1. First things first – Preserve evidence and clean up your website!
As soon as you discover the defacement, back up all your website data as well as the database to preserve evidence for the investigation. Take the site offline, especially if you suspect the presence of malicious content. If required, deploy a temporary web server with up-to-date software that offers the same content as the compromised web server, or show the site as “Temporarily unavailable”. Displaying static content prevents further infection.
In the case of shared hosting, notify your ISP/host. Immediately change all passwords (FTP, database access, email, control panel, etc.). Scan for malicious content and do a thorough clean-up of your website. Update the operating system and other software to the latest patches.
In the case of a serious attack, restore the most recent clean backup of the website and any database supporting it, then update the site with any code or data added since that backup. Regularly update content management frameworks (CMFs) such as Joomla or WordPress, as many defacements exploit CMF vulnerabilities. If any of the plugins, widgets, or modules you use are vulnerable, replace them now.
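The evidence-preservation and take-offline steps above, as an added example script that is not part of the original article. The web root, evidence directory, log directories and database dump path are hypothetical, the sample site is constructed in the script so it runs offline, and the maintenance page assumes Apache with mod_rewrite and AllowOverride enabled for the web root:

```shell
#!/bin/sh
# Added example (not code from the original article): preserve evidence of a
# defaced site before any clean-up, then replace it with a static
# "Temporarily unavailable" page. All paths are hypothetical; the real web
# root, log directory and database dump location depend on the deployment.

# Constructed sample web root so the script can be exercised offline.
make_demo_site() {
    root=$1
    rm -rf "$root"
    mkdir -p "$root/wp-content/uploads"
    printf '<html><body>defaced - constructed sample</body></html>\n' > "$root/index.php"
    printf '<?php $db_password = "constructed-sample";\n' > "$root/wp-config.php"
    chmod 644 "$root/index.php"
    chmod 600 "$root/wp-config.php"
}

# SHA-256 of every file under a directory, with whichever tool is installed.
hash_tree() {
    if command -v sha256sum >/dev/null 2>&1; then
        find "$1" -type f -exec sha256sum {} +
    else
        find "$1" -type f -exec shasum -a 256 {} +
    fi
}

# preserve_evidence WEBROOT EVIDENCE_BASE [DB_DUMP]
# Archives the web root with ownership, permissions and timestamps intact,
# records a recursive listing and per-file hashes, copies an existing database
# dump and any web server log directory, then makes the evidence read-only and
# writes a hash manifest of it. Prints the evidence directory path.
preserve_evidence() {
    webroot=$1; base=$2; dbdump=${3:-}
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$base/defacement-$stamp"
    mkdir -p "$out"
    tar -cpf "$out/webroot.tar" -C "$(dirname "$webroot")" "$(basename "$webroot")"
    ls -lR "$webroot" > "$out/webroot-listing.txt"
    hash_tree "$webroot" > "$out/webroot-sha256.txt"
    if [ -n "$dbdump" ] && [ -f "$dbdump" ]; then
        cp -p "$dbdump" "$out/"
    fi
    for logdir in /var/log/apache2 /var/log/httpd /var/log/nginx; do
        if [ -d "$logdir" ]; then
            cp -rp "$logdir" "$out/$(basename "$logdir")-logs" 2>/dev/null || true
        fi
    done
    hash_tree "$out" > "$base/defacement-$stamp.manifest"
    chmod -R a-w "$out"
    echo "$out"
}

# take_offline WEBROOT
# Answer every request with 503 and a static page. Assumes Apache with
# mod_rewrite and AllowOverride enabled for the web root; other servers need
# their own equivalent. Run only after preserve_evidence has finished.
take_offline() {
    webroot=$1
    printf '<html><body><h1>Temporarily unavailable</h1></body></html>\n' \
        > "$webroot/maintenance.html"
    cat > "$webroot/.htaccess" <<'EOF'
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]
EOF
}

# Demo run against the constructed site: sh preserve.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_demo_site /tmp/defacement-demo/htdocs
    preserve_evidence /tmp/defacement-demo/htdocs /tmp/defacement-demo/evidence
    take_offline /tmp/defacement-demo/htdocs
fi
```

The order matters: the archive, listing and hashes are taken before anything is written into the web root, so the maintenance page and `.htaccess` never contaminate the evidence, and the manifest lets you show later that the preserved copy was not altered.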
2. Investigate how your website was breached.
Find out what attack vector was used – XSS, SQLi, a weak FTP password, etc. – and patch it. Examine all logs, including FTP logs. Check for changes in modification dates and permissions of files with static content. Scan both the code and the database for malicious content. Also look at the site analytics for an indication of who is targeting the site.
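A first-pass triage of the checks listed above, as an added example script that is not part of the original article. It lists recently modified and world-writable files, flags files with constructs typical of injected PHP, classifies request lines in an access log as SQLi, XSS or path traversal, and picks out FTP clients that failed repeatedly and then logged in. The paths are hypothetical, the detection patterns are heuristics, and the access log (Apache/Nginx combined format), FTP log (vsftpd format) and web root are constructed in the script so it runs offline:

```shell
#!/bin/sh
# Added example (not code from the original article): first-pass triage of a
# compromised web root and its logs. Paths are hypothetical; the access log is
# in Apache/Nginx combined format and the FTP log in vsftpd format, both
# constructed here as sample input so the script runs offline.

# Constructed sample data: a small web root with one injected-looking file and
# a world-writable upload directory, plus short access and FTP logs.
write_samples() {
    d=$1
    mkdir -p "$d/htdocs/wp-content/uploads"
    printf '<html><body>about us</body></html>\n' > "$d/htdocs/about.html"
    printf '<?php /* constructed sample of an injected file */ eval(gzinflate(base64_decode("...")));\n' \
        > "$d/htdocs/wp-content/uploads/cache.php"
    chmod 777 "$d/htdocs/wp-content/uploads"
    cat > "$d/access.log" <<'EOF'
203.0.113.7 - - [04/Mar/2024:10:01:02 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [04/Mar/2024:10:01:05 +0000] "GET /index.php?id=1'%20OR%201=1-- HTTP/1.1" 200 9800 "-" "curl/8.0"
198.51.100.3 - - [04/Mar/2024:10:02:11 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Mar/2024:10:03:40 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.3 - - [04/Mar/2024:10:04:02 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 404 200 "-" "Mozilla/5.0"
EOF
    cat > "$d/vsftpd.log" <<'EOF'
Mon Mar  4 09:55:01 2024 [pid 4120] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:55:02 2024 [pid 4120] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:55:03 2024 [pid 4120] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 09:55:04 2024 [pid 4120] [admin] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 11:20:15 2024 [pid 4133] [webmaster] OK LOGIN: Client "192.0.2.9"
EOF
}

# Files changed in the last N days, and files or directories writable by
# everyone: where injected content and the weakness that let it in tend to be.
recently_modified() { find "$1" -type f -mtime -"$2"; }
world_writable()    { find "$1" \( -type f -o -type d \) -perm -002; }

# Files containing constructs typical of injected PHP (obfuscated payloads fed
# to eval). Some legitimate plugins use these too, so review each hit.
suspicious_code() {
    grep -rlE 'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|shell_exec *\(' "$1"
}

# classify_request LOGLINE -> sqli | xss | traversal | other
# Heuristic patterns applied to the request line (the first quoted field).
classify_request() {
    req=$(printf '%s\n' "$1" | sed 's/^[^"]*"\([^"]*\)".*/\1/')
    if printf '%s\n' "$req" | grep -qiE "union.*select|'|%27|sleep\(|benchmark\("; then
        echo sqli
    elif printf '%s\n' "$req" | grep -qiE '<script|%3cscript|onerror=|javascript:'; then
        echo xss
    elif printf '%s\n' "$req" | grep -qiE '\.\./|%2e%2e'; then
        echo traversal
    else
        echo other
    fi
}

# summarize_access_log FILE -> one "category count" line per category plus a
# "source IP" line for every client behind a flagged request, sorted.
summarize_access_log() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(classify_request "$line")" "${line%% *}"
    done < "$1" | awk '{ c[$1]++; if ($1 != "other") ips[$2] = 1 }
        END { for (k in c) print k, c[k]; for (i in ips) print "source", i }' | sort
}

# ftp_suspect_logins FILE [MIN_FAILS] -> "ip fails oks" for clients that
# failed at least MIN_FAILS logins and then succeeded (a guessed password).
ftp_suspect_logins() {
    awk -v min="${2:-3}" '
        /FAIL LOGIN/ { ip = $NF; gsub(/"/, "", ip); fail[ip]++ }
        /OK LOGIN/   { ip = $NF; gsub(/"/, "", ip); ok[ip]++ }
        END { for (ip in ok) if (fail[ip] >= min) print ip, fail[ip], ok[ip] }' "$1"
}

# Demo run against the constructed data: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_samples /tmp/triage-demo
    echo "== modified in last 2 days"; recently_modified /tmp/triage-demo/htdocs 2
    echo "== world-writable";          world_writable /tmp/triage-demo/htdocs
    echo "== suspicious code";         suspicious_code /tmp/triage-demo/htdocs
    echo "== access log";              summarize_access_log /tmp/triage-demo/access.log
    echo "== ftp logins";              ftp_suspect_logins /tmp/triage-demo/vsftpd.log
fi
```

Run the triage against the preserved copy of the logs and web root rather than the live server, and read the output as leads: a category count tells you which vector to look at first, the source lines tell you whose sessions to follow through the rest of the logs, and the FTP pattern (several failures, then success, from one client) is what a guessed password looks like.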
3. Inform your customers about the breach and force a password change.
Inform all customers about the breach and explain how it happened. If your website requires user authentication and you suspect, or have evidence, that passwords were compromised, ask all customers to change their passwords.