To make sure that the route they used to get in is not simply the route they will use to walk straight back in, you first need to figure out how they got in.
This section will cover some basic principles of how a hacker may have gained access to your site, and some simple processes you can go through to check which doors may have been open and therefore need to be closed now.
Front Doors and Back Doors
Often when people discuss a website hack they talk in terms of front doors and back doors.
Simply put, a front door is an entry point to the secure area that would be normal for someone to enter through.
For example, many sites use the following admin page location: www.example.com/admin
This is an example of a front door that is not linked anywhere on the site, yet is completely obvious to anyone who cares to guess it.
Another front door is if you display a link for people to log in anywhere else on your website or homepage.
Back doors are essentially lines of code that have been placed somewhere within your site and that allow the hacker to walk straight back in whenever they feel like it.
It is quite common for a backdoor to be added after a hacker has first gained access to your site.
They may have gotten in through a front door, but they then make sure that they can get back in once you have closed all the front doors and changed all the locks (aka passwords).
It is also possible that a backdoor has been programmed into your site by someone who was previously working on it for other reasons.
Note: There are legitimate reasons for backdoors to exist, such as for a system admin to be able to reset passwords.
The best way to inspect your site for backdoors is to check which files within your core files have been added or changed recently, and by which account user. Your web host should be able to help you with this.
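As an added example (not part of the original guide), a small shell helper for the check just described: it lists files under a web root that were modified within the last N days, together with the owning user, and counts how many of those sit in directories that should almost never change. It assumes GNU find on Linux; the WordPress core paths in core_changes are an assumed example, so adjust them for your CMS.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Assumes GNU find (Linux). The web root and day count are parameters you supply.

# List regular files modified less than $2 days ago (default 7) under $1,
# printed as: modification date/time, owning user, path; newest first.
recently_changed() {
  webroot="$1"
  days="${2:-7}"
  find "$webroot" -type f -mtime "-$days" \
       -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' | sort -r
}

# Count recent changes inside directories that should rarely change.
# wp-admin and wp-includes are assumed WordPress core paths; change for your CMS.
core_changes() {
  recently_changed "$1" "$2" | grep -E '/(wp-admin|wp-includes)/' | wc -l | tr -d ' '
}

# Usage: sh this_script.sh /var/www/html 7
if [ -n "$1" ]; then
  recently_changed "$1" "$2"
  echo "Recently changed core files: $(core_changes "$1" "$2")"
fi
```

File timestamps can be altered by whoever planted a backdoor, so treat an empty list as a starting point rather than proof; a file that is new where no file should be is the stronger signal.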
Closing The Doors
An important step in the clean up of your website will be closing every door you can find, and then trying to locate any other potential doors that they could be using.
For the non-technical, you can assist this process by taking a comprehensive look at the users panel within your CMS.
Look for any names of users that you do not recognize, or any users that are no longer working with the website.
After the hack I received on a website I was working on, I went and checked the user panel within our CMS and found that, over the years, as employees and contractors had finished working on the site, they never actually had their credentials revoked.
There were user accounts with full admin privileges still sitting there in the names of employees who had not worked on the website in years.
When you find a user account you do not recognize, or that you think is outdated and should be removed, check in with your boss or coworkers, just to make sure that the account should be removed. Then go ahead with the account removal process (this process will be a little different for each person, depending on their CMS).
You will also need to change the passwords for every user across all entry points for your website and website infrastructure, including:
- The hosting panel, or cPanel
- The server (FTP, SFTP, SSH)
- The CMS (WordPress, Magento, Drupal etc.)
- Your other user accounts, such as social media, Google Analytics, Google Search Console etc.
Remember, it is always safest to assume that all data has been compromised, and this includes passwords.
If you have been using the same password for your website as you use for other applications and services, then you will need to change these also (e.g. banks, PayPal, eBay, social media and so on).
Software Vulnerabilities As A Means of Access
There is always the potential that a hacker has gained access by exploiting a software vulnerability. For the non-technical people, this is almost entirely a field that needs to be investigated by a professional.
Third Party Software and Applications
You may have heard people often state that WordPress, for example, is not a particularly secure CMS. The reality is that this is generally due to the fact that vulnerabilities can exist within the extensive plugin range that WordPress users have access to.
When a plugin is not updated, there is often a chance that a known security vulnerability has not been patched. Often, the main reason a plugin is updated is that a security vulnerability has been discovered and consequently addressed.
When a WordPress user (or any CMS user that uses third party applications and plugins; this is not limited to WordPress) does not update their plugins, yet leaves them within their website, this has the potential to give a hacker a way into their website.
It is possible that your PC, or a PC used by someone who had access to your website, may have been infected by a virus or a Trojan. This PC infection can in turn be used to collect sensitive information that you are entering into your computer, including the login credentials to your website (as well as those for every other site you have been logging into).
You will want to ensure that your PC and the PC of anyone else within your company, or anyone else who has access to your site, has a complete and thorough virus scan completed.
As mentioned in the section on hackers using your site for phishing, social engineering is a process in which login credentials are stolen by displaying a hacked or false version of a login screen to a user.
The user then unknowingly enters their details into the login fields, and the hackers are able to record the login credentials.
This is potentially one of the ways that a hacker may have gained access to your website.