So you have received an email stating that your website has been compromised and that access to it has been restricted until it has been cleaned up. So what do you do?
Now, this can seem like an overwhelming task to many people, especially if your website consists of a large number of pages and folders. That’s why we are going to provide you with some guidance on what to check.
There tend to be three methods of cleaning up a website, and we cover all three here:
- The Long – This is more in-depth
- The Short – Tends to be a lot quicker
- The Paranoid – This is the best way to ensure a clean website
The Long
The first thing we would recommend is that you check your own PC/Laptop, and any other devices you have accessed your website from, for viruses or malware, ensuring you have up-to-date anti-virus software running. Then complete a full virus scan to clean out any viruses or malware that could be lurking in the background.
Now that you have checked your PC/Laptop and know there is nothing lurking in the background, you should change your account, email and FTP passwords, making sure the new passwords are secure and hard to guess. That means passwords like “password”, “qwertyuiop” and “letmein” should never be used. For advice on creating a secure password, take a look at the following guide.
Next you need to look at the most recently created or modified files on the website; most FTP clients will display either the file creation date or the modified date. The most recently created or modified file tends to be the one changed during the compromise. It could be that an existing file on your website has been modified, with malicious content added between the lines of the existing code in an attempt to hide the change, or a new file could have been uploaded containing only the malicious content. In either case the malicious content needs removing from the files. Here is a guide to using FileZilla to connect to your website’s FTP space. We would also recommend you check any other files that have been modified since your last known update. Files could have been modified at any time, and the change may not have been caught straight away.
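To make the "recently modified files" check repeatable when the site has many folders, here is an added example (not part of the original guide) that lists every file changed after a reference date and then flags those whose contents match code patterns commonly injected into PHP files. The web root, the dates and the pattern list are assumptions for the demonstration; the sample site is constructed inside the script.

```shell
# Added example (not from the original guide): list files under a web root changed after a
# reference date, then flag any whose contents match code patterns commonly injected during
# a compromise. The paths, dates and pattern list are assumptions for the demonstration.

# Files modified after the reference timestamp (YYYYMMDDhhmm), sorted by path. A reference
# file plus -newer keeps this to POSIX find, which most shared-hosting shells provide.
changed_since() {
    ref="$(mktemp)"
    touch -t "$2" "$ref"
    find "$1" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# Patterns often seen in injected PHP: obfuscated eval chains, functions named by a request
# parameter, command execution. A hit means "inspect this file by hand", not proof of compromise.
SUSPECT='eval\((base64_decode|gzinflate|str_rot13)\(|\$_(GET|POST|REQUEST)\[[^]]*\]\(|(shell_exec|passthru|system)\('

# Print the names of the given files that contain any SUSPECT pattern.
flag_suspect() {
    grep -l -E "$SUSPECT" "$@" 2>/dev/null
    return 0
}

# Constructed sample web root: two files untouched since the last known-good update, one
# legitimate recent edit, and a file in the uploads directory carrying an eval chain.
build_sample() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$dir/index.php"
    printf 'body { color: #000; }\n' > "$dir/style.css"
    printf '<?php function helper() { return 1; }\n' > "$dir/functions.php"
    printf '<?php /* theme */ ?>\n<?php eval(base64_decode("Zm9v")); ?>\n' > "$dir/wp-content/uploads/cache.php"
    touch -t 202101010000 "$dir/index.php" "$dir/style.css"    # last known-good update
    touch -t 202105101000 "$dir/functions.php"                 # legitimate recent edit
    touch -t 202105100900 "$dir/wp-content/uploads/cache.php"  # changed during the incident
    echo "$dir"
}

# Stand-alone run: everything changed since 1 May 2021, then the subset to inspect first.
# (Paths from mktemp contain no spaces, so the unquoted expansion is safe here.)
root="$(build_sample)"
echo "Changed since 2021-05-01:"; changed_since "$root" 202105010000
echo "Inspect first:"; flag_suspect $(changed_since "$root" 202105010000)
```

Run it against a local copy of your web space downloaded with FileZilla, with the reference timestamp set to your last known update; a file that is both recently changed and flagged is the first one to open and compare against a known-good copy.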
After this has been done, we would advise you to check any pre-built software you have installed, such as WordPress, Joomla and Drupal. Many pre-built software packages have a file showing the installed version; you can compare this against the current version listed on the respective software website and take steps to update anything older than the current release. Along with that, we also have some guides on securing WordPress and Joomla.
Just to recap: you have changed the passwords, checked recently created or modified files and ensured you are running the most recent version of your website software. That’s got to be it now, right? Not yet. Most pre-built software, such as WordPress, supports third-party plug-ins. These also need to be checked to ensure they are the most recent versions.
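The core and plug-in version checks above can be done in one pass. The following added example (not part of the original guide) reads the version WordPress core and each installed plug-in declare and lists anything behind a release table you fill in from the vendor sites. The release table, the plug-in names and the versions are constructed for the demonstration; wp-includes/version.php and the plug-in “Version:” header are the standard WordPress locations.

```shell
# Added example (not from the original guide): read the version WordPress core and each
# installed plugin declare, and list anything behind the current release. The release
# table is an assumption you fill in from the vendor sites; wp-includes/version.php
# and the plugin "Version:" header are the standard WordPress locations.
# Installed core version, from the $wp_version line in wp-includes/version.php.
core_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# One "dir<TAB>version" line per plugin, from the file carrying the "Plugin Name:" header.
plugin_versions() {
    for f in "$1"/wp-content/plugins/*/*.php; do
        grep -q 'Plugin Name:' "$f" 2>/dev/null || continue
        ver="$(sed -n 's/^[ *]*Version: *\([^ ]*\).*/\1/p' "$f" | head -n 1)"
        printf '%s\t%s\n' "$(basename "$(dirname "$f")")" "${ver:-unknown}"
    done
}

# Exit 0 when dotted version $1 is older than $2 (portable, no sort -V needed).
older_than() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Assumed release table (name<TAB>version); replace with today's values from the vendor sites.
CURRENT="$(printf 'core\t5.7.2\nexample-gallery\t2.3.0\ncontact-widget\t1.5.0')"
# Report components behind the release table, or absent from it.
outdated() {
    { printf 'core\t%s\n' "$(core_version "$1")"; plugin_versions "$1"; } |
    while IFS="$(printf '\t')" read -r name ver; do
        latest="$(printf '%s\n' "$CURRENT" | awk -F'\t' -v n="$name" '$1 == n { print $2 }')"
        [ -n "$latest" ] || { printf '%s\t%s\tnot in release table\n' "$name" "$ver"; continue; }
        older_than "$ver" "$latest" && printf '%s\t%s\tbehind %s\n' "$name" "$ver" "$latest"
    done
    return 0
}

# Constructed sample install: core one patch level back, one plugin current, one behind.
build_sample() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/wp-includes" "$dir/wp-content/plugins/example-gallery" "$dir/wp-content/plugins/contact-widget"
    printf "<?php\n\$wp_version = '5.7';\n" > "$dir/wp-includes/version.php"
    printf '<?php\n/*\nPlugin Name: Example Gallery\nVersion: 2.3.0\n*/\n' > "$dir/wp-content/plugins/example-gallery/example-gallery.php"
    printf '<?php\n/**\n * Plugin Name: Contact Widget\n * Version: 1.4.1\n */\n' > "$dir/wp-content/plugins/contact-widget/contact-widget.php"
    printf '<?php // helper file without a plugin header\n' > "$dir/wp-content/plugins/contact-widget/helpers.php"
    echo "$dir"
}

outdated "$(build_sample)"   # stand-alone run prints the two components that are behind
```

A component reported as “not in release table” is one you have not looked up yet, which is worth treating as unknown rather than up to date.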
Just one last thing to check: if you are using pre-built software then it’s more than likely you have a database running in the background. You will also need to review the database’s contents, as it’s possible to store malicious content in the database itself.
The Short
This option is to restore from a clean backup of your website; however, you need to be 100% sure it’s a clean backup. Otherwise you will simply be re-creating the same set-up that allowed the compromise in the first place. As with the Long method, you’ll need to run a complete virus scan on all PCs/laptops before restoring from the clean backup. After this has completed you can change your account passwords, including those for FTP and email accounts. Once that is done you can restore your clean backup; if you don’t have a backup, now may be a good time to make one using the following guide. When your backup is restored and everything is working, you will need to ensure you’re running the latest version of any pre-built software.
The Paranoid
This method tends to be less practical for customers who need their website to be up 24/7. However, it’s by far the best method of ensuring a clean site is restored.
You would start off as with the other methods, by completing a full virus scan on your PC/Laptop to remove any virus or malware present. You may even wish to run two different anti-virus programs to ensure the first scan didn’t miss anything.
After this has been done you will want to change all your account passwords: that means your account, FTP, email and database passwords. Create new passwords using the following guide.
You may also want to take a backup of any databases you have and review them on your personal PC/Laptop to make sure there is nothing malicious held in them.
For the last step you would remove every file from your web space and rebuild the site; this helps ensure no tainted files are placed back on the website.
Classification: Public
Last saved: 2021/05/14 at 10:40 by Jamie