After news broke in late 2013 that 40 million credit card numbers were stolen from Target in a data breach of epic proportions, many customers got to work by checking their accounts for fraudulent purchases and replacing cards they had used to make Target purchases. There are standard steps you can take if an organization you work with is breached. In much the same way, there are some common actions that businesses should know if their website becomes compromised.
Millions of websites are compromised and infected with various forms of malware every year. Thousands of sites are blacklisted by search engines every day, often accompanied with a warning stating “this site may harm your computer” or “this site may be hacked” in a search. If this happens to your website, recovery is your priority ‒ especially if the site serves customers or generates revenue. Unfortunately, the recovery process is complex and may take some time. Here we’ll give you an overview and recommend tools that can help you in the event of a breach. You can, however, also consider enlisting a cybersecurity professional for help.
Verify the Compromise
This step may seem obvious, but malware is often hidden so that it cannot be discovered just by visiting a site, because the longer it goes undetected, the more damage it can inflict. Moreover, simply visiting a site to look for malware is possibly the worst thing you can do because you’ll expose your PC to the infection!
If you suspect a compromise, you should check to see if you’re on a search engine blacklist. An easy way to do this is to perform a search for your site and look for the warning in the search results. Another approach is to use Google Search Console.
In many cases, your hosting provider can help. You should contact them immediately.
A more comprehensive approach is to use a website malware scanner to search your site. The best malware scanners will require access to the files on your site via FTP so that source code can be scanned.
Quarantine the Site and Change Passwords
As soon as you determine that your site is infected, you should take it offline until it has been disinfected. This step will prevent your site from doing more harm and is an especially important consideration if you collect sensitive information from visitors. You should assume that all of your passwords have been compromised and immediately change them.
Assess the Damage
Many states have passed security breach notification laws. If you collect any type of information from your visitors, you should have knowledge of any legal obligations and consider consulting an attorney.
This is also a good time to determine if you have a recent backup of your website. Even if you do have a recent backup, consider making another current copy of your compromised site and associated log files. This may be useful in determining the source of the infection or exactly what data may have been taken. Just be careful not to overwrite a backup of your clean site with the backup of the infected files!
Decide How to Fix It
You have a few options at this point:
- Ask your hosting provider for help. Many providers offer this service for a surcharge.
- Subscribe to a malware removal service. Many of the companies that provide website malware scanners are also experts at removing malware from websites. In some cases, they have automated tools that will quickly fix the problems and in other cases they have a team standing by to repair your site.
- Restore a backup. If you’re confident that you have a complete backup of your site that was created prior to infection, restoring it can be an effective solution ‒ as long as you follow additional steps to prevent a recurrence.
- You can also attempt to remove the malware yourself. There are a number of tutorials online that describe the telltale signs of malicious content.
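The copy of the compromised site recommended above and the telltale signs of injected content can be combined into a first-pass triage. The following Python script is an added example, not code from the original article or its author: it diffs the snapshot of the compromised site against the last clean backup by file hash, then flags added or modified files whose content matches a few constructed indicator patterns. The directory layout, file names and indicator patterns are assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Illustrative indicators of injected code (constructed for this example, not exhaustive).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"<iframe[^>]*(width|height)\s*=\s*['\"]?0"),
]

def _tree(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root: str, suspect_root: str) -> dict:
    """Diff the snapshot of the compromised site against the known-clean backup."""
    clean, suspect = _tree(Path(clean_root)), _tree(Path(suspect_root))
    return {
        "added": sorted(suspect.keys() - clean.keys()),
        "removed": sorted(clean.keys() - suspect.keys()),
        "modified": sorted(p for p in clean.keys() & suspect.keys() if clean[p] != suspect[p]),
    }

def triage(clean_root: str, suspect_root: str) -> dict:
    """Diff the trees, then flag added/modified files whose content matches an indicator."""
    diff = compare_trees(clean_root, suspect_root)
    diff["suspicious"] = sorted(
        rel for rel in diff["added"] + diff["modified"]
        if any(pat.search((Path(suspect_root) / rel).read_bytes()) for pat in SUSPICIOUS_PATTERNS))
    return diff

def build_sample_site() -> tuple:
    """Constructed clean backup and compromised snapshot so the example runs offline."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "backup", base / "snapshot"
    for root in (clean, suspect):
        (root / "wp-content").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-content" / "theme.css").write_text("body { margin: 0 }\n")
    (clean / "readme.html").write_text("<html></html>\n")  # deleted on the live site
    # Changes constructed to mimic an injection and a dropped file (example only).
    (suspect / "index.php").write_text("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    (suspect / "wp-content" / "cache.php").write_text("<?php /* placeholder */ ?>\n")
    return str(clean), str(suspect)

if __name__ == "__main__":
    for key, files in triage(*build_sample_site()).items():
        print(f"{key}: {files}")
```

Files listed as added or modified but not flagged still deserve a manual look; the patterns only catch the most common injection styles.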
Scan Your PC
If the PC you use to maintain your website is infected, this could be the source of your problems. Make sure that your antivirus software is up to date and scanning any system you use when updating your website. This is also a good time to ensure that the latest patches have been installed on your computer(s).
Upgrade Website Software
Another very common source of website infection is vulnerable software. Many content management systems are constantly being patched, leaving older versions at risk. You’ll also need to update any plug-ins to the latest versions.
In many cases, your hosting provider will regularly patch your server’s operating system, but if you are using a cloud provider or dedicated hosting environment and have complete control of the operating system (OS), it may be your responsibility and you should apply patches regularly. Applying OS patches monthly is a good practice followed by many IT organizations.
Change Encryption Keys
Once your website has been compromised, you should assume that all content was available to the intruder. This means that your encryption keys need to be replaced to ensure that others can’t intercept your communications.
Change Passwords Again
Once you are confident that your site is clean, you should again change all passwords. Weak passwords are another very common way that sites are compromised, so make sure your passwords are long, strong and unique.
Ask Search Engines to Delist Your Site
If your site ended up on a search engine blacklist while it was infected, you can log in to the search engine’s webmaster tools, select the website and request a review. If the search engine finds that your site is free of malware, it should remove its warnings within a day or so. Both Google and Bing offer this through their webmaster tools.
Make Sure It Doesn’t Happen Again
We recommend that you regularly scan your website for vulnerabilities that could lead to an infection. The same services that perform website malware scanning will also scan for vulnerabilities. By scheduling recurring vulnerability scans, you will be alerted when new vulnerabilities are found and likely be able to fix them by patching software before another infection occurs. An alternative to patching your site is to subscribe to a web application firewall (WAF) service, which will act to protect your site even if vulnerabilities are present.
Finally, this experience will probably leave you with a renewed sense of value when making copies of your data. Ensure that your site is being backed up regularly.
About the Author
Wayne Thayer is the general manager of security products at Go Daddy, responsible for Go Daddy’s rapidly growing SSL business. He joined Go Daddy in 2003 to launch their Certificate Authority. Since then, he has held a number of leadership roles, including vice president of IT operations, vice president of product development and chief technology officer. Wayne represents Go Daddy at the CA/Browser Forum, the standards body that defined Extended Validation SSL. He holds an MBA and a B.S. in electrical engineering from Penn State University.