Our client was about to start work with us to redevelop their website when we discovered that the site had been hacked. They had to take the site down to protect their visitors but it needed recovering quickly.
A lesson in backups
Although the client was paying for a backup plugin, it had not been configured correctly. This meant that there was no recent backup. We initially restored a 3 month old backup, only to discover that this was also compromised. After investigating the nature of the hack, we felt that rebuilding the site from scratch would be quicker and more cost effective that attempting recovery.
The site had a large number of pages, posts and documents: some of these were official records. At a meeting with the client, we set priorities for the different content:
- Top priority for current content that users were visiting the site to read.
- High priority for content that was not time dependent.
- Medium priority for historic information which was wanted for completeness.
- Low priority for out of date content.
Rather than re-configuring the theme of the original site, we replaced it with a modern responsive theme. We left the styling simple: there would be time to fine tune thre site once restoration was complete.
Recovering the site
We chose to repopulate the site manually:
- We did not want to introduce malware stored in hidden text.
- It meant we could check the many links in the pages.
- Some of the content was recategorised to make it easier going forward.
- We could limit access to the site from the start.
We scanned all the images and documents before uploading. The site went back online once the top and medium priority content was in place. Thereafter we published content as soon as it was transferred.
After all that hard work we did not want the problem to recur, so we took precautions by:
- changing all passwords (internal and external) to new complex ones
- checking who had access to the site
- keeping all software up to date
- regular scanning
- configuring regular backups and storing away from the site