You wake up on a fine morning, fire up the system, and discover the worst – your Drupal site is hacked. Possibly, there was an unnoticed vulnerability on your platform that got misused by a passing hacker or even an automated hacker. While the clean-up can be quite a pain, at least you noticed the hack at the right time instead of letting it unknowingly fester in the background and hit your analytics and customer loyalty.
What Should You Do Next?
There are a couple of steps you can follow to make the best out of the situation:
Make a Forensic Copy of Your Site
If all the signs add up to a hacking of the site, your ideal first step is to make a forensic copy of your website and its content. Switching off your computer, the system, or your network cable is not a viable solution at this point, especially if the content is stored on any cloud computing service.
A forensic copy can be defined as an operating, system-level screenshot of all involved servers. If this is impossible, a physical copy of your files is also adequate – store the database in offline locations where the data can’t be modified such as hard drives or pendrives.
Keep or Throw?
At this stage, you’ll need to finalize if you’d like to keep the original site or throw it away. It’s not as simple as just two options, since you can always choose to rebuild your site, change the content, or any other possible way of handling it, but these are the two extremes in consideration.
It is a good idea to think about how you’d like to handle the entire process since you could have already thought of giving a fresh, new outlook to the site, or been planning to delete it due to its temporary nature and just save a static copy.
Choosing to rebuild or delete the site still doesn’t completely erase the remaining work that needs to be done, but it eases the later stages of decision-making. Also, as you go through your site, make note of features or faulty code that may have allowed the hack.
Who Should you Notify?
You have the responsibility to present the situation to your customers and users of the platform since their private and sensitive details most probably compromised such as IP details, email addressed, and other login details. If you’re not the owner of the site, you must inform a stakeholder who is immediately available, as they could have been exposed to the malware.
Taking the Site Offline
This is your decision, but if there is evidence that your platform is being used as a source of malware distribution, spam, and initiating further attacks, then take your site offline. Or at least, create forensic copies and delete out the infected sessions.
Check the Diagnostic Pages
Your Drupal site might have been blacklisted by Google or authorities on website security, so you can use their diagnostic tools to check the Drupal’s site security status and verify the hacking.
Under the Google Transparency Report, check the Safe Browsing Site status, enter your site URL and check the safety details and testing details of recent scans if any malware was found. Remove any unfamiliar users created by hackers and check the ‘last access time’ of legitimate users that will provide an indication of which account was compromised.
Removing the Drupal hack
You can identify the Druapl hacked files by comparing the current version of the website to previous copies that were clean. Also, ensure that you have a web server and database access to manipulate the database tables or edit PHP files. For manual removal of Drupal software, log into the platform server via SFTP or SSH, creating a backup of all site files and note the changes to find malicious domains or payloads. Conduct an integrity check to review the flagged files for suspicious content, remove any malicious code, and make sure the file is operational after all the changes made.
Exercise caution – make sure to compare the same version of your Drupal core files and extensions, since the 8.x version is not compatible with 7.x.
Back-ups are the first step to conduct any checks or removal of hacks in case any content is lost.
Clean Hacked Database Tables
For this, you need to open a database admin table with tools like Adminer and search for spam content to manually remove the infections. Remove any hidden backdoors which are often embedded in files index.php within the official Drupal framework.
Make sure to implement future security procedures of Drupal and resolution of loopholes to avoid recurrences. After a quick update of the Drupal core platform and its extensions, your Drupal is good to proceed with your goals.
A Drupal firewall will be best suited to secure your website in real time against the attacks
