I’ve Been Hacked! Now What?

For many site owners, the first indication that their site has been hacked is when they try to access their website and get the Browser Warning Screen instead. The screen tells them that their site has been deemed an “Attack Page” — Google has found malicious code & blocked the site as a precaution. So, for all intents and purposes, your site is down. Now what?

Many of you contact me to take care of it, which is a good start. I generally have all the info to help you expedite the cleanup, reset passwords, etc. However, if I’m not available for some reason, or if you would rather take care of it yourself, this is what you need to know:

Clean malware off of the server

First, the server needs to be cleaned of all malware files. If you don’t already have a Sucuri account (which monitors your site for malware), go to Sucuri and sign up for their services ($199/year for their basic package which includes a firewall to prevent attack, server monitoring & clean-up if an attack happens). As soon as you’ve paid for the account it will allow you to put in a Malware Removal Request. Do this! Even if you have received a notice from Sucuri saying that they have detected malware on your site, you MUST put in a Malware Removal Request — that does not happen automatically.

They will need your server FTP info. It’s a good idea to keep your FTP/Host info on file (for times like this), but if you don’t have it, you will need to get it or create a new FTP user at your site host (that’s where ever your site is hosted – GoDaddy, Network Solutions, Hostgator, etc).

If you don’t have your FTP info, here are instructions on creating an FTP user from some of the main hosts. To get to the FTP area of your cpanel for any of these hosts, you will need your cpanel login. If you cannot find your general cpanel login for your host company, you can do a password recovery.

• GoDaddy instructions on how to add an FTP user
• Network Solutions instructions on how to add an FTP user
• Hostgator instructions on how to add an FTP user

Once you have your FTP info, go ahead and log into your Sucuri account and submit a Malware Removal Request.
The Infected Website is your domain name (example: mydomain.com)
The FTP Hostname is generally also your domain name (example: mydomain.com) — this can also be IP address.
The Username & Password is the FTP username & password you had on file or the one you created in the steps above.
Enter a description of the problem. If you received a notice directly from Sucuri, make mention of it here. If your site is being blocked by Google, make mention of it here.
Sucuri will email you when they have completed the cleanup.

Change passwords and run updates to prevent reinfection

Once the site is cleaned, it’s important to change all passwords associated with the site to prevent future attack. This includes the site admin level login pw, your FTP pw, your cpanel pw. It’s also important to make sure all site software is updated (platform & plugins).

Again, I can help you with this process, but it is always a good idea to be able to tackle it yourself if I am not available. For more on site security, check out the article: Is My WordPress Site Secure? Being Proactive in Protecting Your Site and let me know if you have any questions!