” or “this site may have been compromised.”
Part of what makes a hacked website troublesome is that hacks are often invisible to users, yet remain incredibly harmful to anyone viewing the page (including the site owner). In some instances, a hacker may be able to find a vulnerability in your site by exploiting out-of-date or insecure software. Like an infection that enters the body through a small wound and spreads, a hacker can damage any portion of your site by performing various actions, such as adding spammy text to your webpages or implementing malicious software. In some instances, harmful code can record keystrokes on a visitor’s computer, effectively stealing login credentials or financial information.
Hopefully, you’ll never need this, but if your site does get hacked, here are some tips to help you get it back on track:
1. Contact your hosting provider.
The first step in restoring your site’s health is contacting your hosting provider. Your hoster can make sure that their other customers where not affected, and they can potentially help recover your site.
2. Take your site offline.
Taking your compromised site completely offline will allow you to perform administrative tasks with less interference from the hacker and prevent your site visitors from being exposed to malicious code. It is unlikely that taking your site offline temporarily during this process will affect your site’s rankings in search results.
3. Update your credentials.
If your site is running on a CMS platform, look at the user accounts and see if the hacker created a new user account. If you find anything suspicious, write down the unwanted account names for later investigation. Next, delete these accounts to prevent future logins by the hacker.
Next, you will want to change the passwords for all site users and accounts. This will include logins for FTP, database access, system administrators and CMS accounts.
4. Consult your Webmaster Tools.
For verification methods that require an HTML meta tag or HTML file, you will need to temporarily put your site back online. If your verification is successful, you will see a confirmation screen.
After verifying your website with Google Webmaster Tools, make sure that the hacker has not also verified ownership or made any unwanted changes to the configuration. You can do this by:
1. Visiting the Google Webmaster Tools homepage
2. Finding your website and clicking Manage Site
3. Clicking Add or Remove Users
4. Making sure that all users and owners listed have authorization
5. Documenting the email of any unauthorized users and deleting them from the site. To deauthorize the unauthorized user, you must delete the owner and any verification tokens that they used, such as a meta tag or an HTML file on your server.
6. Investigating if unwanted changes were made to the settings in Google Webmaster Tools. To do this, click the gear icon and Site Settings, to look for unexpected changes, such as a crawl rate limit. You should also check to see if anything unusual was listed in Remove URLs under the Google Index menu or in Change of Address, found under the gear icon.
5. Determine the type of attack.
The information available in Google Webmaster Tools can help you determine what type of attack was placed on your website.
To investigate the type of attack on your site, do the following:
1. Visit the Google Webmaster Tools account for your site
2. Click Messages
3. Check for important messages from Google stating that your site has been compromised
4. Access Security Issues in Google Webmaster Tools to find out what type of attack you are dealing with
You may see one of the following:
- Malware: In a malware attack, a hacker may be using your site to infect visitors with software that is designed to access confidential information.
- Spam: In a spam attack, it is likely that a hacker has placed pages, text or links with spam on your site.
- Phishing: In a phishing attack, a hacker uses your site to appropriate the login, password or financial details of users, while keeping it disguised as a trusted site.
6. Contact your friendly web team.
To fix a malware or phishing attack, you’ll need to have access to your webserver, database and files. You’ll also need knowledge of command shell/ terminal and the ability to perform SQL queries on the database. If you think you’re dealing with malware or phishing, you should go ahead and call your friendly web team for backup.
7. Request that Google review your site.
After you’ve had a dedicated web team clean your site, you need to request that Google review it. If the type of attack on your site was a phishing attack, a complete review is available at http://www.google.com/safebrowsing/report_error/. This review will take about a day to process. If successful, the phishing warning that the users see will be removed and your page should be shown again in the search results.
If the the attack was malware or spam, you’ll need to request a review within your Google Webmaster Tools account:
1. Log in to Google Webmaster Tools
2. On the left-hand navigation, click Security Issues
3. Click Request a Review
If Google thinks the site is clean, browser warnings in the search results will be removed within 24 hours.
8. Keep calm!
Hacking is scary, but it is possible to recover. If you think there’s suspicious activity on your website, the most important thing is to stay calm and ask for help when you need it. The tips above will help you get through the basic steps, but don’t be afraid to call the experts for support if you’re stumped.