What to Do If Your Website Is Hacked


Published August 14, 2014

Tags: Coding > Security

The notice Firefox prompts when it flags a website for having malware (without the Matrix background)

I (unfortunately) have a lot of experience with hacked websites. It's happened to me several times in the past. Dealing with it is a bit easier now because people are more informed about it. With a few Google searches you can find help. But years ago when I was hacked for the first time, it was awful because there was no help available at the time.

I feel it is my duty to share with everyone what I have learned about hacked websites in hope that I can help others. It's extremely important to be informed on this subject!

Having your website hacked sucks

Having your website hacked is a terrible experience that I don't even wish upon my enemies. The whole ordeal can be so nerve-racking. If you're lucky, one of your website's visitors informs you about it. It's more likely, though, that you'll find out about it from Google, which also means Google flagged your site for having malware, turning people away. It's even more troubling to think about how many of your innocent visitors now have malware or a virus because of your website.

But wait, you might not be hacked

Before I start diving into the hacked website subject, I need to point out that it's possible your website may not be hacked. If you're seeing advertisements on your website that you didn't place there, browse other websites to see if the same advertisements are present. If you see them on every website then you've got a malware extension/add-on/plugin in your web browser. Remove it and the advertisements will disappear. And run a virus scan pronto.

How is a website hacked?

To begin with, it's unlikely that a human did the hacking. It's a bot. For this article I'm going to call them hackbots. A hackbot has several ways to try to infiltrate your website.

  • CMSs. This is the most common method of hacking. All the popular CMSs that we love to use, such as WordPress, Joomla, and Drupal, are notorious for getting hacked. Hackbots are waiting for you to be lazy with your CMS's security updates.
  • From an infected computer. Hackbots can hack a website from a computer infected with a virus or spyware. Through keylogging they can grab the username and password for your CMS. They can also grab your website's FTP credentials from your FTP program, especially if you use FileZilla, since passwords aren't encrypted in FileZilla.
  • Forms. Hackbots try to use SQL injection to hack into a database through the forms on a website, although these days this is unlikely to happen: people are informed about the proper way to code a form to prevent hacks.

How can you tell if you're hacked?

There are two quick ways to check if your website has been hacked.

1. Check the status bar

The easiest way to tell is to pay attention to the lower left of the web browser window:

Example of web browser status bar

This little status bar quickly tells you which websites are being contacted as your website loads. If you have widgets in your website, such as social sharing buttons from a third-party service, it's normal to see the domain name of that third-party service appear in the status bar. However, if you see a website you know for sure is not from a widget you added, then you have a hidden iframe injecting malware or viruses.

2. Run a website security scan

There are two good websites to run a (free) security scan on your website:

What exactly happens to a hacked website?

The following are the most common methods of website hacks:

  1. Hidden iframes. The #1 most common method is that hackbots inject hidden iframes into pages of a website. They place them at the beginning or end of the <body> tag. These iframes lead to websites that infect visitors with malware or a virus, or look for things like passwords and session tokens. Hackbots are really sneaky with this method. If you look at the hacked website via FTP, you won't see updated timestamps on the hacked pages, so you can't tell exactly when they were hacked. And hackbots usually don't hack your entire website. They mainly target index pages.
  2. CMS. If you're using a CMS and you got hacked, then you probably got hacked in your source files, your plugins, and/or your database. Similar to above, CMS hacks aim to collect sensitive information from visitors or infect their computer with a virus.
  3. Hidden spam keywords. A less common method is that hackbots hack your .htaccess file to inject a script that dynamically adds spam keywords to all pages. They do this so that a website can appear in Google under those spam keywords. The tricky part is that if you look at the source code you won't see these spam keywords present. You can only see them if you look at the hacked website in an SEO text browser.
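
Since the timestamps won't tell you which pages were touched, comparing file contents against a clean copy of the site is one way to find them. The following is an added example, not part of the original article; the folder layout, file names and the `injected.example` host are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests

def compare_to_clean(clean_root, live_root):
    """Classify files in the downloaded (live) copy against the clean copy."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),  # never uploaded by you
        "missing": sorted(p for p in clean if p not in live),
    }

def write_tree(root, files, mtime=1400000000):
    """Write {relative_path: text} under root, giving every file the same mtime."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.utime(path, (mtime, mtime))  # identical timestamps in both copies

def demo():
    """Compare two constructed site copies whose timestamps are identical."""
    clean = {"index.html": "<body><h1>Home</h1></body>",
             "about/index.html": "<body>About</body>"}
    live = dict(clean)
    live["index.html"] = '<body><iframe src="http://injected.example/"></iframe><h1>Home</h1></body>'
    live["images/cache.php"] = "<?php /* constructed placeholder */ ?>"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        return compare_to_clean(a, b)

if __name__ == "__main__":
    print(demo())
```

Files listed under "added" deserve as much attention as the modified ones, because they are files you never put on the server.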

How to fix a hacked website

1. If your website is a CMS

If your website is a CMS (e.g. WordPress), you're in luck. Since WordPress is the #1 most hacked system on the planet, there are several plugins available to scan and remove malicious code in your WordPress site. Find them here: WordPress Malware Scanners. Naturally, try the ones with the highest score. The next step is to review WordPress' official article on what to do when WordPress is hacked: FAQ | My site was hacked.

2. If your website was custom made

If your website was custom made (i.e. static or to a degree dynamic), cleaning it is easy. Look in the source code of your hacked pages to find that pesky malicious iframe. It'll look something like this:

<iframe src="http://examplebank.com/app/transferFunds?amount=1500&destinationAccount=654654"></iframe>

It also might be in the form of JavaScript. Download your entire website onto your computer and perform a global Find for that script. A global Find searches the code of all your web pages in a given folder. You can remove it manually, or take note of which pages are infected and upload clean copies of those pages (if you already have a clean copy of your website on your computer). How do you do a global Find, you ask? You can do it with:

  1. Dreamweaver. Here are some Dreamweaver Find & Replace YouTube videos.
  2. Microsoft Visual Studio. If you need a free option, Microsoft Visual Studio is completely free, although it's not as user friendly as Dreamweaver. Here are some Visual Studio Find & Replace YouTube videos.
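
If you don't know the exact text of the injected code yet, a global Find has nothing to search for. The following added example (not part of the original article) walks a downloaded copy of the site and lists every iframe or script tag that loads from a host you did not put there; the allowlist, the host names and the sample page are constructed assumptions.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

def src_host(src):
    try:
        return (urlparse(src.strip()).hostname or "").lower()
    except ValueError:  # malformed URL: report the raw value instead of crashing
        return src.strip().lower()

class EmbedFinder(HTMLParser):  # collects <iframe>/<script> tags not on the allowlist
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.hits = []  # (line, tag, host, looks_hidden)
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = src_host(a.get("src", ""))
        if tag not in ("iframe", "script") or not host or host in self.allowed:
            return  # other tag, inline/relative code, or a widget you added
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        self.hits.append((self.getpos()[0], tag, host, hidden))

def find_foreign_embeds(html, allowed_hosts):
    finder = EmbedFinder(allowed_hosts)
    finder.feed(html)
    return finder.hits

def scan_site(root, allowed_hosts, exts=(".html", ".htm", ".php")):
    """Walk a downloaded copy of the site; return {path: hits} for flagged files."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_foreign_embeds(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample page: one widget the owner added, one injected hidden iframe.
SAMPLE = """<html><body>
<iframe src="http://injected.example/x" width="0" height="0"></iframe>
<script src="https://widgets.example.com/share.js"></script></body></html>"""

if __name__ == "__main__":
    print(find_foreign_embeds(SAMPLE, {"widgets.example.com"}))
```

Injected JavaScript written inline (a script tag with no src) is not flagged by this check; once you have found one copy of it, use the global Find on its text to locate the rest.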

3. .htaccess cleansing

If you looked at your website in an SEO text browser and found no surprise spam keywords, then your .htaccess file was not hacked. But if it was hacked, log into your website via FTP, choose to show hidden files in the preferences of your FTP software, and you'll find your .htaccess file in your main directory. Download it and open it in Notepad to look for the fishy code. It'll be easy to spot; you don't need to be an expert programmer to notice it.
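
As an added example (not part of the original article), here is one way to triage a downloaded .htaccess file instead of reading it only by eye. The patterns, the rule names and the host names are assumptions chosen for illustration; a hit means the line deserves a look, not that it is malicious, since hotlink protection and ordinary redirects use the same directives.

```python
import re

# Heuristic patterns: assumptions chosen for this example, not an exhaustive list.
RULES = [
    ("php-prepend", "runs an extra PHP file on every request",
     re.compile(r"^\s*php_value\s+auto_(prepend|append)_file\b", re.I)),
    ("visitor-condition", "treats crawlers or search visitors differently",
     re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)),
    ("handler-override", "makes other file types execute as PHP",
     re.compile(r"^\s*(AddHandler|AddType|SetHandler)\b.*php", re.I)),
]
# Directives that can point a request at another host; the host is captured.
EXTERNAL = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?|ErrorDocument)\b.*?\bhttps?://([^/\s\"']+)", re.I)

def triage_htaccess(text, own_hosts=()):
    """Return (line_number, rule, reason) for every line worth reviewing."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments are inert
        for name, why, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, why))
        m = EXTERNAL.search(line)
        if m and m.group(1).lower() not in own:
            findings.append((lineno, "external-target", "sends requests to " + m.group(1)))
    return findings

# Constructed sample: a stock WordPress block followed by lines of the kind to look for.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam.example/k.php?p=$1 [L]
php_value auto_prepend_file /tmp/.cache.php
Redirect 301 /old https://www.mysite.example/new
"""

if __name__ == "__main__":
    for finding in triage_htaccess(SAMPLE, own_hosts={"www.mysite.example"}):
        print(finding)
```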

4. Server-side cleansing

This is where things get tricky because this method is a bit advanced. You need to use an SSH client (I recommend PuTTY) to dive into your server to run a series of checks. Maybe this step isn't necessary because not all website hacks extend to your server. However, there's no easy way to tell how deep the hack was until you check with SSH. You could skip this step, but you'd be taking a gamble.

Anyhow, for directions on how to use an SSH client for scanning and cleaning your server of hacks, check out this article: DreamHost | Troubleshooting Hacked Sites.

5. Run a virus scan now!

Run a virus scan immediately to rule out the possibility that your website was hacked due to a virus on your computer. Windows 8 comes with anti-virus (Windows Defender). If you're using Windows 7 or below and you're in need of free anti-virus software, I recommend AVG Free and Malwarebytes Anti-Malware.

How to prevent website hacks

  1. Be aggressive with updating your CMS or any third party scripts/widgets in your website.
  2. If you're on a PC, run scans with your anti-virus on a regular basis.
  3. If you're on a PC, DO NOT browse websites that distribute illegal content (e.g. free streaming of Hollywood movies), free casino/gaming websites, free pornography websites, or free amateur pornography video websites. Those websites are not safe. They intentionally have malicious code, as if they were hacked.
  4. Sign up with Google Webmaster Tools if you haven't already so you can receive alerts from Google when they find that your website was hacked.
  5. Sign up with StopTheHacker. It's a service that scans your website every day for malware and viruses, and even removes them upon detection. They offer lots of other features, too. I recommend the “Professional” package; it's around $200 annually.

If you're blacklisted

When Google flags a website for containing malware

If you took too long to remove the malicious code and your website was flagged in web browsers as malicious, then you've been blacklisted. Learn more about this here: Google Blacklisted My Website. All you can do is make sure your website is all clean, then request a malware review from Google.

Conclusion

In this article I reviewed how a website gets hacked, how to tell if your website is hacked, how to remove malicious code, and how to prevent future attacks. This article, however, doesn't cover everything on this subject. I covered the most common hacks and what I've learned from my own experiences from being a hack victim. To learn more about website hacks I recommend the following articles.
