How to Deal with ‘Hacked’ CMS Websites?
Content management systems (CMS) provide an excellent way of producing websites that can be easily maintained, easily edited and worked on by a large set of developers from around the world.
One of the disadvantages of these CMSs is that their code is publicly available, which makes it easier for the less desirable developers on the internet to find a way of getting into your site's code and doing some even less desirable things.
Some common symptoms include:
- Links to third party sites (usually related to tablets for erectile dysfunction…) being injected into your theme
- The whole site being redirected to a third party website. These are usually landing pages for activist hacker groups
- Hijacking Google search results
- Hijacking click-throughs from search engines
There’s no single answer to how to deal with these problems, but there are some general guidelines you can follow to track the problem down, prevent it, and deal with it quickly in the future. There are also some specific things to look out for in specific CMSs, but that’s a subject for another time.
What can I do?
First of all, stay calm. The chances are that this isn’t an attack targeted at you or your website directly; it’s most likely a blanket attack trying to exploit holes in the CMS or the plugins you have installed. The chances are that somebody else has already had this problem and you’ll be able to find some resources to help.
The key things to understand are:
- Why your site could be compromised in the first place
- What files have been edited or added when the site was compromised
- What you need to do to get the site back to normal
- What to do after you’ve cleared up issues
- How to prevent the problem in the future
Why was my site compromised?
The number one cause of this issue is an out-of-date CMS or out-of-date plugins. It’s an easy trap to fall into, as sites will work for some time with no problems and you can grow complacent. Don’t become complacent: being proactive is key to keeping your site secure.
It’s also possible that the issue could be related to a server security issue, but if you use a reputable hosting provider, it’s fairly unlikely.
What files have been affected?
One of the easiest ways to find out is to use a PHP script that lists when files were last modified. You’ll have to sift through the results and ignore the valid changes, such as new images, cache files, and CMS and plugin upgrades (although I’d expect the latter won’t be relevant, otherwise you probably wouldn’t be in this position).
This will help you quickly draw up a list of files that have been added recently that shouldn’t be there. Find them and delete them. Don’t be tempted to download them unless you know what you’re doing.
We use one here that we found some time ago, but I can’t confirm who the original source of the script was. I’ve published it here too, but this isn’t my work.
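The kind of script described above, written as an added example for this post rather than the author's own: it walks the web root, lists every file modified in the last N days, newest first, and prunes directories that are assumed to churn legitimately (cache, uploads, logs). The directory names in the skip list and the default of 7 days are assumptions; adjust them to your install.

```php
<?php
// recent-files.php: added example, not the author's script. Lists files
// under the web root modified in the last N days, newest first, so that
// unexpected additions stand out from legitimate changes (uploads, cache).
//
// Usage: upload next to the CMS index.php and open it in a browser
// (recent-files.php?days=7), or run `php recent-files.php 7` from a shell.
// Remove it again once you are done: it has no authentication of its own.

declare(strict_types=1);

// Assumptions: the script lives in the web root, and these directory names
// are the usual sources of legitimate churn in a CMS install.
$root = __DIR__;
$skipDirs = ['cache', 'uploads', 'tmp', 'logs', '.git'];

$days = PHP_SAPI === 'cli'
    ? (int)($argv[1] ?? 7)
    : (int)($_GET['days'] ?? 7);   // cast to int, so the parameter is never used raw
if ($days < 1) {
    $days = 7;
}
$since = time() - $days * 86400;

/**
 * Recursively collect path, mtime and size for every regular file under
 * $root whose modification time is at or after $since, skipping subtrees
 * whose directory name appears in $skipDirs.
 */
function recentFiles(string $root, int $since, array $skipDirs): array
{
    $found = [];
    $dir = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    // A callback filter lets us prune whole subtrees before descending.
    $filter = new RecursiveCallbackFilterIterator(
        $dir,
        function (SplFileInfo $file, string $key, RecursiveDirectoryIterator $iterator) use ($skipDirs): bool {
            if ($iterator->hasChildren()) {
                return !in_array($file->getFilename(), $skipDirs, true);
            }
            return $file->isFile();
        }
    );
    foreach (new RecursiveIteratorIterator($filter) as $file) {
        $mtime = $file->getMTime();
        if ($mtime >= $since) {
            $found[] = [
                'path'  => substr($file->getPathname(), strlen($root) + 1),
                'mtime' => $mtime,
                'size'  => $file->getSize(),
            ];
        }
    }
    // Newest first: the most recent changes are the ones to look at first.
    usort($found, fn(array $a, array $b): int => $b['mtime'] <=> $a['mtime']);
    return $found;
}

header('Content-Type: text/plain; charset=utf-8');  // ignored on the CLI
$files = recentFiles($root, $since, $skipDirs);
printf("Files modified in the last %d day(s) under %s: %d\n\n", $days, $root, count($files));
foreach ($files as $f) {
    printf("%s  %8d  %s\n", date('Y-m-d H:i:s', $f['mtime']), $f['size'], $f['path']);
}
```

Two caveats when reading the output: an attacker can reset a file's modification time, so an empty list is not proof of a clean site, and a PHP file sitting in an uploads or cache directory is suspicious regardless of its date, so check those pruned directories separately.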
How do I get my site back to normal?
This very much depends on what happened when the site was compromised.
If you have a backup that you know works and isn’t too old to be useful, use it, as it’s likely to be the quickest way to get you back to normal. All reputable hosting providers maintain backups, but they tend to be server-level backups and can take time to get hold of. Find a backup plugin and use it – you won’t regret it in the long run.
If for any reason you can’t do that, or you’d like to understand more about what’s happened, then you’ll need to do some more digging. Usually it’s just a case of identifying the files that have changed and either deleting them or, if they’re a core file (such as a theme file), removing the code that’s been injected. Usually the injected code will have been added at the beginning or the end of the file.
Some common files that could have been edited are:
- .htaccess file – this is the usual way of redirecting your site visitors to another website
- main index.php file – this is the usual way of injecting links to third parties
- Theme index.php file – this is another way of injecting links to third parties
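To go through those usual suspects faster, here is an added example (not from the original post) that scans every .php file and .htaccess under a directory for a handful of indicators that mass CMS compromises commonly leave behind, and reports whether each hit sits near the start or the end of the file, which is where injected code usually lands. The indicator patterns are assumptions about typical injections, not a complete signature set; treat hits as leads to inspect, not verdicts.

```php
<?php
// find-injected-code.php: added example, not from the original post.
// Run from a shell: php find-injected-code.php /path/to/webroot

declare(strict_types=1);

// Indicators are assumptions about what a typical injection looks like.
const INDICATORS = [
    // PHP payloads that hide their real code behind decoding plus eval
    'eval over decoded string' => '/eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    // preg_replace with the /e modifier evaluates the replacement as PHP
    'preg_replace /e modifier' => '/preg_replace\s*\(\s*[\'"][^\'"]*\/[a-zA-Z]*e[a-zA-Z]*[\'"]/i',
    // a very long base64 run in a PHP file is often an encoded payload
    'long base64 blob' => '/[A-Za-z0-9+\/]{200,}={0,2}/',
    // .htaccess directives that send visitors to another site
    'htaccess redirect to external site' => '/^\s*(Redirect(Match)?|RewriteRule)\b.*https?:\/\//im',
    'htaccess error page on external site' => '/^\s*ErrorDocument\s+\d+\s+https?:\/\//im',
];

// Only PHP sources and .htaccess files are worth scanning here.
function isCandidate(SplFileInfo $file): bool
{
    $name = $file->getFilename();
    return $name === '.htaccess' || preg_match('/\.php[0-9]?$/i', $name) === 1;
}

/** One entry per (file, indicator) hit, with line number and position. */
function scanTree(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !isCandidate($file)) {
            continue;
        }
        $hits = array_merge($hits, scanFile($file->getPathname(), $root));
    }
    return $hits;
}

function scanFile(string $path, string $root): array
{
    $content = file_get_contents($path);
    if ($content === false || $content === '') {
        return [];
    }
    $length = strlen($content);
    $hits = [];
    foreach (INDICATORS as $name => $regex) {
        if (preg_match($regex, $content, $m, PREG_OFFSET_CAPTURE) !== 1) {
            continue;
        }
        $offset = $m[0][1];
        $line = substr_count($content, "\n", 0, $offset) + 1;
        // Prepended/appended code sits in roughly the first or last 10%.
        $position = $offset < $length * 0.1 ? 'head'
                  : ($offset > $length * 0.9 ? 'tail' : 'middle');
        $hits[] = [
            'file'      => substr($path, strlen($root) + 1),
            'indicator' => $name,
            'line'      => $line,
            'position'  => $position,
        ];
    }
    return $hits;
}

$root = rtrim($argv[1] ?? __DIR__, '/');
foreach (scanTree($root) as $h) {
    printf("%-7s line %5d  %-38s %s\n", $h['position'], $h['line'], $h['indicator'], $h['file']);
}
```

Expect some false positives: minified JavaScript or embedded images inside a PHP file can trip the base64 indicator, and a legitimate .htaccess may redirect to a canonical domain. Compare any flagged core or theme file against a fresh copy of the same CMS or theme version before deleting anything.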
If you don’t feel you’re capable of dealing with it yourself, contract a third party specialist to deal with it on your behalf. There are plenty around. We’ve used Sucuri in the past and they’ve always provided excellent support.
What shall I do after I’ve cleaned up my site?
This is one part of dealing with a compromised site that can have a solid process to follow.
- Update your CMS and plugins
- Change all key passwords, including FTP, SFTP, SSH, cPanel, database and CMS administrator logins
- Scan your computer, and any others that connect to the site using FTP or through the CMS admin panel, for spyware
- Remove any plugins that are no longer required. The fewer scripts you have, the fewer places there are to get into your site
How can I prevent this in the future?
There are a few things you can do to help.
- Keep your CMS and plugins up to date
- Use a reputable hosting provider, especially one that regularly scans their servers for known malware and can pro-actively help
- Keep your CMS and plugins up to date
- And in case I didn’t mention it already… keep your CMS and plugins up to date