
My website has been hacked, what should I do?

There are essentially three ways to deal with a hacked website. This guide describes all three.

Often you will learn that your website has been hacked from an email we send you listing the harmful files found on your account. If you have not received such an email but suspect that your website has been hacked, scan your web hosting account with Imunify360, which is available via cPanel.

Clean out the hack

The advice here is general and applies regardless of which hosting provider you use. The instructions describe how to perform the steps on our hosting, but similar steps should work with any provider.

Keep in mind that a hacked website is not cleaned automatically by moving it from one provider to another; the malicious files move with it.

Method 1 – Restore from backup

Restoring the website from a backup taken before the site was infected is often the easiest and best method. It is simple, because you only have to perform the restore and all malicious files are gone. It is reliable, because you can be fairly sure that all malicious files are actually removed (as long as you follow the instructions below).

The downside of this method is that you may lose data. For example, if your website has been hacked for a week, during which you have added content, restoring the backup will discard your work from that week. There is, however, a way around this, which we detail below.

If your website has been infected, both files and the database may be affected. We recommend that you begin by restoring just the files, since this will lessen the risk of data loss. If restoration of the files isn’t enough, we describe the database restoration process below.

Restore files

We have detailed instructions regarding how you use our backup software here. However, please read the text below before you continue with the restoration.

Before you can restore, you need to find a backup from a point in time when your site was not yet infected. To do this, pick a couple of files from the list of harmful files you received from us (if you do not have such a list, ask us to scan your account) and check whether those files exist in the backup. If the files are present at a backup point, your site was already infected when that backup was taken. If they are absent, you have probably found a clean point to restore from; choose the most recent such point to keep data loss to a minimum.

It is important to distinguish between malicious files and injected files. Malicious files should not exist on your account at all. Injected files are legitimate files into which malicious code has been inserted; their existence is expected (the injected code is not). Hence, when browsing the backups, look for the malicious files, not the injected ones, since an injected file is present in clean backups as well.

Before you restore, rename the folder where the website currently resides. For example, if the website is in public_html, rename it to public_html_old. You are then free to restore the public_html folder.

Once you’ve identified a backup point you wish to restore from, follow our guide to perform the restoration.

By renaming the folder before restoring, you keep a copy of the website as it was before the restoration, and therefore still have access to files that are not in the backup. For example, if images are missing after you have restored the files, you can copy them over from the old folder. Copying specific images or documents is fine, but do not copy entire folders into the clean version of the site, since malicious files may be hiding in them. Once you have retrieved what you need, delete public_html_old; otherwise the malicious files remain on the account and will be flagged again at the next scan.
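To make that selective copy safer, here is an added shell example (it is not part of our backup software or of this guide's own tooling) that copies one named file at a time from public_html_old into the restored public_html and refuses anything that is not plainly the image or PDF its name claims. The folder paths, the function names looks_clean and copy_back, and the sample files are all constructed for the demo; on a real account set OLD and NEW to your actual folders.

```shell
#!/bin/sh
# Added example, not the provider's tooling: copy single files back from the
# renamed site folder into the restored one, refusing anything that does not
# look like the image or document it claims to be. Demo data below is
# constructed; on a real account set OLD and NEW to your real folders.
set -u

# Exit 0 if the file's extension is on the allow list, its first bytes match
# that format, and it contains no PHP opening tag; otherwise report and exit 1.
looks_clean() {                   # $1 = path of the candidate file
  f="$1"
  magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
  # Some Apache setups run "x.php.gif" as PHP, so ".php" anywhere in the name is refused.
  case "$f" in
    *.php*|*.phtml*|*.phar*) echo "$f: PHP in the file name" >&2; return 1 ;;
    *.jpg|*.jpeg) case "$magic" in ffd8ff*) ;; *) echo "$f: not a JPEG" >&2; return 1 ;; esac ;;
    *.png) [ "$magic" = 89504e47 ] || { echo "$f: not a PNG" >&2; return 1; } ;;
    *.gif) [ "$magic" = 47494638 ] || { echo "$f: not a GIF" >&2; return 1; } ;;
    *.pdf) [ "$magic" = 25504446 ] || { echo "$f: not a PDF" >&2; return 1; } ;;
    *) echo "$f: extension not on the allow list" >&2; return 1 ;;
  esac
  # A genuine image can still carry PHP in its metadata or tail; refuse that too.
  if grep -q -F '<?php' "$f"; then echo "$f: contains a PHP tag" >&2; return 1; fi
  return 0
}

# Copy one file, keeping its relative path, only if looks_clean accepts it.
copy_back() {                     # $1 = old root, $2 = restored root, $3 = relative path
  src="$1/$3"; dst="$2/$3"
  looks_clean "$src" || return 1
  mkdir -p "$(dirname "$dst")"
  cp -p "$src" "$dst"
}

# --- Constructed demo: an "old" folder with one good image and three traps ---
WORK=$(mktemp -d)
OLD="$WORK/public_html_old"       # what you have after: mv public_html public_html_old
NEW="$WORK/public_html"           # the freshly restored, clean tree
UP="wp-content/uploads/2024/01"
mkdir -p "$OLD/$UP" "$NEW"
printf '\211PNG\r\n\032\n' > "$OLD/$UP/logo.png"                             # real PNG signature
printf '\377\330\377\340<?php system($_GET["c"]); ?>' > "$OLD/$UP/photo.jpg"  # JPEG signature, PHP inside
printf '<?php echo 1; ?>' > "$OLD/$UP/x.jpg"                                  # PHP renamed to .jpg
printf 'GIF89a<?php ?>' > "$OLD/$UP/shell.php.gif"                            # double extension

copy_back "$OLD" "$NEW" "$UP/logo.png"      && echo "copied  $UP/logo.png"
copy_back "$OLD" "$NEW" "$UP/photo.jpg"     || echo "refused $UP/photo.jpg"
copy_back "$OLD" "$NEW" "$UP/x.jpg"         || echo "refused $UP/x.jpg"
copy_back "$OLD" "$NEW" "$UP/shell.php.gif" || echo "refused $UP/shell.php.gif"
# rm -rf "$WORK"   # remove the demo tree when you are done
```

Only logo.png ends up in the restored tree; the other three are refused for different reasons (PHP tag inside a valid JPEG, wrong signature, and .php in the name). Extend the allow list with the formats your site actually serves, and keep copying file by file rather than whole folders.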

Restore the database

If restoring the files did not solve the problem, you may have to restore the database as well. When restoring a database there is nothing to consider beyond what we describe below: your database is replaced by the copy on the backup server. You can read about how to restore databases here.

Since the database contains most of the content of the website, the risk of data loss is large when you restore the database. However, you can work around this if you’re willing to spend extra time on it.

The instructions below assume that you are comfortable working with MySQL databases.

Before you restore the database, create a .sql dump of the current (infected) database by following the instructions here. Then create a new, separate database by following the steps here. Finally, import the .sql dump into that newly created database by following this guide.

Now you can use phpMyAdmin (found via cPanel) to selectively copy data, for example posts or orders added after the backup point, from the old database into the restored one. Inspect each row you copy for injected code, since the attacker may have altered the content itself.

Method 2 – Manual cleanup

This method is intended for advanced users.

You may also go through all files on your website and remove the malicious code by hand. This takes a lot of time, but if you know what you are doing it can give good results. The main advantage of this method is that you lose no data.

The only manageable way to do this is over SSH. Doing it via FTP or cPanel's built-in File Manager would take at least twice as long.

We recommend that you start from the list of malicious files we sent out (if you have not received such a list, ask us to scan your account). It gives you a good starting point for your hunt.

Then look for common factors among the files: for example, whether they were modified on the same day, contain the same code sequence, or are of the same file type (such as PHP files in a folder that should only hold uploaded images). Once you have found such a factor, use suitable Linux commands such as find and grep to list all files on the account that share it. You will probably find more files than the ones reported.

If the database is infected, you can clean it out manually, either via phpMyAdmin or with the mysql command-line client over SSH. Exporting a .sql dump and searching it for injected script tags or iframes is a quick way to see which tables and rows are affected.
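Here is an added shell example, not our scanner and not part of this guide's own tooling, of the file hunt and the database check described above: starting from one file on the malicious-files list, it lists every file changed on the same day, every PHP file containing the same code sequence, and any PHP file inside the uploads tree, then greps a .sql dump for injected markup. The web root, the reported file name, the dump contents and the indicator strings are all constructed for the demo; on a real account point WEBROOT and DUMP at your own site and dump, and take the day and the code sequence from your own report.

```shell
#!/bin/sh
# Added example, not the provider's scanner: widen a malicious-files report by
# looking for files that share a trait with a reported one, then check a .sql
# dump for injected code. All data below is constructed for the demo; on a real
# account point WEBROOT at your site (e.g. ~/public_html) and DUMP at your dump.
set -u

# Hunt 1: files changed on a given day (YYYYMMDD). Two reference files give a
# portable time window for find without relying on GNU-only -newermt.
files_changed_on_day() {          # $1 = web root, $2 = day as YYYYMMDD
  lo=$(mktemp); hi=$(mktemp)
  touch -t "${2}0000" "$lo"       # 00:00:00 that day
  touch -t "${2}2359.59" "$hi"    # 23:59:59 that day
  find "$1" -type f -newer "$lo" ! -newer "$hi" | sort
  rm -f "$lo" "$hi"
}

# Hunt 2: every PHP file containing the same literal code sequence.
files_with_sequence() {           # $1 = web root, $2 = literal string
  find "$1" -type f -name '*.php' -exec grep -l -F -- "$2" {} + | sort
}

# Hunt 3: executable files in a tree that should only hold media.
php_in_uploads() {                # $1 = web root
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# Hunt 4: lines of a .sql dump carrying injected script tags, iframes or eval().
dump_injections() {               # $1 = path to the .sql dump
  grep -n -E '<script[^>]*src=|<iframe|eval\(base64_decode\(' "$1"
}

# --- Constructed demo site and dump ------------------------------------------
make_demo_site() {                # $1 = directory to populate
  r="$1"
  mkdir -p "$r/wp-includes" "$r/wp-content/uploads/2023/05" "$r/wp-content/themes/x"
  printf '<?php echo "home"; ?>\n' > "$r/index.php"
  printf '<?php /* theme */ ?>\n'  > "$r/wp-content/themes/x/functions.php"
  # malicious: dropper named to look like WordPress core
  printf '<?php eval(base64_decode($_POST["p"])); ?>\n' > "$r/wp-includes/class-wp-dbs.php"
  # malicious: PHP inside uploads, same code sequence
  printf '<?php eval(base64_decode("aGk=")); ?>\n' > "$r/wp-content/uploads/2023/05/cache.php"
  # injected: a legitimate theme file with the sequence prepended
  printf '<?php eval(base64_decode("Zm9v")); ?>\n<?php get_header(); ?>\n' > "$r/wp-content/themes/x/header.php"
  touch -t 202305011230 "$r/wp-includes/class-wp-dbs.php" \
    "$r/wp-content/uploads/2023/05/cache.php" "$r/wp-content/themes/x/header.php"
  touch -t 202201011200 "$r/index.php" "$r/wp-content/themes/x/functions.php"
}
make_demo_dump() {                # $1 = path of the .sql file to write
  cat > "$1" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome</p>');
INSERT INTO `wp_posts` VALUES (2,'About','<p>About us</p><script src="http://example.invalid/s.js"></script>');
INSERT INTO `wp_options` VALUES ('siteurl','https://example.invalid');
EOF
}

WORK=$(mktemp -d)
WEBROOT="$WORK/public_html"; DUMP="$WORK/site.sql"
make_demo_site "$WEBROOT"; make_demo_dump "$DUMP"
REPORTED="wp-includes/class-wp-dbs.php"   # one entry from the (constructed) report

echo "== changed on the same day as $REPORTED ==";  files_changed_on_day "$WEBROOT" 20230501
echo "== contain eval(base64_decode( ==";          files_with_sequence "$WEBROOT" 'eval(base64_decode('
echo "== PHP under wp-content/uploads ==";         php_in_uploads "$WEBROOT"
echo "== suspicious lines in $DUMP ==";            dump_injections "$DUMP"
# rm -rf "$WORK"   # remove the demo tree when you are done
```

On the demo data the first two hunts each surface three files, one of which (header.php) is an injected theme file the report alone would not have pointed at, and the dump check flags the one post row carrying an external script tag. Treat the output as leads to inspect, not as a list to delete blindly: an injected file is cleaned by removing the inserted code, not by deleting the file.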

We will not delve any deeper into this method since it’s for advanced users, and you need to find out what tools you need and how to use them on your own.

Method 3 – Start from the beginning

By starting from the beginning we mean that you delete the current website and build it from scratch. It may sound extreme, but it works well in a few key cases. For example, if you have not yet created much content on your website, there is not much to lose by starting over. Likewise, if you are already building a new website, it may not be worth spending time cleaning and rescuing the old one: just remove the infected site and carry on with the new one.

The main advantage of this method is that you are guaranteed to remove all malicious files. This matters, since if you miss even one malicious file the site may be hacked again shortly afterwards.

After cleanup

Once you believe you have removed all malicious code, contact us by email and ask us to scan your account again. Ideally, reply to our initial report so that everything stays within one support ticket.

If we find more malicious code, we’ll get back to you.

Once it’s been confirmed that all malicious code is gone, you need to enhance the security on your website to ensure that you don’t get hacked again. We’ve written a guide that walks you through the various parts to consider when hardening the security of your website.

Depending on what kind of information you store on your website, you may have to report the hack to the Swedish Authority for Privacy Protection. If you’re unsure if you need to report it or not, contact them to find out.

Why did I get hacked?

The reasons for getting hacked vary. It is uncommon for an attack to be aimed directly at you or your company. Instead, attacks are usually carried out by automated tools that scan the web for sites running a specific vulnerable version of a CMS, plugin or theme.

Below are a few examples of what the purpose of a hack may be:

  • To use our servers to send spam email.
  • “Script-kiddie hack”, just someone hacking the website for “fun”.
  • To spread a message by swapping out the start page of the website.
  • Setting up fraudulent websites used e.g. for phishing attacks, trying to get hold of banking credentials.
  • To spread viruses or malware, or to attack other servers online.
  • To steal sensitive data stored on the website (information about certain individuals, or credit card information).