Front-end Developer, 15+ Years of Web Development on HubSpot and Various CMSs
October 22nd, 2019
I want to approach this topic from a place of Zen.
It’s important that we maintain this overall feeling throughout our journey today, because as you read your blood pressure may start to creep up when you imagine any scenario where your customers (returning or brand new) get the sense that your company is anything less than a leader in its space.
Think about it.
What would you feel if you click on a search result in Google and land on a page that’s obviously been hacked?
Would you do business with that company, or would you feel like it’d be better to give your business to another that’s on top of these things?
To answer this question, take a step back, relax, rub your earlobes, and repeat after me: “Wooooosssaaaahhhh.”
Ok, now that we’re in the right state of mind, my hope is that after you’re done reading today, you’ll walk away with a better plan and understanding of what to do when your website gets hacked and, more importantly, how to avoid the scenario altogether.
Your alarm goes off and, as you promised yourself, you avoid checking any messages until you’ve gotten out of bed and started your exercise, meditation, or any other morning routine that does not involve plugging in.
Side note: This is my favorite new practice and, let me tell you, it is crazy how effective it is at starting your day off with a stable mindset and keeping it that way -- all day. If you want some information on the benefits of such practices, check this and this out, but let’s get back to the task at hand.
Your phone keeps vibrating. You quickly peek and there are already 22 texts and voicemail messages on your lock screen. Something is definitely wrong.
Being the responsible person you are, you break your own rules and feverishly look through your messages.
Your blood pressure starts to rise as the horror sets in.
Your website has been hacked and your customers are now being re-routed to online casinos, or perhaps there’s been a data breach or it has completely crashed -- white page with nothing on it.
What to do when your website gets hacked?
The first thing to do is DON’T panic!
One way or the other, your site is coming back online. The only pertinent questions right now are how long is that going to take? and how much is it going to cost?
Depending on your level of preparation for an event like this, today is going to go one of two ways:
Either you’ve prepared with a backup and you’ll be back up and running in a few hours at most, or you’ve been caught completely by surprise, with zero to little preparation and you have no backup.
You better wear comfortable shoes, ‘cause it’s going to be a long one.
If you’re freaking out as you read this -- fear not. We’re going to go over ways for you to prepare and give yourself a little insurance.
Scenario 1: No backup
In this scenario, the assumption is that you don’t have quick restore and that your site is on a simple hosting environment.
Essentially, this means you have one place where your website is stored and you’ve not thought to follow any form of backup procedure in case something like this happens.
Here’s what you should do:
Go into maintenance mode
First and foremost, you need to ensure that you protect all incoming traffic to the site.
It’s way better for customers to see an honest message from your company that the site is undergoing maintenance rather than leaving them vulnerable to your site’s hacked code.
The hacked website needs to be taken down right away and replaced with a simple HTML index page (the initial page that everyone sees when visiting the site) displaying a message that explains what’s going on.
It doesn’t need to be too detailed, but something has to let visitors know that you know the site is down.
Then, ask your developer to redirect all traffic to this new page temporarily by adding a rule in the .htaccess file for those visitors coming from a bookmark or search engine.
This file is loaded before the index page and is kind of like a police officer directing traffic.
This may even be an opportunity to take this negative situation and flip it to the positive side.
Show some personality and let them know that you’ve got human beings feverishly moving mountains to get the site back up. Let them know that for your organization their experience, privacy and security is paramount.
Here’s an example from Flickr:
Your maintenance message should also contain language conveying your contact information for consumers that have questions, alternative ways to purchase your product, etc.
Get your website site cleaned
This is not for the faint of heart or the untrained eye; you absolutely need to contact a professional for this one.
Either your IT or in-house developer or your outside web development firm is going to have to inspect the site for malicious exploit code that is affecting the site and remove it.
There are many technical details I’ll omit here, but it suffices to say that most of the time the hack propagates — or copies — itself to different files so it’s important to perform this cleansing offline to prevent further propagation.
If you have an HTML site...
HTML sites have no backend coding so, typically, hackers stay away from these types of sites.
The reason being that there's nothing to be gained from taking control of a site like this other than to be a nuisance. This might be fun for some hackers but most are out for other nefarious reasons — capturing sensitive data, diverting traffic, setting themselves up for other scam scenarios and the like.
These types of sites are usually hosted on some form of shared hosting and should be relatively easy to recover.
The reason it’s a much simpler process is that any hack here will be very apparent. Your developer won’t have to worry about obfuscated code and any code that shouldn’t bet there is much easier to spot.
Essentially to clean the site, you’d download a backup, remove the HTML that shouldn’t be there and re-upload it to the server.
Other content management systems or websites as-a-service providers like HubSpot transpile their code to HTML because it’s faster and more secure.
If you have a PHP site...
PHP is one of the most common server-side coding languages and, as such, powers a lot of the web. In layman’s terms, it allows smarter code to be mixed in with regular html -- outputting it all in one shot to the browser.
If you’ve got a straight PHP website, most hacks will be localized in files that are reused like the header and footer, for example, but a thorough inspection of all the site files is necessary to be sure.
