What to do if your website is hacked?
If your website has recently been hacked there are a few steps to take regardless of what sort of content management system you are using. This is a general guide; specific guides are available for most commercial and open source content management systems.
First, take your website offline. I know this seems counterintuitive, since in most situations keeping the site up and running is a primary goal, but once the site has been hacked the priority is to limit your customers' exposure to any malicious code the attacker may have installed. If you are uneasy about taking the site completely offline, put up a simple HTML holding page telling customers you are experiencing technical difficulties, with an estimate of how long you believe the recovery will take. The second, and more important, reason to take a hacked website offline as soon as possible is to stop Google and other crawlers from flagging your site as containing malicious code.
Once the site is offline, find where the intrusion occurred and remove every occurrence of the malicious code. Usually the attacker places a small piece of code either on random pages or on every page. If the code appears more than once, search across all documents for an exact or near match of it. If several files containing the malicious code were all modified on a single day, also search every other file modified on that same day to be sure you have found all occurrences: even if more than one kind of malicious code was uploaded, the chances are that all the modifications happened within a short time period.
If you have a recent backup of your website, it is often safer and quicker to make a complete backup of the current site to a different location (a backup of the hacked content) and then do a complete restore from the known-good backup, after first checking that backup for any traces of the code.
Once you are certain that the content of your website is free of malicious code, resist the temptation to simply reactivate the site; you first need to secure it so that the same problem does not happen again. As a temporary measure, set your directory permissions as strictly as possible: do not allow writing to any directory by any user. Once that is done, remove the holding page or start your web service again. Depending on the type of website, it may operate perfectly well with these strict permissions applied; if it does and you notice no loss of functionality, leave them in place, as they may prevent a future attack. You may find that with strict permissions enforced you cannot upload or edit images for articles. If so, relax permissions only on the directories that must be writable, and only as far as necessary. Start by giving only the owner of the directory write permission and test uploading an image; if that does not work, continue relaxing permissions one step at a time, on only the directories that require write access, until you can use the website as required.
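The two mechanical parts of the steps above, locating every file that carries the injected snippet (plus any other file modified in the same window, which still needs a manual look) and then locking directory permissions down before re-opening only the upload directory to its owner, as an added shell example that is not part of the original article. It builds its own constructed webroot in a temporary directory, uses a constructed marker string (CONSTRUCTED-bad.example) in place of a real snippet, and uses a 24-hour window to stand in for "modified on the same day".

```shell
#!/bin/sh
# Added example, not from the original article: post-compromise triage of a webroot.
# Assumes POSIX sh with find, grep, chmod and ls; the webroot and marker are constructed below.
set -u

# Build a small constructed webroot in a temp dir so the example runs offline.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/includes"
    printf '<html><body>home</body></html>\n' > "$root/index.html"
    printf '<?php echo "header"; ?>\n' > "$root/includes/header.php"
    # Two files carry the injected snippet; a third was changed in the same window but differs.
    printf '<html><script src="//CONSTRUCTED-bad.example/x.js"></script></html>\n' > "$root/contact.html"
    printf '<?php /* CONSTRUCTED-bad.example */ ?>\n' > "$root/includes/footer.php"
    printf '<?php eval("CONSTRUCTED-other"); ?>\n' > "$root/includes/extra.php"
    # Backdate the clean files so they fall outside the intrusion window.
    touch -t 202001010000 "$root/index.html" "$root/includes/header.php"
    echo "$root"
}

# Step 1: every file containing an exact copy of the snippet already found (fixed string, not regex).
find_injected() { grep -rlF -- "$2" "$1" | sort; }

# Step 2: every file modified within the last N hours (the article's "same day" check).
find_modified_within() { find "$1" -type f -mmin "-$(( $2 * 60 ))" | sort; }

# Files changed in the window that do NOT match the known snippet still need a manual review.
needs_review() { find_modified_within "$1" "$3" | grep -vxF -- "$(find_injected "$1" "$2")"; }

# Step 3: remove write permission from every directory for every user, then re-open
# only the owner write bit on the single directory that must accept uploads.
lock_down()   { find "$1" -type d -exec chmod 555 {} +; }
relax_owner() { chmod u+w "$1"; }
dir_mode()    { ls -ld "$1" | cut -c1-10; }

main() {
    WEBROOT=$(make_sample_webroot); MARKER='CONSTRUCTED-bad.example'
    echo "== files carrying the known snippet =="; find_injected "$WEBROOT" "$MARKER"
    echo "== modified in the same window with different content, review by hand =="
    needs_review "$WEBROOT" "$MARKER" 24
    lock_down "$WEBROOT"; relax_owner "$WEBROOT/images"
    echo "includes: $(dir_mode "$WEBROOT/includes")  images: $(dir_mode "$WEBROOT/images")"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` to see the listing; the same functions can be pointed at a real webroot and a snippet taken from the infected pages.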
Directory permissions are a place to start, but in reality you should be trying to find out how the attack occurred. Look at the malicious code, take snippets from it and search for them on the web; the chances are high that the attack was automated and that someone has encountered the problem before and has an idea of the cause.
As a good rule of thumb, reset as many passwords as possible; some providers will reset your passwords for you or give you the ability to reset them yourself. Resetting the admin password (and username, if possible) for your content management system, if you have one, is a necessary step. If it is possible to reset your SQL/MySQL password and your web user password (the user account which owns the directory where your site is hosted), that is also a good step. Inform your hosting provider of the hack and provide details (including code snippets) of what occurred so that they can investigate further in case it affects other sites hosted on the same server or group of servers. Your hosting provider can also be a valuable source of information on recovery and directory permissions.
If you have any doubts about how secure your website is, how the attack occurred, or how to complete the recovery process, consult an IT professional for assistance.