{"id":18488,"date":"2024-05-24T17:53:03","date_gmt":"2024-05-24T17:53:03","guid":{"rendered":"https:\/\/hostvento.com\/kb\/web-hosting\/learn-to-secure-your-hacked-site\/"},"modified":"2024-06-16T17:53:51","modified_gmt":"2024-06-16T17:53:51","slug":"learn-to-secure-your-hacked-site","status":"publish","type":"docs","link":"https:\/\/www.hostvento.com\/kb\/docs\/hosting-faqs\/learn-to-secure-your-hacked-site\/","title":{"rendered":"Learn to Secure your Hacked site"},"content":{"rendered":"\n<p>In this knowledge base article you will learn how to secure your website after it has been hacked. You&#8217;ll also receive instructions on how to defend your website against attacks in the future.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># How to determine the cause?<\/h3>\n\n\n\n<p>The first step to secure your website from attacks and bring it back to normal operation is to identify how it was hacked. Generally, hacks occur for one of the following reasons:<\/p>\n\n\n\n<p>\u2022 Your FTP\/SSH password is weak and easy to guess.<\/p>\n\n\n\n<p>\u2022 You might have set overly permissive permissions on files or directories in the&nbsp;<strong>public_html<\/strong>&nbsp;directory.<\/p>\n\n\n\n<p>\u2022 A software application installed on your website might contain a vulnerability that allows arbitrary code to run on the server.<\/p>\n\n\n\n<p>Because of the huge growth in pre-bundled software applications, software vulnerability hacks are now more common than FTP\/SSH password hacks. Most of the time, users set up an application and then forget to apply security updates, leaving their sites vulnerable to attack.<\/p>\n\n\n\n<p>Likewise, if a file or directory in the<strong>&nbsp;public_html<\/strong>&nbsp;directory has its permissions set to&nbsp;<strong>777<\/strong>&nbsp;(i.e. 
full access), then code or data may be exposed and potentially exploited by an attacker.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Checking the FTP\/SSH password<\/h3>\n\n\n\n<p>First you need to determine whether someone has obtained your password and logged in to your account. To do this, perform the following steps:<\/p>\n\n\n\n<p>1. Using&nbsp;<strong>SSH<\/strong>, log in to your account.<\/p>\n\n\n\n<p>2. Type the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">history<\/pre>\n\n\n\n<p>This command displays the last 1000 commands that were run on your account, with their times. Review the recent entries in the list for anything that seems suspicious or that you did not type.<\/p>\n\n\n\n<p>This is not a 100% fool-proof method, because the command history can be altered or forged by a malicious actor.<\/p>\n\n\n\n<p>3. Type the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cat ~\/.LastLogin<\/pre>\n\n\n\n<p>This command displays the IP address of the last user who logged in to your cPanel account.<\/p>\n\n\n\n<p><strong>Remember:<\/strong> if you find or suspect that an unauthorized user is accessing your account, then:<\/p>\n\n\n\n<p><strong>\u2022<\/strong>&nbsp;Change your cPanel account password immediately.<\/p>\n\n\n\n<p><strong>\u2022<\/strong>&nbsp;Stop using FTP. Regular FTP transmits your password over the internet in unencrypted plain-text form, where it can be easily intercepted. Use SFTP or SSH instead.<\/p>\n\n\n\n<p>\u2022 Be sure that you are running up-to-date virus and malware protection on any computers that you have used to access your account.<\/p>\n\n\n\n<p>Once you have followed all these steps, go to the Steps for cleaning up after a hack section below. 
However, if you have not found any suspicious behavior, go to the next section.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Finding software vulnerabilities<\/h3>\n\n\n\n<p>Malicious actors can easily exploit well-known security flaws in outdated software by using automated scripts. Software applications include any packages you have installed manually as well as those you have installed using Softaculous. Most of these applications are content management systems, shopping carts, blogs, forums, and image galleries.<\/p>\n\n\n\n<p>Review every piece of software installed on your website and make sure that you have applied all updates and are running the most recent versions. When updating, examine the plugins as well as the applications themselves. If you find any non-standard plugins installed with your applications, do a web search for the name of the plugin and the word &#8220;vulnerability&#8221; to see whether there are any known problems with your version. If you find any known vulnerabilities, disable or update the plugin right away.<\/p>\n\n\n\n<p>Additionally, use cPanel&#8217;s Error Log feature to check for recent problems on your website. These error messages help identify the files or applications that are vulnerable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Steps for cleaning up after a hack<\/h3>\n\n\n\n<p>After securing your website, the next step is to clean up the mess left behind by the attackers and restore normal operation.<\/p>\n\n\n\n<p><strong>Stop malicious processes:<\/strong><\/p>\n\n\n\n<p>First, you need to ensure that there are no malicious processes currently running on your account. 
