How to Clean a Hacked Site

Cleaning a hacked website can undoubtedly be exhausting. However, by following a few basic steps, you can quickly identify as well as clean a hacked site.

STEP 1- IDENTIFY HACK

1.1 – First scan your website properly

There are many tools that can remotely scan your site for finding malicious payloads as well as malware locations.

For scanning a site for hacks:

• First visit the SiteCheck site.
• Then click ‘Scan Website’.
• If your website is infected, do review the warning message.
• Note any payloads as well as locations (if available).
• Also note blacklist warnings.

If the scanner fails to find a payload, please continue with other tests. Also, you can manually review the iFrames / Links / Scripts tab of the Malware Scan in order to look for suspicious or unfamiliar elements.

If you are having multiple sites on the same server, don’t forget to scan them all. Cross-site contamination is one of the main reasons of reinfections. So it is recommended to isolate hosting as well as web accounts.

1.2 – Then check core file integrity

Most core files shouldn’t be modified.

The fastest way to confirm the integrity of your site core files is by using the diff command in terminal. You can manually check your files via SFTP if you’re not comfortable using the command line.

Your core files are clean if nothing has been modified.

1.3 – Check recently modified files

You will be able to identify hacked files by checking if they were modified recently.

For checking recently modified files using terminal commands on Linux:

1. You need to type in your terminal:

$ find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r .

2. And if you want to see directory files, please type in your terminal:

$ find /etc -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r .

3. Any unfamiliar modifications in the last 7-30 days can be suspicious.

1.4 – Then check diagnostic pages

If your site has been blacklisted by Google or any other website security authorities, use their diagnostic tools for checking the security status of your site.

For checking your Google Transparency Report:

1. Visit the ‘Safe Browsing Site Status’ site.
2. Then enter the URL of your site and search.
3. On this page you will be able to check:

• Site Safety Details: all information about malicious redirects, spam as well as downloads.
• Testing Details: recent Google scan that found malware.

You can also add your website to any free webmaster tools and check their security ratings as well as reports for your site.

• Google Webmasters Central
• Bing Webmaster Tools
• Yandex Webmaster
• Norton SafeWeb

1.5 – PCI Considerations for E-commerce sites

If an ecommerce site is hacked, one of the prime concerns would be credit card details of the customers. In case you process payments within your E-commerce site, you will need to respond to a possible data breach, including implications regarding PCI compliance.

If you think that credit card data is being stolen, contact your bank for inquiring about virtual credit cards. These can be used for testing purchases on your website before cleaning the hack. Stolen credit cards are generally used within 12 hours, hence this exercise can indicate if further investigation is needed. Although this isn’t a 100 percent reliable method, it is one step that you can take on your own before asking for help from a PCI Forensic Investigator.

Back up your hacked site immediately including:

• Server log files
• Your website file system
• Your website database
• Custom files & configurations

STEP 2- REMOVE HACK

So now you will be able to remove malware from your site as well as restore it to a clean state as now you have the information about malware locations.

Pro Tip:

Comparing the current state of the site with an old & clean backup is one of the best ways to identify hacked files. If a backup is available, you will be able to use that for comparing the two versions as well as identifying what has been modified.

2.1 – First clean hacked files

You can replace the files with fresh copies or a recent backup if it is not infected.

Use any malicious payloads or suspicious files found in the previous step to remove the hack.

For manually removing a malware infection from your site files:

• First log into your server via SSH or SFTP.
• Then create a backup of the website before making any changes.
• Identify recently modified files.
• Confirm the date of changes & the user who changed them.
• And then restore suspicious files.
• Open any custom files with a text editor.
• Then remove suspicious code from the custom files.
• Finally, examine to verify the website is still operational after changes.

2.2 – Then clean hacked database tables

For removing a malware infection from your site database, use your database admin panel for connecting to the database. Also, you can use tools such as Search-Replace-DB or Adminer.

For manually removing a malware infection from your database tables:

• First log into your database admin panel.
• Then create a backup of the database before making any changes.
• Look for suspicious content.
• After that open the table that contains suspicious content.
• Remove any suspicious content manually.
• Examine to verify the website is still operational after changes.
• Finally, remove any database access tools that you may have uploaded.

