How to fix a hacked website

It’s not always easy to spot a website that’s been hacked. There are many different signs of a compromised website including browser and virus software warnings, unresponsive web pages, spam emails flooding your inbox or undesired redirects to websites. Either way, you’ll want to act swiftly by notifying the host and changing your access and registration data.

Why do websites get hacked?

In most cases, website hacking is motivated by money or politics. Usually, hackers try to intercept bank details or user data to access accounts and steal funds or sell data to criminals. Ransomware attacks have become more common in the last few years. They involve paying a ransom for encrypted company data. Politically motivated website hacks mostly target political parties, public figures and institutions. These are often executed by groups of hackers such as Anonymous and are motivated by morals, differences of opinion or fame.

In rare instances, hacks may be targeting military IT systems or state digital infrastructures to secure data or crash systems.

How to diagnose a hacked website?

Having your website hacked is one of the very real dangers of operating a website. Even those who install several security measures aren’t safe from cyberattacks. Security gaps in websites, apps or email accounts are often to blame.

Back in the day, hackers used to primarily target large businesses. But with advancing digitisation, SMBs are increasingly exposed to cyber dangers. And with the rise in WordPress hacking individual website owners are at risk too.

Diagnosing a hacked website is usually the first step in rectifying the situation. To do so it’s worth going through a quick checklist of weak points in your website configuration. Hackers make use of weaknesses such as insufficient cloud security. They attack websites via zero-day exploits or DoS and DDoS. Man-in-the-Middle attacks unfortunately are a lot harder to spot.

So, what are the typical signs of a hacked website? To detect malware and identify a compromised website check for the following signs:

Browser warning

Browsers like Google Chrome or Mozilla Firefox have security features that recognise unsafe websites and auto-block bad downloads or codes. The ‘HTTPs Only’ function is useful to detect and auto-block pages without SSL or TLS. If you receive a browser warning when opening your website, the website may be compromised.

Website can’t be reached

You may not notice that you’ve been hacked until your web host disables your website. Hosting providers usually react to warnings from their IT security or flags from visitors. Not all hosting providers will notify the website owner when their site is shut down.

Anti-virus software

You can use anti-virus software to spot a hacked website or hardware virus issue.

Login not working

If logging into your site no longer works, it may be a sign that someone has taken over your website or removed your user account.

Warnings about login attempts

During a brute force attack, hackers attempt to guess your login data. If you’re receiving warnings about unsolicited login attempts, your website access may be compromised.

Defacing

Defacing is when cybercriminals swap your website or index.html for a web page that contains a statement from the hackers. You will no longer be able to access your website. Defacing is often politically motivated and affects commercial or corporate websites.

Hijacking

Hijacking is a different approach whereby malicious code is embedded on a website. This causes malware to be downloaded when your website is launched. Many virus scanners and browsers can pick up on this, but some attacks go unnoticed or are detected too late. Weak FTP passwords are common security gaps.

Ransomware attacks

Ransomware can be a worst case scenario for companies. Depending on the type of malware, entire business and website data can be encrypted and rendered unusable. Hackers will then issue a demand for ransom in exchange for decryption. Businesses should install security measures against ransomware as part of their website protection protocol.

Google warnings

The Google Search Console is a free Google analytics tool which checks the search engine optimisation of your website. If malware or suspicious backlinks are spotted, you should verify the security of your website.

Website blocked by Google

A website gets blocked by Google if it’s being classed as suspicious or malicious. The effect is that your website will no longer be shown in search results. You can see if your website has been delisted by checking the Google Search Console.

Unusual page load times

Is your page loading unusually slowly? This could be a sign that your website is compromised. Website attacks like cryptojacking can spike CPU usage. During cryptojacking, hackers infect computers with malware or install mining software such as Coinhive on website. As a result, the computing power of affected computers or website visitors is used for illegal cryptomining.

