Fraud Prevention

What to Do When Your Site Gets Hacked

Hackers attack sites of all sizes, from massive enterprises to small, family-run online retailers. When an attack occurs, there are steps any business owner can take to stop the attack, get things cleaned up, and get back to doing business.

Having your site hacked is a painful, emotional, and sometimes costly experience. But any retailer can overcome it with a bit of help and a plan. Remember too that getting hacked is rarely a personal or direct attack on your business. Most hacks are attacks of opportunity. Some bad guy or gal wrote a script that looks for a particular configuration, like a combination of plugins, and uses vulnerabilities in that configuration to get in.

Get Help from Your Developer, Hosting Provider, Organizations

Most small or mid-sized online stores use reputable hosting providers — examples include Firehost, Media Temple, and Rackspace. These hosting services frequently have security experts on staff armed with server-scouring tools that can help identify and root out malware and site spam.

The moment that you know your site has been hacked, contact your hosting provider.

If you have an on-staff developer or regularly use a freelance developer, it will make sense to include that person too. Although your developer is probably not a security expert, he or she can still do a lot to help find the malevolent bits of code. For example, one common sort of hack that uses uploaded images to find code might be discovered by running a find command on a Linux-based web server.

find . -type f -iname "*.php" -exec egrep "eval(base65_decode" {} /dev/null ;

Seek help in online forums and from organizations specializing in helping businesses recover from a hack attack. As an example, there is a good Google forum related to hacked sites and you could visit Stop Badware, which has forums and tools that can help too.

Go Offline

If your site has been hacked you want to stop that hack from harming customers, damaging your business reputation, and hurting your site’s ranking in search engines.

Although it may seem extreme, about the best thing you can do is to take the site offline temporarily. Many good ecommerce and publishing platforms have a way to take a site down for maintenance. For example, adding a simple text file named “maintenance.flag” to the web root of a Magento-based site will put the site into maintenance mode and display a 503 service unavailable message to site visitors. Figure out how to do this for your particular platform and take the hack offline.

It may also be beneficial to customize the 503 message, offering customers a phone number to call if they have questions about an order or even posting a discount code for free shipping when the site comes back up.

Change All Passwords

The attacker probably didn’t get into your site via a compromised password. Nonetheless, changing all account management passwords eliminates that particular type of access.

It also gives you an opportunity to review user accounts and close any relative vulnerabilities.

Search for the Symptoms

As you try to assess the damage the hack has caused and figure out how to remove the bad code, it can be helpful to search for the symptoms on search engines like Google or Bing and in specialized malware and web spam forums like Stop Badware mentioned above.

If, for example, your site is suddenly redirecting users or even just search bots to sites selling pharmaceuticals, search for that symptom. This sort of search can be a better way of finding the particular sort of attack your site is facing and provide better answers about how to get things cleaned up.

Clean Up the Site

With the help of a developer or your hosting provider, you may have been able to find several files that have had malicious code added to them. You or someone helping you will need to clean this code up either manually or programmatically.

It may be the case that you will need to add a fresh installation of your site platform, manually check plugin folders, and update the version of just about every tool running on your site.

Try to Discover How the Attack Happened

Although it can be very difficult to determine exactly how an attack occurred, you’ll want to do your best to find the “attack vector” — the path or means the hacker used to access your site files — so that you can protect against future attacks.

One current attack, the “Pharma Hack,” frequently uses vulnerabilities in WordPress plugins or image uploads to access a site, so that just making certain that the most up-to-date version of WordPress or a WordPress plugin is running might avoid this particular attack.

Improve Your Site Overall

An attack against your site can be an opportunity to consider how seriously your organization takes security and server management. After you have everything cleaned up, take steps to prevent any sort of attack in the future and implement tools and solutions that might make it easier to recover from hacks, if one should happen again.

If your site is managed using a repository like Git or SVN, it may be the case that the entire cleanup could be done by simply republishing that last version in the repository. Or the bad code might have been more easily discovered by running a comparison between the last published version and the current production files.

Armando Roggio
Armando Roggio
Bio   •   RSS Feed