The most efficient way to look for malicious code is to run searches for known php functionality that empowers the hacked code. Things like base64 and eval are two php functions that are often used because it gives hackers a way to obfuscate their code -- they hide it by re-encoding it to something that isn’t legible by humans making it harder to spot.
If your website is on WordPress...
WordPress is an open source blogging platform that currently powers over 30% of the web. It’s so popular that it is consistently targeted by hackers for known vulnerabilities in plugins, themes and even WordPress’ core files.
WordPress’ underlying language is PHP, as a matter of fact, so a lot of the same things to look for are stated above.
That said there are certain steps to follow to regain a clean site:
The first step is to isolate the core files and replace them with a fresh copy from the WordPress repository.
Next you’ll want to take a snapshot of all your plugin files and re-install those from the plugin directory, too. An alternative is to get everything up and running in a local host environment and install them from the dashboard plugin screen.
If you’re still using an out-the-box theme, you’ll want to grab a fresh copy of that from either the theme directory or wherever you purchased your custom theme.
The best practice regarding themes on WordPress is to make all your customizations to themes in something called a child theme for these very situations, or in the case of a theme update. This way all your work is compartmentalized and easy to update / restore. Hopefully, your developer has implemented this best practice so all that’s left to do is go through your child theme files looking for any hacked code. As a matter of fact, it’s quite possible this is where the hack is centralized since the child is the one activated and pulls what it needs from the original / parent theme.
If you or your developer have not followed this best practice, then unfortunately, the process of looking for hacked code involves going through all of the theme files to see if there’s malicious code present. In my experience, the best thing to do here is isolate anything that was changed directly on the parent theme and implement the best practice outlined in #4 above.
Once you’re confident that the site is clean, install it to a subdomain and run it through a sitechecker like Securi just to make sure you’ve got everything.
In the case of a WordPress website, even after you’ve got your site files cleaned (which I’d say covers 99% of all situations), there’s a database which powers the site.
This means you may also have some code injected into the database which is much much harder to clean. Thankfully there are a bunch of plugins available to help detect if known hacks are preset in your database.
Automatic -- the company responsible for WordPress -- offers a plugin called JetPack that offers a bunch of additional services to users including one that will scan all your post and comment tables for potentially malicious code.
Another one I’ve personally used to keep a site secure is All In One WP Security and Firewall. This one in particular offers protection from invalid login attempts, brute force attacks, direct access to php files and a whole bunch of other protections. I highly recommend it.
For all content management systems...
Now, after you’re 100% sure you’ve done all you can, remove all the redirects you added to the .htaccess file and replace your maintenance index page with the new and, hopefully, improved site/fully-secure site.
Finally, make sure any backend administrator accounts on the site change their passwords and that they’re strong passwords.
As defined on Webopedia, a strong password consists of at least six characters (and the more characters, the stronger the password) that are a combination of letters, numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are typically case-sensitive, so a strong password contains letters in both uppercase and lowercase.
Now that you’ve gotten through this ordeal, it’s time to start planning for the eventuality that technology is ever changing and the threat of failure is always at the end of the next keystroke.
Research a hosting environment that provides nightly backups and quick restore.
All of this painstaking work could have been avoided simply by clicking a few buttons.
The following hosting providers offer daily backup services and quick restore for custom build php sites and WordPress:
Some of these are part of your monthly plan and some offer restore for a nominal fee. In some cases it’s called quick restore and in others it’s called Site Backup and Restore -- you get the idea.
Scenario 2: We’re prepared with a backup, we got this!
Being prepared means you’ve planned ahead. You have very recent backups of your site and any databases that power it.
All you have to do is sign into your hosting provider and click restore to last night’s version of the website.
That’s really it!
Debrief: Why did this happen?
Now you need to look into reasons why your site was hacked in the first place.
Are you on the latest version of PHP? This is the number one reason websites get hacked.
PHP vulnerabilities are made public so, after a while, if they’re not patched by upgrading to the latest version, hackers have a clear path to exploit your outdated server and gain access.
Once they’re in, they can do anything they want.
They can inject self propagating code. They can delete files, change folder permissions and file ownership. This means the only way to regain control requires terminal access to the server by a root administrator.
Is your WordPress Core version up-to-date? Have you updated all pending plugins? Is your parent theme on it’s latest version, too?
These are all entryways where a hacker can gain entry into your site.
If you’re on a Managed WordPress hosting plan, then your web host takes care of all the server side updates and security for you, but if not, then ask your developer to take a look at your server.
It’s important to make sure that you have everything updated (PHP, Apache, MySQL, Nginx) and that you’ve locked down root access to your server, as well.
Just looking at steps required of you in either of the two scenarios presented today should make it evident that preparation is key.
On one hand you have a long arduous road ahead of you just to get your site live again. On the other, you can be back in a matter of minutes.
Your preparation is the ultimate way to avoid being hacked. At the very least, be prepared to recover as fast as possible.
The best thing to do when your site gets hacked is avoid being hacked in the first place or have insurance that you can quickly recover.
Here Are Some Related Articles You May Find Interesting