Spam emails, redirects or pop-ups

Subscribers who complain of spam emails from one of your email accounts could indicate a malware infestation. Redirects or unknown pop-ups and advertisements are also signs of hacking.

How to proceed when your website has been hacked

Once you’ve diagnosed that your website has been compromised, it’s time to act. There are several things you can do to solve the problem and plug security gaps. But before we get into the details, it’s always a good idea to backup your website and its data. A backup allows you to quickly recover the site in case of problems.

Keep calm and trooper on

First things first: stay calm! Losing your wits about the issue won’t help solve the problem. You may act erratically and cause more damage. Avoid using infected hardware or accessing email accounts on compromised networks. It’s best to use external computers or accounts. If in doubt, consult an IT expert. Businesses should immediately inform their IT security contacts of any issues.

Change login and registration details

One of the first steps in securing a compromised email or user account is changing your login details. This includes login data for administrators, account passwords for your hosting provider and cloud services as well as email accounts. In some situations, you may want to change the access rights for anyone with administrator rights. You’ll want to pick a secure password consisting of at least 12 characters, with upper and lower case letters, numbers, and special characters.

Switch website to maintenance mode

If your website is compromised, it can take a while to fix the issue. To safeguard your page visitors, it’s a good idea to switch your website to maintenance mode.

Check your logfiles

You can check your website’s logfiles via the admin console. If in doubt, check with your hosting provider. The file contains an overview of error messages and access logs which can help to identify the time and point of attack. Security gaps such as malware, malicious codes, plugins, themes or other third-party software can be swiftly removed.

Reset .htaccess data

The .htaccess file is often targeted of hackers because it contains important configurations for websites running on Apache web servers. Attacks on .htaccess files can lead to malware redirects, malicious PHP files, data theft, browser fingerprinting or so-called watering hole attacks. Resetting the .htaccess file and restricting access rights can close security gaps.

Scan website for malware or malicious code

WordPress operators can use free and paid for security plugins for WordPress to scan their website data, apps and plugins for malware and malicious code. Known and popular security plugins include:

• WPScan
• Jetpack
• Sucuri Security
• BulletProof Security

If you’re using WordPress alternatives there are plenty other tools to scan a website for security, monitor a website and optimise network security, including:

• SiteGuarding
• Intruder
• HostedScan Security
• Detectify
• ImmuniWeb

How to prevent your website from being hacked?

The following security measures and rules help to safeguard your website against malware:

• Create secure passwords with enough characters and special symbols that aren’t easy to guess.
• Use a password manager to keep track of password security when there are many passwords.
• Regularly change passwords and login details and save them in your administrator log file or on your computer.
• Use current PHP versions. The latest is PHP 8.
• Keep plugins, apps, and other linked software up to date with updates.
• Use antivirus software.
• Look for a reputable and secure hosting provider with a high level of data protection.
• Use security plugins to monitor your website.
• Keep track of current SSL certificates.
• Secure your file transfers from web to connected computers using access rights via FTP or SFTP.
• Enable warnings for unauthorised logins using two-factor authentication.
• Create a backup of your website data.
• Get a professional security or IT software or expert to analyse your website for vulnerabilities.
• Monitor access, page permissions and user roles.
• Use a secure firewall for your website (e.g. via Sucuri or Cloudflare).
• Businesses should incorporate their own IT security.

Customer communication in the wake of a hacked website

Fixing a compromised website isn’t just a matter of restoring website security. You’ll want to be sure that your subscribers or data users aren’t affected or informed swiftly if their data has been compromised. Concealing a cyberattack is a bad idea as that could harm your brand or business. For example, Facebook waited two years to inform its users that the data of 530 million user accounts was stolen in 2019. As of the UK General Data Protection Regulation (UK GDPR), users are obliged to inform users about data theft and security breaches.

You’ll want to be transparent about a website that’s been hacked and announce it in public or via email to your users or customers. Clearly describe the events and its consequences. Let your audience know which measures they can take to restore security and protect their data such as changing passwords or adding two-factor authentication.