
Dealing with Compromised Websites

In the event your website is compromised, we have some suggestions to help you restore as well as secure your site. Please take careful note of the following:

99% of site compromises are a result of insecure scripts and/or insecurely stored passwords. To avoid this situation, always use secure passwords, store them securely (i.e. not in your browsers or FTP clients), and keep all scripts on your account up-to-date with published security patches as required by our Acceptable Use Policy (AUP).

It’s imperative that once you have access to your site you change all of your passwords (cPanel/FTP, email, db-users, secondary FTP accounts, and passwords used in your scripts such as user/backend passwords) and perform a security audit on all scripts/content under your account.

So, what can you do in this unlikely event?

  • Take a backup of your site (back up your files via FTP and your database(s) via phpMyAdmin).
  • Change all of your passwords (cPanel, mail accounts, database users, FTP subaccounts, and Webdisk subaccounts).
  • Make sure the attacker has not created any malicious Cron Jobs in your account.
  • Remove any malicious content from your account, either by restoring from a known-clean backup (if you can determine when the compromise occurred) or by manually auditing all content under your account and removing anything malicious.

If restoring

a) Remove all of your own files/directories (do not remove any system files or directories though) and b) restore your site to an earlier time using the Rochen Vault via these steps.

If auditing

Either audit all content under your account locally, or download it and audit it on your own computer to locate and remove all malicious content.

Secure your scripts and/or local computers to ensure this doesn’t happen again. Update all scripts, and keep them updated within 72 hours of security patches being released. Make sure you are subscribed to update notification mailing lists or RSS feeds for those scripts.

On all of our shared servers we run suPHP, so *never* set file permissions above 644 or folder permissions above 755. You can reset your permissions via these steps.
Configuration files (such as Joomla’s configuration.php) should have file permissions set to 640.
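
As an added illustration (not Rochen's own tool or the linked reset steps), the following POSIX shell functions report and tighten anything that exceeds the limits above. The `DOCROOT` and `CONFIG_NAME` variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a site tree against the limits stated above
# (files no looser than 644, folders no looser than 755, config files 640).
# DOCROOT / CONFIG_NAME and all function names are hypothetical.

# Regular files carrying any bit outside 644: execute, or group/other write.
loose_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -0020 -o -perm -0002 \) -print
}

# Directories carrying any bit outside 755: group or other write.
loose_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print
}

# Config files (matched by name) still readable by "other"; should be 640.
loose_configs() {
    find "$1" -type f -name "$2" -perm -0004 -print
}

# Tighten in place. Bits are only removed, never added, so anything that is
# already stricter than the limits (e.g. a 600 file) is left as it is.
reset_perms() {
    find "$1" -type d -exec chmod go-w {} +
    find "$1" -type f -exec chmod a-x,go-w {} +
    find "$1" -type f -name "$2" -exec chmod o-rwx {} +
}

# Report-only run when DOCROOT is set, e.g.:
#   DOCROOT="$HOME/public_html" sh audit-perms.sh
if [ -n "${DOCROOT:-}" ]; then
    echo "Files looser than 644:";   loose_files "$DOCROOT"
    echo "Folders looser than 755:"; loose_dirs "$DOCROOT"
    echo "Config files not 640:"
    loose_configs "$DOCROOT" "${CONFIG_NAME:-configuration.php}"
fi
```

Review the report before calling `reset_perms`: an unexpectedly world-writable folder or file is also a lead worth following during the content audit.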

Updated on April 28, 2021
