The rapid evolution of technology coincides with a growing number of cybersecurity threats. With 30,000 websites falling victim to hackers every day, there is no guarantee that your website will not be next.
If your site has already been hacked, be sure to fix it as soon as possible. By doing so, you will minimize the damage, which can include loss of reputation and brand revenue, lawsuits, and plummeting positions in search engine results pages (SERPs).
This article will discuss the symptoms of a hacked site and how to fix them. You will also learn some ways to protect your website from future attacks and the best way to communicate the security incident to your visitors.
Let’s get started.
How to check if your site has been hacked
Before you take action to clean up your website, you need to be sure that it has been hacked.
The signs that a website has been hacked vary and may even be invisible, depending on the type of attack. The following is a list of common indications that a site has been hacked:
- Alerts about hacking from browsers and search engines.
- Links redirecting to suspicious websites.
- High volumes of traffic from other countries.
- Damaged or broken web pages.
- Slower than usual loading time.
- Alerts on Google’s blocklist.
- Emails you send end up in spam.
- Removal of the website by the hosting provider.
- Unsavory ads.
- WSOD (White Screen of Death).
- Random code snippets displayed in the header or footer.
To confirm your suspicions, you can use website checkers such as Sucuri SiteCheck, DeHashed, and Have I Been Pwned? We recommend checking your website with more than one tool to get more accurate results.
10 steps to restore a hacked site
After you have confirmation that your site has been hacked, take action to fix the problem. The following steps will guide you through the process of restoring and fixing your hacked site.
- Keep calm and don’t panic
There is no reason to panic: hacked sites are generally recoverable. Reacting emotionally without calmly assessing the situation can lead to more harm than good.
Therefore, remain calm and proceed to the next step.
- Change your passwords and verify access
Brute force attacks are some of the most common cybersecurity threats. Hackers try to guess your administrator account password using various combinations of letters and numbers.
Changing all your passwords will revoke hackers’ access to your website and prevent them from compromising other accounts and causing further damage.
Here is a checklist of accounts whose passwords you should reset at the first opportunity:
- Hosting account.
- FTP account (primary and secondary).
- Content management system (CMS) administrator account.
- Database (via the database connection file).
- E-mail accounts associated with the hacked site.
In addition to changing all your passwords, we also recommend that you review the access privileges of website users. If hackers are able to get into the site using an administrator account, they will have full access to all administration features.
If the hacked site is hosted on WordPress, check existing user roles and permissions by accessing Users from the admin dashboard. Review accounts with super administrator and administrator roles as they have the highest level of access privileges.
Follow the same procedure on platforms that grant access to multiple users, such as the hosting control panel and FTP system.
Set appropriate permissions for your website files, particularly those in the root directory (usually public_html), such as the wp-admin folder and the wp-config.php file, via your web host's File Manager. This will prevent unauthorized users from accessing, modifying and executing existing files.
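If you have shell access, the same review can be scripted. The following is an added example, not part of the original article: it walks a document root and reports entries that any local user can write to, plus a wp-config.php that any local user can read. The function name and the default path are assumptions.

```python
import os
import stat
import sys

def audit_permissions(root):
    """Return (path, octal mode, problem) for entries under root that are too open."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                # Any local account, including another compromised site on a
                # shared server, could modify or plant files here.
                findings.append((path, oct(mode), "writable by any user"))
            elif name == "wp-config.php" and mode & stat.S_IROTH:
                # wp-config.php holds the database credentials.
                findings.append((path, oct(mode), "readable by any user"))
    return findings

if __name__ == "__main__":
    # Assumed default: the document root is ./public_html unless a path is given.
    docroot = sys.argv[1] if len(sys.argv) > 1 else "public_html"
    for path, mode, problem in audit_permissions(docroot):
        print(f"{mode}  {path}  ({problem})")
```

Some hosting setups run PHP under a different account from the file owner, so confirm the site still loads after tightening wp-config.php.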
Pro tip.
Use a password manager to store your passwords. Take advantage of the built-in password generator that most of them provide to create strong passwords.
- Create a backup of your website
Your website may have been hacked, but it is still functional and contains all important data. By downloading a backup of the website, you will be able to reload this version of the website and repeat the cleaning process if it fails the first time.
- Track your actions
Most hacking attempts occur after a website has undergone some changes, creating new vulnerabilities to exploit. By tracking your actions, you should be able to identify the source of security problems much more quickly.
Narrow the time window by checking your web logs for a sudden spike in traffic. Then, inspect your access logs and error logs through your hosting control panel to identify any suspicious activity or errors that occurred within the suspicious time period.
Once you have worked out when the hack occurred, review all changes made before that time. In WordPress, malicious code usually enters the site through new files introduced by plugins, themes, and WordPress installations.
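One way to narrow the time window from an access log, shown as an added example that is not part of the original article: it buckets requests by hour and reports the hours that exceed a multiple of the median, together with the busiest clients and requests in each. It assumes the common/combined log format; the threshold factor, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Common/combined log format: client ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def parse(line):
    """Return (client, hour bucket, request, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.replace(minute=0, second=0), m.group(3), int(m.group(4))

def find_spikes(lines, factor=3.0):
    """Return the hours whose request count exceeds factor times the median hour."""
    records = [r for r in map(parse, lines) if r]
    per_hour = Counter(r[1] for r in records)
    if not per_hour:
        return []
    baseline = median(per_hour.values())
    spikes = []
    for hour, count in sorted(per_hour.items()):
        if count > factor * baseline:
            in_hour = [r for r in records if r[1] == hour]
            spikes.append({
                "hour": hour, "requests": count,
                "top_clients": Counter(r[0] for r in in_hour).most_common(3),
                "top_requests": Counter(r[2] for r in in_hour).most_common(3),
            })
    return spikes

def sample_log():
    """Constructed sample: four quiet hours, then 20 login POSTs within one hour."""
    fmt = '{ip} - - [12/Mar/2024:{h:02d}:{m:02d}:00 +0000] "{req} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip="192.0.2.10", h=h, m=m, req="GET /", st=200)
             for h in (8, 9, 10, 11) for m in (5, 40)]
    lines += [fmt.format(ip="203.0.113.7", h=12, m=m, req="POST /wp-login.php", st=200)
              for m in range(20)]
    return lines

if __name__ == "__main__":
    for spike in find_spikes(sample_log()):
        print(spike)
```

The first spike hour gives a starting point for comparing file modification times and recently installed plugins or themes.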
- Investigate recent online breaches
Even popular software can suffer security breaches. Keeping up to date with cybersecurity news will help you find vulnerabilities much more easily and remove malicious code before it can devastate your website.
Here are some of the best cybersecurity websites recommended by cybersecurity experts:
- Hacker News – provides news about hacking.
- WP Hacked Help Blog – offers tips on WordPress security and restoring hacked sites.
- Daniel Miessler – publishes articles and tutorials on website security and technology in general.
- IT Security Guru – focuses on cybersecurity, cybercrime and ransomware.
- Security Weekly Blog – provides weekly cyber security updates in the form of live streaming.
- Contact your hosting provider.
If your hacked website is running on shared hosting, the source of the security problems could be from another website on the same shared server. In this case, cyber attacks could also target your hosting account.
Contact your hosting provider to see if other websites on the same server were also attacked.
Most web hosts also provide users with access to web logs, allowing you to monitor visits. If server access logging is disabled by default, contact your hosting provider or enable it manually.
- Investigate with Google Blocklist and Spam Blocklist.
If Google detects suspicious or dangerous activity on a website, the search engine is likely to block it. When a website is blocked, it will not appear in search results to protect visitors from potential malware.
Check to see if your website ends up on Google Blocklist using Google Search Console. The alert will appear in Security Issues under Security and Manual Actions.
Google Safe Browsing is another tool you can use to check the status of your website. It will let you know if the site is safe to visit.
If you do not have access to the DNS zone, examine your website traffic through Google Analytics. A sudden drop in traffic will be a solid confirmation that Google has blocked your website.
In addition to Google Blocklist, your website may also appear in anti-spam databases. Internet service providers, email providers and anti-spam platforms use spam blocklists to prevent spam emails from entering their systems. Emails from IP addresses listed on these blocklists will be blocked or end up in the spam folder.
Check whether your domain is listed on a spam blocklist using domain integrity checking tools such as MxToolBox and Domain DNS Health Checker. In addition to providing detailed information about the status of the domain, these tools can identify problems related to the web server, mail server, and DNS.
- Reset your .htaccess file.
.htaccess is a file that contains high-level configuration settings for a website hosted on the Apache web server. For this reason, .htaccess is a popular target of cyber attacks.
Some of the most common .htaccess file exploits include:
- Redirect from search engines to malware.
- Redirect from error pages to malware.
- Malware attached to PHP files.
- Revealing information.
- Browser fingerprinting.
- Watering hole attacks.
Disabling and restoring the .htaccess file to its original version may help solve the security problem. Also, change its file permissions so that only certain users can access it.
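Before resetting the file, it helps to see which directives were injected. The following is an added example, not part of the original article: it scans .htaccess text for the first three exploit patterns listed above (redirects shown only to search-engine visitors, error pages pointing to another site, and PHP files attached to requests). The rule set, the function name and the sample file are constructed; example.com and redirect.invalid are placeholders.

```python
import re
from urllib.parse import urlparse

ENGINES = r"(google|bing|yahoo|yandex|baidu|duckduckgo)"
RULES = [
    ("rule applies only to search-engine visitors or crawlers",
     re.compile(r"^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}\s+\S*" + ENGINES, re.I)),
    ("error page served from another site",
     re.compile(r"^ErrorDocument\s+\d{3}\s+https?://", re.I)),
    ("PHP file attached to every request",
     re.compile(r"^php_value\s+auto_(prepend|append)_file\s", re.I)),
]
REDIRECT_RE = re.compile(r"^(RewriteRule|Redirect(Match|Permanent|Temp)?)\s", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def scan_htaccess(text, own_host):
    """Return (line number, reason, directive) for directives that need a manual look."""
    findings, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if pending else n
        pending += raw.strip()
        if pending.endswith("\\"):  # Apache joins a line ending in "\" with the next
            pending = pending[:-1] + " "
            continue
        line, pending = pending, ""
        if not line or line.startswith("#"):
            continue
        findings += [(start, reason, line) for reason, rx in RULES if rx.search(line)]
        if REDIRECT_RE.match(line):
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host != own_host and not host.endswith("." + own_host):
                    findings.append((start, "redirect to external host " + host, line))
    return findings

# Constructed sample: stock WordPress rules followed by injected directives.
SAMPLE = r"""# BEGIN WordPress
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo).* [NC]
RewriteRule .* http://redirect.invalid/landing [R=302,L]
ErrorDocument 404 http://redirect.invalid/404
php_value auto_prepend_file /tmp/cache.php
"""

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, "example.com"):
        print(finding)
```

A finding is a prompt for manual review rather than proof of compromise, since legitimate rules can also match on crawlers or redirect to other domains.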