Before you begin digging into the incident, change all your passwords and access credentials for all systems. This includes content management systems, database access, system administration accounts, etc. After that, check every user account against the access logs for suspicious activity: unsuccessful login attempts, creation of new user accounts, file permission changes, and the like.
Then look at your website's Google Search Console. The Search Console may help you get a better understanding of the attack's severity. Check the "Message Center and Security Issues" section for any indication of the attack.
Furthermore, the attackers may well have modified some of the website's content or files. Therefore, the site should be compared against the most recent backup of your website, which will show whether any alteration has been made.
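One way to perform that comparison, added here as an example and not part of the original post: hash every file under the live web root and under the unpacked backup, then list what was added, removed or modified. The directory layout is an assumption; the script builds its own throwaway sample trees (constructed data, not a real site) so it runs as-is.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(live_root, backup_root):
    """Report files added, removed or modified on the live site versus the backup."""
    live, backup = hash_tree(live_root), hash_tree(backup_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
    }


def build_sample_trees():
    """Constructed sample data (not a real site): a backup and a tampered live copy."""
    backup = tempfile.mkdtemp(prefix="backup_")
    live = tempfile.mkdtemp(prefix="live_")
    originals = {"index.php": "<?php echo 'hello'; ?>", "config.php": "<?php $db = 'site'; ?>"}
    for root in (backup, live):
        for rel, content in originals.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
    # Simulated tampering on the live copy: one file edited, one dropped in, one deleted
    with open(os.path.join(live, "index.php"), "a") as fh:
        fh.write("\n<!-- injected -->")
    os.mkdir(os.path.join(live, "uploads"))
    with open(os.path.join(live, "uploads", "unexpected.php"), "w") as fh:
        fh.write("<?php /* not in the backup */ ?>")
    os.remove(os.path.join(live, "config.php"))
    return live, backup


if __name__ == "__main__":
    live_dir, backup_dir = build_sample_trees()
    for kind, paths in compare_trees(live_dir, backup_dir).items():
        print(f"{kind}: {paths}")  # e.g. "added: ['uploads/unexpected.php']"
```

Anything listed as added or modified is where to start reading; a file the backup has but the live site lacks is a sign of deletion or of a broken restore.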
Once the information is gathered, the next task is to clone your website before conducting any tests. This is important because some tests, such as penetration tests, could adversely affect the live website. Once the cloned system is prepared, vulnerability scanning can begin. The priority here is to identify the attackers' point of entry and patch it.
Following a system audit approach, the scanning should ideally employ a well-known web vulnerability scanner. The scans should cover a number of things, including:
Outdated software vulnerabilities
Weak and reused passwords
Misconfigurations on the webserver
Malware/malicious files
Permissive coding practices
Once the vulnerability scanning stage is complete, the process moves on to penetration testing. Of course, none of these tools and techniques guarantee that you will find the exact point of entry. Therefore, you should also look for the point of entry manually. This is time-consuming compared to using an automated tool, but it offers a better chance of discovering the exact vulnerability.
Once all the issues are identified, the vulnerabilities should be patched. Each fix should be tested repeatedly before moving on to the next vulnerability. The fixes themselves will vary depending on the situation. For example, assume the hack was via a brute force attack on the website's login page. In that case, a possible fix would include changing the default login URLs.
Now it is a matter of restoring the most recent backup (prior to the attack) of the website. Once restored, ensure that all themes, plugins, and widgets are updated to the latest version available. Furthermore, the site should also include the patches to the discovered vulnerabilities.
In the absence of a viable backup copy, the existing system can be used to restore the website. Here, you should make multiple copies of the website, one of which will be used to restore the content. Ideally, a clean installation of the website is performed while accounting for the discovered vulnerabilities. Next, the unaffected content can be transferred from the copy.
Finally, there is the monitoring stage. True, the vulnerabilities have been patched and the website has been restored. But the changes made need to be monitored, along with other details such as access logs. It is likely that the attackers will attempt a second try once the website comes back up, and your organization should be prepared for such an attempt.
If all of this seems daunting to you, do not worry. We at C-YBER are here to help. Our team of experts can put an end to ongoing attacks, help your company regain total control of your website and help prevent the website from getting hacked again in the future. After all, why torture yourself trying to fix your website when you can leave it up to the experts? So go ahead and give us a call on (+372) 602 3532. You could also email us at info@c-yber.com.