How to clean up your hacked site


Before I get into how to clean up your site, I would just like to mention something that will probably make your blood boil if you have been hacked.

If your site has been hacked, blame sites like exploit-db, which promote ways to hack people's sites and create file uploaders, shellcodes and backdoors, enabling online criminals to destroy your site and make money from doing so.

As computers get more complex, more and more exploits appear, and as a result more and more sites are being hacked and exploited by online criminals for purposes that range from spreading malware to SEO that helps promote their illegal pharmacy websites on search engines.

Exploit-db claims to be a site for so-called pen-testers; however, with their Google Hacking Database, exploit-db shares methods for online criminals to find other people's vulnerable websites to exploit. It is one thing pen-testing your own site to stop it from being hacked, but it is another thing entirely using footprints to scrape Google to identify other people's sites.

It is a bit like a burglar telling the police “I was only pen-testing whether the door was secure or not... honest!”

If your site has been hacked, it is extremely important that you know how it was hacked in the first place if you are going to properly clean it up.

The key to cleaning up a hacked site is finding the point of entry (the place where the hackers are getting in and wrecking your site) and eliminating it. Otherwise the hackers are just going to keep on hacking your site, no matter how many uploaded files you delete.

Hackers might have compromised your site because of dodgy files you uploaded to it, because of a virus on your own computer that allowed the hacker to collect your login details (such as those for your FTP account), or because they exploited the server that your site is hosted on.

Here are some quick and simple steps to ensure that your website is secure. If the hack persists even after following these steps, then it is the server that is being exploited, and we suggest that you move to a host with better security instead.

We advise that you make sure that your computer is free of viruses before you begin!

1) If you are using a content management system, for example WordPress, you may want to export your data. In WordPress you can export your data either by using the Tools > Export feature found in your WordPress dashboard or by extracting the MySQL tables from your WordPress database.

After exporting all of the data, it is very important that you go through it using a text editor, making sure that no backdoors have been added to your data that may let a hacker rehack your site. Look out for anything that does not look right, for example PHP or base64-encoded code.

Once you are happy that there isn’t anything in the exported file that shouldn’t be there, move on to step 2.

2) Log in to your web hosting control panel. Once logged in, check that there are no extra FTP users other than you. Then make sure to delete any databases set up on your account.

3) Using an FTP file manager, log in and delete all files and folders on your site.

4) Log back into your web host control panel and change the password for both your web hosting account and your FTP account.

5) Reinstall a fresh version of your website.
If you are using a content management system like WordPress, make sure that this time you do not install any dodgy plugins or themes that could lead to your site being compromised, and make sure that you keep your CMS updated at all times. Simply reinstalling the themes and plugins that you used before will just lead to your site being compromised again, as the point of entry will still be present. It is therefore sensible to find better and more secure themes and plugins to use.

If you use a custom content management system, get your web developer to check through the code before reinstalling the site to make sure that there are no vulnerabilities that could be exploited.

By following these steps, you ensure that you remove all potential vulnerabilities from your website that could be used as a point of entry for a hacker.
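The manual review of the exported data in step 1 can be backed by a script that flags the lines worth reading first. The Python below is an added example, not part of the original article: the rule list, the function names and the sample export are assumptions constructed for illustration, and it reports PHP tags, code-execution and decoder calls, script/iframe tags, and long base64 runs that decode to any of those.

```python
import base64
import binascii
import re

# Heuristic patterns that rarely belong in exported posts, comments or options.
RULES = {
    "php_tag": re.compile(r"<\?(php|=)", re.I),
    "code_exec": re.compile(r"\b(eval|assert|system|shell_exec|passthru)\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "script_tag": re.compile(r"<\s*(script|iframe)\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs

def decode_run(run):
    """Decode a base64-looking run to text; return None if it is not valid base64."""
    run = run[: len(run) // 4 * 4]  # tolerate a run cut off mid-quantum
    try:
        return base64.b64decode(run, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_export(text):
    """Return (line_number, rule, excerpt) for every suspicious match in the export."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                findings.append((lineno, rule, line[max(0, m.start() - 20):m.end() + 40]))
        # Encoded payloads hide the patterns above, so decode each run and rescan it.
        for run in B64_RUN.findall(line):
            decoded = decode_run(run)
            for rule, pattern in RULES.items():
                if decoded and pattern.search(decoded):
                    findings.append((lineno, "base64:" + rule, decoded[:60]))
    return findings

# Constructed sample export (not real data): a clean post, an injected script tag,
# and an option row hiding a harmless PHP snippet behind base64.
_BLOB = base64.b64encode(b"<?php echo 'constructed harmless sample'; ?>").decode()
SAMPLE = "\n".join([
    "<content:encoded>Hello world, our first post.</content:encoded>",
    '<content:encoded>Hi <script src="//placeholder.invalid/x.js"></script></content:encoded>',
    "INSERT INTO wp_options VALUES (9001,'widget_text','" + _BLOB + "');",
])

if __name__ == "__main__":
    for lineno, rule, excerpt in scan_export(SAMPLE):
        print(f"line {lineno}: {rule}: {excerpt!r}")
```

A hit is a prompt to read that line, not proof of a backdoor: posts that legitimately embed scripts or code samples will also match.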

If you find that your site gets hacked even after cleaning it up, and you are confident that there are no vulnerabilities on your site, this means that the problem lies with your web host: the server you're hosting your site on is insecure and has been compromised! In this case, until the vulnerability on the server is fixed, account passwords are changed and all backdoors are removed, your site will continue to be exploited no matter what you do and how many times you clean it up.

Make sure you do not use the same password or username that you used before!

Good luck!