What to do when your site gets hacked

HSI: Hacked Site Investigation Over the years, my sites have been hacked numerous times. Each hacking event was somewhat of a miserable experience at first, but ultimately educational and even enlightening. I’m not going to say that getting hacked was the best thing that ever happened to me, but it certainly wasn’t the end of the world. In this post, I want to share some important steps to take and things to keep in mind if and when you discover that your site has been hacked.

Imagine it. You wake up. The sun is shining. Everything is going your way. Then you get online to manage your sites, but something is not quite right. Maybe some pages are not loading properly. Maybe you get an alert from Google letting you know that your site is reported as malware. Maybe your entire site is not loading and you can’t figure out why. Whatever the case may be, you understand that something is awry and begin to suspect that your site has been hacked.

If that sounds familiar, then you know the feeling. The shock, panic, confusion, and rage rise up and can turn you into a virtual Hulk in a matter of moments. But don’t panic. You need to stay calm. Rational. In control. A clear, focused mind is the key to efficiently responding to any security breach. Once you’ve got that, proceed with the following steps.

Assess the damage

Upon discovering that one of your sites is hacked, take a few moments and check any other sites that you may have, especially if they are on the same server. If one site is hacked, it’s likely that other sites on the same server are hacked as well. So take the time to investigate and assess the scope of the damage before continuing with any further action. Doing so will give you a better understanding of the severity of the exploit, which enables you to make informed decisions as the situation continues to unfold.

Lock things down

After assessing the damage, the first thing you should do is lock things down. You want to prevent anyone else from accessing your site while it’s compromised and vulnerable to further damage. You don’t want any visitors getting freaked out by non-functional, hacked pages. And you definitely don’t want Google dropping in for a crawl and flagging your site as malware. Wouldn’t that just be the icing on the cake.

In my experience, the best way to lock down a site is to add the following rules to the root .htaccess file of any site that you suspect might have been hacked:

<IfModule mod_rewrite.c>
	RewriteCond %{REMOTE_ADDR} !^123\.456\.789$
	RewriteCond %{REMOTE_ADDR} !^987\.654\.321$
	RewriteRule .* - [R=503,L]
<IfModule mod_headers.c>
	# 3600 = 60 minutes
	# 86400 = 1 day
	Header always set Retry-After "86400"

This code checks the visitor’s IP address and compares it to the two that are specified via either RewriteCond. Only matching IPs are allowed access. You can specify as many IPs as needed, or remove one of the lines if it’s not necessary. This tried-and-true script allows access to the specified IPs while delivering a 503 Service Unavailable message to everyone else. You can verify that it’s working by visiting your site via proxy service of your choice.

For more advanced maintenance-mode techniques, check out Maintenance mode via .htaccess over at WP-Mix.com, and also htaccess Redirect to Maintenance Page here at Perishable Press.

You may be asking, “why not use a maintenance-mode PHP script or WordPress plugin instead of messing with .htaccess?” Two reasons. First, it’s fast and easy to copy/paste and upload the file. And second, because your PHP files and plugins may have been hacked, so you’ll need to deactivate and/or replace them at some point during the cleanup process. That’s not to say that .htaccess files are invulnerable — it’s just that the root .htaccess file is easier to manage, and will continue to keep your site locked down even after all PHP files have been removed from the server.

Change all passwords

As soon as possible, begin changing all of your passwords. Keep a log so you can be thorough and keep things organized. This includes passwords for everything on your server or related to it, for example:

  • Server control panel
  • Hosting account center
  • All SSH passwords
  • All FTP passwords
  • All database usernames and passwords
  • All HTTP/.htaccess authentication passwords
  • All app/software passwords (e.g., WordPress logins et al)
  • All email passwords
  • All user passwords

Plus any other passwords that are used to access or communicate with your server, control panel, hosting account, and so forth. Be thorough, because you don’t want to have to deal with all of this again in a few days when the hacker breaks in simply by entering one of your old passwords. Yes this can be a long, tedious part of any hack recovery, but it is absolutely essential to do thoroughly. And remember, make sure that all new passwords are super strong. Use an online tool to generate secure passwords, if needed.

Record everything

A hacked site is a crime scene, so treat is as such. Open a text file and document everything as you proceed with investigation and cleanup. Doing so will help you stay organized and understand the “what”, “when”, “where”, “why”, and “how” of the event. This gives you a clear picture that’s useful for post-cleanup analysis and preventing further damage.

Some things to include in your notes:

  • Description of what happened and how you discovered it
  • Observations, things you notice about what happened
  • List of affected sites and/or pages
  • Relevant log entries, times, dates, et al
  • Any IP addresses that you think might have been involved
  • Any user agents, referrer info, and other identifying information
  • Make a copy of any suspect code that you discover
  • List of any useful search results, articles, code, etc.
  • Log files for PHP errors, HTTP access, FTP activity, et al
  • Screenshots and copies of any affected/hacked pages
  • Log any communication made between you and your hosting company or tech support
  • Any other evidence that may prove useful

When responding to a hacked site, things can happen quickly, as in like a blur. Keeping detailed notes equips you with priceless information that can be used for evaluation, evidence, and documentation. I still have complete files for each time that my sites were hacked. Files, codes, logs, screenshots — I can relive each of those intense experiences right down to the smallest detail. Thorough documentation enables you to respond more quickly should any similar event happen in the future.

