Recovering a Hacked Website

If your website has been compromised, it's essential to act quickly to contain the damage and restore your site’s security. This guide provides step-by-step instructions to help recover from a typical website compromise, particularly if you’re using a popular CMS like WordPress, Joomla, or Drupal.

If using VoltHosting's cPanel or Plesk hosting, a daily backup is automatically created which you can restore via the JetBackup panel from within cPanel or Plesk.

1. Immediate Actions to Secure Your Site

- Temporarily Disable Your Site: Using cPanel’s File Manager, or Plesk's Files edit your .htaccess file to redirect visitors to a maintenance page while you investigate. This prevents malware spread and safeguards your visitors. How to Take Your Website Offline
- Update Passwords Immediately: Change all passwords associated with your cPanel account, including FTP, database, and CMS admin credentials. Use unique, strong passwords to prevent further unauthorized access.

2. Scan for Malware and Review Logs

- Run a Malware Scan: If ImunifyAV or another malware scanner is enabled, allow it to automatically scan and clean infected files. However, manually reviewing your site is recommended to ensure it’s fully secure.
- Check File Directories: In cPanel's File Manager, or Plesk's Files, examine directories like /wp-content/plugins/ and /wp-content/uploads/ for unexpected or suspicious files.
- Analyse Logs: Use Raw Access Logs or Error Logs in cPanel or Plesk to find indicators of unauthorized access, failed login attempts, or other potentially malicious actions.

3. Backup and Isolate Files

- Create a Backup: Before making changes, create a full backup (files and databases) through cPanel’s Backup Wizard, or Plesk's Backup Manager for future analysis or restoration.
- Quarantine Malicious Files: Move any suspected files to a separate quarantine folder, or delete them if you're certain they are compromised. This helps isolate any remaining threats.

4. Update CMS, Themes, and Plugins

- Replace Core CMS Files: Use a command-line tool like wp-cli for WordPress to reinstall the core CMS files. This will replace any corrupted files with clean, verified versions.
- Apply Core Updates: Ensure that your CMS (e.g., WordPress, Joomla) is updated to the latest version via its admin dashboard.
- Update All Plugins and Themes: Outdated plugins and themes are common vulnerabilities, so make sure everything is up-to-date.
- Remove Vulnerable Plugins: Disable or delete unsupported or vulnerable plugins directly from the plugin directory (e.g., /wp-content/plugins/ for WordPress).

5. Restore Clean Files

An automatic daily backup is created for both cPanel on Plesk. You can access cPanel's daily backup via the JetBackup page, or Plesk's daily backup via the Backup Manager page.

- Restore from a Backup: If you have a recent, clean backup, use cPanel’s Backup Wizard, or Plesk's Backup Manager or manually upload the files via FTP to restore your site. Ensure that the restored files are not compromised.
- Use CMS Recovery Features: Some CMS platforms offer options to revert to a clean version of the site, restoring compromised files while preserving content.

6. Set Correct File Permissions

- Adjust Permissions: Proper file permissions reduce vulnerability to future attacks. Recommended permissions for WordPress are:
- Files: 644
- Directories: 755
- wp-config.php: 440 or 400
- Lock Down Sensitive Files: Apply stricter permissions to critical files such as .htaccess, wp-config.php, and other configuration files to prevent unauthorized access.

7. Check the Database for Malicious Content

- Inspect for SQL Injections: Use a security tool or manually examine your database via cPanel’s or Plesk's phpMyAdmin for signs of malicious code (e.g., <script> tags or unknown admin accounts).
- Remove Malicious Entries: Delete suspicious content in the database tables, such as unrecognized posts, comments, or user accounts.

8. Search for Backdoors

- Identify Potential Backdoor Files: Backdoor scripts often hide as PHP files with unusual names or in unexpected locations like /wp-content/uploads/. Delete these files to close off easy re-entry points.
- Use Security Plugins: For WordPress, install a security plugin like Wordfence or Sucuri to help scan for backdoors and reinforce your site’s defenses.

9. Reactivate Your Site and Monitor Activity

- Re-enable Site Access: Once you’re confident the site is clean, remove the maintenance page and allow traffic again. Test all site functionalities to ensure everything works as expected.
- Implement Monitoring: Set up automated monitoring for suspicious activity, such as uptime checks with Jetpack or security plugins that provide continuous scanning.

10. Secure Your Site Against Future Attacks

- Establish Regular Updates: Keep your CMS, plugins, and themes updated to the latest versions to reduce vulnerabilities.
- Limit Login Attempts: Install a plugin like Limit Login Attempts Reloaded on WordPress to deter brute force attacks. Enable two-factor authentication (2FA) for admin accounts if available.
- Harden `.htaccess`: Use .htaccess rules to block suspicious user agents, restrict access to sensitive directories, and limit admin panel access by IP.
- Regular Backups: Schedule regular off-site backups using cPanel’s backup tools or plugins like UpdraftPlus to maintain recent copies of your site, ensuring rapid recovery if needed.

For more guidance on strengthening your site security or for assistance with these steps, please reach out to the VoltHosting support team.

Updated on: 07/11/2024