Episode 532 Security With Tim Nash How To Recover From a Website Hack
Show Summary
In an episode of the SDM Show hosted by Rob Cairns, featuring Tim Nash, the discussion centers on website security, specifically addressing the crucial steps to take when a website has been hacked. They emphasize identifying the signs of a hack versus other website issues and caution against relying solely on backups for restoration due to potential reinfection. Nash details the common stages of a website hack, explaining why immediate detection and clean-up are essential, often recommending a complete rebuild for severely compromised sites. The conversation also covers misconceptions about SSL certificates, the limitations of website malware scanners, and the importance of transparent communication with customers following a security incident. Practical advice includes verifying local devices for malware, the risks associated with shared hosting and public Wi-Fi, and the necessity of securing e-commerce data like order information during recovery. Ultimately, the podcast episode provides valuable insights and actionable steps for website owners facing the challenges of recovering from a hack.
Show Notes
Identifying a Hack:
- It’s important to accurately determine if a site has been hacked. Symptoms can include:
  - High CPU usage
  - Site slowness or unresponsiveness
  - Changes to the site’s appearance
  - Defacement or malware warnings
- Be cautious of attributing slowness solely to hacks, as shared hosting or other issues can also be the cause.
- Check for local malware or spyware on your own computer before assuming the website is the source of the problem.
SSL Certificates:
- SSL/TLS certificates encrypt communication between the server and the client, protecting data in transit.
- While they protect against certain attacks on traffic in transit, they do nothing to stop the site itself from being hacked.
- Their primary purpose is to provide consumer confidence and secure transactions.
What to Do If Hacked:
- First Steps:
  - Engage with the client and emphasize the need for cleanup.
  - Assess the extent of the compromise.
  - Determine if a backup is available, but be aware that backups may also be compromised.
- Cleanup Strategies:
  - Using internal scan tools may seem like a quick fix, but they often miss parts of the hack.
  - External scan tools are better but may not address database issues.
  - Hackers often leave multiple backdoors, making cleanup a “whack-a-mole” situation.
  - In many cases, the most effective solution is to “burn it all down” and rebuild the site.
- Rebuilding a Hacked Site:
  - This involves:
    - Extracting and cleaning data from the database.
    - Nuking the site and spinning up new hosting.
    - Reinstalling plugins and themes from original sources.
    - Manually reviewing any custom code.
    - Restoring the cleaned database.
  - This process can be done efficiently to minimize downtime.
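As an added, constructed example (not code from the episode or from Tim Nash), the following Python shows two of the rebuild steps above in working form: cleaning injected script/iframe tags out of exported post bodies before the database is restored, and comparing an extracted site tree against a known-good hash manifest so that modified or unexpected files surface even when a signature-based scanner misses them, which is the “whack-a-mole” problem the cleanup notes describe. All names, paths and sample rows are assumptions: the rows mimic the ID and post_content columns of wp_posts, and the manifest stands in for hashes you would compute from fresh downloads of the same plugin and theme versions.

```python
"""Two checks for the "extract, clean, rebuild" workflow (constructed demo).

1. clean_posts(): strips injected <script>/<iframe> blocks from exported
   post bodies before the cleaned database is restored.
2. compare_manifest(): diffs the hashes of a site tree against a manifest
   of known-good hashes (built from fresh downloads of the same plugin and
   theme versions), so modified, unexpected and missing files are listed
   instead of hunting backdoors one signature at a time.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# A legitimate WordPress post body rarely needs these tags; any match in an
# exported post is treated as injected and removed.
INJECTED_TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL
)


def clean_post_content(html: str) -> tuple[str, int]:
    """Return the post body with script/iframe blocks removed and the number cut."""
    cleaned, count = INJECTED_TAG_RE.subn("", html)
    return cleaned.strip(), count


def clean_posts(rows: list[dict]) -> tuple[list[dict], list[int]]:
    """Clean every row's post_content; return new rows and the IDs that changed."""
    cleaned_rows, touched = [], []
    for row in rows:
        body, count = clean_post_content(row["post_content"])
        if count:
            touched.append(row["ID"])
        cleaned_rows.append({**row, "post_content": body})
    return cleaned_rows, touched


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_manifest(actual: dict[str, str], expected: dict[str, str]) -> dict[str, list[str]]:
    """Diff a tree's hashes against a known-good manifest.

    'modified' files need manual review, 'unexpected' files were never shipped
    by the original source (typical of dropped backdoors), 'missing' files were
    deleted or never restored.
    """
    return {
        "modified": sorted(f for f in actual if f in expected and actual[f] != expected[f]),
        "unexpected": sorted(f for f in actual if f not in expected),
        "missing": sorted(f for f in expected if f not in actual),
    }


def sha256_text(text: str) -> str:
    """SHA-256 hex digest of a UTF-8 string (used to build the demo manifest)."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample rows shaped like wp_posts (ID, post_content); not real data.
SAMPLE_POSTS = [
    {"ID": 1, "post_content": "<p>Hello world</p>"},
    {"ID": 2, "post_content": '<p>Our shop</p><script src="//example.invalid/x.js"></script>'},
    {"ID": 3, "post_content": "<p>About</p>\n<iframe src='//example.invalid/f'></iframe>\n"},
]


def demo() -> dict:
    """Run both checks on constructed data and return the findings."""
    cleaned, touched = clean_posts(SAMPLE_POSTS)

    # Build a throw-away site tree standing in for the extracted hacked site.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "demo-plugin"
        plugin.mkdir(parents=True)
        (plugin / "demo-plugin.php").write_text("<?php // pristine plugin file\n")
        (plugin / "readme.txt").write_text("tampered\n")
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "cache.php").write_text("<?php // file that no plugin ships\n")

        # Manifest as it would be built from a fresh download of the same version.
        known_good = {
            "wp-content/plugins/demo-plugin/demo-plugin.php": sha256_text("<?php // pristine plugin file\n"),
            "wp-content/plugins/demo-plugin/readme.txt": sha256_text("Demo plugin\n"),
            "wp-content/plugins/demo-plugin/index.php": sha256_text("<?php // Silence is golden\n"),
        }
        report = compare_manifest(hash_tree(root), known_good)

    return {"cleaned": cleaned, "touched": touched, "report": report}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the file prints the cleaned rows, the IDs that were touched, and the manifest diff. In practice the manifest is built from the pristine packages rather than typed in, anything listed under modified or unexpected is reviewed by hand or discarded rather than trusted, and a regex strip is only a first pass at cleaning post bodies: every row it touches should still be looked at before the database is restored.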
Antivirus and Malware Scanners:
- The effectiveness of website scanners varies.
- Safe browsing lists can be outdated.
- Free malware scanning plugins may have outdated rules.
- Paid versions of security plugins often offer more up-to-date protection.
- Hosting companies can also perform server-side scans.
Communication and Disclosure:
- Be transparent with customers about a hack.
- Hiding the breach can damage your reputation.
- Clearly communicate what data was potentially affected, especially payment data.
- A sincere apology can help build customer confidence.
WooCommerce Considerations:
- When restoring a WooCommerce site, ensure you recover the order tables.
- Switching to High-Performance Order Storage (HPOS) can simplify WooCommerce management and restoration.
Key Takeaways:
- Website security is crucial, and it’s essential to have a plan in place for dealing with hacks.
- Thorough cleanup and rebuilding are often necessary to ensure a site is truly secure.
- Clear communication with customers is vital for maintaining trust.
It’s always a good idea to consult with a security professional if you suspect your website has been hacked.