|Practical Computer Advice |
from Martin Kadansky
|Volume 7 Issue 1||January 2013|
| || |
|What To Do When Your Web Site Gets Hacked (Broken Into and Destroyed)|
Whether you have your own independent web site for your business, your hobby, your volunteer work, or your own personal mission to spread the word about aliens among us or the benefits of flossing, it's becoming more and more likely that your website will be "hacked." This means that:
This is not just theoretically possible, it's a growing trend. In the past few months this has happened three times to two of my clients, possibly more.
- One day, without warning, instead of seeing your well-written text with pictures of your smiling face (and the tin-foil hat or waxed floss that you recommend), visitors to your site will instead see a fake search page or dating site that tries to download infections to anyone landing on it, or a phishing scam designed to trick visitors into revealing their personal information, or a collection of pornography, or a combination of these, or something worse.
- This may not only convince new visitors to your site never to come back, it will probably also start to ruin your reputation with existing visitors, customers, potential customers, and more.
- Then, if you don't notice and take action right away, and enough concerned visitors report your site as malicious, your site will be added to the "blacklists" and "block lists" that many ISPs and others use to prevent unsuspecting users from even visiting your site. So, instead of landing on the hijacked site they'll see a warning that will, in essence, say "We have prevented you from visiting this site because it appears to be malicious or infected." Or, your site will be blocked so completely that your visitors will get a "Can't find the server" or "Failure to load" error, just as if you had closed your site and gone out of business or left town.
My focus here is to talk about independent web sites, where you have bought your own domain name (e.g., kadansky.com), created (or hired someone to create) your own content, and arranged for your own web hosting (24-hour worldwide access to your content). Every day plenty of hackers also break into and destroy or replace content that you may have posted on someone else's web site, including your Facebook page, your Twitter account, your blog on someone else's blogging site, etc., not to mention trying to hack into your email account. Some of my advice here can also be applied to those situations, but my goal here is to address attacks on your own web site, which is a more involved topic, in part because you have more control.
Let's start at the end: What to do after your web site has been hacked
So, it's happened to you. Either a friend or colleague has emailed you about it, or you just discovered it yourself. You visit your web site and see that all of your material is gone, replaced by junk or a big warning or emptiness or an error message. What should you do?
First of all, don't panic. Take a breath!
Then, working from the simplest explanation to the most sinister, here's my advice on what you (or your web design person or computer consultant) should try.
Maybe your web site wasn't hacked. It might just be you (or your computer).
If you see a blank page or an error message:
No, it's your web site. It really was hacked!
- First try to Refresh or Reload in your web browser.
- Then try loading www.google.com or www.mfa.org or any page that is not part of your web site. If they also don't load, there may be a problem with your internet connection (try resetting your equipment) or your computer (try Restarting it). If those other web pages do load, then your connection is probably working.
- It's possible that your firewall software or other security measures is interfering with your computer's ability to load your web site. Try turning it off temporarily, or try a different computer, or ask a friend or colleague to check your web site from a computer at a different location.
- Could your domain registration have expired? Did it fail to renew automatically because your credit card expired? Did you turn off auto-renewal and fail to renew it manually? Check your registration online or contact your domain registrar or web design person.
- Could your web hosting account have been suspended for similar reasons? Check your hosting account online or contact your hosting company or web design person.
If you visit your web site and something loads (with no errors), but instead of seeing your content you see something significantly different, that would be direct evidence it's been hacked. I recommend that you (or web design person) do the following:
Once your web site is back, take these steps as well
- Capture what's on your screen by taking a screen shot, printing it out, taking a picture with your smartphone or camera, or printing it to a PDF file (requires extra software on Windows, a built-in feature on Macintosh). Don't try to save it or copy-and-paste (unless you have prior experience saving web sites that way), what you'll end up with probably won't be as useful later.
- Try to sign into your web hosting account. This is where the raw data comprising your web site (your text, pictures, layout, and other information) is stored. If you're successful, immediately change your password to something unique (different from all your other passwords) and "strong" (8 characters or more, something difficult to guess). If you can't sign in, use the "forgot my password" mechanism to reset your password to something new, unique, and strong. If for some reason that doesn't work, call your web hosting company immediately.
- Once you can sign into your hosting account, look at what's there and assess the damage to your data. In the simplest case, the hacker may have changed only a few key files. In the worst case, you'll need to delete what's there and replace it by uploading a backup copy of your web site's content.
- If your web site had malicious content on it long enough for it to get noticed and "blacklisted," then once your content is restored you will also need to contact various companies to get your web site removed from their blacklists before the rest of the world will be able to see it again. This is a somewhat involved process, so I recommend contacting your web design person or computer consultant, or google "remove my web site from blacklist" to get started yourself.
