I will quickly explain the first good reflexes to have the day it happens to you. Indeed, the question is not if it will happen, but when it will happen to you. Moreover, the latest study by Wavestone is not reassuring, with 100% of the sites audited having a security breach. You will see the steps to follow throughout the process, from discovery to return to service.

This is not a technical article; it is meant to be readable by someone with little or no security knowledge. The technical subjects will be covered in other articles.

How do I know that my site has been hacked?

This is the big bad question. Generally you get a call from a friend or an SMS, or you notice it yourself. Often it is obvious, because a page of your website has been changed to display something else, including the attacker's claims. This is called a "deface". It is very common, and if the hacker has done that, it's a safe bet that he has done something else as well.
When the hack is more subtle, your browser may warn you with a display that looks like the one in the screenshot below; otherwise your antivirus (even on Mac OS) can warn you that there is malicious code on the site. Of course, your web agency, service provider or host will warn you as soon as they have detected the attack, and they will not always be the first to do so.
For the rest of the article we will assume that you built your website yourself and that you have a hosting service somewhere. But these steps also apply if you manage websites for customers.

Step 1: Take back control from the hacker

First of all, do not curl up in a ball in a corner; it is not productive. A swear word or two, why not, that can help you relax. Once you have swallowed the bad surprise and gathered your wits, 30 seconds later, what should you do?
When your website is hacked, the most urgent thing is to disable it. Create a maintenance index.html page to warn your users. However, I advise you to stay rather vague and just put a message like "Site under technical maintenance, back very soon!".
Before sending it to your website via FTP, log in to your host's management interface. You will have to change the FTP passwords as well as the database passwords. If you use one of these passwords elsewhere, that is a mistake, but you will have to remember to change it on the account(s) where it is used. I also advise you to strengthen the password for your account at your host.
Once you have changed your passwords, upload your maintenance page.

Step 2: /maintenance-mode on

I advise you to download your entire website into a folder; we will see why later. Once the download is finished, do not forget to scan the downloaded files with your antivirus. While your antivirus is at work, delete all files from your website via FTP, except your maintenance page.
Also make a backup of your database; we will come back later to what to do with it. There, your site is no longer harmful, phew! What to do now?

Step 3: Return to service?

This is the most complicated part. Concretely, do not simply restore your last backup to bring your website back. It was attacked either through a flaw in the application or because of a weak password on your database, on your FTP access or, why not, on your hosting management account. Or, even worse, it is the server hosting your site that was attacked. In that last case, contact your host quickly to get information and find out when you can restart your website.
Putting it back into service in good condition is rather complicated... In fact, you only have three solutions:
  1. You are a security expert: you audit your code and can correct it (asking a colleague to take a look is still a good idea).
  2. You are not a security expert, just a developer, or a developer without security training: contact a security expert to repair your website.
  3. Same as case 2, but contacting an expert scares you... Call the police or the national police; they have specialized units to assist you.
Whichever solution you choose, you will have to provide your last backup from before the attack, as well as what you downloaded in step 2 of this article.


If your website contains personal information (e-mail, name, surname, etc.), you will then have to inform the CNIL. If you go through a security expert, he can offer to handle the process for you.
If you choose a provider, be sure to agree with him on annual monitoring of the website, because a site that has been hacked once will be visited very regularly. The same goes for a server or an e-mail account.