Recovering Hacked Sites

The following examples illustrate some methods that hackers may use to get into websites or the hosting. In each case there are some likely reasons why the websites or their respective hosting spaces were compromised.

I am publishing them for several reasons. When you look at the security aspects of shared hosting there are some areas where we have control, some areas where I have control and you do not, and some areas where the hosting company has exclusive control. Because we use shared hosting we are not on a single compartmentalised, or virtual server. We share the space with other accounts. This inherently has risks, but we are dependent on the hosting company that manages the servers to contain that risk.

What is left is down to you and me. As you will see in the cases I refer to at the end of this page, if something happens it is generally down to me to resolve the situation. That can and has taken hours to resolve. So I inherently take a lot of care with security.

While I very much doubt that a vulnerability has occurred because of security on my systems, as a professional, I cannot rule it out; because we simply don’t know what we don’t know. So I start by changing all of my passwords for key areas which range from supervisor password access to hosting accounts to the passwords I use for email accounts (these are all changed from time to time anyway).  So it is a lot of work for me to change them all and record them.

When I get to look at the site in question I have to try to figure out what has happened, what has been affected, how was it affected and where a security hole may exist.

I then need to recover what content I can from the site, secure a backup, or use a backup that occurred before the site was hacked. Then start to rebuild the site based on a clean code base and recovered content. I also work my way through the page contents to make sure nothing has been buried in there.

For each of the following cases they fall into one of several categories. All of which are preventable with a little care.

Master Email Account

An important client email account has been hacked, and information that was sitting in that account has been used to access the hosting or recover a password from the website.  This may happen without your knowledge.

Solutions: Change your email and site password regularly. Use several layers of authentication so if anything changes on your account you are aware of it. Don’t leave sensitive information in an email account on the web.

Viruses and Malware

Someone who has access to the charities systems (broader than just the website), has a virus on their computer and it is logging key strokes. Passwords and other information is being sent to a third party.

Solutions: Use an independent high quality anti virus product on all systems that are important to your charity or group. Particularly where information is shared between systems. Try to use a product that incorporates a personal firewall as well.


A form a user has innocently filled in has sent a user name and password to a third party.  These are increasingly common.

Mitigation: Anti virus and firewalls can offer some protection if the signature of the phishing scam can be detected. If you get caught by this method it can usually be detected by entering information into a form and then nothing happens. Change your passwords regularly, particularly after something odd has happened.  If you are asked for personal information, ask yourself why? Never put your email password into any box other than the one provided by your email hosting provider.

Cross Hosting Hacking

As long as someone has a higher authority than I have (the hosting company) and we are not located on our own private server that only I have master access to, there remains the risk that something that happens in the hosting may affect your site. Extremely unlikely, however it is a risk.

Mitigations: I get reports of activity on sites all of the time. 99.99% of these messages are noise. If I see something unusual I flag it to the hosting company for investigation. I also use more than one company for hosting. So if a problem persists I can isolate the site and move it. Backing up the website is the single most important aspect of protection and recovery

Is WordPress safe?

There is a lot of positive and negative press out there about WordPress and how it can/ cannot be hacked. Some of these messages are marketing messages to promote other solutions.

WordPress is used on over 10% of the World’s websites. That is over 74,000,000 sites currently on the Internet based on WordPress. If it was an inherently weak system then large corporations would not use it. It strikes a balance between the higher end/ greater complexity of Drupal and  Joomla and the simplicity of an HTML site. These three systems are also popular and used by Governments for medium and larger sites.

If someone takes WordPress out of the box and does not configure it correctly, uses a simple password, pays no attention to security, uses poorly supported plugins …… then the site will be targeted and hacked.

I have extensively researched security and employ many different techniques for keeping your sites secure. These range from login names, strong passwords to well respected and supported security plugins, file scans, logging and other methods.

What happens when things go wrong?

Take a look at the following case studies, what happened, what the investigation showed up, and how the sites were recovered. There are learning points on all of them.

(Note that some of the following pages are password protected as they will largely be of interest to my client base.)

Case 1: Email account compromised leading to website compromise.

Case 2: Pharmacy and Dating site links inserted into site

Case 3: Wrapper added around a site (referrals create money)

Case 4: Recovering a hacked site process. Detailed steps you can take to recover your site without my help. 

Return to Home