Getting your website hacked is very annoying. Recovery takes time and effort and a compromised website can cause reputational damage. Avoid your website getting hacked!

Provide a secure website, make regular backups and updates. Is still hacked your website? db8 use the following procedure to recover ...

1. Securing

1a. old backups

Do you have a clean backup of the hack? Some hosting companies make regular backups of the entire website, but stored only temporarily. Download as soon as possible some backups (the oldest and the most recent of the hack) files and the database.

1b. backup hacked website

Make a backup of the current (hacked) website. If the repair work does not go well, you can go back at least to this point. Furthermore, you can use the backup later for further analysis. Finally, the backup can be used for repair work.

1c. server access log files

Set the server log files safely. Perhaps they can be used for an analysis of the security problem. Log files are temporarily stored. Copy them as soon as possible to another location for further investigation.

2. Analysis

It's annoying when a site is hacked. It gets even worse if it happened again afterwards. Avoid following hack and get behind the safety issue so you can fix it.

2a. Joomla version?

Which Joomla version was installed? Was up-to-date? Are there security problems familiar with the version used?

2b. 3rd party extensions?

Which extensions + versions are installed on the site? Were they up to date? Are there any safety issues known to the versions used?

2c. safety issues familiar?

There are no known safety issues concerning the server software? Eg PHP version?

2d. Analysis hacked files

What files are updated? The sitemap.xml .htaccess and adapted? What purpose did the hackers? Is the method known?

2e. server access log files

Determine the date + time when the hack occurred. Analyze the server access log files to see how the hack could have happened.

Note: date + time files are adaptable. Hacker script is hiding!

3. Restore

Then the hacked site to be restored

3a. Solving security problems

Hackers often leave behind several backdoors on the server. If that remain after the restoration of the site, the site is hacked again in no time. Restore the security problem, update Joomla and all 3rd party extensions. Then create a new backup of the site clean. For example, use Akeeba Backup. Remove the server first all old files, or place them gets in a subfolder permissions 000 so that no one can be more. Rather than restore the backup on the server.

3b. cleanup site

Hopefully you have a clean backup of the hack. Install on an offsite location. For example, in a web environment on a local PC. Clean environment which can also be used in a comparison with the hacked website. Much has changed sind the backup? Those changes can be manually placed back on the clean website. With many changes has to do at the database level, using SQL queries.

If no clean backup is present, the website can best be completely rebuilt with clean software. The content (menu items, categories, items, etc) from the hacked site can then be transferred to the database level later.

Note: Work offline - do all this on a local server

3c. google sitemap

Hacked pages can be indexed by search engines. To get the hacked pages from search results, you need to register a new sitemap to Google. And let generate HTTP error codes on the URLs of previously hacked pages.

3d. passwords

Change all passwords on the server: FTP password, the database password, passwords of Joomla users on your website.
Taking FTP? Consider using sFTP (secure FTP)

4. Inform

4a. customer

In the case of a client's website, it is advisable to inform your client before beginning the repair.

4b. hosting party

Remember to inform the hosting party of the hack: the backgrounds, if it occurred, discovered the security problem and what you did to fix it. A good hosting company will use the information to actively seek the safety problem with other customers and then take action. It is in your own interest that the (shared) server (and shared IP address) is clean and not abused for instance spam bots.

4c. Personal authority

In The Netherlands from January 1, 2016 organizations are required by law to report data breaches of sensitive personal information to the authorities. This must be done within 72 hours of discovering the data breach.

4d. users website

If the leaked personal data were stored unencrypted data breach and the adverse effects could have on the privacy of users, it should be the users informed. But it is sowiezo neatly to make them aware of the data breach, the possible consequences and what you are doing to prevent it in the future.

4e. developer

If an unknown security problem was abused in a 3rd party extension, it is advisable to inform the developer of that software. like when a software update, you can not get back on your website security problem.