First steps – immediate action
- Switch site to maintenance mode, check you know how to do this. Maintenance mode logs out any users.*
- If you cannot do this contact your web developer straight away and ask them to do this, or remove access
Who to contact
- Contact your web developer as soon as you can
- Contact your host if they are different business/organisation
Generally, they will review the incident immediately and are likely to roll back the server, then review the code and or database to resolve the issue.
Follow up action
- Understand if it’s the website or database that has been compromised
- Speak with your developers and find out how it happened, understand how they resolved the issue
- Check your website software (e.g. WordPress, Drupal, Joomla etc) is kept up to date
- Change any admin passwords for the site, and for FTP access
- Run a security checking program on the site – e.g. Security Review or Hacked module for Drupal, Sucuri for WordPress.
- Has any sensitive data been taken? If so, you need to inform the ICO (website contact here) and every individual
- Has other valuable, or useful information been stolen, like passwords to your site? Users tend to use similar passwords
- Ensure you force password changes to users the next time they visit your site and inform users to change passwords on other sites if they are similar to ones used on your site
- Expect a second attack and be prepared -Review the changes made, are there any other ways to prevent a further attack and check your backup copy
- Inform Action Fraud (website contact here)
- Consider whether you need a 3rd party security audit/review
*If you can, block access via the server e.g. for Apache use .htaccess file to block all except your own IP. Often this can be done via your Control Panel, so you don’t necessarily need to use ftp. If you have Cpanel or similar, learn how to do this.