Chapter 1: Communicate with Your Website Host
When a website is compromised, the hosting provider for the site should be made aware that an incident has occurred. They may not attempt to help you in the least. Then again, they might, offering to fix it either for nothing or for a greatly diminished fee. It really depends on the host, but whether they offer to help you or not, they should be notified, for the reasons outlined below.
Sometimes it is your hosting provider that notifies you. This often happens, for instance, when spammers are going over the host’s email sending limits, or when other server resources are being exceeded. It may also occur when the website is infected with malware that poses imminent danger to the safety of your visitors. Some site compromises can endanger an entire server, and this is particularly true if the server in question is configured improperly. The result is that all sites on the server can be compromised unless prompt intervention takes place. Such events often necessitate that the site be taken “off line” so that other sites on the server, or your site’s guests, won’t be impacted. Often the hosting provider will ask for your IP address so that you can be allowed in to fix the site while no one else can visit. To find your IP address, you can go to any number of sites on the web that provide that information. One of the better known places is:
What’s My IP
Even if your host does not block your visitors, you may be able to do so yourself, should you feel it expedient. The task is fairly straightforward.
The majority of WordPress sites run on the Apache webserver, which uses a file called .htaccess that contains many rules regarding your website. It is, for example, what makes “pretty permalinks” possible in WordPress, i.e., addresses like https://yoursite.com/yourpost rather than https://yoursite.com/?p=108. It is also, unfortunately, where criminals sometimes store compromise-related settings.
Once you’ve obtained your IP, you can place the following lines in your .htaccess file to bar access to your site by others while you repair and reclaim it. They should come after the following line, which is likely already present:
RewriteEngine On
# Allow only your IP access to your site (dots are escaped so they match literally)
RewriteCond %{REMOTE_ADDR} !^123\.456\.789
RewriteRule .* - [R=503,L]
The numbers represent an IP address, and you should substitute yours for them. The 503 signifies that the page is temporarily unavailable. Thus everyone who visits the page except you will get a message that the site is temporarily not available. There are fancier ways to do this, but this works as a quick method to protect your site guests while you repair and reclaim your website.
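The following is an added example, not part of the original guide: a small Python helper that validates the address, escapes it for the RewriteCond pattern, and inserts the rules directly after the existing RewriteEngine On line. The function names, the marker comments, the shortened sample .htaccess and the address 203.0.113.7 (a documentation-range address) are assumptions made for illustration.

```python
import ipaddress
import re

BEGIN = "# BEGIN lockdown (marker name is an assumption of this example)"
END = "# END lockdown"

# Constructed sample: a shortened rewrite section of a WordPress .htaccess.
SAMPLE = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule . /index.php [L]
</IfModule>
"""

def lockdown_block(ip):
    """Rules that answer 503 to every client except `ip` (one IPv4 address)."""
    addr = ipaddress.IPv4Address(ip)      # ValueError on a malformed address
    pattern = re.escape(str(addr))        # dots must match literally
    return [BEGIN,
            "RewriteCond %{REMOTE_ADDR} !^" + pattern + "$",
            "RewriteRule .* - [R=503,L]",
            END]

def remove_lockdown(htaccess):
    """Drop a previously inserted block, leaving every other line untouched."""
    kept, skipping = [], False
    for line in htaccess.splitlines():
        if line.strip() == BEGIN:
            skipping = True
        elif line.strip() == END:
            skipping = False
        elif not skipping:
            kept.append(line)
    return "\n".join(kept) + "\n"

def add_lockdown(htaccess, ip):
    """Insert the block directly after the first 'RewriteEngine On' line."""
    block = lockdown_block(ip)            # validate before touching the text
    lines = remove_lockdown(htaccess).splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"\s*RewriteEngine\s+On\s*", line, re.IGNORECASE):
            lines[i + 1:i + 1] = block
            break
    else:                                 # no rewrite section yet: create one
        lines = ["RewriteEngine On"] + block + lines
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(add_lockdown(SAMPLE, "203.0.113.7"), end="")
```

Keep a copy of the original .htaccess before writing the result back, and call remove_lockdown once the site is clean. WordPress rewrites the section between its own # BEGIN WordPress and # END WordPress markers when permalink settings are saved, so check that the block is still present after changing them.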
If your webserver is Nginx, put the following lines in your nginx.conf file.
allow your.ip;
deny all;
where your.ip, obviously, is your IP address.
Once you’ve communicated with your web hosting provider, it’s time to move on to the next step of the process.