What to Do When Your Website Has Been Compromised

A website is the image of its owner on the web. A company’s website tells visitors what the company does and offers; a personal one usually has stories about what the owner does and likes. With this personal image on the web, can you imagine what would happen if your website was compromised? What if, for example, your website had been infected with viruses, Trojans, or other malware?

How do you know if your website has been compromised?

There are many ways to compromise a website, depending on the attacker’s motive. However, from what we’ve learnt from past cases, there are some common symptoms shared by the victims, including:

  • Your website’s appearance has been replaced with different content (defacement).
  • Your website URL suddenly sends visitors to a completely different URL from the one you registered (website redirect). The ‘new’ URL usually leads to a porn or pharmaceuticals site.
  • Your browser, search engine, and/or antivirus marks your website as Unsafe or Compromised.
  • Your website experiences strange traffic, with sudden, unexplained big spikes.
  • You get a warning from http://www.google.com/safebrowsing/diagnostic?site=your domain name

Eliminating the threat

If you experience even one of these symptoms, it is safe to assume that your website has been compromised. The challenge comes next: bringing your website back to safety.

Build a support team

Contact your hosting provider as soon as possible. Tell them your situation and ask for their advice. You can also reach out to helpful communities and experts and ask for their assistance with your problem.

Quarantine your website

Take your website offline as soon as possible to prevent further damage from the attacker and to reduce the number of your users who become victims. Ask your hosting provider to redirect your page to a static page on a completely different server that returns a 503 HTTP response code.
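A minimal holding server of the kind described above, as an added example that is not part of the original article: it answers every method and path with the same static 503 page, and includes a probe to confirm the quarantine is in effect. The Retry-After value, the port and the page text are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed holding page: no scripts, no links back to the compromised host.
PAGE = (b"<!doctype html><title>Maintenance</title>"
        b"<h1>Site temporarily unavailable</h1>"
        b"<p>We are carrying out maintenance. Please check back later.</p>")
RETRY_AFTER_SECONDS = 3600  # assumption: ask clients and crawlers to retry in 1 hour


class QuarantineHandler(BaseHTTPRequestHandler):
    # Request paths and bodies are never interpreted; the reply is constant.
    server_version = "holding"  # do not advertise the Python version
    sys_version = ""

    def _unavailable(self):
        self.send_response(503)
        self.send_header("Retry-After", str(RETRY_AFTER_SECONDS))
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(PAGE)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(PAGE)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = _unavailable


def start(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    server = ThreadingHTTPServer((host, port), QuarantineHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, method="GET", path="/"):
    """Return (status, Retry-After, body) so the quarantine can be verified."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Retry-After"), resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start(port=8080)  # assumption: port 8080 behind the provider's redirect
    threading.Event().wait()  # keep the main thread alive
```

A 503 with Retry-After signals a temporary outage, so search engines are less likely to drop or re-index the site than they would be with a 404 or a 200 maintenance page.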

Next, perform a thorough check of all user accounts and look for any suspicious account. If you find one, write down the details to report later to your hosting provider, then delete the account as soon as you find it. Then change all your passwords and recommend that your users do the same.

Identify and remove the threat

At this step, we will remove the threat from your local computer and website, to make sure there’s nothing left.

  1. Update your antivirus and scan your local computer. Make sure it’s free of any dangerous programs, including Trojans, spyware, viruses, malware etc.
  2. Ask your support team or hosting provider to examine and fix log files, software extensions, plugins, consoles and other data as well as applications to determine the vulnerability, including how and when the attack was performed. Once done, make sure you have the up-to-date version of every plugin, console, extension, and application on your website.
  3. Restore your backup, even if it is an outdated one.
  4. Apply any necessary changes to the backup and bring it online.

Maintain your website

Once you’re back online, you may need to regularly monitor your website for any malware. For this, you can use Sucuri or Sitelock. They’re pretty nice for securing your website.

Conclusion

Cyber threats can hit any website, including yours. However, if you find evidence of a compromise, don’t panic. Contact your hosting provider and gather a support team as soon as possible to determine the vulnerabilities and fix them. Meanwhile, take your website offline to prevent further damage from the attacker and to keep your users from being targeted.