Data breaches and site hacks are all too common these days, and hackers are becoming more creative in how they attack sites and databases. Many webmasters and site owners are unsure how to react after a hack, but there are a few basic steps that you must take to secure your site following an attack.
In this episode of 352 Noodles & Doodles, DevOps Engineer Dennis Pelton walks you through what to do immediately after your site gets hacked. Enjoy!
[Dennis Pelton:] Hi, I’m Dennis Pelton, DevOps engineer at 352 Inc. Today we’re going to talk to you about what to do if your site gets hacked.
So the first thing you want to do is change all of your passwords – yes, this means all of them. You’ll want to change your FTP, your admin password, your database connection string password – anything you can get your hands on. This does not include your email or your banking password.
After you have all your passwords changed, you’ll want to step back and assess the situation. You have to know exactly what the hacker did, what he had access to, you know, what they could have gotten into. Once you have this assessed, then you’ll know how you’re supposed to proceed from there. It will greatly change all the rest of these steps based on how you assess the situation. You need to check things like: is this an e-commerce site? Are you dealing with any kind of sensitive information? Did they get access to just your website, or did they get access to the database?
You also need to know how your site is running. You know, did you use a database on a separate server from this same server, or did you use a Content Delivery Network to deliver your images and different files? This is all going to change how you’re going to react later.
Once you know exactly what’s going on, you can begin to restore and notify your clients. Restoring can be as simple as blowing away the entire server if it was just website data, in which case you can pop the new data back on there and you’re good to go. Or if you can’t blow away the server, then you can just restore the files themselves that the hacker changed or modified in any way.
And it also says notify. The reason we say that is because if you do have sensitive data, or client data or anything like that, you need to notify whoever you need to about this. So this is when you want to do that.
Once you have all that done you want to start your server clean up. If you blew away the server to begin with, then you don’t really have much clean up because everything they had access to is gone. You have a new site up and running with the new code, and you’re fine.
If you didn’t blow away the whole server and you just pushed new code up there, you’re going to need to check out the rest of the server. What else could they have had access to, could they have created any new accounts, did they set up any back doors? Did they run any programs? You need to find out what else they did or they could do and make sure all of that is remedied.
Once you’re done with that the final step is prevention. This happened to you once and that was bad enough, you don’t want it to happen again. Make sure that you always keep all of your accounts up to date. Never leave any accounts around called “test” or “user” or anything like that because those are the most common ways for hackers to get in.
Make sure you always delete old temporary accounts and data, make sure they have no way to get back in. Once you’ve done all of that, you’re good to go.
That’s all I have today. Make sure you subscribe to 352 on YouTube.
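The server clean-up and prevention steps in the talk (did they create new accounts or back doors, and are there leftover "test" or "user" accounts) are easier to do systematically than by eyeballing /etc/passwd. The POSIX shell script below is an added example, not code from the 352 video or from Dennis Pelton. It reads a passwd-format snapshot and flags extra UID-0 accounts, placeholder account names, and accounts that are not on the list from a known-good backup. The passwd snapshot, the known-good list and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the 352 video): post-incident account audit.
# Run it against a copy of /etc/passwd taken from the compromised host and
# the account list from a clean backup; it reports what needs a closer look.
set -u

# Constructed sample: /etc/passwd snapshot from the compromised host.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
sysadm:x:0:0::/root:/bin/bash
EOF
)

# Constructed sample: account names present in the last known-good backup.
KNOWN_GOOD="root daemon www-data deploy"

# Accounts with UID 0 other than root: a second root-equivalent login is a
# classic back door and should never exist on a web server.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
    return 0
}

# Placeholder accounts (test, user, guest, temp, optionally numbered) that
# the talk says should never be left around.
placeholder_accounts() {
    printf '%s\n' "$1" \
        | awk -F: '$1 ~ /^(test|user|guest|temp)[0-9]*$/ { print $1 }'
    return 0
}

# Accounts in the snapshot that are absent from the known-good list: these
# are the ones the attacker may have created.
unknown_accounts() {
    snapshot=$1
    known=$2
    printf '%s\n' "$snapshot" | awk -F: '{ print $1 }' | while read -r name; do
        found=0
        for k in $known; do
            [ "$k" = "$name" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$name"
        true
    done
    return 0
}

# Human-readable report; each section is empty on a clean host.
report() {
    echo "== UID 0 accounts other than root =="
    extra_uid0 "$SAMPLE_PASSWD"
    echo "== placeholder accounts =="
    placeholder_accounts "$SAMPLE_PASSWD"
    echo "== accounts not in known-good backup =="
    unknown_accounts "$SAMPLE_PASSWD" "$KNOWN_GOOD"
    return 0
}

report
```

On a real host, replace SAMPLE_PASSWD with `$(cat /etc/passwd)` and KNOWN_GOOD with the names extracted from the backup's passwd file; any account that shows up in the report is either removed or explained before the server goes back into service, and a clean host prints three empty sections.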