My site was defaced ("hacked"). Now what?

Attacks can happen in a variety of ways. Even if the only web application running on your server is Drupal, it's possible that the attacker used a different method of gaining access to your server to deface your site.

Rule out other attack vectors

• May not be Drupal at all, but easily guessed passwords on admin accounts, weak ssh credentials, or other attack vectors.
• Check Apache's logs for suspicious activity. This might indicate a vulnerability in a web application and possibly Drupal.
• Other applications on the server
• Other accounts on a shared server
• Make sure you are not running an out-of-date Drupal core or contributed project version
• Check the recent security announcements for Drupal core and contributed modules. Would any of them enable the kind of attack that happened to your server?

Template of what to report to the Drupal security team

You may report the problem to the security team. However, unless you have specific information about Drupal code that is involved in the site being hacked, this report will only be used to look for common patterns that might indicate a widespread vulnerability. The Drupal Security Team is not able to provide individual support, and can not help you to recover your site.

• Drupal version
• List of contributed modules and their versions
• Apache/PHP versions
• How do you manage the code of the site (e.g. git, composer, cpanel)? Is your site accessible using FTP/SFTP/SCP?
• Name of your hosting company
• Permissions on the files in your Drupal directory (e.g. from ls -l in the Drupal installation directory)

Please visit https://www.drupal.org/support to see what your support options are if you need more assistance.