Beginners may use the payload information given by the malware scanner.

Intermediate users may also manually look for common malicious PHP functions, like eval, gzinflate, base64_decode, str_replace, preg_replace, etc.

2.3 – Secure User Accounts

In case you find any unfamiliar users, remove them immediately so that hackers no longer have access. Sucuri recommends assigning only one admin user & setting other user roles to the least amount of privileges required (ie. author, contributor, and editor).

2.4 – Remove hidden backdoors

Smart hackers always try to leave a way to get back into your website.

Backdoors commonly include the following PHP functions:

• str_rot13
• base64
• eval
• exec
• system
• gzuncompress
• stripslashes
• assert
• move_uploaded_file
• preg_replace (with /e/)

These functions may also be used legitimately by plugins, hence you need to be sure to test any changes as you could break your website by removing benign functions.

It is highly important to close all the backdoors for successfully cleaning a site hack, or else website will be reinfected quickly.

2.5 – Finally remove malware warnings on your website

In case you were blacklisted by Google, Yandex, McAfee or other web spam authorities, you can request a review once the hack has been fixed.

For removing malware warnings on your website:

1. First call your hosting provider & request them to remove the suspension.

• You may have to give details on how you removed the malware.

2. You need to fill in a review request form for each blacklisting authority.

• Google Search Console, Yandex Webmaster, McAfee SiteAdvisor.

STEP 3- POST HACK

In this step, you will get to know how to fix the issues that caused your website to be hacked. Also you will learn about some important steps that are needed for enhancing the security of your website.

3.1 – Update & reset configuration settings

Using outdated software is one of the main causes of infections. This includes your Content Management System version, themes, plugins, & any other extension type. Also potentially compromised credentials should be reset in order to make sure that you are not reinfected.

Don’t forget to update your website software

Update all software on your server for ensuring that there are no security patches missing.

Also reset passwords

It is highly important to change passwords for all access points. This includes user accounts, SSH, FTP/SFTP, cPanel, as well as your database.

And reduce the number of admin accounts for all your systems. Always practice the concept of least privileged. Only give users the access they need to do the job.

It is recommended to reinstall all plugins as well as extensions after a hack in order to make sure that they are functional as well as free of residual malware.

3.2 – Harden your site

Take necessary steps to reduce the attack surface or entry points for hackers.

3.3 – Make backups

Now when your website is already clean and you have taken some post-hack steps, it is time for you to make a backup. Remember, backups function as a safety net.

Here are some important tips to help you with site backups:

Location

Always store backups in an off-site location. Never store backups on your server; they may be hacked as well as used to compromise your real website.

Automatic

Your backup solution should always run automatically.

Redundancy

Your backup strategy needs to include redundancy, or backups of your backups.

Testing

Try the restore process for confirming your site functions correctly.

3.4 – Scan Your Computer

Have all your site users run a scan with a good antivirus program on their OS.

Remember, your website may be compromised if a user with an infected computer has access to the dashboard.

Here are some reputable antivirus programs:

Free

Avast, Malwarebytes, Avira, Microsoft Security Essentials.

Paid

Kaspersky, BitDefender, Sophos, F-Secure.

3.5 – Website Firewall

Placing a site behind a firewall not only blocks hackers & prevents data breaches – but also makes the site faster by some clever caching.

Here are some benefits of using a website firewall:

Stop a future hack

By detecting as well as stopping known hacking methods & behaviors, a firewall keeps your website protected against infection in the first place.

Virtual Security Update

Attackers quickly exploit vulnerabilities in plugins & themes, & unknown ones are always emerging. A good firewall can patch holes in your website software even if you have not applied security updates.

Block Brute Force Attack

A website firewall can stop anyone from accessing your wp-login page or wp-admin if they are not supposed to be there, ensuring they can’t use brute force automation for guessing your password.

Mitigate Distributed Denial of Service (DDoS) attacks

DDoS Attack attempts to overload your server or application resources. By detecting & blocking all types of DDoS attacks, your website firewall can make sure that your website is available if you’re being attacked with a high volume of fake visits.

Performance Optimization

Most firewalls will offer to cache for faster page speed which in turn will keep your visitors happy and lower bounce rates while improving website engagement as well as conversions.