Website Defacements – How to Protect Your Website

By: Krista M. | Cyber Threat Intelligence Analyst, NJCCIC

Imagine you wake up one day to find that your company’s website no longer displays your logo, products, or contact information. Instead of providing an online presence for your business, your website is now promoting a hacking group or terrorist organization. Your customers are angry and your employees are confused. You open your website only to be greeted with a message like this:

So, how did this happen and what should you do now?

The first thing you need to know is that you were the victim of a website defacement, a cyber-attack that occurs when someone hacks into a website server and replaces the original files with new files. These new files are designed to display an ideological message, promote a hacker or group, or distribute malware to unsuspecting victims who visit your site.

It’s important to note that most website defacements are a crime of opportunity. This means that your website contained at least one security vulnerability that wasn’t patched and a hacker came along and took advantage of the situation. Usually, those who engage in this behavior are low-level hackers who are trying to prove their skills to others within their group and gain notoriety. Others may target websites of individuals or organizations they do not like, to promote fear or to show support for a specific cause. Whatever the case may be, you’ll need to know what to do if this happens to you and how to prevent such attacks in the future.

To proactively prevent website defacements, please take the following recommendations into consideration:

  • If you maintain and update your own website, run reputable anti-virus software on the machine you use to access your website’s administration page to see if keyloggers or other malware may have stolen your site’s login credentials.
  • If available, enable two-factor authentication (2FA) on website administrator accounts.
  • Restrict file and directory write permissions for any account that doesn’t require it.
  • Disable anonymous FTP connections on your server. If possible, use a secure FTPS connection with user ID and password instead of an unsecured FTP connection.
  • Implement automated backups of the website and any supporting database. Keep the backups off-site and in a secure location.
  • Make sure that your website and any associated web applications are running the most updated software versions and apply any necessary security patches.
  • Conduct penetration tests and vulnerability scans to detect known exploits and weaknesses. This process can either be outsourced to a third party that provides these services or done in-house using various tools available online.
  • Implementing a website firewall plugin, if applicable.
  • Consider hosting your web server behind a demilitarized zone (DMZ) and firewall, especially if users submit sensitive payment or personal information through your website.
  • Maintain awareness of current exploits.
  • Check all incoming IP addresses against standard DNS blacklist databases to prevent them from reaching your website.
  • Regularly check log files for any unusual traffic patterns.
  • If offered, sign up for SMS or email alerts that notify you if and when changes are made to the website.
  • Be aware of search engine blacklists and sign up for alerts and notifications that could warn you if something about your website is raising a red flag.

If you’ve been the victim of a website defacement:

  • If your site is hosted or maintained by an external party, notify the webmaster as soon as possible and have him or her take the necessary steps to remediate the problem.
  • Reset all passwords to website administrator accounts and make sure they are complex and not used anywhere else.
  • Replace all files located on the website server with files from an isolated or standalone backup source.
  • Be sure to remove any additional website links created by the hacker. Consider temporarily removing or quarantining your website until the situation has been rectified.
  • Report the incident to the NJCCIC by completing our Cyber Incident Reporting Form or emailing njccic@cyber.nj.gov.

Additional information about hacked websites provided by Google is available here.

PunkSPIDER is a free online tool you can use to scan your website for common vulnerabilities.

VirusTotal provides free URL scanning to detect malware hiding within websites.

Additional tools are available by searching online for “website vulnerability scanner.”