The next step in this process is going to be a little more technical than many of the others. If you have a team that can help you, it is advisable to involve them. Generally, your webhost will be able to get (or may have already gotten) the majority of the next step done for you.
The two main things that need to be done before you even start to investigate fixing the hack are to quarantine your site and to see whether you have a non-corrupted backup available.
Quarantining Your Site
In some cases, you may be finding out about your website being hacked from your webhost, as they let you know that they have just quarantined it for you.
I guess in this instance, you don’t need to worry about setting up the quarantine yourself at least.
The primary reasons you will quarantine your site are:
- To move the core files out of the hacker's reach
- To minimize the damage that is done to the greater public from your hack
There are a lot of opinions out and about regarding site quarantining.
Many people will argue that it is not a necessary step, regardless of whether Google has made it an official step within their site cleanup process.
You may also be facing external pressure from a client, or your boss, to not take the website down.
Times when you may consider not quarantining
You may consider not quarantining if you know that you have a reliable backup ready to restore the site to its pre-hacked form. If you know that you can quickly get it shifted back to a safe and clean state, then you may decide to skip the quarantine.
Note: even the pre-hacked form will require some additional work, because whatever security vulnerabilities allowed the hacker in will still be present. This means that, during the cleanup process, the hacker may immediately try to regain access through whatever route they took initially. Quarantining would prevent this.
You may also consider not quarantining your site if it is immediately clear that the hacker is primarily focused on syphoning off SEO authority by placing invisible links. Often in this situation you will only be receiving a “this site may be hacked” warning, and not a full “this site may harm your computer” warning.
In this situation, many people are going to opt to fix the problem whilst the site is live. Just remember, this may draw it out to a much longer process than could potentially be the case if you had quarantined the site.
In my personal experience, between pressure from on high to not close the website, the fact that the warning was only a ‘this site may be hacked’, the absence of a search console warning, and the fact that I quickly found the spam links; we decided not to quarantine.
Times when you absolutely must quarantine
If your site is distributing malware, or you have the warning stating that “this site may harm your computer”, then you must quarantine it. It would be unethical for you to potentially allow more people to receive malware just because you wanted to keep the site live whilst you dealt with the incursion.
What Does Quarantining a Website Entail?
Quarantining a site means setting it up so that the host your website files are stored on can no longer serve content to users.
Your webhost may have a specific way of setting up a quarantine in these situations. Often the folder will be marked “quarantined”, and you will still have access to the files so that you can repair and clean up the damage.
One method of setting up a quarantine is to change your domain's DNS records so that the domain points to a static page on a different server, and have that server deliver a 503 HTTP response code.
This is a step that can be done from within the DNS settings of your domain registrar. However, if you are unsure about how to proceed with the quarantine, I strongly suggest that you contact your webhost to have them assist with this.
The 503 response code lets any visitor to the site (bot or human) know that the website is currently down, but that this is a temporary problem and that they should check back later.
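The static holding page described above, as an added example in Python (not code from this article or from any webhost): it answers every path and method with the same fixed 503 page and never touches the quarantined site files. The `Retry-After` and `Cache-Control` headers, the one-hour value, port 8080 and the function names are assumptions chosen for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RETRY_AFTER_SECONDS = 3600  # assumed value: ask clients to return in an hour
BODY = b"<h1>Temporarily unavailable</h1><p>Please check back later.</p>"


class QuarantineHandler(BaseHTTPRequestHandler):
    """Answers every path with one fixed page; reads no files, runs no site code."""

    def _respond(self, send_body=True):
        self.send_response(503)  # temporary outage, not a permanent removal
        self.send_header("Retry-After", str(RETRY_AFTER_SECONDS))
        self.send_header("Cache-Control", "no-store")  # keep the outage page out of caches
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        if send_body:
            self.wfile.write(BODY)

    def do_GET(self):
        self._respond()

    do_POST = do_GET  # form posts and logins get the same static answer

    def do_HEAD(self):
        self._respond(send_body=False)


def start_server(host="127.0.0.1", port=0):
    """Start the holding server in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), QuarantineHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path="/", method="GET"):
    """Return (status, Retry-After header) as a visitor or crawler would see it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Retry-After")
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_server(port=8080)  # assumed port for a local trial
    print(probe("127.0.0.1", 8080, "/any/old/page"))
    srv.shutdown()
```

Once the DNS change has propagated, running `probe` against the domain itself confirms that old URLs return 503 rather than content from the compromised host.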
Website Backups and Potential Restorations
One of the quickest ways that you can get your site cleaned and operational again is to restore it from a backup. Ideally, you would have a recent backup from a time prior to the hacker gaining access to your site.
It is important to note that your backup should not be coming from the same database as your website. Backups should be stored on a separate database; otherwise you run the risk of having your backup infected at the same time as your website, thus rendering it useless.
Many site owners keep their backup with their webhost. If this is the case, then you will need to work with your webhost to:
- Ensure that the backup is from a point in time before the hack
- Ensure that the backup has not also been corrupted by the hack
- Restore the backup version of the site to the live version
Note: simply restoring a backed up version of the site will not prevent this from happening again.
If you simply restore from a backup and resubmit to Google that your site is clean, this leaves the door wide open for the same hacker (or another hacker) to simply walk straight back in.
You do not want to get into a long standing game of whack-a-mole with the hackers.
Take the time to clean up your site, remove outdated plugins, review all user access points, and ensure that you are better prepared for next time.
If you do not have a backup
Retrospect never helped anyone. This is not the time to be angry at yourself or your company for not having appropriate measures in place.
If, like many webmasters, you assumed that no one would ever want to hack your website, then it would make perfect sense to have not spent the time ensuring security protocols and making sure that you have backups prepared.
You can still clean your site up, you can still close the security holes, and you can still get back on the road.
It may take longer without a backup, but this extra workload now will help to make you more vigilant in the future.
When our site was hacked, we did not have an appropriate backup in place.
This meant we had to clean up the site from scratch and did not have the fortune of hitting a semi-magical ‘reset’ button. I feel your pain.