Website Compromise

Your website has been defaced, is serving malware to visitors, contains hidden content (SEO spam), or is under attacker control. This damages your reputation and may harm your visitors.

Types of Website Compromise

• Defacement - Visible change to website appearance
• Malware distribution - Website serves malware to visitors
• SEO spam - Hidden pages/links for search engine manipulation
• Cryptomining - Using visitor browsers to mine cryptocurrency
• Webshell - Backdoor giving attacker control
• Data theft - Stealing user data, credentials, payment info

Immediate Actions

1. Take the site offline if it's serving malware (protect visitors)
2. Do NOT delete files - Preserve evidence for investigation
3. Check for backdoors - Attackers often leave multiple entry points
4. Review logs - Web server logs, CMS logs, access logs
5. Identify entry point - How did they get in?

Check If Your Site Is Flagged

Google Safe Browsing

• Check URL: transparencyreport.google.com/safe-browsing/search
• See if Google has flagged your site as dangerous

Google Search Console

• URL: search.google.com/search-console
• Check for security issues detected by Google
• See if your site has been penalized

VirusTotal

• Website: virustotal.com
• Enter your URL to check against 70+ security vendors

Sucuri SiteCheck

• Website: sitecheck.sucuri.net
• Free website malware scanner
• Checks blacklist status

URLScan.io

• Website: urlscan.io
• See exactly what your site loads and connects to

CMS-Specific Resources

WordPress (Most Common Target)

Security Plugins: - Wordfence: wordfence.com - Security scanner and firewall - Sucuri Security: sucuri.net - Hardening and monitoring - iThemes Security: ithemes.com/security - Security hardening

Post-Hack Guides: - WordPress.org - Hacked Site: wordpress.org/documentation/article/faq-my-site-was-hacked - Sucuri Hacked WordPress Guide: sucuri.net/guides/how-to-clean-hacked-wordpress

File Integrity Checks: - Compare core files against official WordPress releases - Check for modified plugin/theme files - Look for unknown files in wp-content

Drupal

• Security Advisories: drupal.org/security
• Hacked Site Guide: drupal.org/docs/security-in-drupal

Joomla

• Security Center: developer.joomla.org/security-centre.html
• Check for vulnerable extensions

DDoS Protection (If Under Attack)

Free DDoS Protection

• Cloudflare: cloudflare.com - Free tier includes basic DDoS protection
• Project Galileo: cloudflare.com/galileo - Free for at-risk organizations
• Deflect: deflect.ca - Free for civil society, media

Commercial DDoS Protection

• Akamai: akamai.com
• AWS Shield: aws.amazon.com/shield
• Google Cloud Armor: cloud.google.com/armor

Evidence to Preserve

• [ ] Web server access logs
• [ ] Error logs
• [ ] CMS/application logs
• [ ] Modified/added files (with timestamps)
• [ ] Database exports (if applicable)
• [ ] Screenshots of defacement
• [ ] Full site backup before cleanup

Investigation Steps

Find Modified Files

# Files modified in last 7 days (Linux)
find /var/www -type f -mtime -7

# Files with suspicious permissions
find /var/www -type f -perm -o+w

# PHP files in upload directories (suspicious)
find /var/www/uploads -name "*.php"

Common Webshell Locations

• Upload directories
• Theme/template folders
• Plugin folders
• Cache directories
• Root directory (disguised as legitimate files)

Strings to Search For

• eval(
• base64_decode(
• shell_exec(
• passthru(
• system(
• Hidden iframes
• External JavaScript includes

Recovery Steps

1. Take a full backup (for evidence)
2. Identify and remove malware - All backdoors, not just visible defacement
3. Update everything - CMS, plugins, themes, server software
4. Change all credentials - Admin accounts, FTP, database, hosting panel
5. Review user accounts - Remove unauthorized accounts
6. Harden configuration - File permissions, disable unused features
7. Request review - Google Search Console, antivirus vendors

Swedish Resources

CERT-SE

• Report: cert.se
• For significant website compromises

Swedish Web Hosts

Contact your hosting provider - many offer malware cleanup services

Guides & Documentation

OWASP Web Security

• Website: owasp.org
• Web application security best practices

SANS Reading Room

• Website: sans.org/reading-room
• Web security articles and guides

Google Webmasters - Hacked Sites

• Website: developers.google.com/web/fundamentals/security/hacked
• Official recovery guide

Need Help?

If your Swedish organization's website has been compromised:

Apply to HackAid - We can help investigate the compromise and identify backdoors.

---

Last updated: 2026-01