A post-hack survival guide: cleaning your website after being hacked
Very often, web hosting administrators start to take security measures only after a website has been hacked. So, let us imagine the situation when ImunifyAV has been installed on such an infected server. All malware has been cleaned in one click, and all malicious activity has been stopped.
Are we good to go? Are there any safety steps required?
Actually, the answer is, "Yes, there are still some steps that can be taken after cleanup".
Make sure you use all the product's benefits
Imunify360 consists of multiple modules, including a WAF, malware detection, Proactive Defense, IDS / IPS, and others. I recommend you check out the documentation for each part of the product to get the maximum advantage of it, and adjust the security settings to your security needs.
Wise Password Management
Store all your passwords securely, and be sure to change them all
Store your account information (e.g, SFTP/FTP details, control panel, email, database, etc.) in a secure location, not in your mailbox and not in plain text files on your desktop. It is highly recommended not to store passwords directly in your browser, or, for example, in your FTP manager software. The best practice in this field is to store passwords either in your head (in other words, memorize them), or use special password-keeping software such as LastPass, KeePass, 1Password, Dashlane or similar. Make sure your password is a complicated one. Weak passwords are one of the most common causes of reinfection.
If you choose to memorize your password instead of using a third-party password manager, the best way is to use passphrases. These are much easier to remember and are very hard to break. In the example, "my heart's in the Highlands, wherever I go", there are 42 characters, including punctuation, capital letters and spaces. You can choose a phrase from a favorite book to ensure no one can easily guess it.
You also need to keep in mind that after your hosting server or website is hacked, even if it is now clean, it may still have some of the passwords or password hashes compromised. This means that next time, attackers can get into your host much faster, and with greater ease, unless you change all hosting-related passwords for SFTP, FTP, SSH, the database, CMS user passwords (at least for your administrator users), and so on. You should also check your CMS configuration files. Everything there may already be uploaded to some third-party attacker's server, and all user logins and passwords there must be treated as hacked—all of them must be changed.
Make sure no new fake users were created
It is very important to audit all users with elevated (administrative) access on the system (e.g., CMS administrators, hosting administrators, users having FTP, SFTP or SSH access). If some people are no longer working in the company, it is always a good idea to suspend or remove their accounts as soon as possible. It is also important to check that there are no new administrative users injected or added by attackers. This is another common way of reinfecting a website.
Change your passwords regularly
It is good security practice to change your passwords at least once every 3 months.
If some third-party professionals (e.g. SEO specialist, web designer, developers) were granted access to some of your websites or the whole hosting account, it is highly recommended changing the relevant passwords after their work has been completed.
Use secure connections while logging in
If your host gives some choice, it is preferable to use secure connections, e.g. HTTPS instead of HTTP, to connect to hosting panels or CMS dashboards. Use SFTP instead of FTP to upload files to your host. Such approaches gives another layer of protection to your passwords, when, for example, your ISP network gets compromised.
2FA and captcha protection
Another good idea to protect your login form is with CAPTCHA. This will significantly reduce the chance of malicious bots being able to make brute-force attacks on your user accounts.Together with enabling 2FA (if your hosting infrastructure allows it), this should almost eliminate the chance of password compromise.
Secure your workstations
Keeping your workstation in a secure state is very important.
Antivirus
It is highly recommended using a commercial security solution on all workstations.
Regular virus checks, a robust network firewall, and malicious link filtering, are essential to the reality of modern security threats. Also, don't forget your mobile devices, if they have access to e-mail or any other hosting server or website-related services—these should have some antivirus protection as well.
Licensed software from secure vendor sources
Try to avoid using software from unofficial or "pirated" sources. This includes both your desktop, where "cracked", "repacked" or stolen software can be hidden in binary packages, and server software, which uses commercial scripts, themes, etc.
You should always keep in mind that hackers usually "crack" software for profit, not for altruism. This includes a really large variety of options, including stealing credit card details, credentials and identity theft, spamming, scamming, phishing, and so on. Such malicious functions might be secretly injected into hacked software, which can lead to your web hosting being compromised, or worse.
Working with third parties
Third-Party Agreements
It is important not to forget about all the developers, freelancers, subcontractors, and other third-party services working on your servers. All their accounts and access rights should go undergo a strict audit, with details clearly stated in work agreements. These should be the same as, or stricter than, the security policies followed by yourselves.
I highly recommended including security issues mitigation in your SLA agreements. Your NDA should also protect you from anyone who discloses information about hacker attacks without your prior authorization.
Of course, this is all based on the assumption that you already have some contract or work agreement—giving access to third parties without sorting out the legal side is highly discouraged.
Providing access to third parties
It is always better never to send any permanent user passwords, via email or chat, to subcontractors when they start work. Here are some tips for dealing with third-party credentials.
- Always try to use SSH keys authentication to authorize new users on your hosting accounts. One way is to ask your new web developer to provide their SSH public key, so you can provide access to the required hosts.
- Enable 2FA whenever possible. This will ensure that, even if third-party access details get compromised, an intruder will still not be able to login.
- If key authentication is not possible, and you have to send access details, use a one-time self-destructing link, a password-protected archive uploaded to a secure location (you can provide the passphrase for it via a separate channel), secure chat or PGP encrypted email, and always send temporary passwords, which the user must change on first login.
- Make sure that high-strength requirements are applied to all third-party user passwords.
Backups
Always store backups in a separate location to your website hosting (with your live data): on your workstation, on a backup server, on a cloud storage, etc. If your website gets infected, attackers might corrupt or infect your backups as well, if they are stored in the same place.
Make sure that backups are done on a regular basis. For example, if daily and proper backup rotation is configured, then only backups made in the past 30 days will be stored. This helps to avoid running out of disk space on your target backup location.
Another good option is to use a version control system like Git or similar. Such an approach has the added benefit of providing a backup, and integrity and change control at the same time.
Conclusion
Security is not a one-step action. It is a mindset you must implement within your daily routine.
There should always be a healthy balance between total paranoia and negligence, a balance that strives towards a robust security layer, one that is almost invisible to the end-user, one that filters out malicious activity, creating a safe and comfortable place for work and leisure. Additionally, read our website hosting security article and learn how to keep your website secure in 2021.
Learn more about all-round website security at Imunify360.com.
Imunify360 is a comprehensive security suite for Linux web-servers. Antivirus firewall, WAF, PHP, Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try free to make your websites and server secure now.