Otherwise, a malicious process that is still running could undo the cleanup steps that follow.<br>Perform the following steps to view the user processes running on your account:<\/p>\n\n\n\n<p>1. Using<strong>&nbsp;SSH<\/strong>, log in to your account.<\/p>\n\n\n\n<p>2. Type the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ps faux<\/pre>\n\n\n\n<p>3. Inspect the list of running processes and look for suspicious activity. If you find a suspicious process, note its&nbsp;<strong>process ID (PID)<\/strong>.<\/p>\n\n\n\n<p>The ps command you ran in step 2 appears in the list as well; it is not malicious and should not be terminated. The following two entries are normal processes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\nusername 2847697 0.0 0.0 108504 1900 pts\/2 Ss 16:37 0:00 -bash\nusername 2885143 0.0 0.0 109960 1016 pts\/2 R+ 16:44 0:00 \\_ ps faux<\/pre>\n\n\n\n<p>4. To terminate each suspicious process that you found, type the following command, once per process:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">kill process_id<\/pre>\n\n\n\n<p>Replace process_id with the process ID (PID) that you noted in step 3.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Remove the hacked files<\/h3>\n\n\n\n<p>Go through all the files in your account and delete anything that you did not put there. If you are using an FTP client, make sure that it is set to show hidden files. Likewise, if you are using the command line over SSH, use the -a option with the ls command so that it shows all files (many malicious files are marked \u201chidden\u201d).<\/p>\n\n\n\n<p>While going through the files, you can prioritize the search. First look for files whose modification timestamps are later than your own last change to the site, or fall around the time the hack took place. 
If you have identified a file that was modified during the hack (such as a defaced index page), you may be able to locate other affected files by searching for similar timestamps.<\/p>\n\n\n\n<p>For example, to find all the files in your public_html directory that were modified in the last four days, perform the following steps:<\/p>\n\n\n\n<p>1. Using&nbsp;<strong>SSH<\/strong>, log in to your account.<\/p>\n\n\n\n<p>2. Type the following commands:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~\/public_html\n\nfind . -mtime -4<\/pre>\n\n\n\n<p><strong>Note:<\/strong>&nbsp;You can change the -4 option to control how many days back the find command searches for modified files. For example, to search back 6 days instead of 4, use -6.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Set the correct file permissions<\/h3>\n\n\n\n<p>By default, every directory under the public_html directory should have its permissions set to 755 (i.e., full access for the owner only, and read and execute access for everyone else). Likewise, every file should have its permissions set to 644 (read and write access for the owner, and read access for everyone else). Perform the following steps to set these permissions for your account:<\/p>\n\n\n\n<p>1. Using&nbsp;<strong>SSH<\/strong>, log in to your account.<\/p>\n\n\n\n<p>2. Type the following commands:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ~\/public_html\nfind . -type d -exec chmod 755 {} \\;\nfind . -type f -exec chmod 644 {} \\;<\/pre>\n\n\n\n<p><strong>Note:<\/strong>&nbsp;After you make these changes, you may need to adjust the permissions of a few individual files, depending on the applications that you have installed. 
It is good practice to set these baseline permissions first and then make any individual adjustments as necessary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Restore databases<\/h3>\n\n\n\n<p>SQL injection attacks against vulnerable Joomla installations can alter the database with malicious code. These modifications can grant an attacker access to your account even after you update your applications and remove the altered files.<\/p>\n\n\n\n<p>Thus, you need to review your database for any suspicious changes. You can also restore the database from a backup that was completed before the attack occurred.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Restore lost and modified files<\/h3>\n\n\n\n<p>Use the Server Rewind feature in cPanel to restore files in your home directory that have been lost or modified within the past month.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Reconfigure WordPress<\/h3>\n\n\n\n<p>If you are using WordPress, you need to take some additional steps to secure your site after an attack. 
For example, you need to reset the WordPress security keys.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"># Use Cloudflare to enhance security<\/h3>\n\n\n\n<p>If you want to prevent attacks in the future, consider enabling Cloudflare on your account.<br><strong><a href=\"http:\/\/hostvento.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">Hostvento offers<\/span><\/a> <\/strong>Cloudflare, a content delivery network (CDN) service, at no cost. The Cloudflare network blocks abusive bots and stops threats before they reach your website, which reduces bandwidth waste while also enhancing security.<\/p>\n\n\n\n<p>You can turn on Cloudflare for a <strong><a href=\"http:\/\/hostvento.com\" target=\"_blank\" rel=\"noopener\">shared web hosting<\/a> <\/strong>account using cPanel. Alternatively, contact Hostvento support and they&#8217;ll add it to your account. If you do not have a shared web hosting account, you can register directly at http:\/\/www.cloudflare.com, the Cloudflare website.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You may learn how to safeguard your website even after it has been hacked from our knowledge base. You&#8217;ll also receive instructions on how to defend your website against assaults in the future. # How to determine the cause? 
The first step to secure your website from attacks and bring it back to normal operation [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":23377,"menu_order":1342,"comment_status":"closed","ping_status":"closed","template":"","doc_tag":[],"class_list":["post-18488","docs","type-docs","status-publish","hentry","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/docs\/18488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/comments?post=18488"}],"version-history":[{"count":2,"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/docs\/18488\/revisions"}],"predecessor-version":[{"id":21411,"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/docs\/18488\/revisions\/21411"}],"up":[{"embeddable":true,"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/docs\/23377"}],"wp:attachment":[{"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/media?parent=18488"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/www.hostvento.com\/kb\/wp-json\/wp\/v2\/doc_tag?post=18488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}