We occasionally come across a hosting account that is breaking our Acceptable Usage Policy and Terms and Conditions.
This will usually be because it is running a phishing page (spoofing PayPal or another site in an attempt to dupe people into giving up their login details) or spamming (sending out unsolicited email).
An insecure site puts our whole network at risk from blacklisting
or other sanctions, so when we come across a compromised site, we take it offline straight away by renaming the public_html directory to public_html.compromised. This means the site will stop displaying webpages but still be accessible by the owner to connect with FTP.
This is the customer's opportunity to ensure their site is properly cleaned.
The majority of cases involve very poorly maintained WordPress sites, which are a ripe target for hackers wanting to exploit a website. Typical examples are where the customer has not been:
- Logging in and checking whether there are updates to WordPress (or any other CMS such as Joomla, Drupal etc.) that need applying
- Installing security plugins, like the highly recommended Wordfence
- Checking any other plugins or themes that may have had updates needing applying, or that may even have been fully discontinued due to security vulnerabilities
Below are the answers to some of the most common questions we receive:
Q. Will Daily tell me exactly what I need to do to secure my website?
Essentially this is not feasible. We would of course love to be in a position where we could do this, but the thing to remember is that once a site is compromised, there is no end to the activity the hacker could have carried out.
A full investigation could literally take days of trawling through log file entries across multiple servers, and still not be guaranteed to yield results or to fully secure a site.
What we can often do is highlight the particular file that is up to no good (i.e. the script sending out spam emails or the HTML page showing the phishing site), but this will not show the vulnerability that allowed someone to gain access in the first place. If only the symptoms are addressed rather than the root cause, a hacker will simply continue to exploit that site.
Q. So how do I secure my website?
Our recommendation is to fully wipe your site, reinstall any programs like WordPress (using the latest stable version), reinstall any themes/plugins (again, making sure they are stable and secure) and then reimport any general data from your own backups.
And then monitor and maintain your site. Preventative measures like we listed above are by far the most effective measures.
Q. How do I get my website back online?
Simply renaming your public_html.compromised back to public_html will suffice. It is only in extreme cases that we suspend an account entirely.
Please do not do this unless your site is secure though. We'll simply deactivate it again if it is put back online in a compromised state.
Q. What if I don't want to rebuild my site? Can I have a go at cleaning it myself?
Yes, you are fine to do this, but we must stress the following:
- You must not take a 'trial and error' approach to cleaning your site. If you do not want to rebuild it completely, you must be confident you can clean your site effectively.
- If we experience repeat instances of a site being compromised, we will have to suspend it indefinitely. This is not a question of the site owner's intentions, but simply that allowing a site to continue to abuse our network puts our other customers at risk and we cannot allow this to happen.
Last Updated: 20/03/2015
Article ID: 1174