Hacked Website or CMS - General Information
Hacked Website or CMS - General InformationThere are five main steps to fixing a hacked website, and they MUST all be completed:
- If it is at all possible, the website/server should be taken offline while it is being fixed.
- All of the infected files must be removed.
- The CMS and all plugins and extensions must be updated to the latest and most secure versions.
- Be sure the server itself is secure, or ask a system administrator to perform a security audit.
- All passwords must be changed. Strong passwords should be used, and two factor authentication added wherever possible.
Take your website offline: The whole time that a server is infected, it poses a threat of some kind to the rest of the Internet (spam, DDoS, botnet command node, malware infector, phishing websites, etc).
- Domain reputation will suffer as a result of any infection. That drop in reputation will affect not only websites but also email… and not just due to Spamhaus listings.
- It is very important to temporarily suspend an infected website, if possible, while it is repaired and secured.
- Taking it offline will help protect domain and email reputation: this is a strategic decision with the fewest bad consequences for both the website operator and the Internet at large.
A good place to start is with Spamhaus’ news blog on how to Stop Spammers from Exploiting your Webserver. Additional in depth information:
- Spamhaus CBL’s page about CMS vulnerabilities.
- MELANI.admin.ch offers a paper to on how to clean up compromised websites, in English, French, Italian and German.
- Alternatively, Google Translate can be used.
Website software known as Content Management System (CMS) is a common vector for security attacks on websites. This can result in domains being listed by Spamhaus.
In all cases, the website’s software – including the CMS and any related extensions or plugins – must be patched to a secure version and the infected files must be removed and the server itself must be secure in order for a domain to stay out of Spamhaus lists.
- If hacked pages are detected after a domain has been de-listed, the domain will quickly be re-listed.
- That re-listing should serve as an alert that the website and/or web server are still compromised, and that quick corrective action is required.
- If re-listing happens too many times, we will prevent further removals until we are assured that the problem has been properly fixed.
These infections can and do affect any operating systems (OS). We see these infections on Windows/WINNT, Linux, FreeBSD, Darwin and more, and on Apache, nginx, squid, Microsoft-IIS and other web servers, too.
Anti-virus scans usually do not detect these infections. Running an a/v scan is a good thing to do, but negative results do not mean that the website or server are clean of infection.
We are also receiving reports of accounts with compromised FTP passwords.
- Be sure that the FTP password is strong and secure.
- Use secure SFTP for end-to-end encryption to avoid having passwords stolen during transmission.
For ISPs: some possible solutions – unknown, untested and not vouched for by Spamhaus but still of possible interest:
Hacked websites in the news (Arstechnica); old but still relevant: Active malware campaign uses thousands of WordPress sites to infect visitors – Sep 18, 2015, by Dan Goodin Back