How to Recover from a Website Hack

A technology disaster plan is only as useful as its proper execution. Those who are unprepared will find themselves panicking in the midst of a website hack—they’ll flounder about in trying to get their assets squared away and hire consultants for a last-minute “dousing” of the flames.

The smart business owner, on the other hand, doesn’t panic when things go wrong. He sips his coffee, pulls out that good old disaster plan and gets on with his day as if a website hack was just another problem. The truth is that there’s not much to fear if you are both prepared and well-versed in the execution of a definitive plan—you can approach the situation with clarity if you have all your metaphorical ducks in a row.

Let’s walk through some of the more essential steps in recovering from a website hack…

Take the Site Offline ASAP

This is priority number one. No matter the extent of your damages, the only way things can get worse is if you allow the attacks to continue by leaving your site online. You can also return a 503 status code if taking the site offline isn’t in the cards. Either way, it’s important that your users aren’t being compromised by accessing hacked web pages.

Renaming your public_html folder temporarily is another option, but you should talk to your hosting provider first. The problem with this is that you might not be able to rename the folder back to its originality, which means your website will remain offline until the hosting providers are able to help you out directly.

Contact Your Hosting Provider

It’s surprising how many people don’t consider this as an early thing to do after experiencing an attack on their website. The guys and gals working hard over at the ISP center are often more than capable of handling some of your technical problems; they are also useful in offering advice on how to move forward. And let’s be honest—they probably know more about the ins and outs of shared hosting than you ever will. If shared hosting is something you operate with, the hosting providers will definitely become your best friends in this situation.

You’ll want to tell the providers exactly what’s been compromised and when (to the best of your knowledge) the attack occurred. They might be able to fill you in on important information such as what “holes” were punctured during the hack and on what end the hack is coming from. This intelligence is essential to a successful recovery process.

Initiate the “Backup” Step of Your Disaster Plan

As discussed in our previous blog post about creating a technology disaster plan, it’s critical that you have backups of all your data and hardware so that you can continue day-to-day operations in the midst of an attack. The last thing you want is a loss of profits as a result of extensive downtime. Your employees should know exactly how to react to the situation and should be on board with any necessary adaptations required to continue working.

Implement a Backup of Your Website’s Data

This is the easiest way to recover from a website hack. If you have a backup version of your website from before it was hacked (get on this if you haven’t already), then all you have to do is restore it. This, however, shouldn’t be done too hastily. Implementing the backup version will virtually make any trace of the hack disappear, which means you won’t be able to find out what exactly caused the problem in the first place. Recovering from a website hack also involves ensuring that it never happens again—you’ll want to assess the origins of the attack and take necessary action in its future prevention before you completely obliterate it from existence. This brings us to the next component of the plan…

Assess the Situation

So you’ve got a backup plan and a recovery version of your data. With the right tools by your side, you can now take revenge on the hacker. Okay, not really. But it is important that you find out all you can about who did this to you and why they did it, that way you can prevent a repeat performance.

• What were they after?
• How did they get access to your files?
• What about your site or company initially made them target you?
• Was this attack your own fault? (Perhaps you or your employees weren’t being safe enough when using the Internet)

You need to find the answers to these types of questions. Assets the hackers were targeting in the first place are the ones you will want to take action on in regards to protection. Moreover, finding out whether or not these hackers are just typical amateurs who “politely” equipped you with some malicious software will help you determine the severity of the problem. Repeat performances can easily be prevented in the future if all that happened was poor adventuring through the Internet. On the other hand, if professional hackers are targeting you specifically, then the situation may be more complicated and could even require legal action.

Re-Open Shop

Once the damages have been assessed, the recovery version of the site has been installed and the possibility of future attacks has been eliminated, it’s time to bring your site back online. This usually involves having Google re-crawl your website and alerting your users about the situation (if and only if they were also compromised). According to Google, your site shouldn’t be penalized for any links to malicious websites that were put up during the hack. Just make sure that they’ve all been removed and that your users are safe to use your website once again.

References:

[1] http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html (Retrieved 6-12-2012)
[2] http://www.webhostinghub.com/support/website/website-troubleshooting/website-hacked (Retrieved 6-12-2012)
[3] http://www.zen-cart.com/wiki/index.php/Recovering_From_Hacks (Retrieved 6-12-2012)