It’s not always easy to spot a website that’s been hacked. There are many different signs of a com­prom­ised website including browser and virus software warnings, un­re­spons­ive web pages, spam emails flooding your inbox or undesired redirects to websites. Either way, you’ll want to act swiftly by notifying the host and changing your access and re­gis­tra­tion data.

Why do websites get hacked?

In most cases, website hacking is motivated by money or politics. Usually, hackers try to intercept bank details or user data to access accounts and steal funds or sell data to criminals. Ransomware attacks have become more common in the last few years. In these attacks, company data is encrypted and a ransom is demanded for its decryption. Politically motivated website hacks mostly target political parties, public figures and institutions. These are often executed by groups of hackers such as Anonymous and are motivated by morals, differences of opinion or fame.

In rare instances, hacks may be targeting military IT systems or state digital in­fra­struc­tures to secure data or crash systems.

How to diagnose a hacked website?

Having your website hacked is one of the very real dangers of operating a website. Even those who install several security measures aren’t safe from cy­ber­at­tacks. Security gaps in websites, apps or email accounts are often to blame.

Back in the day, hackers used to primarily target large businesses. But with advancing digitisation, SMBs are increasingly exposed to cyber dangers. And with the rise in WordPress hacking, individual website owners are at risk too.

Dia­gnos­ing a hacked website is usually the first step in rec­ti­fy­ing the situation. To do so it’s worth going through a quick checklist of weak points in your website con­fig­ur­a­tion. Hackers make use of weak­nesses such as in­suf­fi­cient cloud security. They attack websites via zero-day exploits or DoS and DDoS. Man-in-the-Middle attacks un­for­tu­nately are a lot harder to spot.

So, what are the typical signs of a hacked website? To detect malware and identify a com­prom­ised website check for the following signs:

Browser warning

Browsers like Google Chrome or Mozilla Firefox have security features that recognise unsafe websites and auto-block bad downloads or malicious code. The ‘HTTPS-Only’ function is useful to detect and auto-block pages without SSL or TLS. If you receive a browser warning when opening your website, the website may be compromised.

Website can’t be reached

You may not notice that you’ve been hacked until your web host disables your website. Hosting providers usually react to warnings from their IT security or flags from visitors. Not all hosting providers will notify the website owner when their site is shut down.

Anti-virus software

You can use anti-virus software to spot a hacked website or a virus on your hardware.

Login not working

If logging into your site no longer works, it may be a sign that someone has taken over your website or removed your user account.

Warnings about login attempts

During a brute force attack, hackers attempt to guess your login data. If you’re receiving warnings about un­so­li­cited login attempts, your website access may be com­prom­ised.

Defacing

Defacing is when cy­ber­crim­in­als swap your website or index.html for a web page that contains a statement from the hackers. You will no longer be able to access your website. Defacing is often polit­ic­ally motivated and affects com­mer­cial or corporate websites.

Hijacking

Hijacking is a different approach whereby malicious code is embedded on a website. This causes malware to be down­loaded when your website is launched. Many virus scanners and browsers can pick up on this, but some attacks go unnoticed or are detected too late. Weak FTP passwords are common security gaps.

Ransom­ware attacks

Ransom­ware can be a worst case scenario for companies. Depending on the type of malware, entire business and website data can be encrypted and rendered unusable. Hackers will then issue a demand for ransom in exchange for de­cryp­tion. Busi­nesses should install security measures against ransom­ware as part of their website pro­tec­tion protocol.

Google warnings

The Google Search Console is a free Google analytics tool which checks the search engine op­tim­isa­tion of your website. If malware or sus­pi­cious backlinks are spotted, you should verify the security of your website.

Website blocked by Google

A website gets blocked by Google if it’s being classed as sus­pi­cious or malicious. The effect is that your website will no longer be shown in search results. You can see if your website has been delisted by checking the Google Search Console.

Unusual page load times

Is your page loading unusually slowly? This could be a sign that your website is compromised. Website attacks like cryptojacking can spike CPU usage. During cryptojacking, hackers infect computers with malware or install mining software such as Coinhive on websites. As a result, the computing power of affected computers or website visitors is used for illegal cryptomining.

Spam emails, redirects or pop-ups

Complaints from subscribers about spam emails sent from one of your email accounts could indicate a malware infestation. Redirects or unknown pop-ups and advertisements are also signs of hacking.

How to proceed when your website has been hacked

Once you’ve diagnosed that your website has been com­prom­ised, it’s time to act. There are several things you can do to solve the problem and plug security gaps. But before we get into the details, it’s always a good idea to backup your website and its data. A backup allows you to quickly recover the site in case of problems.

Keep calm and trooper on

First things first: stay calm! Losing your wits about the issue won’t help solve the problem. You may act er­rat­ic­ally and cause more damage. Avoid using infected hardware or accessing email accounts on com­prom­ised networks. It’s best to use external computers or accounts. If in doubt, consult an IT expert. Busi­nesses should im­me­di­ately inform their IT security contacts of any issues.

Change login and re­gis­tra­tion details

One of the first steps in securing a com­prom­ised email or user account is changing your login details. This includes login data for ad­min­is­trat­ors, account passwords for your hosting provider and cloud services as well as email accounts. In some situ­ations, you may want to change the access rights for anyone with ad­min­is­trat­or rights. You’ll want to pick a secure password con­sist­ing of at least 12 char­ac­ters, with upper and lower case letters, numbers, and special char­ac­ters.

Switch website to main­ten­ance mode

If your website is com­prom­ised, it can take a while to fix the issue. To safeguard your page visitors, it’s a good idea to switch your website to main­ten­ance mode.

Check your logfiles

You can check your website’s logfiles via the admin console. If in doubt, check with your hosting provider. The logfiles contain an overview of error messages and access logs which can help to identify the time and point of attack. Once identified, security gaps such as malware, malicious code, plugins, themes or other third-party software can be swiftly removed.
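As an added example (not part of the original article), the following sketch shows how an access log can narrow down the time and point of attack for the brute-force case described earlier. It assumes Apache's combined log format and a WordPress login at /wp-login.php, where a failed login returns 200 and a successful one redirects with 302; the threshold and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (assumed; check your server's LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATH = "/wp-login.php"   # assumption: WordPress login endpoint
FAIL_THRESHOLD = 5             # assumption: tune to your normal traffic

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:02:14:{s:02d} +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/8.0"' for s in range(1, 7)]
    + ['203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
       '198.51.100.4 - - [12/Mar/2024:08:30:00 +0000] '
       '"POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [12/Mar/2024:08:30:20 +0000] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

def find_login_attacks(log_text, threshold=FAIL_THRESHOLD):
    """Return {ip: {"failures": n, "first_success_after": datetime or None}}
    for clients with at least `threshold` failed login POSTs."""
    stats = defaultdict(lambda: {"failures": 0, "first_success_after": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PATH):
            continue
        entry = stats[m["ip"]]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "200":      # WordPress re-renders the form on failure
            entry["failures"] += 1
        elif (m["status"] == "302" and entry["failures"] >= threshold
              and entry["first_success_after"] is None):
            entry["first_success_after"] = ts   # likely moment of compromise
    return {ip: e for ip, e in stats.items() if e["failures"] >= threshold}

if __name__ == "__main__":
    for ip, e in find_login_attacks(SAMPLE_LOG).items():
        print(ip, e["failures"], "failed logins; first success after:",
              e["first_success_after"])
```

A success timestamp that follows a burst of failures from the same address is the point from which later file changes and admin actions should be reviewed.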

Reset .htaccess data

The .htaccess file is often targeted by hackers because it contains important configurations for websites running on Apache web servers. Attacks on .htaccess files can lead to malware redirects, malicious PHP files, data theft, browser fingerprinting or so-called watering hole attacks. Resetting the .htaccess file and restricting access rights can close security gaps.
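Before resetting the file, it helps to see what was changed. The following added example (not from the original article) flags .htaccess directives that are commonly associated with the malware redirects and malicious PHP files mentioned above. The rule names, patterns, own-host value and sample file are assumptions constructed for this illustration, not a complete signature set.

```python
import re

# Heuristic rules for directives commonly abused in tampered .htaccess files.
# Rule names and patterns are assumptions of this example.
REDIRECT_RE = re.compile(
    r'^\s*(?:RewriteRule\s+\S+\s+|Redirect(?:Match)?\s.*?)https?://([^/\s:]+)',
    re.I)
SIMPLE_RULES = [
    ("conditional-redirect-trigger",   # redirect only some visitors
     re.compile(r'^\s*RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}', re.I)),
    ("php-auto-include",               # runs a PHP file on every request
     re.compile(r'^\s*php_value\s+auto_(?:prepend|append)_file\b', re.I)),
    ("handler-remap",                  # image or text files executed as PHP
     re.compile(r'^\s*Add(?:Handler|Type)\s+\S*php\S*\s'
                r'.*\.(?:jpe?g|png|gif|ico|txt)\b', re.I)),
]

# Constructed sample: a stock WordPress block followed by injected lines.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteRule ^old/(.*)$ https://www.example.com/new/$1 [R=301,L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]
RewriteRule ^(.*)$ http://redirect.invalid/in.php [R=302,L]
php_value auto_prepend_file /tmp/.cache.php
AddHandler application/x-httpd-php .jpg
"""

def scan_htaccess(text, own_host):
    """Return (line_number, rule_name) for each suspicious directive.
    Redirects to own_host or its subdomains are treated as legitimate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue                   # skip comments
        m = REDIRECT_RE.match(line)
        if m:
            host = m.group(1).lower()
            if host != own_host and not host.endswith("." + own_host):
                findings.append((lineno, "external-redirect"))
        for name, pattern in SIMPLE_RULES:
            if pattern.match(line):
                findings.append((lineno, name))
    return findings

if __name__ == "__main__":
    for lineno, rule in scan_htaccess(SAMPLE_HTACCESS, "example.com"):
        print(f"line {lineno}: {rule}")
```

Findings are leads for manual review: a legitimate site may use some of these directives on purpose, so compare against a known-good copy before deleting anything.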

Scan website for malware or malicious code

WordPress operators can use free and paid security plugins for WordPress to scan their website data, apps and plugins for malware and malicious code. Known and popular security plugins include:

  • WPScan
  • Jetpack
  • Sucuri Security
  • Bul­let­Proof Security

If you’re using WordPress alternatives, there are plenty of other tools to scan a website for security, monitor a website and optimise network security, including:

  • Site­Guard­ing
  • Intruder
  • Hos­ted­Scan Security
  • Detectify
  • ImmuniWeb

How to prevent your website from being hacked?

The following security measures and rules help to safeguard your website against malware:

  • Create secure passwords with enough char­ac­ters and special symbols that aren’t easy to guess.
  • Use a password manager to keep track of password security when there are many passwords.
  • Regularly change passwords and login details and save them in your ad­min­is­trat­or log file or on your computer.
  • Use current PHP versions. The latest is PHP 8.
  • Keep plugins, apps, and other linked software up to date with updates.
  • Use antivirus software.
  • Look for a reputable and secure hosting provider with a high level of data pro­tec­tion.
  • Use security plugins to monitor your website.
  • Keep track of current SSL cer­ti­fic­ates.
  • Secure your file transfers from web to connected computers using access rights via FTP or SFTP.
  • Enable warnings for un­au­thor­ised logins using two-factor au­then­tic­a­tion.
  • Create a backup of your website data.
  • Have professional security software or an IT expert analyse your website for vulnerabilities.
  • Monitor access, page per­mis­sions and user roles.
  • Use a secure firewall for your website (e.g. via Sucuri or Cloud­flare).
  • Busi­nesses should in­cor­por­ate their own IT security.

Customer com­mu­nic­a­tion in the wake of a hacked website

Fixing a compromised website isn’t just a matter of restoring website security. You’ll want to be sure that your subscribers or data users aren’t affected, or that they are informed swiftly if their data has been compromised. Concealing a cyberattack is a bad idea as that could harm your brand or business. For example, Facebook waited two years to inform its users that the data of 530 million user accounts was stolen in 2019. Under the UK General Data Protection Regulation (UK GDPR), website operators are obliged to inform users about data theft and security breaches.

You’ll want to be transparent about a website that’s been hacked and announce it in public or via email to your users or customers. Clearly describe the events and their consequences. Let your audience know which measures they can take to restore security and protect their data, such as changing passwords or adding two-factor authentication.

Summary

Cy­ber­at­tacks are a growing phe­nomen­on as the world becomes ever more digitally connected. Website owners can install measures to safeguard their websites from being attacked by hackers by using strong passwords, updating their security software, using reputable hosting providers and antivirus pro­grammes.
