If your website has been infected with malicious content, you should clean your website files as soon as possible to prevent further damage to your hosting account.
First, disable your site completely and allow access only from your own IP addresses while you clean up. This quarantines the site so that hackers will not be able to reach it. If you leave the site online, your visitors will access harmful content, and search engines (Google, MSN, etc.) might also end up blocking your site. The easiest way to quarantine your site is to edit your .htaccess file and allow access only from your own IP address. Use the following two lines (they work on Apache-based servers):
```apache
deny from all
allow from IP_ADDRESS
```
Replace IP_ADDRESS with your own IP address. Once you do this, the site will be down for your visitors. Taking your site offline during the recovery will not affect your future search engine rankings.
To start the clean-up, download all of your website files to your local computer via FTP and scan them with your antivirus software. Once the scan is completed, you should receive a list of the suspicious files that you need to review.
Most of the time the infected code is easy to spot because it is heavily obfuscated (encoded to be unreadable), unlike the regular code used in open-source applications, which is much more orderly and usually includes comments explaining the purpose of the different pieces of code. Below is an example excerpt of malicious code:
Make sure to review all of your files, remove the infected code and upload your files back to the hosting server.
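Antivirus software does not always flag injected web scripts, so a second pass over the downloaded copy helps with the manual review. The following is an added example, not part of the original article: a small Python triage script that lists files showing the obfuscation traits described above. The heuristic patterns, thresholds, extension list and the demo file names are assumptions chosen for illustration.

```python
import os
import re
import tempfile

# Heuristics are assumptions made for this example, not a complete signature set.
CHECKS = [
    ("decode-and-execute chain", re.compile(
        rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("long encoded blob", re.compile(rb"[A-Za-z0-9+/=]{200,}")),
    ("hex-escaped string", re.compile(rb"(?:\\x[0-9a-fA-F]{2}){16,}")),
    ("very long line", re.compile(rb"[^\r\n]{1000,}")),
]
SCRIPT_EXT = (".php", ".phtml", ".js", ".html", ".htaccess")


def score_file(path):
    """Return the names of the heuristics that match one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in CHECKS if rx.search(data)]


def scan_tree(root):
    """Walk a local copy of the site; return {relative_path: [reasons]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXT):
                full = os.path.join(dirpath, name)
                if hits := score_file(full):
                    findings[os.path.relpath(full, root)] = hits
    return findings


def demo():
    """Scan a constructed two-file site written to a temporary directory."""
    clean = b"<?php\n// Render the contact form.\necho render_form($fields);\n"
    # Constructed sample: the encoded string decodes to a harmless echo.
    bad = b"<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw==')); ?>\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("contact.php", clean), ("cache.php", bad)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

To check a real download, call `scan_tree()` on the folder holding your local copy. A match only marks a file for manual review, since legitimate minified scripts or embedded images can trigger the same heuristics.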
When the malicious code has been removed, you should upgrade all applications on your hosting account to their latest stable versions.
To ensure you are the only one who has access to your account, and therefore prevent attackers from reaching it again, you should also:
- Update the antivirus software on your computer to the latest version;
- Run a complete antivirus scan on your local computer, including all hard drives;
- Ensure your operating system (Windows, Linux or macOS) is up to date, and all security patches are applied;
- Ensure your Internet connection is secure. If you are using a wireless connection, the only secure encryption is WPA2. For more information, contact your router vendor or ISP;
- Change the passwords related to your hosting account (including FTP accounts, email accounts, etc.);
- Change the dashboard administrator passwords for your web applications.