The scene:  you’re sitting at your desk drinking coffee when your phone rings. “Have you seen your website today?”  You’ve been hacked!  Suddenly images have been replaced, content includes links to sites that you wouldn’t want visitors visiting and, in some cases, your URL redirects to a completely different site!  A sinking feeling hits you right in the pit of your stomach.  What do you do now?

A hacked website can be very frustrating.  It can be time-consuming to fix and harmful to your business and visitors, but there are steps you can take to recover.  First, let’s talk about what you can do to prevent a hack in the first place – after all, “An ounce of prevention is worth a pound of cure.”

  • Keep your software up to date – WordPress and similar software providers are constantly upgrading their software and plugins to respond to the latest known security threats.  If you’re using a managed hosting company, your software should be upgraded automatically; however, it’s certainly a question to ask when choosing a hosting company.
  • Watch out for unknown code – if you’re more experienced in website design, check the code occasionally to ensure no one has inserted a backdoor giving them access to your website and database.
  • Avoid file uploads – allowing users to upload to your website leaves you open to malicious files. If you must, ensure you know who the file is coming from and that they are a trusted user.  If an unexpected file is uploaded, treat it as if it were suspicious and don’t open it.
  • Use HTTPS – you’ve probably seen URLs beginning with HTTP and HTTPS, so what’s the difference? The “S” in HTTPS indicates that your website is protected by a security certificate, proving that the website you have reached is indeed the website you were trying to access.  High-level encryption makes it more difficult for hackers to access your database.  Side note – this is particularly important if your users need to access or supply confidential information (such as credit card numbers).
  • Website security tools – website security tools help identify potential weak spots in your website that would allow hackers to access your database and wreak havoc. There are several free online tools to choose from.  Your hosting company can also assist with this.
  • Change your password often – one of the easiest ways for a hacker to gain access to your site is by stealing your password. If you change your password often, you’ll make it more difficult for a hacker.  It goes without saying, your password should never be “password.”
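
One way to carry out the occasional code check from the "unknown code" item above, as an added example that is not part of the original article: record a SHA-256 hash of every file while the site is known to be clean, then compare later scans against that baseline to list files that were added, removed, or changed. The function names and the sample site are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(web_root):
    """Map each file path (relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_manifests(baseline, current):
    """Return files added, removed, or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample site: take a baseline, change files, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'home';")
        (root / "contact.php").write_text("<?php echo 'contact';")
        baseline = build_manifest(root)  # keep this copy off the web server

        # Unexpected changes, constructed for this example
        (root / "index.php").write_text("<?php echo 'home'; // extra line")
        (root / "uploads" / "unknown.php").write_text("<?php // not ours")
        (root / "contact.php").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Any file reported as added or modified that does not match a software update or an edit you made yourself is a candidate for closer review.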

So, you’ve taken every step to secure your website and you still get hacked!  Unfortunately, even the most secure sites aren’t immune from hackers with malicious intent.  Now, what can you do if your website is hacked?

  • Try to locate the hack – are you able to log into your site?  Is your site redirecting to another site?  Does your website contain any illegal or unintentional leaks?  Has Google already marked your website as insecure? Knowing the answers to these questions will help you or your hosting company find where the hack occurred initially.
  • Contact your hosting company – good hosting companies are experienced in how to identify and remedy a hacked website, and many can help you clean your site, removing any malware.
  • Hire a professional – if your hosting company cannot provide the support you need or if you host the site yourself, consider hiring a professional to clean your site.  If you are not experienced in the backend of your website, especially if the hack is extremely vicious, it is very easy to make the situation worse and not better.  There are many online sites that can help identify where the attack came from and remove bad files.
  • Restore an old version – most hosting companies will back up your website automatically for you, but if you are hosting the site yourself, make sure to back up your database frequently.  If an attack does happen, a restore can bring your website back to where it was prior to the hack.  Unfortunately, any changes you made after the last backup will be lost, but sometimes it’s the lesser of two evils.  Remember, your site was hacked, so somewhere in the older version a weakness exists.  Make sure to find it and fix it to prevent another attack.
  • Change your username and password – if a hacker has gained access to your site via your username or password, changing it will prevent them from doing additional harm.  It won’t fix what they’ve already done, but it will make it easier to clean your site and get it back up and running.

Having your website hacked can be very stressful. The best thing you can do is be proactive – understand how hacks occur and ensure you’ve done everything possible to prevent them in the first place.  If your website is hacked, remember to stay calm.  It’s not the end of the world.  You will recover.