What is an FTP compromise?

To move files between your computer and your website, you use File Transfer Protocol (FTP). Like most things computers do, there's a password associated with it — this makes sure that only those you've given the password can access your files.

However, simple passwords are easy for attackers to guess, granting them access to your website's files. From there they can insert malicious code on your Website, which can harm your visitors' computers — redirecting them to other Websites or installing malicious software.

If your account has been compromised via FTP, we'll identify some of the red flags that should let you know, as well as steps that you can take to clean the infected files and prevent further damage.

Identifying an FTP Compromise

There are a few signs that your Website's been hacked, including (but certainly not limited to):

• Bad code inserted onto your Website
• New directories with strange names — particularly named after banks or social media Websites
• New files with strange names

However, there are many types of compromises, each of which has its own calling cards.

Malicious Injections

After compromising your password, attackers can place code on your Website that can contain malware or phishing content. Typically, when viewing the website's code, you will see these injections at the top or bottom of the files. Additionally, the injected code will often repeat in in each of the affected files. This means that you might be able to search for this code and find it quickly when reviewing the content. Here's an example:

<iframename=Twitter scrolling=auto frameborder=no align=center height=5 width=1 ·src=hxxp://badsite.tld/badfile.php?id=someid</iframe>

Phishing Content

Phishing schemes attempt to steal sensitive personal information such as passwords, credit card numbers, and social security numbers. Typically, the attacker will send spam email to people with links to a phishing Website that poses as a legitimate website — that's where they've set their traps. For more information, see What is Phishing?

Protecting Your Website

There are a few things you can do if you think your Website's been the victim of an attacker.

Resetting Your Password

The first thing you need to do if you think your Website is compromised is change your password. For those instructions, check out Reset your FTP username and password.

If you have a website that uses a database, like WordPress® for example, you should also change your database password. You can find that info in Reset your MySQL database password.

Cleaning up and Restoring Your Account

After resetting your password, you should review all of your hosting content and remove any malicious content from it. You can do that using your control panel's file manager (more info) or an FTP client (more info).

If that sounds like something you're not comfortable accomplishing (or you simply don't have the time), we offer a security product called WebsiteLock that will remove most malicious content for you. You can get more details about it on our website here.

For most customers, we recommend the Professional WebsiteLock plan. This includes access to WebsiteLock's 360-degree scanning along with automatic malware removal.