Hacked website - what next?

These instructions provide you with a brief overview of how you can clean up your website and make it secure. They apply to all operating systems.

Locating the malicious code on the affected website

A close inspection of the web pages and directories concerned is required. It is quite possible that the same malicious code has been installed on several subsites or that other malicious code has been stored in the same web directory. Malicious code that is intended to infect other computers could also be installed. Often, this is in the form of executable files such as .exe, .bat, .ps1, etc. If it is not possible to locate the malicious code, we recommend that you contact your Internet service provider (ISP).
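One way to carry out this inspection when a known-good copy of the site exists, for example an earlier backup, shown here as an added example that is not part of the original page. The script hashes every file in the live web directory and in the backup, then lists files that were added, modified or missing, plus any file with one of the executable extensions named above. The function names and the two directory arguments are assumptions.

```python
import hashlib
import os
import sys

# Extensions the page names as typical for dropped executables.
EXECUTABLE_EXTS = {".exe", ".bat", ".ps1"}


def fingerprint(path):
    """SHA-256 of a file; symlinks and unreadable files get a marker instead."""
    if os.path.islink(path):
        return "symlink:" + os.readlink(path)
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return "unreadable"
    return digest.hexdigest()


def index_tree(root):
    """Map each file path (relative to root, '/'-separated) to its fingerprint."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = fingerprint(full)
    return index


def compare_webroot(live_root, backup_root):
    """Report how the live web directory differs from a known-good backup."""
    live, base = index_tree(live_root), index_tree(backup_root)
    return {
        "added": sorted(p for p in live if p not in base),
        "modified": sorted(p for p in live if p in base and live[p] != base[p]),
        "missing": sorted(p for p in base if p not in live),
        "executable": sorted(p for p in live
                             if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS),
    }


if __name__ == "__main__":
    # Usage (hypothetical paths): python compare_webroot.py /var/www/site /backups/site
    for kind, paths in compare_webroot(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind}\t{p}")
```

Files reported as added or modified are the ones to inspect first. The comparison is only as trustworthy as the backup: a copy taken after the compromise would hide the changes.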

Removing the malicious code

After the malicious code has been located, it must be removed. Under certain circumstances, restoring an earlier backup can help.

Installing the current version of the CMS

If you use a CMS such as WordPress, Joomla or TYPO3, make sure that you install and use the most recent version. This prevents criminals from using the same vulnerability in the CMS to install malicious code on the website again. The most recent version of the CMS is always indicated on the manufacturer's website.

Please note: Any plug-ins which have been installed must also be updated. Vulnerabilities in plug-ins are also regularly misused by criminals as a point of entry.

Checking all of the webmaster's computers for malware

Before FTP and CMS credentials are changed, all computers used for website administration (i.e. all computers on which the CMS login username, password, etc. have been entered) must be scanned for malware.

Changing the access passwords

After the computer has been scanned and any malware has been removed, the FTP and CMS credentials must be changed. This prevents cybercriminals from once again being able to install malicious code on the website using previously stolen credentials (username and password). If passwords for other internet services (webmail, PayPal, etc.) have been used on the affected computer, these also need to be changed.

If these points are neglected, there is a high risk that cybercriminals will gain access to your website again and install further malicious code.

Further Information

Preventive measures

After the website has been cleaned up, we recommend taking additional measures to prevent cybercriminals from gaining access to the website in the future. To this end, the NCSC has drawn up a checklist of corresponding measures: Measures to secure content management systems (CMS)

Last modification 09.12.2021


https://www.ncsc.admin.ch/content/ncsc/en/home/infos-fuer/infos-behoerden/vorfall-was-nun/webseitenbereinigung.html