Last updated: 2 March 2022

Attacks on websites happen all the time. It is easy for criminals to look for vulnerabilities in your website’s code and to try to gain access to a control panel. A quick look at the stats for your website will almost certainly show a large number of hits on files such as wp-login.php and xmlrpc.php from lots of different IP addresses – even if your website doesn’t run WordPress. Most of these requests are malicious.

It is usually obvious when your website has been compromised. Often, hacked websites redirect users to a dodgy website or show malicious content. Sometimes, though, compromised websites are more difficult to spot. For instance, if an attacker manages to install a crypto-miner you might only notice that your website is very slow. Malicious scripts that steal credit card details on ecommerce sites are also increasingly common.

Not sure? Contact us!

Please always contact us if you notice anything suspicious on your website. Even if you think that it is probably nothing, do contact us. We have the knowledge, skills and tools to quickly check your website. If it turns out that there are no issues then everybody is happy, and if something is wrong then we can try to fix the issue.

How do hacks happen?

Most hacks happen for one of two reasons: out-of-date software or weak passwords.

To start with the former, any complicated code contains bugs that can potentially be exploited. And, there is no shortage of criminals trying to exploit bugs. As said, attacks on websites happen all the time. It is therefore important to keep software up to date and to not run software that is no longer maintained.

WordPress is a good example. The content management system is widely used, and the code base is large and complex. That makes it an attractive target for attackers. To keep a WordPress website secure it is vital that you apply updates, and we strongly recommend letting WordPress apply updates automatically as and when they become available.

As an aside, it is of course not just WordPress that is vulnerable. The same is true for any website that uses a server-side scripting language and/or a database.

A second common reason for hacks is weak passwords. Or, to be more precise, weak login credentials. Don’t use admin as the username for an administrator account, and make sure you use a long, random and complex password. Also, use two-factor authentication. It is slightly inconvenient, but it will make your website much more secure.

Cleaning your website

In most cases a hacked website has modified and/or new files. For instance, in the case of WordPress hacks the index.php and wp-settings.php files are often executable (which they should not be) and they often include a decoded @include statement. There are typically also files that are not part of the WordPress install, while other files are hidden scripts. It can be difficult to find all the infected files, in particular if the hack is relatively unknown.
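The file-level signs described above can be checked with a short script. This is an added example, not code from the hosting provider; the function names, the 1 MB read limit, the sample tree and the rule that PHP files under wp-content/uploads deserve review are assumptions.

```python
import os
import re
import tempfile

# "@include" followed by a quoted path, the statement the article mentions.
INCLUDE_RE = re.compile(rb"@include\s*\(?\s*[\"']")

def scan(docroot):
    """Return sorted (relative_path, reason) pairs worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            is_php = name.lower().endswith(".php")
            try:
                mode = os.stat(path).st_mode
                with open(path, "rb") as fh:
                    head = fh.read(1_000_000)  # first 1 MB is enough here
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_php and mode & 0o111:
                findings.append((rel, "executable PHP file"))
            if is_php and INCLUDE_RE.search(head):
                findings.append((rel, "@include statement"))
            if name.startswith(".") and b"<?php" in head:
                findings.append((rel, "hidden file containing PHP"))
            # Assumption: uploads should hold media only, so PHP there is suspect.
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file in uploads"))
    return sorted(findings)

def demo():
    """Scan a small constructed tree (sample data, not from a real site)."""
    samples = {
        "index.php": (b"<?php\n@include 'constructed/sample.ico';\n", 0o755),
        "wp-settings.php": (b"<?php\n// unmodified\n", 0o644),
        "wp-content/uploads/2022/03/.thumb.ico": (b"<?php echo 1;", 0o644),
        "wp-content/uploads/2022/03/img.php": (b"<?php echo 1;", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return scan(root)
```

Findings are prompts for manual review, not proof of compromise. The script does not compare files against a clean WordPress release; for core files, WP-CLI's wp core verify-checksums command does that.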

In most cases we can find out when a website was hacked and restore the site from one of our backups (we take nightly backups which are retained for seven days). In other cases it may be necessary to manually reinstall the core WordPress files. The latter is not ideal, as the attack might well have spread to, for instance, the uploads directory. That directory can’t be deleted and reinstalled, as it contains images and other files you have uploaded.

Of course, the WordPress core files, plugins and themes also need to be updated. And, if the hack was caused by a plugin or theme that is no longer maintained then the plugin or theme needs to be disabled. In addition, it is good practice to reset all the logins, including the database password.

Speaking of the database, it is also worth checking if there are any unusual WordPress users – in particular users with administrator privileges. You can do this via the WordPress dashboard (under Users).

Be prepared

Backups are a real life-saver. As mentioned, we have daily backups for the last seven days. In most cases, we can use our backups to restore your site. However, if your website was hacked more than seven days ago then there isn’t much we can do. This is one of the reasons why we recommend making regular backups via cPanel.

Alternatively, you can also make automatic backups via Softaculous or a WordPress plugin. The downside of that approach is that backups are typically stored on your hosting account. The backups can use a lot of disk space, in particular if your website includes lots of images and/or videos. As a result you may run into disk space issues.

If your website runs WordPress then you can also use a security plugin, such as Sucuri or Wordfence. Other than that the above-mentioned advice applies: keep your code up to date and use strong login credentials, including two-factor authentication.