If you suspect your server has been compromised, you're in the right place. Server security incidents require immediate attention, but with a systematic approach, we can help you assess the situation, contain any potential breach, and restore your server to a secure state.

How do I know if I'm actually hacked?

First, let's check if your server is really hacked. Here are some common signs:

  • Your website looks different or has been defaced

  • Your site is suddenly really slow

  • Google has marked your site as "suspicious" or "hacked"

  • You're seeing weird files or folders you didn't create

  • Your server resources (CPU/RAM) are super high for no reason

  • Your users are complaining about redirects to strange sites

  • You're getting reports about spam being sent from your server

Okay, I'm pretty sure I'm hacked - what now?

1. Don't panic, but act quickly

First things first - we need to stop the attack from spreading and prevent any more damage. Here's what to do right away:

  1. Take Your Site Offline

    • Disable your sites, or maybe turn off your complete server

    • This might feel scary, but it's better than letting the hackers continue doing damage

  2. Change ALL Your Passwords

    • WordPress admin password

    • Database passwords

    • FTP passwords

    • Server user passwords

    • Any other services connected to your site

2. Find out what happened

Now let's figure out what the hackers did:

  • Check your WordPress files for recent changes

  • Look at your access logs for suspicious IPs

  • Check for weird new admin users in WordPress

  • Look for strange new files (especially PHP files)

3. Clean up time

Here's how to clean things up:

If you're running WordPress:

  1. Download a fresh copy of WordPress

  2. Back up your wp-content folder and database

  3. Scan your theme and plugin files for weird or unreadable code

  4. Check your database for suspicious admin users

  5. Install a security plugin like Wordfence or Sucuri

For any server:

  1. Check for unauthorized SSH keys

  2. Remove any suspicious cron jobs

  3. Scan for malware using maldet or ClamAV

  4. Check all your PHP files for weird or unreadable code

4. Make your server secure again

Let's prevent this from happening again:

  1. Update everything

    • WordPress core

    • All plugins

    • All themes

    • PHP version

    • Server software

  2. Lock things down

    • Add a firewall

    • Set up proper file permissions

    • Use strong passwords

    • Enable two-factor authentication

    • Keep regular backups

    • Install a security plugin

Quick reference: "Is this suspicious?"

Here's a quick list of things that should raise red flags:

  • Files with names like eval.php, base64.php, etc.

  • Files containing weird encoded strings

  • Unknown admin users in WordPress

  • Files modified at strange hours

  • Unexpected outbound network connections

  • Files in your uploads folder ending in .php
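To make the file checks from step 2 and from this list repeatable, here is an added example (not part of the original article) that walks a web root and reports PHP files matching those red flags. The function-name patterns, the 200-character threshold, the 7-day window and the `.phtml` extension are assumptions chosen for illustration.

```python
import os, re, sys, time

SUSPECT_NAMES = {"eval.php", "base64.php"}  # the two names given in the list above
# Assumed heuristics: decode/exec calls common in obfuscated PHP, or a long base64-like run.
ENCODED = re.compile(rb"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(|[A-Za-z0-9+/]{200,}")

def triage(root, recent_days=7, now=None):
    """Return sorted (relative_path, [reasons]) for PHP files that deserve a manual look."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reasons = []
            if name.lower() in SUSPECT_NAMES:
                reasons.append("suspicious name")
            if "uploads" in rel.split(os.sep)[:-1]:
                reasons.append("php in uploads")
            try:
                with open(path, "rb") as fh:
                    if ENCODED.search(fh.read(1_000_000)):  # first 1 MB is enough for triage
                        reasons.append("encoded or eval-style content")
                if now - os.path.getmtime(path) < recent_days * 86400:
                    reasons.append("recently modified")
            except OSError as exc:
                reasons.append(f"unreadable: {exc.strerror}")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python3 triage.py /var/www/html   (path is an example; defaults to current dir)
    for rel, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {', '.join(reasons)}")
```

A hit is a reason to open the file and compare it against a fresh copy, not proof of compromise: legitimate plugins also call base64_decode, and every file looks "recently modified" right after an update.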

Remember: When in doubt, ask for help! It's better to be cautious than to ignore potential security issues.

Stay safe out there! 🛡️

02 December 2024 (last updated 2 weeks ago)

Written by Dennis

Dennis brings over 6 years of hands-on experience in server management, specializing in optimizing web services for scalability and security.
