
Your website has been hacked: what to do in the first 24 hours

Digital Boutique
2 minutes
Wednesday, November 24, 2021
MORGAN HIPP


A hack is every online business’s worst nightmare. Whether your site has been redirected, injected with ads or malware, or had customer data stolen, you can minimise the impact by thinking clearly and acting quickly in the first 24 hours.

Identify what you’re dealing with

Triage the attack as quickly as possible. Your understanding of the incident’s severity and implications will guide your response. At this stage, you need an overview of:

  • The type of attack, for example a phishing page planted on your server, injected malware or redirects, ransomware or data theft
  • The areas of your site affected – and whether any have been rendered non-functional as a result
  • Whether the integrity of your site’s components has been compromised

Close down your site

Take your site offline as soon as you are aware it has been compromised, so the attacker loses their foothold and visitors stop being exposed. Isolate the server from the network or switch your hosting to maintenance mode rather than pulling the power: volatile memory can hold evidence of what was running (and, with ransomware, sometimes the encryption keys in use) that is lost the moment the machine is switched off.

Put up a holding page

Let site visitors know there’s a problem and that you’re in the process of resolving it.

If you don’t already have a holding page ready as part of your disaster management plan, put together what you can. As a minimum, it should:

  • Be branded
  • Provide reassurance
  • Include actionable information for your customers, whether that’s alternative contact details or simply asking them to check back later

Serve it from a clean location rather than from the compromised application, and return it with HTTP status 503 (Service Unavailable) and a Retry-After header rather than 200, so search engines and caches treat the outage as temporary instead of indexing the holding page in place of your content.

Work out what data was accessed

Information you should ascertain at this point includes:

  • What personal data was accessed
  • The volume of data involved and the number of data subjects affected
  • Whether living individuals can be identified from the stolen data
  • Whether the data was encrypted and, if so, the strength of encryption used
  • The damage, distress or disruption that could be caused to data subjects

Collect and preserve evidence

Before you change anything, take copies of the affected files, the server and application logs (web access and error logs, authentication logs, database logs), the database itself and any change history or version-control records for the affected code, and record a cryptographic hash of each copy. Store the copies somewhere the attacker cannot reach so they remain available, and demonstrably unaltered, for the duration of any investigation into the attack.
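As an added example (not from the original article), the shell functions below take that snapshot on a Linux or BSD web host: they copy the paths you name into a timestamped evidence directory, note when and by whom the copy was made, and write a SHA-256 manifest that can be re-checked later. The paths in the comments are assumptions; substitute your own webroot and log locations.

```shell
# Added example, not from the original article: copy the files and logs you
# are about to investigate into a timestamped evidence directory and write a
# SHA-256 manifest so their integrity can be shown later. The paths in the
# example invocation are assumptions about a typical Linux web host.

# Use whichever SHA-256 tool the host provides (GNU coreutils or Perl shasum).
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# preserve_evidence <dest_dir> <path>...
# Copies each path with `cp -a` (timestamps, ownership and modes are part of
# the timeline, so keep them), records when and where the copy was taken, then
# hashes every copied file into MANIFEST.sha256. Prints the evidence directory.
preserve_evidence() {
  dest=$1; shift
  mkdir -p "$dest"
  evid=$(mktemp -d "$dest/evidence-$(date -u +%Y%m%dT%H%M%SZ).XXXXXX")
  mkdir -p "$evid/files"
  for p in "$@"; do
    if [ -e "$p" ]; then
      cp -a "$p" "$evid/files/"
    else
      echo "warning: $p does not exist, skipping" >&2
    fi
  done
  {
    echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "host=$(uname -n)"
    echo "by=$(id -un)"
  } > "$evid/COLLECTED.txt"
  # Hash paths relative to the evidence directory so the manifest still
  # verifies after the directory is moved or archived.
  ( cd "$evid" && find files -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256_cmd "$f"
    done > MANIFEST.sha256 )
  echo "$evid"
}

# verify_evidence <evidence_dir>
# Re-hashes the copies against the manifest; exits non-zero if anything changed.
verify_evidence() {
  ( cd "$1" && sha256_cmd -c MANIFEST.sha256 )
}

# Example invocation (paths are placeholders for a typical Linux web host):
# evid=$(preserve_evidence /mnt/evidence /var/www/html /var/log/nginx /var/log/auth.log)
# verify_evidence "$evid"
```

Run the verification again before handing the copies to anyone: a manifest that still checks out is what lets you show the evidence was not altered after collection.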

Set up a response log

The hours after a breach can be chaotic and difficult to recall after the fact. Documenting everything allows you to report what you did accurately, should this be required in an investigation.

Inform the relevant people and authorities

Who you need to tell depends on the nature of the attack. It may include:

  • Senior management
  • Your wider business
  • Police
  • Customers
  • The ICO

For serious breaches, UK data protection law (the UK GDPR) requires you to report the incident to the ICO within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. Use the ICO’s self-assessment tool to find out whether your incident meets the threshold.

Identify how your website was hacked

Knowing the entry point (a vulnerable plugin or extension, a stolen administrator credential, a server misconfiguration) means you can close it before you go back online. Restoring a clean copy without fixing the way in simply invites the attacker back.

Remove malicious code

Eliminate unauthorised access, close all entry points and disable any injected backdoors. Remove web shells and unknown files, strip injected scripts or redirects from templates and database content, and delete any administrator accounts, API keys or scheduled tasks you did not create.

Make sure you remove all instances of the malicious code, including any in duplicate copies of the codebase (staging environments, developer copies and backups taken after the intrusion began). A single surviving copy is enough for the attacker to return.
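As an added example, not code from the original article, here are two shell helpers for that hunt across several copies of a codebase at once: one greps for constructs typical of PHP webshells and JavaScript injections, the other lists recently modified files for comparison with your deploy history. The indicator list and the directory names are assumptions, and the matches are leads for manual review rather than confirmed compromise.

```shell
# Added example, not from the original article: triage helpers for hunting
# injected code across every copy of a codebase you keep (live webroot,
# staging, a duplicate left by a developer). The indicator list is a
# starting point for manual review, not proof of compromise; legitimate
# minified JavaScript also uses eval(), so expect some false positives.

# Constructs commonly seen in PHP webshells and JavaScript injections:
# obfuscated payloads decoded at runtime, command execution, and the string
# "eval" spelled out as hex escapes to dodge naive greps.
SUSPICIOUS_PATTERN='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|shell_exec\(|passthru\(|\\x65\\x76\\x61\\x6c|document\.write\(unescape\('

# find_suspicious <dir>...
# Prints, once each, every file under any of the given directories that
# matches an indicator. Scanning all copies at once is the point: removing a
# backdoor from the live site while it survives in a duplicate is how sites
# get reinfected.
find_suspicious() {
  for root in "$@"; do
    grep -rlE -- "$SUSPICIOUS_PATTERN" "$root" 2>/dev/null
  done | LC_ALL=C sort -u
}

# recently_modified <days> <dir>...
# Prints files changed within the last <days> days. Cross-reference against
# your deploy history: a PHP file touched last week that nobody deployed is
# worth opening.
recently_modified() {
  days=$1; shift
  for root in "$@"; do
    find "$root" -type f -mtime "-$days"
  done | LC_ALL=C sort -u
}

# Example invocation (directory names are placeholders):
# find_suspicious /var/www/html /var/www/html.bak /home/deploy/site-copy
# recently_modified 14 /var/www/html
```

Extend the pattern with whatever you find in the first confirmed backdoor (a distinctive variable name, an attacker's string), then re-run against every copy; the second pass usually finds the duplicates the first one missed.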

Restore your site

If possible, use a secure backup to return your site to its pre-attack state. Make sure the backup is from before the attack began, not merely before you noticed it: intrusions are often weeks old by the time symptoms appear, so check the backup for the indicators you found (backdoor files, modified templates, unknown accounts) before you restore it.

Run updates

If you aren’t already running the latest supported versions of your operating system, web server, platform and extensions, with the latest security patches tested and applied, update them now. This is especially important for any applications that process payment data.

Upgrade or remove the vulnerable component

You can usually resolve vulnerabilities using a security patch provided by your ecommerce platform. For a breach through a third-party app or plugin, remove the component from your production environment until a fixed version is available.

Clear the cache

Injected content such as malicious scripts or redirects can survive in cached pages, including CDN and reverse-proxy caches, after the underlying problem has been patched. Purging every cache layer ensures visitors receive the clean version and removes the remaining copies of the injected code.

Block the hackers

Once you’ve identified the IP addresses used in the attack, block them at the firewall or web server to cut off further activity from those sources. Treat this as a stopgap rather than a fix: attackers change addresses easily, and blocking a shared address (a corporate NAT, a CDN or a VPN exit) can lock out legitimate users, so check each address before you deploy the block.
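The following shell functions are an added example, not from the original article. They work through a combined-format access log to list the client addresses that requested a backdoor you have already found, show everything else each address did, and emit a temporary nginx deny list. The log lines are constructed for the example using RFC 5737 documentation addresses, and the backdoor path /uploads/shell.php is hypothetical.

```shell
# Added example, not from the original article: pull the attacker's client
# IPs out of a web server access log (combined log format) by the path of
# the backdoor you found, see what else those addresses did, and emit a
# temporary nginx deny list. The log lines below are constructed for the
# example and use RFC 5737 documentation addresses; the backdoor path
# /uploads/shell.php is hypothetical.

# write_sample_log <file>
# Writes a small, constructed access log so the functions can be tried offline.
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [24/Nov/2021:09:58:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Nov/2021:09:59:30 +0000] "POST /uploads/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.26"
192.0.2.10 - - [24/Nov/2021:10:00:02 +0000] "GET /products HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2021:10:01:15 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 41 "-" "curl/7.68.0"
203.0.113.5 - - [24/Nov/2021:10:02:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "python-requests/2.26"
203.0.113.5 - - [24/Nov/2021:10:03:09 +0000] "POST /uploads/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.26"
EOF
}

# attacker_ips <access_log> <malicious_path>
# Distinct client IPs whose request path begins with <malicious_path>
# (so query strings such as ?cmd=id still match). In combined log format
# the client IP is field 1 and the request path is field 7.
attacker_ips() {
  awk -v p="$2" 'index($7, p) == 1 { print $1 }' "$1" | LC_ALL=C sort -u
}

# requests_from <access_log> <ip>
# Everything one address did, in order: this is how you scope the intrusion
# beyond the single backdoor hit (here the same IP also probed /wp-login.php).
requests_from() {
  awk -v ip="$2" '$1 == ip { print $4, $6, $7 }' "$1"
}

# nginx_deny_list <access_log> <malicious_path>
# Emits "deny <ip>;" lines for an nginx server block. Treat this as a
# stopgap: attackers rotate addresses, and a shared NAT or CDN address
# would block legitimate users too, so review each IP before deploying.
nginx_deny_list() {
  attacker_ips "$1" "$2" | sed 's/.*/deny &;/'
}

# Example invocation (output path is a placeholder):
# write_sample_log /tmp/access.log
# attacker_ips /tmp/access.log /uploads/shell.php
# nginx_deny_list /tmp/access.log /uploads/shell.php > /etc/nginx/conf.d/blocklist.conf
```

Run requests_from for every address the first function returns before you block anything; the extra paths it reveals (other scripts, login endpoints, export URLs) feed straight back into the "work out what data was accessed" step.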

Implement malware monitoring

Running malware monitoring software makes sure you have full visibility of issues. A temporary option is fine at this stage and buys you time to investigate the commercial aspects of a longer-term solution.

Secure your admin area

Restrict access as far as possible:

  • Change your admin URL
  • Remove all non-essential admin users
  • Enable IP restriction so the admin area is reachable only from known addresses
  • Change all administrator passwords to long, computer-generated passwords, and enable multi-factor authentication where your platform supports it
  • Rotate every other credential the attacker may have obtained: API keys, database and hosting passwords, FTP/SSH logins and integration tokens
  • Establish a process for storing and sharing passwords securely, such as a team password manager

Check hosting security

Liaise with your hosting partner to identify vulnerabilities at server level. Your provider may also need to check that other sites on the same server aren’t affected by the breach.

Stay offline as long as necessary

Repeated attacks are common and multiple personal data breaches decimate customer confidence. It’s far better to sacrifice sales in the short-term to protect your long-term customer relationships.
