Tutorial - What to do if your Website is hacked

Learn our tips for repairing your hacked website

Last updated 15th November 2022

Objective

This tutorial is designed to help you when you find that your website has been hacked. Below you will find the 4 steps to follow in order to correct this situation.

A hack can show up in several ways (non-exhaustive list):

  • Your website no longer appears correctly or at all, without any changes (FTP, SQL or DNS) on your part.
  • Your website is redirected to another website.
  • Your website generates unwanted "ads" (pop-ups, error windows, etc.).
  • Your website’s database is suddenly filled up.
  • You receive SPAM generated by infected scripts from your hosting.

This tutorial explains some tips for repairing your hacked website.

OVHcloud provides services that you are responsible for with regard to their configuration and management. It is therefore your responsibility to ensure that they function properly.

This tutorial is designed to help you with common tasks. Nevertheless, we recommend contacting a specialist provider (https://partner.ovhcloud.com/en-au/) or reaching out to the OVHcloud community if you encounter any difficulties. We will not be able to assist you. You can find more information in the Go further section of this guide.

Requirements

Instructions

Hacking of a website is systematically linked to at least one of the following:

  • A lack of website updates.
  • Spyware on one of the devices you use to manage your website.
  • Using an "unofficial" plugin or theme, especially if you are using a Content Management System (CMS) like WordPress, Joomla!, PrestaShop or Drupal.
  • Passwords (FTP, SQL, back-office for CMS, etc.) are too short or easy to find, especially when they are never changed.
  • A script from your website that deliberately opens ports on your web hosting plan without checking what is received by these ports.
  • FTP access rights ("CHMOD") are a bit too permissive.

The hacking of a website does not come from a security defect of the web hosting. Only the scripts/files that it hosts are able to give orders to the hosting. They may or may not require the user to open certain access ports that are closed by default, or to perform certain actions.
Scripts give commands, the hosting carries them out.

Step 1: Scan all your devices

Run an anti-virus and anti-spyware scan on all the devices (PC, Mac, smartphone/iPhone, tablet, ...) from which you administer or manage your website.

If you are using devices that run Linux, Mac OS, or other operating systems for which it is commonly stated that there is no risk of having a virus or spyware, still perform this scan.

No operating system is immune to malware/viruses.

We recommend that you use multiple anti-virus/anti-spyware tools (free or paid) on each of your devices. Indeed, some viruses or spyware may go undetected depending on the anti-virus software used. Some anti-virus/anti-spyware tools are installed locally on your device, while others can be used directly online.

If a virus or spyware is found, remove it using your anti-virus/anti-spyware software before proceeding to the next step.

Step 2: Change your passwords

When a website has been hacked, change all passwords related to it as a precaution.

For OVHcloud services, please use our documentation to:

We also recommend using a password manager.

When changing your database password, remember to also update the password in your website's configuration file. Otherwise, the link between the database and the files in your web hosting plan’s FTP storage space will be broken, and your website will display an "error connecting to your database" message.

If you use a CMS like WordPress, Joomla!, PrestaShop or Drupal, please refer to the official documentation for your CMS to change the password for accessing your CMS administration interface (backend).

Step 3: Scan for malicious files and security vulnerabilities

If you experience any difficulties carrying out the actions described below, contact a specialist provider in cyber security.

Use our guide to your web hosting plan’s statistics and logs to search for malicious elements injected into your website. You can find the information in the web logs.

Start searching from the date you first noticed the hack, then work backwards through your logs.

Identify unusual "POST" requests. Generally, malicious files have alphanumeric names with no particular meaning (examples: az78e4jFn.txt, oij8bh4.html, udh73hd45.php, mlkjc23d.js, ...).

Locate the IP address that made the malicious request. Then search your logs for this address to see all the actions requested from your website by this IP.

Usually, several malicious IP addresses call, during the same period, the malicious scripts present after the hack. Take the time to analyse all your hosting logs.

Trace the security vulnerabilities in your website and list the malicious files you encounter.

Several websites (not managed by OVHcloud) can be used to obtain information on malicious IPs. You can use one of them to retrieve information such as the IP provider, its geolocation, the manager, etc.

If you are absolutely sure that this is a malicious IP, you can block access to your hosting by following our documentation on access restrictions via the .htaccess file.
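The log search described in this step, as an added example that is not part of the original OVHcloud guide: it flags "POST" requests to files with random-looking names, then lists everything the same IP addresses requested. It assumes logs in Apache "combined" format; the sample lines, the function names and the "random-looking" heuristic are constructed for illustration and will need tuning for a real site.

```python
import re
from collections import defaultdict
from posixpath import basename, splitext
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2022:03:14:07 +0100] "POST /wp-content/uploads/udh73hd45.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2022:03:15:40 +0100] "POST /contact.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2022:03:16:02 +0100] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Nov/2022:03:17:31 +0100] "POST /oij8bh4.html HTTP/1.1" 200 95 "-" "curl/7.68.0"
198.51.100.23 - - [12/Nov/2022:03:18:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def looks_random(path):
    """Heuristic (assumption): the file name stem is a letter/digit mix with no separators."""
    stem = splitext(basename(urlsplit(path).path))[0]
    digits = sum(c.isdigit() for c in stem)
    return stem.isalnum() and len(stem) >= 6 and digits >= 2 and len(stem) - digits >= 3

def trace(log_text):
    """Map each IP that POSTed to a random-looking file to all of its requests."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    flagged = {ip for ip, _, method, path, _ in entries
               if method == "POST" and looks_random(path)}
    activity = defaultdict(list)
    for ip, ts, method, path, status in entries:
        if ip in flagged:  # keep every request from a flagged IP, not only the POST
            activity[ip].append((ts, method, path, status))
    return dict(activity)

if __name__ == "__main__":
    for ip, requests in trace(SAMPLE_LOG).items():
        print(ip)
        for ts, method, path, status in requests:
            print(f"  {ts} {method} {path} -> {status}")
```

A flagged name is only a lead: confirm that the file exists on the hosting and is not a legitimate asset before treating the IP as malicious.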

Step 4: Remove malicious elements and fix security vulnerabilities

For this step, there are three possible scenarios.

Important: In any case, if you delete the malicious code without fixing the security vulnerabilities, the hacker could exploit them again to place new malicious code on your hosting, or even create a new backdoor.

Restoring to a pre-hack date will require an immediate update and an essential security audit to identify any security vulnerabilities.

Case 1 - OVHcloud has a backup of your website (FTP storage space and database)

Depending on the date your website was hacked (less than 14 days), OVHcloud can provide you with a backup (not contractual).

To do this, please refer to our 3 guides:

Make the restore dates for your FTP storage space and SQL database coincide as much as possible.

OVHcloud has security robots that can detect malicious actions originating from your hosting. They will deactivate your hosting plan and notify you via email that your hosting plan has been deactivated. In addition to this email, a "403 Forbidden" page usually appears when you try to access your website.

If your hosting system is in the "disabled" state, the automatic restoration robots available from your OVHcloud Control Panel will be disabled as well. You will need to carry out a “manual” restore of your site, delete the remaining malicious elements, then correct all security vulnerabilities present in this backup. Do this before reactivating your hosting.

To reactivate the Web Hosting, follow the instructions in step 4 of this guide.

Your website should reappear if these actions have been performed correctly.

Case 2 - You have created your own backup before the hack

To do this, please refer to our 2 guides on the subject:

OVHcloud has security robots that can detect malicious actions originating from your hosting. They will deactivate your hosting plan and notify you via email that your hosting plan has been deactivated. In addition to this email, a "403 Forbidden" page usually appears when you try to access your website.

If your hosting is in "disabled" state, perform a "manual" restore of your site, delete the remaining malicious elements, then correct all security vulnerabilities present in this backup. Do this before reactivating your hosting.

To reactivate Web Hosting, follow the instructions in step 4 of this guide.

Your website should reappear if these actions have been performed correctly.

Case 3 - No backup available for your website

You will need to manually delete the files and malicious codes previously detected in step 2 of this guide, then fix your website’s security vulnerabilities.

To log in to your hosting plan’s storage space, please refer to our guide on this subject.

OVHcloud has security robots that can detect malicious actions performed from your hosting. They will deactivate your hosting plan and notify you via email that your hosting plan has been deactivated. In addition to this email, a "403 Forbidden" page usually appears when you try to access your website.

If your hosting is in "disabled" state, perform a "manual" restore of your site, delete the remaining malicious elements, then correct all security vulnerabilities present in this backup. Do this before reactivating your hosting.

To reactivate Web Hosting, follow the instructions in step 4 of this guide.

Your website should reappear if these actions have been performed correctly.

Step 5: Update your site

Update your website with regard to its source code, its security settings and the language versions it uses (including PHP).

Check the FTP access rights ("CHMOD") for each of your folders and files hosted in your storage space. By default, we recommend using "CHMOD" 705 for folders and 604 for files as far as possible.

You can find more details on "CHMOD" rights in the "Useful information" section of our tutorial on using the Filezilla FTP client.
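One way to check the "CHMOD" recommendation above on a local copy of the site, as an added example that is not part of the original OVHcloud guide: it walks a directory tree and reports every folder or file that grants permission bits beyond 705 and 604 respectively. The function names are hypothetical, and the script assumes a POSIX file system.

```python
import os
import stat
import sys

DIR_MODE = 0o705   # value the guide recommends for folders
FILE_MODE = 0o604  # value the guide recommends for files

def extra_bits(path):
    """Return (mode, bits set beyond the recommended mode) for one path."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return 0, 0  # a symlink's own mode is not meaningful, skip it
    allowed = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
    mode = stat.S_IMODE(st.st_mode)
    return mode, mode & ~allowed

def audit(root):
    """List (relative path, mode, extra bits) for every entry that is too permissive."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode, extra = extra_bits(path)
            if extra:
                findings.append((os.path.relpath(path, root),
                                 format(mode, "03o"), format(extra, "03o")))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_chmod.py /path/to/local/copy (defaults to the current folder)
    for rel, mode, extra in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: mode {mode}, bits beyond the recommendation: {extra}")
```

Group- or world-writable entries (extra bits containing 020 or 002) deserve attention first, since they allow other accounts to modify the file.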

If you use a CMS (WordPress, Joomla!, PrestaShop, Drupal, ...), update your plugins, your theme and the CMS itself. Try to use "official" plugins/themes only and keep your website up-to-date as regularly as possible, in a comprehensive manner.

Secure your contact forms at a minimum by using a "Captcha" type system, to prevent malicious robots from emitting SPAM through it. If PHP’s "mail()" function has also been blocked on your web hosting plan, please refer to our guide for information on how to resolve this block.

Please also refer to our guide on how to secure your website, to minimise the risk of a new hack occurring.

Go further

Logging in to your Web Hosting plan’s storage space

Modify your Web Hosting plan’s configuration

Enable Application Firewall

Optimise your website’s performance

For specialised services (SEO, development, etc.), contact OVHcloud partners.

If you would like assistance using and configuring your OVHcloud solutions, please refer to our support offers.

Join our community of users on https://community.ovh.com/en/.

