I recently had several of my websites hacked within a short period of time.
The first indicator was a message from Hostgator, telling me that my site was exceeding CPU usage and that it would be disabled for violating their terms of service (Hostgator used to fix security issues for free; now they basically say, “it’s your problem and you had better fix it”). At any rate, I knew something fishy was going on, as this is a low traffic site.
The second indicator (for another of my sites) was 2 emails, one from Google and another from a security company that works for Wells Fargo. The security company said that criminals were using my server to post phishing pages that looked like Wells Fargo pages.
Shortly thereafter, a new client’s site was completely blocked by Google for having malware.
Needless to say, this was an overwhelming experience that cost me several days of research, effort and phone calls (to HostGator and Godaddy) to resolve (these companies are of little help if you are hosting with them).
The good news is, with the help of my dedicated coder, we fixed everything. We learned a lot in the process that I will share with you in case it happens to any of your sites. I’ll also share what I’ve learned about “hardening” your server to provide an additional layer of protection/prevention.
Note: This is by no means an exhaustive report, only helpful feedback on what we are doing.
“Of course you know, this means war!” ~ Bugs Bunny
If your site has been hacked, avoid clicking through to it (if it’s being blocked by Google). This will help to ensure your browser isn’t affected. If Google (or someone else) sent you a message indicating where the malware is on your server – you will want to access that via FTP and remove it.
Here’s a list of the things we did. I’m sure there’s more to this, but this worked for us each time.
1. Check your site here: sitecheck.sucuri.net
This is a nice/free tool that will help to identify where the malware is on your server, as well as whether your site has been flagged by other sites as having malware.
2. Change ALL Passwords.
This includes your server, control panel, ftp, and WordPress (if applicable). If you need to send the new PWs to someone, use Skype or put them in a text file, then zip it up before emailing to help ensure it isn’t intercepted if your email is compromised.
3. Remove any extra FTP accounts – ideally, just have one.
4. Locate and delete bad files.
5. If you are using WordPress, make sure to update it and all plugins (and keep it updated).
6. Block the IPs of suspected users.
I looked in cPanel for the most recent visitors, and checked the location of their IPs here: www.iplocation.net – In my case, the hacker appeared to be from Indonesia (as there’s no good reason for anyone outside of the US to be visiting my site). I used Cloudflare.com to exclude their IP and country (see more below).
7. Recheck site here: sitecheck.sucuri.net and remove any remaining files on the server.
8. Request re-inclusion in Google Webmaster Tools (if identified by Google as a problem).
9. Run Malware checks on All Computers with Access.
It’s important that you do this anyway on a regular basis. PCs running versions earlier than Windows 8 should use Microsoft Security Essentials.
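Steps 4 and 6 above (locate the bad files, then work out which visitors were hammering the site) are the two that take the longest by hand. As an added example, not code from the original post, here is a small Python triage script that does both over a WordPress-style web root and a cPanel/Apache access log. The sample files, the log lines (which use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the pattern list are all constructed for the demo; the file names and function names are this example’s own, not part of WordPress or any hosting tool. A match is a lead to review, not proof of compromise.

```python
# Added example (not from the original post): triage helpers for steps 4 and 6,
# locating suspicious files in a PHP/WordPress web root and counting login
# attempts per IP in an access log. All sample files and log lines below are
# constructed for the demo; the names and patterns are this example's own.
import os
import re
import tempfile
import time
from collections import Counter

# Constructs that legitimate WordPress code almost never contains but injected
# backdoors frequently do. A match is a lead to review by hand, not proof.
SUSPICIOUS = [
    ("eval of decoded payload",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
    ("preg_replace /e modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("request variable called as function",
     re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)),
    ("very long single-line php",
     re.compile(rb"<\?php[^\n]{400,}", re.I)),
]
PHP_EXT = (".php", ".phtml", ".php5")


def scan_webroot(root, recent_days=7, now=None):
    """Return [(relative_path, [reasons])] for PHP files worth reviewing."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            # The uploads directory should hold media, never executable code.
            if "/uploads/" in "/" + rel:
                reasons.append("php file under uploads")
            if os.path.getmtime(path) >= cutoff:
                reasons.append("modified in last %d days" % recent_days)
            with open(path, "rb") as fh:
                data = fh.read()
            for label, pattern in SUSPICIOUS:
                if pattern.search(data):
                    reasons.append(label)
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


# Apache/cPanel combined-log style line; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def login_attempts_by_ip(lines, targets=("wp-login.php", "xmlrpc.php")):
    """Count POSTs to the login endpoints per client IP, most active first."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0].endswith(targets):
            counts[m.group("ip")] += 1
    return counts.most_common()


SAMPLE_LOG = [  # constructed lines; both address ranges are documentation ranges
    '203.0.113.45 - - [10/Oct/2013:13:55:36 -0700] "POST /wp-login.php HTTP/1.1" 200 4523',
    '203.0.113.45 - - [10/Oct/2013:13:55:37 -0700] "POST /wp-login.php HTTP/1.1" 200 4523',
    '203.0.113.45 - - [10/Oct/2013:13:55:38 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.7 - - [10/Oct/2013:14:01:02 -0700] "GET /wp-login.php HTTP/1.1" 200 4523',
    '198.51.100.7 - - [10/Oct/2013:14:01:09 -0700] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2013:14:02:00 -0700] "GET /about/ HTTP/1.1" 200 8800',
]


def build_sample_webroot():
    """Create a throwaway web root: one old clean file, one fresh clean file,
    and one constructed stand-in for an injected file under uploads."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "wp-includes/functions.php": b"<?php\nfunction wp_hello() { return 'hi'; }\n",
        "wp-content/themes/site/header.php": b"<?php get_header(); ?>\n",
        "wp-content/uploads/image.php": b"<?php eval(base64_decode('aGVsbG8=')); ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    # Core file last touched a month ago; the other two were just written.
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "wp-includes/functions.php"), (old, old))
    return root


if __name__ == "__main__":
    for rel, reasons in scan_webroot(build_sample_webroot()):
        print(rel, "->", ", ".join(reasons))
    for ip, n in login_attempts_by_ip(SAMPLE_LOG):
        print(ip, n)
```

On a real server you would point scan_webroot at the public_html directory and feed login_attempts_by_ip the raw access log from cPanel; the recently-modified check is only useful if you run it before you start editing files yourself, so run it first. The IPs at the top of the second list are the ones to look up (step 6) and the ones whose countries you may decide to block.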
Protecting Against Future Attacks
Use Better Passwords
I recommend that you use passwords that are a bit more complex, and save them with a password keeper. Which do you think is easier for a hacker to figure out – “jonny123” or “AxAem3klD90a!”?
Keep WordPress Updated
If you are using WordPress, make sure to keep it updated, as well as its plugins. My client’s hack was most likely through an older version of WordPress that their webmaster had failed to update.
We’ve been using a paid plugin called “Hide My WP” that makes it difficult for bots to find your WP-Admin (login). I recommend this as another line of defense.
Use Cloudflare.com
We started using Cloudflare in the last 5 months, and I’ve applied it to all of my sites after the most recent string of attacks.
Cloudflare is a free/paid service (I use the free version) that sits between your site and the web, acting as a filter of sorts. It provides a number of tools (such as caching) but for the sake of this article, it provides a higher level of security, in the form of a firewall for your sites.
BLOCK EM!
Once you update your site’s DNS to point to Cloudflare, you can filter IPs and countries from accessing it. This is more effective than using your control panel to block IPs and it won’t slow your server down.
But probably more important than blocking IPs is the ability to block the countries they are coming from. Under the “Firewall” section in Cloudflare, you can input the country codes for each country you want to block from accessing your site. (The free version shows a “challenge” page to users in these countries, which is sufficient to stop automated bots.)
I’ve identified that certain countries, such as Indonesia, Russia and other Eastern Bloc/Asian countries are where our hackers tend to come from, so it makes good sense to simply block them from using our sites if they are not countries you plan on doing business with.
Here’s an additional resource from Google with more technical advice (found in Google Webmaster Tools)
I hope this helps!