For almost seventeen years now, we’ve been helping individuals as well as hosting providers with hacker clean up.

Please allow me to share with you some of that experience in terms of what you should do should you find your site is hacked.

First, backup your site. Even though the site is hacked, you want to have a backup should you have to undo any of the clean up steps, and have a fresh start at cleaning up.

If your site is based on WordPress, Joomla, Drupla, or any other database-driven method, be sure to include a backup of the database as well as the files in your HTML directory structure.

Second, If any of the hacked areas include defaces or other visible clues (or even in your face writings), then take screen shots of those areas. Basically, you want to document what you know about your site being hacked.

Third, contact your hosting provider technical support giving them as much information as you know along with any screen shots and notes you’ve taken to date.

If your hosting provider cares about you as a person, and cares about your site, they will do what they can to help you clean up from the hack(s) on your site. Depending on how quickly they are told, they might be able to review server log files to identify how the hacker(s) gained access and when such access was gained.

Some hosting providers do have the right to charge for clean up per their terms of service; prior to asking them to do any work, ask them if their help in the case you are facing will be done freely. If yes, move forward; if not, then find out the charges involved and make a decision as to how much you need their help.

In any event, you should still notify your hosting provider so they know you know; AND, that the intent is to clean up the site as quickly as possible.

The main reason you want this notification (even if you are going to clean up the site yourself, or use another party) to the hosting provider is to ease any effort the hosting provider might make against you if they receive pressure to shut down your site.

Fourth, if you are unsure of how long the cleanup will take, put your site in maintenance mode so your site is not infecting others (or has less of a chance to infect others).

Fifth, scan any device (mobile, PC, etc.) you or any authorized person who has access to the site for virus AND malware / spyware. Anti-virus software will often not find any malware, and anti-malware software will often not find any virus. You need to run two different scans — one for viruses using an anti-virus program; and another for malware using an anti-malware program.

I recommend NOD32 for anti-virus and malwarebytes.org for anti-malware.

Sixth, change your passwords — FTP, SSH, control panel, WordPress, etc.

Read Revealing the secret of creating secure passwords that are easy to remember and hard for hackers to crack if you want to learn about using pass phrases as a means to create relatively secure passwords.

Seventh, now you are ready to go through your site and database (if database driven) to find and remove the hacks / defacement.

FTP / SFTP to the site and grab the .htaccess file along with all php and html to start the review.

While there, make sure the .htaccess file and .php files are chmod 644 (most FTP clients allow you to see / set permissions. 644 = _rw_r__r__ where r=read and w=write).

If you see any file with 777 — _rwxrwxrwx (the preceding _ will be a “d” for directories), then note the file name and that file will have a higher priority for being checked for hacks / malware.

Review the .htaccess file (it is a text file) for any redirects that should not be present; it there are redirects, check if the redirect is local (i.e. on the same server your site is on) or external (pointing to a site off the server).

If internal, then the directory and files that the redirect is pointing to need to be reviewed.

i.e. you might see a redirect like “includes/ice/ice.js” and then go to the includes/ice directory and see a number of .php and .htm[l] files present you didn’t put there (but the hacker did). Then that entire directory tree can be backed up (play safe), and deleted.

Then check for all files you grabbed for (in the above example) stuff like

Or you might see in the HTML a php encode base 64 statement…

Now, based on what you see, clean up might be as (relatively speaking) editing the various files to remove what was injected.

Lastly, once the site is backup and running clean (no more hacks, malware, defacement present), then (if you are running WordPress) review http://codex.wordpress.org/Hardening_WordPress and http://blog.softlayer.com/2012/tips-and-tricks-how-to-secure-wordpress/ to see what additional security you can put into place for your site.

If you are running WordPress, two of the better plugins we’ve found for security are Better WP Security and WordFence Security.

Now, you might find yourself on the find malware, hacks, defacement step and be lost. If that’s the case, you might want to reconsider either having your hosting provider get involved in the clean up, or contracting a person or firm to do the clean up for you.

If it comes down to getting outside help, please review our Site Security page for options.

Contact us if you have any questions.