What is an FTP compromise?
To move files between your computer and your website, you use File Transfer Protocol (FTP). Like most things computers do, there's a password associated with it — this makes sure that only those you've given the password can access your files.
However, simple passwords are easy for attackers to guess, granting them access to your website's files. From there they can insert malicious code on your site, which can harm your visitors' computers — redirecting them to other sites or installing malicious software.
If your account has been compromised via FTP, we'll identify some of the red flags that should let you know, as well as steps that you can take to clean the infected files and prevent further damage.
Identifying an FTP Compromise
There are a few signs that your site's been hacked, including (but certainly not limited to):
- Bad code inserted onto your site
- New directories with strange names — particularly named after banks or social media sites
- New files with strange names
However, there are many types of compromises, each of which has its own calling cards.
After compromising your password, attackers can place code on your site that can contain malware or phishing content. Typically, when viewing the website's code, you will see these injections at the top or bottom of the files. Additionally, the injected code will often repeat in in each of the affected files. This means that you might be able to search for this code and find it quickly when reviewing the content. Here's an example:
<iframename=Twitter scrolling=auto frameborder=no align=center height=5 width=1 ·src=hxxp://badsite.tld/badfile.php?id=someid</iframe>
Phishing schemes attempt to steal sensitive personal information such as passwords, credit card numbers, and social security numbers. Typically, the attacker will send spam email to people with links to a phishing site that poses as a legitimate website — that's where they've set their traps. For more information, see What is Phishing?
Protecting Your Site
There are a few things you can do if you think your site's been the victim of an attacker.
Resetting Your Password
The first thing you need to do if you think your site is compromised is change your password. For those instructions, check out Reset your FTP username and password.
If you have a website that uses a database, like WordPress® for example, you should also change your database password. You can find that info in Reset your MySQL database password.
Cleaning up and Restoring Your Account
After resetting your password, you should review all of your hosting content and remove any malicious content from it. You can do that using your control panel's file manager (more info) or an FTP client (more info).
If that sounds like something you're not comfortable accomplishing (or you simply don't have the time), we offer a security product called SiteLock that will remove most malicious content for you. You can get more details about it on our website here.
For most customers, we recommend the Professional SiteLock plan. This includes access to SiteLock's 360-degree scanning along with automatic malware removal.