Communicate the event

If you’re a part of a team, you should let any other key members know about the hack. You’ve already locked down the site, so now you can take a bit of time to communicate the situation with your teammates and coordinate recovery plans. Good communication keeps everyone on the same page and helps to prevent confusion and mistakes.

Additionally, whether you’re a part of a team or not, you may want to reach out to experts or people who have more experience dealing with security issues. If nobody on the team is up to the task of dealing with a hacked site, your best bet is to hire someone who is capable of doing the job.

One more point here, which is more of a question put to the reader: when your site is hacked, do you announce it to the general public, your Twitter followers, on Facebook, and elsewhere? Or do you keep it stealth and wait until things are under control before sharing the news? Or is it best to not discuss the issue with anyone for any reason whatsoever? I know what my own personal strategy is, but I’m also interested in other opinions.


At this point, everything should be locked down and you’re ready to begin investigating and getting things cleaned up. In general, this step requires experience and a broad understanding of web security and the myriad ways that sites may be hacked. If you are comfortable doing some research and have time to run tests and diagnose code, then you’re probably fine to tackle this part of the process on your own. If you’re unsure or simply don’t have time to dig deep and play detective, you should reach out and hire a professional. Depending on the severity of the hack, hiring a qualified security guru could save you hours if not days of precious time.

That said, if you’re gonna DIY the cleanup process, here are some key things to investigate:

  • Scan for malicious code
  • Scan for vulnerabilities
  • Scan for viruses and malware
  • Compare hacked files against known clean backups
  • Check your access logs to see who was doing what and when
  • Check for unknown or mismatched files on the server
  • Check for repeating patterns in your server logs
  • Determine what’s not working on your site and determine the cause

It is important to understand the exact method through which your site was hacked. All of the pieces of the puzzle must fit together. There should be no unsolved mysteries or loose ends. Determine the vulnerability, vehicle, payload and payoff. Investigate every clue and assume nothing. Depending on the complexity of the hack, you could be working with one file or thousands. Be prepared for the worst-case scenario and go from there.

Some additional tips for determining the method of attack:

  • Carefully examine your log files; they contain most of the information needed to determine exactly what happened.
  • Search the Web for any distinct snippets of malicious code. Chances are that others have reported similar events.
  • Search the Web for your site name or URL along with words like “hacked”, “pwned”, and other “1337” terms. If some loser hacked your site, they’re gonna want to brag about it to anyone who will listen.
  • Refer to this Troubleshooting Guide for in-depth techniques that may help to isolate and identify any hacked files.

To further discussion of the second point, in 2013 Perishable Press was hacked rather severely. During my investigation, I tried searching online for any clues and discovered that the perpetrator posted about the event on some private hacker forum. The thread went into detail about everything that was done to exploit the site, including the exact mechanism through which the attacker gained access. The scumbags even posted my database username and password for all the world to see. The whole experience was both disturbing and enlightening. The point here is that you should make good use of a search engine if your site is hacked; all of the answers could be right there waiting for you.

Prepare backups

You’ve heard it said a million times, “always keep good backups”. Getting hacked is one reason why it’s important to do so. It is mission critical to keep current, tested, working backups at all times. Not having backups means you could suffer irrevocable data loss. If you are not keeping backups, ask your host if automatic site backups are available. Some hosts take nightly server snapshots, so restoring your site could be as simple as clicking a button.

Once you’ve secured your site, use your most recent backup to restore any compromised data. Depending on the severity of the attack, you may need to restore the database, files, and/or anything else that was compromised. My personal strategy is to “assume they got it all” and restore everything using the most recent backups possible. The take-home point here is that keeping good backups is gonna help put you back on track asap.

Another thing that may be useful is to take a backup of your entire setup immediately after discovering the hack. That way you’ll have a complete snapshot of the hacked site for reference and further analysis. Just make sure to name it clearly so as not to get the hacked files confused with your clean backups. Organization is key.

Fortify security

After determining the cause of the issue and getting things cleaned up on the server, it is critical to secure any vulnerabilities. Don’t even bother uploading a fresh set of files and restoring your database until you have everything properly secured. Once you get everything back in shape, take the time to reevaluate your site’s security and take steps to tighten it up. If you’ve got vulnerable code, update it. If you’ve got sensitive files, protect them. If you’ve got malicious users, block ’em.

Remember, there is no such thing as 100% perfect security, but it is possible to add many layers of protection to greatly fortify the security of your site.

Do not retaliate

After discovering that hacker forum thread discussing how the greasy scumbags hacked my site, I was livid. I wanted revenge. I wanted to “get even”. But even in my rage I knew better than to stir up the hornets nest. Taking any form of direct action against the perpetrators ultimately would have backfired. Seriously, we’re talking about people who spend their lives exploiting vulnerabilities. Of course, not all hackers are bad guys, but you definitely don’t want to pick a fight with an army of people who share that “hacker” mentality. No matter how upset or justified you might be, you’re better off just letting it go. Clean up the hack, secure your site, and move on with your life. My advice.

Share what you have learned

One last recommended step on your journey to complete website recovery: “pass on what you have learned.” You don’t need to reveal any personal or sensitive information, but you may want to let others know what happened and how you went about fixing it. After all, if it happened to you, chances are that it will happen to others. So “be cool” like Fonzie and share any useful information and/or lessons learned. The good karma will come back to you.