Recovering Hacked Websites

Websites get hacked all the time. Sometimes you will not even know until it becomes public. As technology advances, cybercriminals are becoming increasingly ambitious. It is not a matter of "if" but "when" your website gets hacked. So, what happens if it does? How should your company respond to such an incident? While there are a few ways to go about this, here is a general course of action you could follow.

The first order of business is to inform the company's development team and the hosting provider about the attack. Next, take your website offline. Once you discover that your website has been compromised, it is important to cut it off from the internet. Doing so not only limits further damage to the website but also helps prevent the attackers from covering their tracks. At the same time, ensure that you have compiled all the information you will need to access once the website is taken offline.

It is also important to ensure that users trying to reach your website are not affected as well. Therefore, set up a static page, hosted separately from the compromised site, that acts as a landing page whenever a user tries to visit the website.

Checking for file system irregularities

Before you begin digging into the incident, change all your passwords and logins for all systems. This includes the content management system, database access, system administration accounts, etc. Following this, check all user account details against the access logs for suspicious activity. This would include unsuccessful login attempts, creation of new user accounts, file permission changes, etc.

Then check your website's Google Search Console. The Search Console may help you get a better understanding of the attack's severity. Look in the "Message Center and Security Issues" section for any indication of the attack.

Furthermore, the attackers have likely modified some of the website's content or files. Therefore, compare the site with its most recent backup. This helps verify whether any alteration has been made.
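As an added illustration (not code from the article or from C-YBER) of the backup comparison above and of the file-permission check from the earlier step: the script below builds a hash-and-mode manifest of a known-good backup and of the live tree and reports what differs. The directory layout, file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path to (sha256 digest, permission bits);
    mode is kept because changed permissions are a listed sign of compromise."""
    manifest, root = {}, Path(root)
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(root))] = (
                digest, stat.S_IMODE(path.stat().st_mode))
    return manifest


def compare_trees(backup_root, live_root):
    """Report files added, removed, content-modified and permission-changed
    on the live site relative to the known-good backup."""
    backup, live = build_manifest(backup_root), build_manifest(live_root)
    result = {"added": sorted(set(live) - set(backup)),
              "removed": sorted(set(backup) - set(live)),
              "modified": [], "mode_changed": []}
    for rel in sorted(set(backup) & set(live)):
        (b_hash, b_mode), (l_hash, l_mode) = backup[rel], live[rel]
        if b_hash != l_hash:
            result["modified"].append(rel)
        if b_mode != l_mode:
            result["mode_changed"].append(rel)
    return result


def demo():
    """Constructed sample: a tiny backup tree and a tampered live copy."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "live"
    for base in (backup, live):
        (base / "uploads").mkdir(parents=True)
        (base / "index.php").write_text("<?php echo 'hello'; ?>")
        (base / "config.php").write_text("<?php $db = 'site'; ?>")
        (base / "about.html").write_text("<h1>About</h1>")
        (base / "config.php").chmod(0o640)
    # Constructed tampering: injected code, a stray upload, loosened mode, deleted page.
    (live / "index.php").write_text("<?php echo 'hello'; ?><?php /* injected */ ?>")
    (live / "uploads" / "unexpected.php").write_text("<?php /* dropped */ ?>")
    (live / "config.php").chmod(0o666)
    (live / "about.html").unlink()
    return compare_trees(backup, live)
```

Run `compare_trees(backup_dir, live_dir)` against a real backup and the offline copy of the site; every entry in the result is a file to inspect by hand.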

Testing the system

Once the information is gathered, the next task is to clone your website before conducting any tests. This is important since some tests, such as penetration tests, could adversely affect your website. Once the cloned system is prepared, the vulnerability scanning process can commence. The priority here is to identify the attackers' point of entry and patch it.

Following a system audit approach, the scanning should ideally employ a renowned web vulnerability scanner. The scans should cover a number of things, including:

  • Outdated software vulnerabilities

  • Weak and reused passwords

  • Misconfigurations on the webserver

  • Malware/malicious files

  • Permissive coding practices

Once the vulnerability scanning stage is complete, the process switches to penetration testing. Of course, none of these tools and techniques guarantee that you will find the exact point of entry. Therefore, you should also look for the point of entry manually. This is time-consuming compared to using an automated tool, but it offers a better chance of discovering the exact vulnerability.

Patching up

Once all the issues are identified, the vulnerabilities should be patched. Each fix should be tested repeatedly before moving on to the next vulnerability. The fixes themselves vary depending on the situation. For example, assume the hack was via a brute-force attack on the website's login page. In that case, a possible fix would include changing the default login URL.

Now it is a matter of restoring the most recent backup of the website taken prior to the attack. Once restored, ensure that all themes, plugins, and widgets are updated to the latest available version. Furthermore, the restored site must include the patches for the discovered vulnerabilities.

In the absence of a viable backup copy, the existing system can be used to restore the website. Here, you should make multiple copies of the website, one of which is used to restore the content. Ideally, a clean installation of the website is set up while accounting for the discovered vulnerabilities. Next, the unaffected content can be transferred from the copy.

Let C-YBER help you

Finally, there is the monitoring stage. True, the vulnerabilities have been patched and the website has been restored, but the changes made need to be monitored, along with other details such as access logs. It is likely that attackers will opt for a second try once the website comes back up, and your organization should be prepared for such an attempt.
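The access-log review described here, and in the earlier step of checking for unsuccessful login attempts, can be scripted. The following is an added example, not code from the article or from C-YBER: it flags client IPs whose failed login POSTs cluster within a short window, run over a constructed Combined Log Format sample. The `/login` path, the 401/403 failure statuses and the per-IP time ordering of lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format (Apache/nginx default); the regex is a constructed assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_login_bursts(lines, login_path="/login", threshold=5, window_s=60):
    """Return {ip: peak count} for IPs whose failed POSTs to the login page
    reach `threshold` within any `window_s`-second sliding window. Assumes
    lines arrive in time order per IP and that failures return 401/403."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] not in (401, 403):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log: one IP hammering the login page, one legitimate user
# who fails twice over several minutes and then logs in (302 redirect).
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"'
    for s in range(0, 30, 5)
] + [
    '203.0.113.9 - - [10/Mar/2024:10:00:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:03:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:03:55 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Feed the real access log line by line to `failed_login_bursts()` after the site comes back up; a flagged IP is a candidate for rate limiting or blocking at the web server.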

If all of this seems daunting to you, do not worry. We at C-YBER are here to help. Our team of experts can put an end to ongoing attacks, help your company regain total control of your website and help prevent the website from getting hacked again in the future. After all, why torture yourself trying to fix your website when you can leave it to the experts? So go ahead and give us a call on (+372) 602 3532. You can also email us at info@c-yber.com.