Recovering your Hacked Site

Your Website has been Hacked

Almost every company puts up a webpage these days. Many individuals run small online business off WordPress installations too. If you have ever done this on any kind of scale your will inevitably run into hackers doing all kinds of things to your site. These things can include content removal, posting of advertising links and even hijacking your Google site verification. These actions can even disable you from registering your own site with Google and other online companies. The most touted answer to these kinds of concerns is increased security. While security is always a concern it doesn't address what to do when your site is hacked and Google is actively warning people not to go to it because of malicious software. Here is what it looks like when some hacker in Japan hijacks your site

Recovery

If your website is hacked what can you do? You can try to isolate specific problems and troubleshoot them one by one. You can also fail back to the last known good state. In this post I'll show you a combination of these two philosophies that help you reliably recover a Wordpress site in a few a mins. There is no right and wrong way to do this. The only thing that matters is success. Can you recover?

Lightsail

In this post I lobbied for AWS as a hosting provider using Lightsail for Wordpress installations. Lightsail has gotten even better by offering snapshotting of your instances and export capability to Ec2. The snapshot should become your first line of defense for disaster recovery. If someone takes down your site and locks out your authentication you can shell into the server running it use a snapshot to spin up a potential replacement. Once your replacement is ideal you can simply use Route 53 to cut the traffic over to the new ip via it's A-record.

Locked Out Authentication

A common hack on Wordpress sites is to lock you your login. Wordpress comes with a default user. You should never use this user because it is a simple attack vector. Instead, create a new user with admin privileges and delete all the others. You can use the Wordpress command line interface to recover locked out authentication though. Use wp user list to list the known users.

Then you can change any password with the command
wp user update USERNAME --user_pass="PASSWORD"

A Full Restore

If you have been hacked it can be very difficult to fix every issue that has crept into your deployment. In the preceding paragraph I showed you how to fix a common login hack. However, if you have been a victim of url injection or other aggressive attacks you are probably better off with a scorched earth approach. I've had success with this by using snapshots. It's true that there are many Wordpress plugins that can export your posts and comments and even large scale design, but they will likely miss some things. For example, if you had inserted a Javascript tag for Google Analytics tracking in the head.php file a plugin might not recover that. A snapshot will recover everything though.

Step by Step

If you using Light sail then you can see how I'm snapshotting my releases as I go.

If my current deployment got hacked then I can choose a snapshot and then create a new instance from it. This will be a pristine deployment that will be accessible from the public ip assigned to the server. This instance will even recover user logins and proprietary logos. At this point you can even have your current hacked version accessible from your domain name and it's potential replacement up at the same time to make sure you capture the latest content excluding exploited data. To cut the traffic over edit the A-record like this

Take note of the ttl in the DNS record because propagation can take time. Now that we are up and running you can safely kill your old instance.

Hot Back Up

If you are the paranoid type and willing to spend some extra money, you can maintain a hot back of your site. Don't do this as a subdomain though. If you are attacked, it's trivial to get to the subdomains. It is possible to maintain a hot back up with no public visibility. Doing this will leave you with the easiest recovery of all.