How to recover from a hacked website
Addressing hacks is usually a nightmare which can cost you a lot of time/money. Acenet puts a lot of resources in ensuring that all server-side software is up to date and has all necessary security patches applied as quickly as possible.
Our Technical support staff regularly watches for security bulletins regarding your shared/managed server's software. Our kernels are kept up to date, non-standard ports are closed off in our aggressive firewall, and server software is kept at the latest stable, secure version.
How was I hacked?
If your account has been hacked, the first question you should ask yourself is "How was I hacked?"
There are a number of possibilities in regards to how a hacker gained access to your account.
[1] They obtained your login details.
[2] Through a vulnerability in an outdated/insecure script. (This is the most common)
Acenet, Inc. does not monitor the content you put on your website. You are free to host a wide range of scripts from shopping carts to image galleries. Similar to our precautions server side, it is a good idea to ensure that the software or scripts you use are kept up to date within your user space. This includes any modules, plugins, themes, addons, and etc. you may have installed.
The latest version of a script can also be vulnerable to hackers. You will want to contact any script developers to ensure the latest version of their script is secure and if it's not, what needs to be done to make it secure.
[3] Uploaded a malicious file(s) using an upload script available in your account.
Now that I've been hacked, what should I do?
The next question you should ask yourself is "Now that I've been hacked, what should I do?"
This is a question that is best answered by your webmaster. Acenet does not assist with recovering your site after it has been hacked. This is the responsibility of your webmaster. If you do not have a webmaster that can assist you with recovering your site from being hacked and you're not comfortable recovering your site yourself, we suggest hiring a professional. You can find available professionals that can assist you at the links posted below.
Here is what Acenet suggests for your webmaster to do:
Backup your account
You can download all of your site's content to your local machine via FTP or, if you have access to cPanel, you can process a full account backup through your cPanel. You can view our knowledgebase article for more details on Generating a Full Backup
Download the backup to your local machine. You will want to ensure you have your backup saved somewhere other than your account on the server before proceeding with the next step.
Reset all of your passwords
This includes your cPanel (control panel), FTP users, database users, script admin users, and email addresses.
Delete all cron jobs
If you have access to cPanel, you can view our knowledgebase article on how to Delete a Cron Job
Remove your current content
Delete all of the content from your account's document root folder. This is most commonly the public_html folder.
Once your account is compromised, it is possible that the attacker has installed a backdoor for easier access in the future. Deleting all of the content from your account's document root folder is the only true way to ensure you have cleared out all untrusted material.
Re-install your site's scripts
Re-install the latest version of any scripts you still need. This includes any plugins, modules, addons, themes, and etc.
If you have shared hosting with us or have purchased Fantastico and/or Softaculous for your virtual/dedicated server(s), we suggest installing your script(s) using Fantastico or Softaculous which are available in your cPanel. Fantastico and Softaculous can send you notifications when new versions of the script(s) you have installed are available and installing scripts through Fantastico and Softaculous is a lot easier than manually installing them.
Check your databases to see if they were hacked
Hacked databases are not common but it does happen. If the database is hacked, it will need to be cleaned before you use it again.
Reconnect your scripts
Re-configure the newly installed script(s) to connect to the appropriate database. You will want to proceed with this step once you have confirmed that your database(s) are clean. There are circumstances where your database(s) may need to be converted to work with the latest version of the script you installed. Most of the time all that needs to be done is the script's configuration file needs to be modified to use the database's connection details.
If you're unsure which file holds the database information for your script, we maintain a Configuration File Location Cheat Sheet
Upload clean files
Upload any needed clean files from the backup you generated.
How can I prevent my account from being hacked?
This is a question that is also best answered by your webmaster or the script developers of the script(s) you have installed within your account. Here are some suggestions Acenet has.
Keep scripts updated
Keep all scripts installed within your account updated to the latest version available.
Developers of web-based scripts release new updates to their software periodically. These updates often contain feature upgrades, but more importantly contain security updates as well. By keeping your scripts up to date, you ensure that the latest security holes are patched and only the content you post is displayed on your website.
If you have installed any scripts through Fantastico or Softaculous within your cPanel, you can have a notification emailed to you once a new version is available for any of the scripts you have installed.
Use secure passwords
Only use secure passwords. A secure password consists of letters, lowercase and uppercase, and numbers composed in a random pattern. At the very least, you want to ensure your passwords do not occur in a dictionary. It is not uncommon for hackers to attempt what is called a "Dictionary Attack". In such an attack, all of the words contained within a dictionary are guessed as a possible password. If your password occurs in the dictionary, such a brute-force guessing attack will succeed and allow unauthorized visitors access to privilleged information. Here are a few examples:
Bad Passwords: password sailboat admin yellow
Good Passwords (but don't use these exactly): hal2kejslIs9 122l0745Js Plwn24sueh37
Your passwords should be 8-15 characters in length and, if you cannot remember it, should be written down in a location only you are aware of. Do not share passwords with untrusted individuals.
Remove script install files
Remove any script install files from your account. Scripts usually let you know, after installation is complete, what files should be removed from your account. If you're not sure what can and cannot be removed, you will want to contact the script developers for assistance.
Password protect admin folders
Password protect the directory where any script's admin panels are located.
This is just added security to ensure only the individuals you want to have access to your script's admin panel have access. If you have access to cPanel, you can password protect a directory through your cPanel. You can view our knowledgebase article on how to Password Protect a Directory
Secure Upload scripts
Make sure any upload scripts installed within your account are locked down so that only the individuals you want to be able to use them are able to do so.
Doing this could be something as simple as password protecting the directory where the upload script is located. It depends on how the upload script is installed. If you're not sure how to lock down your upload script(s), you will want to contact the script developers for more details on how to do so.
Unique MySQL users
Use a username and password to connect to a database that are only used to connect to that database.
What this means is do not use a username and password that are used to connect to other things related to your account. For example, scripts can be configured to connect to a database using the account's cPanel username and password. This is insecure because the database connection details specified within a script's configuration file are usually stored within a flat text file which can be read. If a hacker is able to read your script's configuration file, using a username and password that are only able to connect to the database specified within the configuration file will ensure the hacker does not gain access to anything else.
Security Plugins
Install any available security plugins that are recommended for your script(s).
If you're not sure of any, you could search for recommendations to see what other users of your script(s) recommend or you can contact the script developers directly and ask what they recommend.
Separate Addon Domains
Do not host multiple sites that have scripts installed within them under one user.
It is best to keep sites that have scripts installed within them separated into their own user spaces. The reason being because if one of the sites gets hacked, the hacker will most likely have access to all of the other sites being hosted under that user. By separating the sites into their own users, you are limiting the damage the hacker can do.
As the saying goes, an ounce of prevention is worth a pound of cure. Recovering from a hacking can be time consuming, not to mention detrimental to your site's image. By following the preventative measures above, you can spare yourself the hassle of restoring your site and removing unwanted material.