Actions to take after your open-source application site is hacked

(Original Source: http://codex.wordpress.org/ , http://docs.joomla.org/ & http://www.itoctopus.com )
Although open-source applications such as WordPress and Joomla! are established and reliable content management systems, that does not mean they are 100% safe. Hackers are becoming smarter: they constantly look for vulnerabilities in these applications, introduce new hacking methods and update their malware.

You may refer to the following articles to find out why open-source applications get hacked:

http://www.itoctopus.com/10-reasons-why-your-joomla-website-got-hacked
http://www.esecurityplanet.com/open-source-security/top-5-wordpress-vulnerabilities-and-how-to-fix-them.html


In the unfortunate event that your website is hacked, please refer to the following steps:
First of all, stay calm!
You have to stay calm to be able to deal with this situation. The first step before you respond to any security incident is to calm yourself down to make sure you do not commit any mistakes.

Assess the situation:
Is the website no longer functioning? Is the website attempting to download some malicious content to the visitors' machines? Is the website showing a blank page or obscene images/text on the homepage? Assess the situation of your website in order to know what to do in the next steps.

Scan your local machine:
Sometimes the malware is introduced through a compromised desktop system. Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting anti-virus software and hiding from it, so you may want to try a different scanner as well. This advice generally only applies to Windows systems.

Check with NewMedia Express Support Team:
The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with the NewMedia Express Support Team in case we are already taking steps or need to. The Support Team is also able to confirm whether an incident is an actual hack or a loss of service, for example.

For NewMedia Express customers: after receiving a support ticket from the account administrator, the Support Team will confirm with the administrator whether the hack came through the server back-end. If the server itself is currently secure, the customer is advised to perform the steps below.

Change your passwords:
Change the passwords for the blog users, your cPanel account, FTP access, MySQL users and so on. If you have misplaced your cPanel password, use your admin email address to send a reset request to support@newmediaexpress.com.

For WordPress, change your secret keys:
If they stole your password and are logged into your blog, even if you change your password they will remain logged in. How? Because their cookies are still valid. To disable them, you have to create a new set of secret keys.
(For WordPress, please visit the WordPress key generator to obtain a new random set of keys, and then overwrite the values in your wp-config.php file with the new ones)
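
The key replacement described above, as an added example that is not part of the original article. It generates the values locally with Python's secrets module instead of fetching them from the WordPress key generator; the function names and the sample file content are assumptions made for illustration.

```python
import re
import secrets
import string

# The eight constants WordPress uses to sign login cookies and nonces.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# No quote or backslash characters, so a value is safe inside PHP single quotes.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*['\"](?P<name>%s)['\"]\s*,.*\);[ \t]*$" % "|".join(KEY_NAMES),
    re.MULTILINE)

def new_secret(length=64):
    """Random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Replace every key/salt define(); return (new_text, replaced, missing)."""
    replaced = []

    def swap(match):
        replaced.append(match.group("name"))
        return "define( '%s', '%s' );" % (match.group("name"), new_secret())

    new_text = DEFINE_RE.sub(swap, config_text)
    missing = [name for name in KEY_NAMES if name not in replaced]
    return new_text, replaced, missing

# Constructed sample, not a real configuration. NONCE_SALT is left out on purpose.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'old value 1' );
define('SECURE_AUTH_KEY', "old value 2");
define( 'LOGGED_IN_KEY',    'old value 3' );
define( 'NONCE_KEY',        'old value 4' );
define( 'AUTH_SALT',        'old value 5' );
define( 'SECURE_AUTH_SALT', 'old value 6' );
define( 'LOGGED_IN_SALT',   'old value 7' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, replaced, missing = rotate_keys(SAMPLE)
    print(text)
    print("replaced:", replaced, "| still to add by hand:", missing)
```

Saving the rewritten text as wp-config.php invalidates every existing login cookie, including your own, so expect to log in again. Any constant reported as missing has to be added to the file by hand.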

Take a backup of what you have left:
If your files and database are still there, consider backing them up so that you can investigate them later at leisure, or restore to them if your cleaning attempt fails. Be sure to label them as the hacked site backup.

Identify and fix the problems:*
If you have some programming experience, examine which files/data were changed (and how they were changed), then fix them immediately.

* Kindly note that NewMedia Express mainly provides web hosting services; we do not provide website maintenance services. If you do not have any programming experience, or if you cannot locate/solve the problem yourself, please contact your website developers. They built the website, so they will most likely be able to restore it to its previous condition faster than you can and fix the issue accordingly.

Check your .htaccess file for hacks:
Hackers can use your .htaccess file to redirect visitors from your URL to malicious sites. Look in the base folder for your site, not just your blog's folder. Hackers will try to hide their code at the bottom of the file, so scroll down. They may also change the permissions of the .htaccess file to stop newbies from editing it; change the permissions back to 644. For NewMedia Express cPanel users, please check your /home folder as well as the public_html folder, because hackers sometimes place an affected .htaccess file in the home folder.
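
The three signs described above (redirects to another site, directives hidden below a run of blank lines, and permissions other than 644) can be checked with a short script. This is an added example, not part of the original article; the function names, the 10-line gap threshold and the sample content are assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Directives that can send a visitor to another URL.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect\w*|ErrorDocument)\b.*?(https?://[^\s\"'\]]+)",
    re.IGNORECASE)

def audit_htaccess(text, mode, own_hosts, gap=10):
    """Return (line_number, message) findings; line 0 means the file itself."""
    findings = []
    if mode & 0o777 != 0o644:
        findings.append((0, "permissions are %o, expected 644" % (mode & 0o777)))
    blank_run = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= gap:  # content pushed out of sight below empty lines
            findings.append((lineno, "directive after %d blank lines" % blank_run))
        blank_run = 0
        match = REDIRECT_RE.match(line)
        if match:
            host = (urlparse(match.group(2)).hostname or "").lower()
            if host not in own_hosts:
                findings.append((lineno, "redirect to external host " + host))
    return findings

def audit_file(path, own_hosts):
    """Audit one .htaccess on disk, e.g. in the home folder and in public_html."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_htaccess(fh.read(), os.stat(path).st_mode, own_hosts)

# Constructed sample: a normal block, 12 blank lines, then an appended rule.
SAMPLE = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]\n"
    "# END WordPress\n"
    + "\n" * 12
    + "RewriteRule ^(.*)$ http://redirect.example.invalid/in.php [R=302,L]\n"
)

if __name__ == "__main__":
    for lineno, message in audit_htaccess(SAMPLE, 0o100444, {"www.example.com"}):
        print(lineno, message)
```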

Consider deleting everything:
A sure way to remove hacks that currently exist is to delete all the files from your web space (the cPanel home folder and all its child folders, including the "public_html" folder) and clear out your database. Of course, if you do this, you will need backups to restore from.

Consider restoring a backup:
If you restore from a known clean backup of your database and re-upload your backed-up plugin, extension and theme files through FTP or SFTP, that will ensure that all those parts are clean of malicious code. NewMedia Express does back up website files on the server; however, this is only for disaster recovery purposes. It is still the customer's responsibility to back up files regularly. If you would like to request a restoration from the NewMedia Express backup, kindly note that an ad hoc service charge of S$100 will be applied.

Replace the core application files with ones from a freshly downloaded zip:
Replacing all your core files will ensure that they are no longer left in a hacked state. If you did not restore backup copies of your plugin and theme files, replace them too.
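
Before overwriting the core files, the hacked copy can be compared with the freshly downloaded release to see which files were changed or added, which also serves the "Identify and fix the problems" step. This is an added example, not part of the original article; the function names and the WordPress-style skip lists (wp-config.php, wp-content/) are assumptions, and the release must be the same version as the site.

```python
import hashlib
import os
import sys

def tree_hashes(root):
    """Map each file path (relative to root, '/' separated) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes

def compare_to_clean(site_root, clean_root,
                     skip_files=("wp-config.php",), skip_dirs=("wp-content/",)):
    """Compare a site tree with an unpacked clean release of the same version."""
    site, clean = tree_hashes(site_root), tree_hashes(clean_root)

    def skipped(path):
        # Site-specific paths that a release archive is not expected to match.
        return path in skip_files or path.startswith(tuple(skip_dirs))

    return {
        # Files whose content differs from the release copy.
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # Files the release never shipped.
        "added": sorted(p for p in site if p not in clean and not skipped(p)),
        # Release files that are gone from the site.
        "missing": sorted(p for p in clean if p not in site and not skipped(p)),
    }

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python compare.py <hacked-site-backup> <unpacked-clean-release>
    for kind, paths in compare_to_clean(sys.argv[1], sys.argv[2]).items():
        for path in paths:
            print(kind, path)
```

Run it against the labelled backup of the hacked site rather than the live folder, so the evidence stays untouched while you replace the files.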

Upgrade!
Once the site is clean, you should upgrade your application to the latest stable version. Older versions are more prone to hacks than newer versions. Please ensure that all the themes, plugins and extensions of the applications are updated too.

Change the passwords again!
Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now.

Secure your site.
Now that you have successfully recovered your site, secure it by implementing some (if not all) of the recommended security measures.
(WordPress: http://codex.wordpress.org/Hardening_WordPress)
(Joomla!: http://docs.joomla.org/Security)

Do a post-mortem.
Once your site is secured, check your site logs to see if you can discover how the hack took place. NewMedia Express cPanel customers can simply log in to cPanel and, under the "Logs" section, click "Raw Access Log" to view the full access history of the website.
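
One way to start reading the downloaded access log, as an added example that is not part of the original article. It assumes the log is in Apache "combined" format, and the heuristic (successful requests for PHP files inside upload, media or cache folders), the folder list and the sample lines are assumptions made for illustration.

```python
import re

# Apache "combined" format, assumed here to be what the Raw Access Log contains.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumed heuristic: folders meant for data should never serve PHP.
WRITABLE_DIRS = ("/wp-content/uploads/", "/images/", "/cache/", "/tmp/")

def parse(lines):
    """Yield one dict per parseable log line; other lines are skipped."""
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()

def php_in_writable_dirs(lines):
    """Successful requests for PHP files inside folders meant for data."""
    hits = []
    for rec in parse(lines):
        path = rec["path"].split("?", 1)[0].lower()
        if (path.endswith(".php") and rec["status"] == "200"
                and any(d in path for d in WRITABLE_DIRS)):
            hits.append(rec)
    return hits

def timeline_for(lines, ips):
    """Every request made by the given client addresses, in log order."""
    return [(r["ts"], r["method"], r["path"], r["status"])
            for r in parse(lines) if r["ip"] in ips]

def investigate(lines):
    """Return the suspicious hits and the full history of the clients behind them."""
    hits = php_in_writable_dirs(lines)
    return hits, timeline_for(lines, {h["ip"] for h in hits})

# Constructed sample lines using documentation-only IP ranges.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:03:14:07 +0800] "POST /contact/upload.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:09 +0800] "GET /wp-content/uploads/2024/03/x.php HTTP/1.1" 200 42 "-" "curl/8.0"',
    '198.51.100.20 - - [12/Mar/2024:03:15:00 +0800] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:03:15:02 +0800] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:16:30 +0800] "POST /wp-content/uploads/2024/03/x.php?a=1 HTTP/1.1" 200 17 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for entry in investigate(SAMPLE)[1]:
        print(*entry)
```

The first entry in the timeline, the request made just before the unexpected PHP file was first fetched, is the place to look for the way in.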

Keep regular backups.
Now that the nightmare is over, start keeping regular backups of your database and files. If this ever happens again, all you will need to do is restore from the last known clean backup and change your passwords and secret keys.

NewMedia Express provides Shared-Hosting Service Data Backup Service:
https://www.newmediaexpress.com/sharedhosting.html#DataBackup 

NewMedia Express provides R1Soft for Premium hosting service and Server users:
https://www.newmediaexpress.com/r1soft.html 
