How-to: Recover your Hacked Blog or Site

Yesterday I documented what happened to my blog when it got “hacked”. If this ever happens to you, here are steps to consider when recovering from a hacked site or blog:

  1. Regain Access/Control to your Site
    Most likely, your intruder would have changed one or more of your passwords. To regain control, you should contact your web host immediately to change your passwords and to alert them of the situation. It could perhaps be a server-wide vulnerability.
  2. Restore Files and Database from a Backup
    Assuming you do routine backups (at the very very least once a month), you can restore your files and database from the latest backup. If you don’t have a backup, check with your web host. Many web hosts do routine backups of entire systems and may be able to retrieve a more up-to-date version of your page.
  3. Restore Missing Information
    Files that were not in your backup may need to be restored manually — either by creating the file again or, in the case of a blog, by finding your article archived somewhere (e.g. archive.org, Google cache, RSS Reader history).
  4. Locate the Vulnerability
    This is very important. You need to pinpoint exactly how the hacker got into the system. Take note of which versions of software and plugins you’re using and look at changelogs to see if there were any open vulnerabilities. If you can’t find anything, you can take a look at your access logs to see if there has been any suspicious activity. Detailed access logs may only be available through your web host, so ask them for help; they’d know what to look for!
  5. Eliminate the Vulnerability
    This step is pretty obvious. Depending on what your vulnerability is, get rid of it. If for some reason it isn’t possible, then work around it. For example, if you find that your contact form plug-in has an unpatched hole, then use another contact form or simply give a regular e-mail link. To be on the safe side, take this chance to upgrade everything to the latest version.
  6. Do a Sweep for Suspicious Files
    The hacker could easily have left a malicious file somewhere which will give them a backdoor to your system even after you have eliminated the original vulnerability. One way to check for this is to install the same software in a different location and look for files unaccounted for in your original installation. Likewise, you can usually find a list of installed files from the software’s documentation. If necessary, it would be safest to do a complete reinstallation from scratch.
  7. Monitor Site Activity
    Over the next couple weeks, you should keep an eye on your site activity. Note suspicious activity such as access to files that you don’t recognize or log-in attempts.
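
One way to carry out the sweep in step 6 and the log check in step 7, as an added example that is not code from the original post. It assumes a PHP-based site, a fresh copy of the same software version unpacked in a separate directory, and an access log in common/combined format; the function names and sample data are illustrative.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def sweep(live_root, clean_root):
    """Step 6: compare the live install with a fresh install of the same version."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    return {
        # On the site but not in the release: backdoor candidates (and your own uploads).
        "unaccounted": sorted(set(live) - set(clean)),
        # Shipped files whose content no longer matches the release.
        "modified": sorted(p for p in set(live) & set(clean) if live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
    }

# Request path and status code from a common/combined-format access log line.
REQUEST = re.compile(r'"[A-Z]+ (/[^ ?"]*)[^"]*" (\d{3}) ')

def unrecognized_hits(log_lines, known_paths):
    """Step 7: scripts served successfully that the clean install does not ship."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if (m and m.group(2) == "200" and m.group(1).endswith(".php")
                and m.group(1).lstrip("/") not in known_paths):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    # Constructed sample data: a two-file "release" and a tampered live copy.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front page\n")
            (root / "inc" / "form.php").write_text("<?php // contact form\n")
        (live / "inc" / "form.php").write_text("<?php // contact form, altered\n")
        (live / "inc" / "cache.php").write_text("<?php // not in the release\n")
        print(sweep(live, clean))
        log = ['203.0.113.5 - - [01/Jan/2008:10:00:00 +0000] '
               '"POST /inc/cache.php?x=1 HTTP/1.1" 200 12 "-" "-"']
        print(unrecognized_hits(log, set(file_hashes(clean))))
```

Entries under "modified" and "unaccounted" still need a manual look: configuration files, themes and uploads legitimately differ from a stock release.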

Steps need not be necessarily done in this order but at the very least, they should all be considered. Let’s hope you’ll never have to refer to this post.


22 Responses to “How-to: Recover your Hacked Blog or Site”
  1. Florchakh says:

    8. Go to police station :cool:

  2. yeah i feel you. one of my sites just got hacked same time yours did.

  3. Jon Lee says:

    Haha I’m not sure if the police would take this very seriously.. unless you were a corporation.

  4. Jon Lee says:

    What happened to yours? Similar circumstances?

  5. Florchakh says:

    Police is forced to take every call srsly unless Canadian ones don’t know how to catch a cyber-stinker, but I guess they do. :mrgreen:

  6. dono. but some picture of a guy tied up saying “hacked”.

  7. Sophie says:

    I hate it when someone’s site gets hacked. All that effort down the drain. It’s a good thing that this hasn’t happened to me yet, but it has happened to a few of my close friends. I’ll send the link to this post to them. They’ll be glad to read it.

  8. web J says:

    I feel your pain; my blog was not hacked, but my host did shut it down when it became overrun by spammers.

  9. Jon Lee says:

    Wow your host did that??
    What do you mean by overrun? Unless spammers are using your site to send spam I don’t think your host has a right to shut down your blog just because you get a lot of spam comments!

  10. Kelly Cho says:

    I can’t believe I’m in need of this post right now. *sigh* Thank you for writing it, it’s quite handy!

  11. That’s a great list Jon, I just Stumbled it!

  12. Jon Lee says:

    Thanks Saman!

  13. That’s really scarryyy

  14. No worries! I thought everyone could benefit from the list, bad guys are out there…

  15. [...] my attention the first time I looked over his blog.  I was particularly interested in his post How to Recover Your Hacked Blog or Site.  That would probably be the worst thing that I could think of happening to my blog.  As soon as [...]

  16. [...] blog back to its former state? Well, this process is comprised of 7 basic steps, as described by Jon Lee, who unfortunately has some first-hand experience in the [...]

  17. mlankton says:

    This is precisely why it’s a good idea to take a few minutes to back up your site and keep a copy of the backup on your home computer. I try to back up every day, when I’m home.
    Good read, thanks for reminding us that this sort of thing happens.

  18. JohnCow.com was hacked!…

    One of the well known blog site, JohnCow was hacked and held ransom by a/some hacker/s. A message was left on the home page read as:…

  19. moregadget says:

    wow, the famous jhoncow ? that the thing would happen if you have too much spot at your stuff, it attract people, the good one and the bad one and ironically you could not be selective to your viewer right?

  20. takeoffzone says:

    We were a victim of a hacker once, and let me tell you, it isn’t a good feeling when you find out your website has been violated. Luckily the damage was done to a newly setup forum written in PHP only, not to our main website. It seems like these open source codes are really open to anyone!

  21. acnecaregal says:

    PHP written forum scripts do have vulnerabilities especially the free ones like PHPBB2. YABB is more resilient to php hack attacks.

  22. shini says:

    our forum got hacked too… We don’t know how to restore it till now… help pls… TT_TT
