Sometimes, you notice your traffic drop for seemingly no reason. You haven’t made any changes to your site recently, certainly nothing that would flag you for a penalty. You poke around and find nothing obviously out of place, but then you see it. When you run a Google search, beneath your search result is that little blue line; “This site may be hacked.” Uh oh.
There are any number of different types of hacks that may flag this warning. In fact, there are two different messages you may receive.
• This site may be hacked.
• This site may harm your computer.
The difference between these is the threat level of the hack. Basic hacks will serve up ads and spam links, generally to the same sorts of sites you see in your spam email folders. Sometimes they’re tacked on to the bottom of your pages. Sometimes they’re hidden so they only appear to search engines. Sometimes, if the hacker is just trying to damage your site, they only show up when the Googlebot fetches your site.
The second warning is the more dangerous warning. It means Google has detected something on your site trying to download and install malicious software. Malware, adware, spyware, viruses; they come from different sources. A hacker might have compromised your site and installed a script to serve up a virus. More commonly, something in your ad network was compromised, leading to malicious scripts tied to external ads.
In every case, the message warns users away from your site, meaning your traffic drops. It’s damaging to your site and you need to fix it right away.
Fixing This Site May Be Hacked
This message appears when Google has reason to believe your site has been compromised in some way. Sometimes it’s a militant hacker that replaces the content of your site entirely with their message. Sometimes it’s replacing some of your content with spam content or adding spam links to the background of your site. Note that this message won’t appear if your site has been compromised but not tampered with. In other words, a hacker can crack your admin access and steal user information and Google has no way of knowing.
The first step is to sign in to Google Webmaster Tools. If for some reason your site isn’t registered with Google, you will want to do so. In the Webmaster Tools suite, you can visit the security issues section to see some of the URLs Google lists as compromised. This may not be a comprehensive list and, occasionally, may be empty.
Google recommends that you build a support team, if you don’t already have one, involving your web host and your web security team.
For recovery, the first step is to quarantine your site entirely. There are a number of ways to do this, depending on your web host and your server configuration. You are essentially taking your site offline. This is for two reasons; first, it prevents the hacker from accessing and undoing any changes you make. Second, it prevents your site from serving up malicious content to your visitors. Ideally, the method you use to quarantine your site will be quickly reversible, for later testing purposes.
While you’re quarantining your site, check your user accounts. It’s possible the hacker created additional admin or user accounts to give themselves future access. Note the names and delete the accounts to prevent future hacker access. At this time you should also change all passwords for all accounts in your system, to prevent stolen passwords being used against you. Advise all members of your staff that if they had a password protected account, they should change the password of any other account that shares that username and password.
Next, you should visit Google Webmaster Tools and make sure the hacker did not alter your settings in some way. Change this password as well. You can do this through the Manage Site option to view all authorized users.
Analyzing the Hack
What was the purpose of the hack? Typically, one of three purposes comes up.
• The hacker is using your site to create links to spam content or to serve spam content directly.
• The hacker is installing keylogging software or backdoor access to steal user information.
• The hacker is using your site to distribute malicious software.
Sometimes, Google Webmaster Tools will offer advice into the nature of this attack. For sites serving spam content or keylogging, Google will mention the “Hacked” heading and will inform you of content injection, phishing or another sort of spam hack. For malicious software, the heading will be “Malware” and will list the detected types.
Determine the Extent of Damages
Google has different guidelines for helping you assess the damage done to your site and recover. If you don’t already, having a technical team available to help you may be beneficial for this step.
• Spam Damages: https://support.google.com/webmasters/answer/2600721
• Malware Damage: https://support.google.com/webmasters/answer/3024274
This is the meat of recover; determining what was affected and how. The specific steps will depend greatly upon what was done to your installation, what software you’re using and what symptoms you have.
Mend and Defend
Once you know what was done, you can take steps to recover. This will involve repairing or replacing infected files, restoring backups of affected content and patching the security hole that allowed hackers to access your site in the first place. Once again, this will depend greatly upon the hacks used and the damage done.
Once all of your site software is up to date and the security holes have been patched, you should establish a regular maintenance routine. Always make sure your software is up to date. Take steps to make sure that any user account capable of making administrative changes is protected behind a strong password and make sure that password is changed regularly.
Appeal to Google
Once you believe your site has been fully cleaned and is not at risk of further infection, you can petition Google for a review of your site status.
For phishing attacks, you can complete a review here: http://www.google.com/safebrowsing/report_error/. This will notify Google that you believe your site is clean. In 1-2 days, Google will either confirm or deny your review. If confirmed, you’re all set; just protect your site in the future. If denied, Google still detects malicious code on your site. Unfortunately, that means you missed something the first time around.
The process for malware or spam content is a bit different. For these, you need to visit the security issues section of Webmaster Tools and request reviews for any listed pages. It helps to tell Google what infection was diagnosed and what steps were taken to fix the security hole. Malware reviews are quick and automatic; spam content reviews take much longer.