- Test loading your web site to make sure it's back, using your computer and a friend's or colleague's.
How did this happen? How did they break in?
- Exactly as I would suggest to someone whose email account was broken into, check the rest of the settings in your hosting account for other changes that the hacker may have made, including your security questions, alternate email addresses, or other mechanisms they could use to break back in.
- If you changed any passwords, update your password chart or database, and notify anyone else who needs to know them, including your web design person, but don't send any passwords via regular (insecure) email.
- Talk to your hosting company about what happened. Were they aware of this break-in? Has it happened to other customers? What security measures do they have in place?
- Seriously consider moving your web site hosting (and your domain email and registration, if they're also at the same company) to a different company. Some hosting companies just haven't invested in good security, and they're not likely to start just because you've been hacked.
It's difficult to know for sure without evidence, but here are some likely explanations:
Who would do this? Why?
- When you first sign up (and sometimes for other reasons), many hosting company actually send your username and password to you via regular (insecure) email, which is a major violation of your security since it exposes that information to the open internet, including hackers who have ways of capturing it.
- The hacker may have broken into your account by guessing your password, tricking you into revealing it (phishing), or possibly hacking into the hosting company's customer records, etc.
- The hacker may have broken into another customer's web hosting account, then found a way to "poke around" the hosting company's system and got into your account without ever needing your password.
From what I've read recently, apart from someone targeting you personally, the most common types of hackers are:
How can you find out promptly that your web site has been hacked so you can get it back more quickly?
- Gangs of thieves from all over the world looking for ways to eventually steal money, and
- Bored teenage hackers with excellent computer skills and nothing better to do with their time than destroy someone's digital life, and you had the misfortune of coming to their attention.
Early detection of your web site getting hacked boils down to two methods:
A few months ago, after one of my clients' web sites got hacked the first time, out of curiosity I added her web site's home page to my www.FollowThatPage.com list of monitored pages. Last week it emailed me that the text describing her professional services on her web site had been replaced with a link to a "search" site. So, after looking at her site myself to confirm this very suspicious change, I notified her right away, and she then had her web design person restore her site to normal, and it was back up within a day or two.
- Manual checking: You could check your web site's home page every day, either by making the effort to visit it, or making it your web browser's home page so you'll see it every time you open your browser.
- Scheduled monitoring: There are a number of services out there that you can use to monitor any web page(s) you're interested in (within reasonable limits). I've had good experiences using http://www.FollowThatPage.com, which offers free accounts that can check a list of web pages for textual changes once per day, and paid accounts that can check even more often.
How can you make it easier to recover from being hacked?
I recommend the following for you (or your web design person) to do:
How can you prevent your web site from being hacked in the first place?
- Maintain an up-to-date backup copy of your web site's content.
- Keep track of your current hosting account passwords in a secure chart or database.
- Keep written instructions on how to get into your web hosting account and upload your web site's content. This online storage area is usually called your "FTP site" (file transfer protocol).
Prevention isn't easy or obvious. I recommend:
This last point is very important. Finding a good web host is similar to finding a good car mechanic. I suggest asking for recommendations from your web design person, your colleagues, or anyone you know with experience having a web site. Ask questions like these:
- Use unique and strong passwords for your web hosting account.
- Keep your passwords safe, and don't send them by regular (insecure) email.
- Scan your computer for malware on a regular basis, since it is the mission of many infections to steal passwords.
- Back up your computer on a regular basis, which (especially if it's encrypted) further protects your passwords and your backup copy of your web site. Store your backups in a safe place.
- Use (or move to) a reputable web host company.
- How long has this web hosting company been in business?
- How good is their technical support? Will they help if your site gets hacked?
- What security measures do they have in place?
- Do they monitor their systems for unusual or suspicious activity?
- What do they do when a break-in is detected or reported?
- What is their history of break-ins? Are they open about discussing breaches, or do they take a "no-comment" approach?
- Do they maintain backups of your content? Doing so may not be standard practice, but it's better to know now than to assume they do and be disappointed. Also, I'd be impressed with one that did!
Where to go from here
- Having your web site broken into and destroyed is terrible, but it doesn't have to be devastating. Take some preventive measures, but also be prepared. It's not that difficult!
- If it happens, the sooner you can detect it and recover, the less "downtime" you'll have and the fewer blacklists you'll need to remove your web site from.
- Your web site's vulnerability to hacking boils down to your own security measures (did your hosting passwords getting stolen or guessed?) and the level of security and quality of systems at your web hosting company.
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to email@example.com
and I'll add you to the list, or visit http://www.kadansky.com/newsletter
Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2013 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.