How To Stay Ahead of Drupal Hackers

November 8, 2017

Nick Bell

Drupal is free, open-source software and a website builder with an easy-to-use, accessible structure. It includes a content management platform and development framework, making it a well-known choice for larger websites and technical developers.

Unfortunately, the most popular platforms, such as WordPress, Magento and Drupal, are prime targets for cyber attackers, who are fully aware that some of the most lucrative websites are based on these platforms. Here’s what to do if you suspect your site has been hacked.

How do I know if a Drupal site has been hacked?

Below are just a few indications that a site has been hacked:

+ Security warnings by search engines or anti-virus software
+ Spam keywords in nodes or search engine results
+ Unknown files under sites/default/files
+ Host currently suspending your site for suspected malicious activity

How to identify a hack

Check new or recently modified Drupal files against reliable copies. If your site's code is tracked in Git, the quickest way to check the integrity of your files is to use git status to look for changes, following the steps outlined below:

+ Connect to your server over SSH and run the command ‘git status’
+ Identify new and modified files
+ Search through your files and note anything unusual.

Check and verify any unknown user accounts

+ Log into your Drupal admin panel
+ Click People on the menu
+ Review list and remove any unfamiliar users
+ Check the last access time of known users and confirm any that logged in at unusual times.

Check diagnostic pages

If your Drupal site has been blacklisted by website security authorities, you can use their diagnostic tools to check the status of the site.

Once you have logged into your account and reviewed recently changed files, remove any suspicious or unfamiliar code from your custom files. Once done, you will need to test the site to see if it is still fully operational.

Removing a hack from your Drupal database

+ Log in to your database admin panel
+ Back up the database before making changes
+ Search for suspicious content and open the table that contains it
+ Manually remove suspicious content
+ Test site to ensure it is fully operational
+ Remove any database access tools you may have used.

How to remove backdoors

+ Confirm your Drupal version and download the same version of the known core files from the official Drupal repository
+ Log into your server via SSH or SFTP and create a backup of files
+ Investigate new files that do not match the known files or are not the same size as the known files
+ Using version control, commit and push new code.
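
The comparison in the steps above can be scripted. This is an added example, not code from the original article: it compares file contents rather than only sizes, since a modified file can keep its original size. The two directory arguments, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a live Drupal tree with a pristine copy of the
# same release. Both directory paths are assumptions supplied by the caller.

# compare_trees KNOWN_DIR LIVE_DIR
# Prints one finding per line: "NEW <path>", "CHANGED <path>", "MISSING <path>".
compare_trees() (
    known=$1 live=$2
    # Files on the live site: NEW if absent from the known copy, CHANGED if
    # the bytes differ (cmp also catches edits that keep the size identical).
    (cd "$live" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        case "$f" in ./.git/*) continue ;; esac   # skip version-control metadata
        if [ ! -f "$known/$f" ]; then
            echo "NEW ${f#./}"
        elif ! cmp -s "$known/$f" "$live/$f"; then
            echo "CHANGED ${f#./}"
        fi
    done
    # Known files that no longer exist on the live site.
    (cd "$known" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        [ -f "$live/$f" ] || echo "MISSING ${f#./}"
    done
)

# Constructed sample trees (not real Drupal files) so the script runs offline.
make_sample() {
    root=$1
    mkdir -p "$root/known/core/lib" "$root/live/core/lib" \
             "$root/live/sites/default/files"
    printf '<?php // bootstrap v1\n' > "$root/known/index.php"
    printf '<?php // bootstrap v2\n' > "$root/live/index.php"   # same size, new bytes
    printf '<?php // core library\n' > "$root/known/core/lib/Drupal.php"
    cp "$root/known/core/lib/Drupal.php" "$root/live/core/lib/Drupal.php"
    printf '<?php // update script\n' > "$root/known/update.php" # removed on live
    printf '<?php // unexpected\n' > "$root/live/sites/default/files/img.php"
}

# With two arguments, compare real directories; otherwise run on the sample.
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
else
    demo=$(mktemp -d) && make_sample "$demo" &&
        compare_trees "$demo/known" "$demo/live"
    rm -rf "$demo"
fi
```

On a real site, contributed modules, settings.php and legitimate uploads will also be listed as NEW, so treat the output as a review list rather than a verdict.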

How to fix website blacklisting

+ Call your hosting company, explain the situation and ask them to remove the suspension. You will most likely need to explain how you removed the malware.
+ Fill in review requests from each blacklisting website — this can take several days. It is worth noting that Google is limiting repeat offenders to one review request per month, so make sure your site is clean!

What do I do after removing malware?

+ Log compromised accounts and force a password reset to ensure hackers lose access to your site.
+ Reset API keys and finally update Drupal software and passwords.