We tend to think of website hacking as one of two things. The first is the major data breach: someone breaks into your website somehow and steals user information, as in the massive Target or Equifax data breaches. This can happen, but more often it is not a breach of your website at all, but rather of some physical interface within the storefront, be it the PIN pads or a retail server room.
The other is a sort of terroristic takeover of the site. Vogue UK was once taken over and had dinosaurs plastered over their homepage, a Bitcoin forum was hacked to promote a joke coin CosbyCoin, and the main site for the European Union was hacked to replace the prime minister of the UK with a photo of Mr. Bean. Examples like these – and more dangerous examples, like ISIS takeovers of sites and so on – are immediately noticeable and obnoxious.
When a site is hacked and user data is stolen, it doesn’t really leave traces on your website. To discover it, you either need to check the access logs for your sensitive data and find the unauthorized access, or you are rudely informed when your customer data goes public. That, or the hacker sabotages your back-end somehow, which is more immediately obvious.
Examples like the site takeovers are instantly visible. Your users will notice and will report it to you, and Google will notice when they crawl it. You’ll end up with the big search warning “This site may be hacked” or “This site may harm your computer” when a user tries to Google for you or access your page.
There is, however, a third and more insidious kind of compromise on your site. This is when a hacker takes over your page and installs malicious code, but takes pains to make it not obvious.
In some cases, the site looks normal, but some script is added to try to force users to download a malicious file. It might come through a compromised advertisement. It might just be a script on the page. It might tell users to download a font, or an image.exe, or something else. These pieces of malicious code, when downloaded and executed, often ransomware the infected computer.
I’ve even seen some even more dangerous versions of this kind of compromise, where the hacker is not even targeting your audience. Rather, they sabotage your brand by using hidden pages on your site as landing pages for spam email. They don’t touch any of your existing pages; they just create a long series of directories and subdirectories, sometimes even buried in your system folders where you wouldn’t obviously notice them. Then they refer to those URLs in spam email campaigns.
This is very dangerous for two reasons. First of all, it’s hard to notice, unless you have change logs for your site and can see when malicious pages have been added. Secondly, none of your users will ever see these pages. They aren’t linked or indexed, and they may even have robots directives to keep them out of Google’s index. However, they show up in spam emails, which gets your domain blacklisted by email providers like Gmail, and brands your domain as a spam domain.
In essence, you can see a sudden and massive drop in both email open rates and in organic search traffic, along with potential blacklisting from PPC ads from Google, and there’s no outward sign of why it happened.
So, you know, there are a lot of different ways a hacker can screw up your website with malicious code. This isn’t even touching someone motivated against you specifically, who can deface your old content, delete databases, or keyword bomb your pages to destroy your Google ranking.
Scanning a Site
If you’re worried about your site being compromised – and you should be – you can take a few different routes.
The first thing you should do is check your server access logs. In general, your web host should have access logs you can check. The log will be little more than a list of IP addresses and dates, but it can indicate when a strange IP address is accessing your site on an unusual date. Some hackers will clear, disable, or edit the access logs to remove traces of their presence, but many don’t care if they’re discovered, so long as their code is executed a few times first. How you get at the access log varies by server, though.
Better than an access log is a change log. A change log will show details of everything changed on your site. It won’t show when you change the text of a blog post, but it can show when a file is overwritten or edited, or when new files and folders are added. A change log can show you when unusual activity happens and can identify specifically what pages were affected.
Of course, you won’t always have logging enabled. If you don’t, or you aren’t able to access the logs due to the way your web host is set up, you might have to opt for another approach.
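As an added example (not code from the original post), here is a small Python script that reads access log lines in the common Apache/nginx "combined" format and flags the two things the log is most useful for: a script being executed out of an upload or cache directory, and a successful request for a page you never published (the hidden spam landing pages described earlier). The log lines are constructed with documentation IP addresses, and the list of known paths and the directory names are assumptions you would replace with your own site map.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:12:05 +0000] "GET /blog/post-1 HTTP/1.1" 200 8034 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:40:11 +0000] "POST /wp-content/uploads/2024/03/x.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:03:40:12 +0000] "GET /cache/tmp/cheap-pills/index.html HTTP/1.1" 200 4410 "-" "python-requests/2.31"
192.0.2.99 - - [10/Mar/2024:04:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2024:04:01:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Assumptions: the pages you actually published, and directories that should never serve scripts.
KNOWN_PATHS = {"/index.php", "/blog/post-1", "/wp-login.php"}
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")
CONTENT_DIRS = ("/wp-content/uploads/", "/uploads/", "/cache/", "/images/", "/tmp/")


def parse_log(text):
    """Yield one dict per well-formed combined-format line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def flag_requests(text, known_paths=KNOWN_PATHS):
    """Return (ip, timestamp, path, reason) for each request worth a second look."""
    findings = []
    for r in parse_log(text):
        path = r["path"].split("?", 1)[0]          # drop the query string
        in_content_dir = any(path.startswith(d) for d in CONTENT_DIRS)
        if in_content_dir and path.lower().endswith(SCRIPT_EXT):
            why = "script executed from an upload/cache directory"
        elif r["status"] == "200" and path not in known_paths:
            why = "successful request for a page you never published"
        else:
            continue
        findings.append((r["ip"], r["ts"], path, why))
    return findings


def suspicious_ips(text, known_paths=KNOWN_PATHS):
    """Group flagged requests by client address: these are the IPs to trace through the rest of the log."""
    by_ip = defaultdict(list)
    for ip, ts, path, why in flag_requests(text, known_paths):
        by_ip[ip].append((ts, path, why))
    return dict(by_ip)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, hits in suspicious_ips(text).items():
        print(ip)
        for ts, path, why in hits:
            print(f"  {ts}  {path}  <- {why}")
```

Run it against a real log with `python audit_log.py access.log`. The 404 for `/xmlrpc.php` is deliberately not flagged: a failed probe is background noise on every public server, while a 200 for a path you never created means something was actually placed there.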
You can take a critical eye to specific parts of your system as well, to scan manually. Here are some tips:
- Examine your files critically. Take a look at your .htaccess file, and see if it’s hiding any files you didn’t expect it to be hiding, or if it has any directives you don’t want it to have. If you don’t know what a good .htaccess file looks like, Google some examples, or compare it to a known good backup version of your site from a fresh install or from right after it was fully implemented. You can also look at script files, particularly .js files, as well as .php files that might be making calls to other files they shouldn’t. These are harder to analyze unless you know what you’re looking at, though.
- Run your site through Google’s Safe Browsing scanner. For example, here’s the check for this site: http://www.google.com/safebrowsing/diagnostic?site=seoblog.com. It’s free to use, and while it doesn’t give many details, it will tell you if your site looks alright or if Google detects something strange about it.
- Use a CMS scanner. Certain specific kinds of CMS platforms, like WordPress and Joomla, are subject to specific kinds of attacks that normal scanners might not pick up or think to look for. You can find specific tools for your CMS, like the WordPress Theme Authenticity Checker or the Jamss.php plugin for Joomla, to look for specific kinds of compromise.
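The manual file review in the first tip above is easier with a checklist of what "directives you don’t want" look like. The following Python scanner is an added example, not a tool from the original post: it runs a short list of heuristic signatures over .htaccess files (user-agent keyed rewrites, redirects to other domains, PHP auto-prepend, image extensions mapped to the PHP handler) and over .php/.js files (eval of decoded payloads, shell commands built from request input, obfuscated document.write, long base64 blobs). The signature list and the sample files are constructed for this example; a hit means "read this by hand", not "this is malware".

```python
import re
from pathlib import Path

# Heuristic signatures written for this example: (regex, what a hit suggests).
HTACCESS_PATTERNS = [
    (re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(googlebot|bingbot|slurp)", re.I),
     "rewrite keyed on a search-engine user agent (cloaking or conditional redirect)"),
    (re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),
     "rewrite that sends visitors to another domain"),
    (re.compile(r"auto_(prepend|append)_file", re.I),
     "PHP auto_prepend/append_file: a script injected into every PHP request"),
    (re.compile(r"AddHandler\s+\S*php\S*\s+.*\.(jpe?g|png|gif|ico|txt)", re.I),
     "non-PHP extension mapped to the PHP handler"),
]
CODE_PATTERNS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval() of a decoded or decompressed payload"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "shell command built directly from request input"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace() with the /e modifier (evaluates the replacement)"),
    (re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
     "document.write(unescape(...)) obfuscated JavaScript"),
    (re.compile(r"[A-Za-z0-9+/]{300,}={0,2}"),
     "very long base64-looking blob (common in injections; may also be legitimate minified code)"),
]


def scan_text(text, patterns):
    """Return (line_number, description) for every line that matches a signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for rx, why in patterns:
            if rx.search(line):
                hits.append((n, why))
    return hits


def scan_tree(root):
    """Walk a site directory: .htaccess gets the config signatures, script files the code ones."""
    report = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name == ".htaccess":
            patterns = HTACCESS_PATTERNS
        elif p.suffix.lower() in (".php", ".phtml", ".js", ".html"):
            patterns = CODE_PATTERNS
        else:
            continue
        hits = scan_text(p.read_text(errors="replace"), patterns)
        if hits:
            report[str(p)] = hits
    return report


# Constructed samples. The "suspicious" ones only carry the signatures, not working payloads.
CLEAN_HTACCESS = "RewriteEngine On\nRewriteRule ^blog/(.*)$ /index.php?p=$1 [L]\n"
SUSPICIOUS_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
RewriteRule ^(.*)$ http://example.invalid/landing/$1 [R=302,L]
php_value auto_prepend_file /tmp/.cache/x.php
"""
SUSPICIOUS_PHP = """\
<?php
// constructed stand-in for an injected line; the blob is a placeholder, not a payload
@eval(base64_decode('PLACEHOLDER_BLOB'));
"""

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for n, why in hits:
            print(f"{path}:{n}: {why}")
```

Point `scan_tree` at a copy of the web root rather than the live tree, and diff the report against one produced from your known-good backup: anything that appears only in the live copy is where to start reading.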
I typically recommend that you use more than one check each time you want to scan your site. One checker is usually fine, but some are more or less thorough than others. Since most automated checks only take a second or two, it’s easy to use more than one just to make absolutely certain your site is safe.
A page like IsItHacked can scan your site looking for common issues associated with a hacked web page.
Specifically, they look for:
- Cloaked URLs. Hackers who place pages on your site will often cloak them, serving one thing to Google’s crawler and another to visitors so the pages stay out of sight. Google can still see those pages but won’t add them to its index; it can, however, add your site to its list of compromised sites.
- HTTP Status Codes. Checking these codes can show if there are malicious redirects or compromised pages that should otherwise resolve fine.
- Spam Links. The tool will scan your pages looking for spammy links that might have been embedded by a hacker. Some hackers will add links to their PBN domains or to their tiered link building sites, and hope they go unnoticed; such links can flag your site as part of a PBN and tank your SEO.
- Usage of iFrames. The old iFrame system was a way of displaying content within content, but it is also often used as an invisible way to serve display ads or malicious code without actually putting that code on your page. Such iFrames are generally detrimental for any site today, so don’t use them, and make sure there aren’t any embedded on your page without your knowledge.
- Blacklists. IsItHacked maintains a list of blacklists from around the web, including the Google Safe Browsing blacklist. They will check your URL against these blacklists to see if it appears, which can tell you if you’ve been compromised.
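Four of the five checks in that list (cloaking, redirects, spam links, iframes) can be reproduced with a few dozen lines of Python, which makes it clear what such a scanner is actually looking at. The code below is an added example and is not IsItHacked’s or any other service’s implementation: it parses a page with the standard-library HTML parser, flags hidden, 1x1 or third-party iframes and hidden or spam-anchored external links, reports a redirect chain that ends on another host, and then fetches the page once as a browser and once with a Googlebot user agent to compare the visible text. The spam word list and hidden-style patterns are assumptions, and the sample pages plus `fake_fetch` are constructed so the example runs offline; `http_fetch` does the real request.

```python
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0"
# Inline styles that hide an element from visitors but not from crawlers (assumed list).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top|text-indent)\s*:\s*-\d{3,}", re.I)
SPAM_WORDS = re.compile(r"\b(casino|viagra|cialis|payday loans?|replica watches|essay writing)\b", re.I)


class PageAuditor(HTMLParser):
    """Collects visible text; flags suspicious iframes and external links as (kind, url, why)."""
    VOID = {"img", "br", "input", "meta", "link", "hr", "source"}

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings, self.text = [], []
        self._hidden = []   # open tags whose subtree is hidden from visitors
        self._links = []    # open <a>: [href, hidden, anchor-text parts]
        self._skip = 0      # depth inside <script>/<style>

    def _external(self, url):
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip += 1
            return
        if ("hidden" in a or HIDDEN_STYLE.search(a.get("style", ""))) and tag not in self.VOID:
            self._hidden.append(tag)
        hidden = bool(self._hidden)
        if tag == "iframe":
            src = a.get("src", "")
            tiny = a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1")
            if hidden or tiny or self._external(src):
                self.findings.append(("iframe", src, "hidden, 1x1 or third-party iframe"))
        elif tag == "a":
            self._links.append([a.get("href", ""), hidden, []])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if tag == "a" and self._links:
            href, hidden, parts = self._links.pop()
            anchor = " ".join(parts)
            if self._external(href) and (hidden or SPAM_WORDS.search(anchor)):
                why = "hidden external link" if hidden else "external link with spam anchor text"
                self.findings.append(("link", href, f"{why}: {anchor!r}"))
        if self._hidden and self._hidden[-1] == tag:
            self._hidden.pop()

    def handle_data(self, data):
        if self._skip:
            return
        data = " ".join(data.split())
        if data:
            self.text.append(data)
            if self._links:
                self._links[-1][2].append(data)


def audit_html(html, site_host):
    p = PageAuditor(site_host); p.feed(html); p.close()
    return p.findings


def visible_text(html):
    p = PageAuditor(""); p.feed(html); p.close()
    return " ".join(p.text).lower()


def http_fetch(url, user_agent, timeout=10):
    """Real fetch: urllib follows redirects; returns (status, final_url, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")


def audit_url(url, fetch=http_fetch):
    """Redirect check, content checks, then a Googlebot-vs-browser cloaking comparison."""
    host = urlparse(url).netloc.lower()
    status, final_url, body = fetch(url, BROWSER_UA)
    findings = []
    if urlparse(final_url).netloc.lower() != host:
        findings.append(("redirect", final_url, f"HTTP {status}: request ended on another host"))
    findings += audit_html(body, host)
    _, _, bot_body = fetch(url, GOOGLEBOT_UA)
    if visible_text(bot_body) != visible_text(body):
        findings.append(("cloaking", url, "Googlebot is served different text than a browser"))
    return findings


# Constructed pages standing in for a clean homepage, an infected one, and a cloaked version.
CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Our blog about SEO.</p><a href='/about'>About</a></body></html>"
INFECTED_PAGE = """<html><body><h1>Welcome</h1><p>Our blog about SEO.</p><a href='/about'>About</a>
<iframe src="http://ads.example.invalid/x.html" width="1" height="1"></iframe>
<div style="display:none"><a href="http://pills.example.invalid/">buy cheap meds</a></div>
</body></html>"""
PHARMA_PAGE = "<html><body><h1>Cheap viagra online</h1><a href='http://pills.example.invalid/'>order</a></body></html>"


def fake_fetch(url, user_agent):
    """Offline stand-in for http_fetch: visitors get INFECTED_PAGE, Googlebot gets PHARMA_PAGE."""
    return 200, url, PHARMA_PAGE if "Googlebot" in user_agent else INFECTED_PAGE
```

`audit_url("https://your-site.example/", http_fetch)` runs the same checks against a live page. The cloaking comparison is deliberately crude (any text difference counts), so pages with per-request content such as rotating ads will need a tolerance, for instance comparing headings only.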
Cleaning a Compromised Site
I already linked to our primary article on how to recover from a site hacking, but I’ll go over some tips here.
The first thing you should do is determine the extent of the hack. If your admin account is compromised, the attacker could have reached more than one page. If it’s a hack of your CMS, they might not have had access to your back-end data. It’s also possible that the hack came through your advertising rather than your site itself, in which case recovery is as simple as reporting and removing that specific malicious ad from rotation.
If your account has been compromised, look into other potential accounts that might have been compromised as well. Too many people share passwords and account names, and if a hacker compromises one, they might be able to compromise another. Check your email accounts for unauthorized access, as well as other important accounts.
One critical thing to check is recovery information. I’ve personally had a Microsoft account hacked where the hacker added their own information to the recovery list; if I tried to change my password, they would get the password reset email too and could change it back. If I hadn’t noticed, they could have then locked me out of the account entirely. Always look for changed or unusual contact information and remove it before you change your account information.
If any third party service, be it your web host, your email, or your bank is compromised, look for any specific hacking recovery information from that service. Some services, like PayPal, have specific processes you can follow to make sure you recover and re-secure your account.
As for your site itself, figure out how much of your site has been compromised, in what ways, and for how long. Ideally, it’s not a widespread hack, and it hasn’t been hacked for long. Look for any backups of your site you have taken, and examine them to see if they were compromised as well. Ideally, you can simply restore your site from a previous backup, recover any lost content, and re-secure your site. If you have no backups, well, now’s the time to start them. Well, “now” as in after your site has been cleaned; you don’t want a compromised backup.
Remove any compromised files and replace them with clean files. Update any and all plugins, themes, and CMS platforms as necessary. If any plugins are older than six months or so without an update, consider replacing them with an actively maintained plugin.
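Checking whether a backup is clean, finding out how much of the site was touched, and deciding which files to replace all come down to the same operation: compare a known-good tree (a backup or a fresh CMS install) against the live one. This is an added Python example, not a procedure from the original post. It hashes every file under both directories, reports what was added, removed or modified, and separately calls out new executable files under upload, cache or image directories, which are the ones to remove first. The file contents in `demo()` are constructed, and the extension and directory lists are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumptions: extensions a web server can execute, and directories that should hold only content.
EXECUTABLE = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".py", ".sh"}
CONTENT_DIRS = {"uploads", "cache", "images", "tmp"}


def hash_tree(root):
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(baseline, live):
    """Diff two hash maps: baseline is the clean backup or fresh install, live is the current site."""
    added = sorted(set(live) - set(baseline))
    removed = sorted(set(baseline) - set(live))
    modified = sorted(p for p in baseline.keys() & live.keys() if baseline[p] != live[p])
    dropped_scripts = [
        p for p in added
        if Path(p).suffix.lower() in EXECUTABLE
        and any(part in CONTENT_DIRS for part in Path(p).parts[:-1])
    ]
    return {"added": added, "removed": removed, "modified": modified,
            "dropped_scripts": dropped_scripts}


def demo():
    """Build a constructed clean backup and a tampered live copy in temp dirs and compare them."""
    clean = {
        "index.php": b"<?php echo 'hello'; ?>",
        ".htaccess": b"RewriteEngine On\n",
        "wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
    }
    live = dict(clean)
    live[".htaccess"] = b"RewriteEngine On\nphp_value auto_prepend_file /tmp/x.php\n"  # edited
    live["wp-content/uploads/2024/x.php"] = b"<?php /* constructed stand-in, does nothing */ ?>"
    live["cache/tmp/cheap-pills/index.html"] = b"<html>constructed spam landing page</html>"
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as site:
        for root, files in ((backup, clean), (site, live)):
            for rel, data in files.items():
                path = Path(root, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare_trees(hash_tree(backup), hash_tree(site))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        report = compare_trees(hash_tree(sys.argv[1]), hash_tree(sys.argv[2]))
    else:
        report = demo()
    for key, paths in report.items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
```

Run `python compare_site.py /path/to/clean-backup /path/to/live-webroot` for a real comparison. A file that is modified in every backup you have is a sign the compromise predates your oldest backup; in that case the fresh CMS install, not a backup, is the only trustworthy baseline for core files.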
Finally, consider implementing as many layers of security as possible. Two-factor authentication is generally a good idea to prevent unauthorized access to your accounts. You should also install a plugin or monitoring service like Sucuri to help monitor and prevent future attempts to hack your page.
Oh, and make sure you follow any laws regarding compromised user information. In America, for example, if a data breach includes personally identifiable information, you must notify your users within a certain period of time, as determined by state or regional law. Failure to disclose a breach can leave you liable for extreme damages.