Clients are often surprised when a backup is compromised, but it's very common at shared hosting providers. HostGator, SiteGround, GoDaddy, 1+1: all of the shared hosting providers offer "secure backups", but they are not secure.
For example, a common attack is what's known as a SQL injection. A simplified explanation would be something like this:
1. The attacker gains access to your database through a vulnerable theme or plugin.
2. Code is added to your database that injects code into your posts and pages.
3. Visitors to your site can get infected or just see a warning, depending on the browser and many other factors.
Most attackers do this to gain access to either A. your website, so they can add links to your site that point to their clients' sites, or B. all the websites at a certain IP address. Attackers usually want access to all sites. The aforementioned website hosts will put hundreds of databases and their website files on the same machine, in the same location, using the same IP address and security.
So what’s up with my backup?
It depends. If your attacker gains entry and then decides to go get a cup of coffee, I may receive a notice of increased attacks on your site. If I do, I will immediately review and lock down your site by permanently blocking any agents that are accessing your site nefariously. It takes me about ten minutes to do this if I'm in front of my computer when I get the message that you are under an increased attack. If I'm able to stop the active attacker while they're getting coffee, I can also block their reentry. But at that point I still have not determined how far they got into your website or database.
So the next step is to perform a website and database scan to determine whether any of your core WordPress files or SQL database tables were compromised. I'll then follow up with an email to let you know what happened and what actions were taken. However, if the attacker performed the SQL injection before they got a cup of coffee, then I am likely faced with a compromised website and database.
In this case, the next step is to scan your most recent backup to see if it was compromised, and if it was, I try to find a secure backup that's older. There are only two places to check. If both backups were compromised, your website is compromised. At this point, keeping the site harms your online domain reputation until it is secure again.
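One way to carry out the backup check described above, as an added example that is not the author's own tooling: it scans WordPress SQL dumps newest-first for a few heuristic signs of injected content and returns the newest dump with none. The indicator patterns, function names, and sample dumps are assumptions constructed for illustration.

```python
import re

# Heuristic indicators chosen for this example (assumptions, not a complete signature set).
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=\\?[\"']?(?:https?:)?//([^/\"'\\\s>]+)", re.I)
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(?:display:\s*none|(?:width|height)=\\?[\"']?0)", re.I)
OBFUSCATED = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|atob|unescape)\s*\(", re.I)
INSERT = re.compile(r"INSERT INTO `?(\w+)`?", re.I)


def scan_dump(sql_text, allowed_hosts):
    """Return (table, finding) pairs for suspicious content in a SQL dump's INSERT lines."""
    findings = []
    for line in sql_text.splitlines():
        m = INSERT.match(line)
        if not m:
            continue  # only row data can carry injected post/page content
        table = m.group(1)
        for host in SCRIPT_SRC.findall(line):
            if host.lower() not in allowed_hosts:
                findings.append((table, "external script from " + host.lower()))
        if HIDDEN_IFRAME.search(line):
            findings.append((table, "hidden iframe"))
        if OBFUSCATED.search(line):
            findings.append((table, "obfuscated eval"))
    return findings


def newest_clean_backup(backups, allowed_hosts):
    """backups: (label, sql_text) pairs ordered newest first. None means every backup is suspect."""
    for label, sql_text in backups:
        if not scan_dump(sql_text, allowed_hosts):
            return label
    return None


# Constructed sample dumps (not real data); www.example.com stands in for the site's own host.
ALLOWED = {"www.example.com"}
OLDER = r"""INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Hi</p><script src=\"https://www.example.com/app.js\"></script>');"""
NEWER = r"""INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Hi</p><script src=\"https://cdn.bad.example/x.js\"></script>');
INSERT INTO `wp_options` VALUES (9,'widget_text','<iframe src=\"//bad.example\" width=\"0\" height=\"0\"></iframe>');"""

if __name__ == "__main__":
    for finding in scan_dump(NEWER, ALLOWED):
        print("newer backup:", finding)
    print("restore from:", newest_clean_backup([("newer", NEWER), ("older", OLDER)], ALLOWED))
```

A dump with no findings is only a candidate for restore, since these patterns cover a small set of common injection shapes.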
Next, I will contact you with the bad news and possibly some alternatives, and prioritize my tasks for recovery. I'll review server health to be sure none of your other sites were also compromised.
What does recovery mean when backups are compromised? To explain, "recovery" is not the best descriptor. Repair is now the correct way to describe what happens next. Repairs can be done by third-party contractors we hire to repair your database and website files. Experts can repair a site in a day, meaning they have tools that can effectively search and replace code in your database and files. It's not uncommon to have thousands of files and tens of thousands of database entries to clean. The cost could be as low as fifty bucks for small websites. The cleaned website is not the same as your pre-hacked website. Removing malware can also remove code that affects the way your site looks and feels or, worse, your site functionality.
If I did the malware cleanup and I originally built the website, I can more easily get the site back into its pre-hack condition. But the bottom line is time. In a scenario where either your database or website files are compromised, your site will be down for an unknown period of time, anywhere from days to never. Some folks will just give up after learning the real cost of the fifty-dollar website cleanups.
The moral of the story is, "It's easier and less expensive to protect your site than it is to repair your site."
What Can I Do To Make Sure My Site Is Protected?
- Use our Managed Hosting services. We use industry best practices: firewall, blocking, and scanning services. If you're not already a managed hosting client, take appropriate action now. We take the time to manage your site security and download backups of your site to our local, external hard drives. This will provide you with a working backup that might be a little dated, but at least we'll have a way to wipe your infected site clean and upload a replacement.