How to deal with compromised websites

This guide will show LCN web hosting and WordPress hosting customers how to respond when their site has been compromised.

You may be made aware that your site has been compromised by Google search console or safe-browsing warnings that could appear when accessing your site.

We also regularly carry out malware scans of sites hosted on our shared hosting platform and will contact you to notify if we identify that your site has become compromised. Depending on the severity of the problem, the hosting for the site may be suspended and we will contact you with instructions for requesting unsuspension and securing your site.

Preventative Measures

We’ll start by looking at some preventative measure your can take to help keep your site secure against hacking attempts. Whilst this wont help if your site has already become compromised, it’s important to be aware of this information to try and avoid future problems and to gain an understanding of how your site may have been compromised.

  1. Password policy – Setting strong passwords for all accounts associated with your website will help to keep your site safe from brute-force/dictionary attacks. Your FTP, database, admin accounts and any other passwords associated with your LCN account should always use strong passwords.
  2. Software updates – If your site uses a content management system like; WordPress, Joomla or Drupal, it is very important to stay up to date with all updates/patches released for the CMS. This includes making sure that any plugins, themes and add-ons for your site are updated regularly to their latest versions.

    These updates are often released to patch known security vulnerabilities and failure to promptly apply them will leave your site at risk.

  3. Security plugins/add-ons – For WordPress based sites and other content-management-systems, adding a security plugin can help to keep your site secure against the most common security threats. For WordPress based sites hosted with LCN, we recommend the WordFence plugin. Using security plugins can help to apply the following security enhancements to your site:

    • Changing admin account usernames from the default of: admin.
    • Changing the URL to access the dashboard for your site.
    • Enabling brute-force protection/firewalls.
    • Components for scanning files for malware/virus signatures.

  4. File Permissions – File permissions define the level of access granted to a user on the folder and files for your website; Allowing you to specify read, write and execute permissions to three user types: owner/group/public.

    Allowing read/write/execute permissions to your files and folders to the public could leave your site open to attack. The LCN hosting platform disables the use of 777 permissions (allowing read/write/execute permissions to all users) but it can still be important to make sure that file permissions are set to suitable values. In most cases file permissions should be set to 644 and folder permissions to 755.

  5. Backups – An important measure that you can take to protect your site against hacking attacks is to have a backup that can be used to restore your site to a working/clean state. The following guides will explain how to use the LCN backup utility or how to manually take a backup of your site:

    How to backup and restore your website using the LCN backup utility

    How to backup your website

    If you use a backup to restore your site, you should be aware that you are restoring an insecure site and that the vulnerabilities that allowed the site to become compromised will still exist. It is important to make sure that the backup that you are restoring is not compromised and that appropriate steps are taken to secure your site after restoring from a backup.

If you suspect that your site is compromised

If you suspect that your site has been compromised, we would recommend that you get in touch with the LCN support team: https://www.lcn.com/contact

We can carry out a malware scan of the site and help with changing any passwords associated with your site. If the malware scan returns any results to indicate that your site is compromised, we will provide further recommendations for securing the site.

Please note: Each malware scanner works differently and no one scanner can provide 100% reliability. We recommend that you also use a third-party malware scanner as well as our own to ensure your website content is free of any compromised files.

If your site has been compromised

If you’ve been notified, or have identified that your site has been compromised the following steps are recommended to start the process to secure your site:

  1. Check your computer for virus/malware problems. Before carrying out steps to recover your site we recommend to run virus/malware scans on any computers/devices used to manage the site.
  2. Reset Passwords – It is recommended to reset the passwords for any logins associated with the site. This includes but may not be limited to; your LCN account password, FTP and database passwords and admin account passwords for the site.
  3. Restoring/recovering your site:

    • If you have a backup of your site

      If you have a clean backup of your site that can be restored – we’d recommend using this to restore your site to a point before the compromise occurred.

      Please note: There will be further steps needed to secure your site after restoring, to fix any security vulnerabilities that allowed the site to become compromised in the first place.


    • If you don’t have a backup of your site

      If you haven’t used the LCN backup utility to manage backups of your site, or taken a manual backup of your site, it may be more difficult to recover the site after being compromised.

      If you have identified the problem quickly then it may be possible for the support team to recover a working version of your site from our disaster-recovery backups. However, Data recovery requests using our disaster-recovery backups are charged at £50+VAT per request. You can contact the support team to check the backup restore points that are available. Our backups for website files will usually cover the last two weeks and daily database backups will be stored for approximately seven days.

      Please note: These backups are designed for internal purposes only and we cannot guarantee a clean working copy of the site can be provided.

      You can attempt to recover your site without restoring from a backup, but in many cases, this may not be possible or steps to secure the site may not be sufficient depending on the extent of the hack.

If a clean backup of the site isn’t available and the site cannot be recovered manually, the safest option is to re-build the site. In many cases it is quicker and safer to re-build the site if the core files of the site have been compromised. If you need any help building a new site, we offer a WordPress web design services to help you get up and running again as quickly as possible.

Steps to secure your site

The following steps would be recommended as a minimum to make sure that your site is secure going forward.

Please note: this list of recommendations is not exhaustive, and you may need to consult the documentation or support for the software in use for your site to check if further steps would be recommended:

WordPress Based sites

If your site is developed using WordPress, the following steps will be required to secure the site:

  • Update WordPress to the latest available version. If you are already using the latest available version of WordPress consider manually reinstalling WordPress to replace all of the core files for the software: Updating_WordPress#Manual_Update
  • Update all installed themes and plugins to the latest available versions
  • Delete any unused themes and plugins from the dashboard for your site
  • Reset user account passwords and delete any unneeded admin accounts
  • We would recommend installing the following security plugin for WordPress: https://wordpress.org/plugins/wordfence/

Disabling script execution in WordPress directories

Disabling PHP execution in the following WordPress directories can help to improve security for WordPress sites:

/wp-includes/
/wp-content/uploads/

The following page will provide instructions on how to disable PHP execution within these folders: http://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/

The links below will provide some further recommendations on how to improve security for WordPress based websites:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
http://codex.wordpress.org/Updating_WordPress
https://codex.wordpress.org/FAQ_My_site_was_hacked
http://codex.wordpress.org/Hardening_WordPress

Other Content-Management-Systems

For sites using other Content Management Systems, make sure that all available updates are applied to the CMS version and to any installed add-ons/extensions.

That’s it, you should now have an understanding of preventative measures you can take to protect your site against hacking attempts and how to respond if your site does become compromised.

Check out some of our related guides

Need a hand? Search over a hundred step-by-step support guides