How to deal with compromised websites
We regularly carry out malware scans of sites hosted on our shared hosting platform and will contact you if we identify that your site has become compromised. Depending on the severity of the problem, the hosting for the site may be suspended and we will contact you with instructions for requesting unsuspension and securing your site.
We'll start by looking at some preventative measures you can take to help keep your site secure against hacking attempts. Whilst this won't help if your site has already become compromised, it's important to be aware of this information to help avoid future problems and to understand how your site may have been compromised.
- Password policy – Setting strong passwords for all accounts associated with your website will help to keep your site safe from brute-force/dictionary attacks. Your FTP, database, admin accounts and any other passwords associated with your LCN account should always use strong passwords. We have a guide to help you make a strong password here.
- Software updates – If your site uses a content management system such as WordPress, Joomla or Drupal, it is very important to stay up to date with all updates/patches released for the CMS. This includes making sure that any plugins, themes and add-ons for your site are updated regularly to their latest versions.
These updates are often released to patch known security vulnerabilities and failure to promptly apply them will leave your site at risk.
- Security plugins/add-ons – For WordPress-based sites and other content management systems, adding a security plugin can help to keep your site secure against the most common security threats. For WordPress-based sites hosted with LCN, we recommend the Wordfence plugin. Security plugins can help to apply the following security enhancements to your site:
- Changing admin account usernames from the default of: admin.
- Changing the URL to access the dashboard for your site.
- Enabling brute-force protection/firewalls.
- Components for scanning files for malware/virus signatures.
- File Permissions – File permissions define the level of access granted to a user on the folders and files for your website, allowing you to specify read, write and execute permissions for three user types: owner/group/public.
Allowing read/write/execute permissions to your files and folders to the public could leave your site open to attack. The LCN hosting platform disables the use of 777 permissions (allowing read/write/execute permissions to all users) but it can still be important to make sure that file permissions are set to suitable values. In most cases file permissions should be set to 644 and folder permissions to 755.
- Backups – An important measure that you can take to protect your site against hacking attacks is to have a backup that can be used to restore your site to a working/clean state. The following guides will explain how to use the LCN backup utility or how to manually take a backup of your site:
If you use a backup to restore your site, you should be aware that you are restoring an insecure site and that the vulnerabilities that allowed the site to become compromised will still exist. It is important to make sure that the backup that you are restoring is not compromised and that appropriate steps are taken to secure your site after restoring from a backup.
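The file-permission baseline from the list above (644 for files, 755 for folders) can be checked from a shell. This is an added example, not LCN tooling: the function names are made up for illustration, and the web root is whatever path you pass in.

```shell
#!/bin/sh
# Added example: audit a web root against the 644 (files) / 755 (folders)
# baseline. Function names are illustrative, not part of any LCN tool.

# Print files with any permission bit beyond 644 (any execute bit, or
# group/public write) and folders with any bit beyond 755 (group/public
# write). Stricter modes such as 600 or 700 are not flagged.
audit_perms() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -020 -o -perm -002 \) -print
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
}

# Remove only the excess bits, so nothing becomes MORE permissive:
# 666 -> 644 and 775 -> 755, while 600 and 700 stay as they are.
# Note: this also clears execute bits on files, so scripts that must be
# executable (e.g. CGI) need their mode restored by hand afterwards.
tighten_perms() {
    find "$1" -type f -exec chmod u-x,go-wx {} +
    find "$1" -type d -exec chmod go-w {} +
}

# Number of entries still outside the baseline (0 means compliant).
count_violations() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# When run with a path argument, report what is outside the baseline.
if [ -n "${1:-}" ]; then
    audit_perms "$1"
fi
```

Run the audit first and review the list before tightening; symbolic links are not followed or changed.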
If you suspect that your site is compromised
If you suspect that your site has been compromised, we would recommend that you get in touch with the LCN support team.
We can carry out a malware scan of the site and help with changing any passwords associated with your site. If the malware scan returns any results to indicate that your site is compromised, we will provide further recommendations for securing the site.
If your site has been compromised
If you've been notified, or have identified that your site has been compromised, the following steps are recommended to start the process of securing your site:
- Check your computer for virus/malware problems. Before carrying out steps to recover your site, we recommend running virus/malware scans on any computers/devices used to manage the site.
- Reset Passwords – It is recommended to reset the passwords for any logins associated with the site. This includes, but may not be limited to, your LCN account password, FTP and database passwords and admin account passwords for the site.
- Restoring/recovering your site:
- If you have a backup of your site
If you have a clean backup of your site that can be restored – we’d recommend using this to restore your site to a point before the compromise occurred.
- If you don’t have a backup of your site
If you haven’t used the LCN backup utility to manage backups of your site, or taken a manual backup of your site, it may be more difficult to recover the site after being compromised.
If you have identified the problem quickly then it may be possible for the support team to recover a working version of your site from our disaster-recovery backups. However, data recovery requests using our disaster-recovery backups are charged at £50+VAT per request. You can contact the support team to check the backup restore points that are available. Our backups for website files will usually cover the last two weeks and daily database backups will be stored for approximately seven days.
You can attempt to recover your site without restoring from a backup, but in many cases, this may not be possible or steps to secure the site may not be sufficient depending on the extent of the hack.
If a clean backup of the site isn't available and the site cannot be recovered manually, the safest option is to re-build the site. In many cases it is quicker and safer to re-build the site if the core files of the site have been compromised. If you need any help building a new site, we offer a WordPress web design service to help you get up and running again as quickly as possible.
Steps to secure your site
The following steps would be recommended as a minimum to make sure that your site is secure going forward.
WordPress-based sites
If your site is developed using WordPress, the following steps will be required to secure the site:
- Update WordPress to the latest available version. If you are already using the latest available version of WordPress, consider manually reinstalling WordPress to replace all of the core files for the software: Updating WordPress
- Update all installed themes and plugins to the latest available versions
- Delete any unused themes and plugins from the dashboard for your site
- Reset user account passwords and delete any unneeded admin accounts
We would recommend installing the following security plugin for WordPress: Wordfence
Disabling script execution in WordPress directories
Disabling PHP execution in the following WordPress directories can help to improve security for WordPress sites:
The following page will provide instructions on how to disable PHP execution within these folders:
The links below will provide some further recommendations on how to improve security for WordPress based websites:
- Wordfence – How to clean a hacked site.
- Updating WordPress
- WordPress site hacked FAQ
- Hardening WordPress
The following page will provide best practice guidelines for security with Joomla based websites including a checklist you can follow in the event that your site becomes hacked/defaced:
The following pages provide best practice guidelines for Drupal based sites and a checklist that you can follow if your site has been hacked/defaced:
For sites using other Content Management Systems, make sure that all available updates are applied to the CMS version and to any installed add-ons/extensions.
That’s it, you should now have an understanding of preventative measures you can take to protect your site against hacking attempts and how to respond if your site does become compromised.