Prepare to be HACKED!

What to do if my website is hacked

Getting hacked is scary; even the possibility of getting hacked is so scary that some people become paranoid and take extreme measures. Some contact their developers constantly as if their very lives are in danger. Lately, there is no shortage of people telling you how to prevent hacking. I don’t want to discount any of that information and advice – most of it is valuable and well intended.

But prevention is only half of the equation. If you’re only looking at prevention, then you’re not prepared, and there’s a hole in your defenses. I don’t want to scare you even more, but no matter what preventative measures you take, the chances are extremely likely that,

sooner or later,

You Will Be HACKED!

If you aren’t prepared for when that eventually happens, then you’re already behind the ball. If your developer tells you he/she has taken the “necessary precautions” and not to worry about it, then both of you are delusional.

I’m sorry if I’m the bearer of this bad news, or if that comment shocks or insults you. Simply put, there are no 100% guarantees, and anyone that tells you there are is lying to you. Keeping everything updated, or installing some plugin, or putting some other preventative measure in place cannot protect you from all threats.

The first step? Realize, no matter what precautions you’ve taken, that your site can be hacked and prepare for it. If you’re not prepared for the worst then it doesn’t matter what preventative measures you take – recovering from it will be a nightmare that you’ll not soon forget. (Oh, that’s assuming you can recover from it.) Without proper preparation, you may lose everything and have to start from scratch, an even bigger nightmare.

So What Am I Talking About?

It’s a single, simple word but it’s a word that I’ve seen overlooked more times than I can count. That word is:


I’m not just talking about a WordPress site either. Why would a company pay a hacker to get control of their computer back? Because they have no other choice. Obviously, they didn’t have a sufficient recovery plan in place. If they’d backed up their system (properly, might I add), they would be able to recover. In my humble opinion, there isn’t any excuse for allowing something like this to happen. It makes you wonder if they’ve given any thought to security in the first place or what might happen if the hard drive on their server crashes.

I have never had to dig through files of something I maintained and have never had to figure out how to “un-hack” it. Some people call me a pessimist because I always expect the worst and I prepare for it. I don’t see myself as a pessimist; usually what happens is far from the worst.

When it comes to being hacked, I’ve had a bit of experience. For the better part of the 80s and 90s, I sat on the other side of the fence. I spent my free time doing the hacking; trying to get into places I wasn’t supposed to be. I didn’t do this for personal gain or to cause damage; I simply did it for the same reason some people climb mountains: because it was there. During that time, I also visited some of the darker places on the Internet and ended up with a hacked computer by doing so. It was relatively easy to do and something that happened regularly.

Backups and having a recovery plan kept me from tossing several computers in the junk heap or spending endless hours trying to figure out how to undo whatever was done. I lost a computer once and learned my lesson. Some don’t learn until it’s too late.

Hosting Provider Backups

Do not count on your hosting provider to back up your site. If they do perform backups, don’t expect them to provide those backups to you should something go wrong. Even when they do provide a backup, it won’t solve your problems 100% of the time. Relying on them is an error that many people make.

Yes, more than likely your hosting provider does do backups on a regular basis; at least you hope so. But if you read your service agreement, those backups are for their own disaster recovery, not for yours. Usually, in the small print, you’ll find that they are under no obligation to provide you with those backups, to recover your site, or to guarantee the ability to recover your site. If you lose your site and your hosting provider does not have a backup, does not provide one, does not restore your site, or has a backup that does not correct the problem, then there’s nothing that you can really do about it. Trusting them with this responsibility does not sound like a good plan to me. You need to take responsibility for this and have your own backup and recovery plan in place.

Backup Procedure

1) Back Up Your Database

Back up the database daily. I do this using a cron job. When I set up a new site and a database, I automatically set up a cron job that runs every night, usually at around 2 AM. This exports or backs up the contents of the database. These backups are stored for between 30 and 60 days and then automatically deleted. WordPress provides plugins that will do this for you if you can’t run cron jobs.

2) Back Up Your Files

Every time you make a change to the site, back up the site files. I’m not just talking about uploads; I’m talking about every file on the site. I do this manually by downloading the files through FTP, but there are plugins for this; usually the same one used for backing up the database will do it.

Why do I do this manually? Well, it’s simple. I already have a copy of every site I work on sitting on my computer, and it’s easy to download new files or files that have changed using FTP. Hence, I’m not really downloading everything, and it usually doesn’t take me that long.

3) Store all Backups in a “Secure Location”

The phrase above does not mean a separate folder on your website. If your site gets hacked, anything stored there is suspect and useless. You need to download the backup files or copy them to some other location that’s not associated with your site or your hosting account. As I said above, I have a copy of every site I work on sitting on my computer. Not only this, but my computer is backed up regularly – every time someone changes a file. Every site I work on is backed up not just once, but an infinite number of times for as long as I’m maintaining it. I then can go back in time to any point in the site’s history.

Sound crazy? Tell that to the ex-client that came to us because their site was hacked over a year after I last worked on it. (Not only am I a little OCD about backups, I’m also a digital pack-rat.)

Just downloading them to your computer is not sufficient. Your computer is more likely to be hacked than your website. In some cases, it’s a hacked computer belonging to someone with FTP access to the site that’s the cause of the hacking in the first place. You need to have some other place to store a copy of those files: think backups of backups.
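The three steps above can be scripted. The following is an added example, not the author's own setup: a cron-driven database dump with a retention window and a SHA-256 manifest, so that an off-site copy can be checked for corruption or later modification before it is used in a restore. The backup directory, database name, script path and the 30-day default are assumptions.

```bash
#!/bin/sh
# Nightly database backup with retention and a checksum manifest.
# Example crontab entry (2 AM, as in step 1):
#   0 2 * * * /usr/local/bin/site-backup.sh run
# All paths and names below are assumptions for illustration.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/site}"  # outside the web root
DB_NAME="${DB_NAME:-wordpress}"                # hypothetical database name
RETENTION_DAYS="${RETENTION_DAYS:-30}"         # the article keeps 30 to 60 days

# Step 1: dump the database to a dated, compressed file and print its name.
# Credentials are read from ~/.my.cnf (mode 600), not from the command line.
dump_database() {
    out="$BACKUP_DIR/$DB_NAME-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump --single-transaction "$DB_NAME" > "$out" || { rm -f "$out"; return 1; }
    gzip "$out" && echo "$out.gz"
}

# Delete dumps older than the retention window.
prune_old() {
    find "$BACKUP_DIR" -maxdepth 1 -name '*.sql.gz' -mtime +"$RETENTION_DAYS" -delete
}

# Record a SHA-256 for every dump so a copy can be checked before a restore.
write_manifest() {
    ( cd "$BACKUP_DIR" && sha256sum -- *.sql.gz > SHA256SUMS )
}

# Returns non-zero if any dump no longer matches the manifest.
verify_manifest() {
    ( cd "$BACKUP_DIR" && sha256sum --quiet -c SHA256SUMS )
}

if [ "${1:-}" = "run" ]; then
    set -eu
    umask 077                     # dumps contain user data and password hashes
    mkdir -p "$BACKUP_DIR"
    dump_database
    prune_old
    write_manifest
    # Step 3: pull BACKUP_DIR (dumps plus SHA256SUMS) from a machine that is
    # not part of the hosting account, then run verify_manifest on that copy.
fi
```

Pulling the files from the backup machine, rather than pushing them from the web host, means a compromised site never holds credentials for the place the backups are kept.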

If You Get Hacked With A Backup Plan In Place

You’re prepared. You performed the backups for this reason. Stay calm and recover.


If a site gets hacked, I turn to my backup plan and take these steps:

  1) Scan your computer for viruses and malware. You should be doing this on a regular basis anyway, but do it again before you start working on the site, just in case. Believe it or not, most of the sites I’ve seen hacked got that way because someone with an infected computer connected to the site using FTP, not because of some vulnerability in a plugin or the coding of the site.
  2) Change all FTP and database passwords, ensuring they are secure passwords.
  3) Delete everything on the site. Yes, everything! Make sure you delete all hidden files as well. There may be files on the site you can’t delete using FTP because of special characters. This is done on purpose to make it difficult to remove the hack. The best option is to contact your hosting provider and ask how to delete these leftover files.
  4) Do not proceed until this is done. Restore your files and database from your backup.
  5) Change the database password the restored site uses to the new one you created in step 2, so that the site can connect to the database.
  6) Log into the admin and change all user passwords.


When it comes to the security of your site, prevention and a good recovery plan are both important. However, without a good recovery plan, any time spent on prevention is a wasted effort because it’s impossible to achieve 100% protection, no matter what that security company might be selling you. Sites, even those that took preventative measures, get hacked every day.

Given the choice between trying to attain 100% protection and prevention versus having a good backup and recovery plan? I’ll put my money on the good backup and recovery plan every time. I’m honestly a little tired of the “How Websites Get Hacked” and the “How to Keep Your Website from Being Hacked” articles that never mention preparing for when you actually do get hacked. Me personally, I’m not too worried or afraid of hackers because I’m prepared to deal with them, and I’m not about to lose sleep worrying about it happening.