Drupal Site Hacked? Follow These 8 Steps
So your Drupal site has been hacked, huh? We feel your pain. Being a cyber-attack victim is stressful and frustrating — it’s difficult to know where to start to get everything back on track.
The “good” news is that you’re definitely not alone. Since the turn of 2015, Drupal has released 6 critical and 3 highly critical patches to try to fight back against the relentless cyber attacks — the latest of which was dubbed Drupalgeddon2, which left millions of Drupal sites vulnerable.
We’ve put together an eight-step guide to help you recover from a Drupal cyber-attack as quickly and as painlessly as possible.
Step 1: Make a Copy of Your Entire Site
If you’ve found out that your site has been hacked, then you need to stop everything right now and make a forensic copy of your entire site. There are many tools available online that you can use to help you make a copy of your site.
Tools like HTTrack and Website eXtractor can copy an entire website from the internet and store it in a local directory. We advise that you save these files on a medium that cannot be modified, e.g. a DVD or CD.
Step 2: Take Your Site Offline and Quarantine It
This next step requires you to shut down your site and take it offline until the problem has been resolved. Taking your site offline prevents further damage, and also stops people from being confronted by malicious code or spam when they try to visit your website.
Ensure you redirect your site’s visitors to a static page, located on a different server, that returns a 503 HTTP response code.
When you’ve quarantined your site, take the time to review your user accounts. Hackers tend to create new accounts, which enable them to access your site via the back-end. If you see any accounts which look unfamiliar, note them down (for further investigation) and then delete them.
Then, and this is really important, change all passwords for all your sites and accounts. This includes login access for system administration, content management accounts, FTP and database access. Changing passwords at this stage prevents the hacker from accessing your Drupal site again.
Step 3: Verify the Ownership of Your Site
After you’ve quarantined your site, you need to verify ownership of your site to check that the hacker hasn’t fully taken it over. (You might have to put your site back online temporarily for this step.)
On your web browser, navigate to Google Webmaster, click on “Search Console” and then sign in (or register if you don’t have a Google account). Click “Add a Site” and then enter your site’s URL. You’ll then be taken to a page where you will be given the option to choose from a number of verification methods.
Once you have verified ownership of your site, you will next have to verify the ownership of the Search Console. On the main Search Console page, click on the “Search Console” logo, locate your site and then click “Manage Site”. From here, click on “Add or Remove Users” and then review the list of users/owners. If you come across a user/owner you do not recognize, note it down and then delete it.
Step 4: Prioritize Client and Customer Data
Your website(s) may be down, but the real priority here is the data you’ve been entrusted with. If your Drupal site gets hacked, you must prioritize your customers.
To put the customer first, consider taking the following steps:
- Update your SSL certificate
- Double-check all log files to see whether any client information has been copied, updated or downloaded.
- Implement AVS (address verification system)
- Add CVV (card verification value)
- Encrypt connections for all back-end services used for sending user data
- Alert the relevant authorities to remain transparent and compliant with laws such as GDPR.
Step 5: Assess the Damage
Now it is time to comprehensively assess the damage to your Drupal site. If you were able to verify the ownership of your site in the previous step, you can navigate to the “Message Center” and “Security Issues” in the Search Console. The information you find there will help you figure out the full extent of the attack.
We also advise that you conduct an in-depth investigation of your root directory and your front-end. Hackers can do many things to your site, including creating “spammy” pages, adding harmful files to your root directory and manipulating content on existing pages.
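One way to carry out the root-directory review is to hash every file in the quarantined copy and compare it against a backup taken before the compromise. The script below is an added example, not part of the original article; the function names, the demo files and the use of `sites/default/files` as the upload directory are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: Drupal's default public upload directory; change it if yours differs.
UPLOAD_DIR = "sites/default/files"
SCRIPT_SUFFIXES = {".php", ".phtml", ".inc", ".module"}

def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def compare_with_backup(backup_root, site_root):
    """Report files added, modified or removed since the backup was taken."""
    before, after = hash_tree(backup_root), hash_tree(site_root)
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    # PHP code is not expected in the upload directory, so flag it separately.
    scripts = sorted(
        p for p in added + modified
        if p.startswith(UPLOAD_DIR + "/") and Path(p).suffix.lower() in SCRIPT_SUFFIXES
    )
    return {"added": added, "modified": modified, "removed": removed, "scripts_in_uploads": scripts}

def build_demo_trees(base):
    """Constructed sample data: a clean backup and a tampered copy of it."""
    backup = {"index.php": "<?php // front controller", "robots.txt": "User-agent: *",
              "sites/default/files/logo.png": "PNG"}
    site = {"index.php": "<?php // front controller (edited)",
            "sites/default/files/logo.png": "PNG",
            "sites/default/files/cache.php": "<?php // unexpected file"}
    for name, tree in (("backup", backup), ("site", site)):
        for rel, text in tree.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    return Path(base, "backup"), Path(base, "site")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_with_backup(*build_demo_trees(tmp)).items():
            print(f"{kind}: {paths}")
```

Run it against read-only copies of both trees so the evidence itself is not altered; every path it lists still needs a manual look, since legitimate updates also show up as modified files.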
Also, scroll through access, server and error logs and look out for repeated failed login attempts, unknown user accounts, and other suspicious activity. You might want to do a cross-reference exercise with a recent backup of your site.
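The log review described above can be partly automated. The following added example (not from the original article) scans access-log lines in the common "combined" format for repeated failed logins per client IP and notes when a successful login follows them. It assumes that Drupal answers a failed login POST to `user/login` with status 200 (the form is shown again) and a successful one with a redirect; the sample lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Matches /user/login, /user/login?destination=... and the non-clean URL /?q=user/login
LOGIN_PATH = re.compile(r'^/(?:index\.php)?(?:\?q=)?user/login(?:[?&/]|$)')

def login_attempts(lines, threshold=5):
    """Return {ip: {"failed": n, "succeeded_after_failures": bool}} for every
    client with at least `threshold` failed login POSTs."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after_failures": False})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not LOGIN_PATH.match(m["path"]):
            continue
        entry = stats[m["ip"]]
        if m["status"] == "200":          # assumption: form shown again = failed login
            entry["failed"] += 1
        elif m["status"].startswith("3") and entry["failed"] >= threshold:
            entry["succeeded_after_failures"] = True   # likely guessed a password
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

# Constructed sample log: one noisy client, one ordinary user, one page view.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Apr/2018:03:14:{s:02d} +0000] '
    f'"POST /user/login HTTP/1.1" 200 7421 "-" "-"' for s in range(6)
] + [
    '203.0.113.7 - - [12/Apr/2018:03:14:09 +0000] "POST /user/login HTTP/1.1" 302 512 "-" "-"',
    '198.51.100.4 - - [12/Apr/2018:09:00:01 +0000] "POST /?q=user/login HTTP/1.1" 200 7421 "-" "-"',
    '198.51.100.4 - - [12/Apr/2018:09:00:20 +0000] "POST /?q=user/login HTTP/1.1" 302 512 "-" "-"',
    '192.0.2.10 - - [12/Apr/2018:10:00:00 +0000] "GET /user/login HTTP/1.1" 200 7421 "-" "-"',
]

if __name__ == "__main__":
    for ip, result in login_attempts(SAMPLE_LOG).items():
        print(ip, result)
```

An IP that is flagged with `succeeded_after_failures` set is the first place to look when working out which account was used to get in.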
Doing the above will help you get an overall picture of what happened, who did it, and how.
Step 6: Notify Relevant Bodies
After you have conducted your investigation, you need to decide who needs to be notified about the issue. If your site was completely taken over and confidential content such as customer email addresses and IP addresses has been compromised, then you must let those customers know ASAP, as they could be at risk of being exposed to malware. Be wholly honest when you communicate this to your customers; it is the only way you can reduce the negative impact this will have on your customer relations.
Also, make sure you inform any governing bodies for the sake of GDPR compliance. The last thing you want is for your site to be publicly named and shamed. In May 2018, we already saw high-profile news sites come under fire for not following GDPR regulations.
Step 7: Decision Time: Rollback, Rebuild, Or Throw the Site Away?
How you decide to move on after your site has been compromised depends on the nature of your site. There are four options that you can take:
- Keep
- Rollback
- Rebuild
- Throw away
If you decide to keep your Drupal site, you will have to spend a lot of time reviewing it, and your site could be down for quite some time. Rolling your site back to your most recent backup before your site was hacked would mean you lose out on changes you had made before your site was compromised. For scenarios where the extent of the hack is quite severe, you might have to throw away the site and rebuild a new one.
The latter option is quite pricey, especially if you are going to rebuild with Drupal again. You would need to hire an experienced Drupal developer to help you create, customize and implement your site. Implementation with minimum customization can cost anywhere between $30,000 and $40,000 and can take 6 to 8 weeks to build. It will cost you more if your Drupal site requires extensive customization (we’ve seen figures as high as $100,000).
Step 8: Investigate More Secure CMS Alternatives
Whatever you decide to do, it is going to take you a while to get your Drupal site back online, and perhaps even longer to regain the trust of your customers and clients.
You could stick with Drupal and continue hoping that your site isn’t targeted (Drupal’s security history is patchy, to say the least), or you could use this situation as an opportunity to explore the CMS market and find a more secure solution.
The good news is that leaving Drupal is actually pretty straightforward, especially if you’re replatforming to a hands-on CMS vendor who will help you make the move.
Zesty.io for example, boasts a clean track record when it comes to data breaches, and better yet, handles cloud-hosting, backups, and updates behind the scenes, so you can focus on scaling your company instead of preparing for another major Drupal security scare.
Interested in learning more? Let’s talk.
By Stuart Runyan