Hacking of websites, as well as devices and accounts, is all too common and this article looks at some of the tell-tale signs that your website may have been hacked, and what to do about it.
Signs
The kinds of signs that alert website owners to the fact that their website may have been hacked include:
– Visitors to the website are blocked and shown a warning message by the browser such as ‘Site ahead contains malware’ or ‘Phishing attack ahead’.
– The website domain redirects to another, unknown website.
– The website has spam adverts e.g. for adult content, unfamiliar popups, and/or displays other unfamiliar signs/elements.
– The website is suddenly terribly slow, which could indicate SQL injections, Coinhive attacks or brute force attacks by bots.
– The analytics or SEO programme e.g. Google Analytics shows the website ranking for spam keywords.
– A message is received from the website host (by email) saying that a hack has taken place and that the website has been taken offline to prevent the infection spreading.
– A message is received informing you that your website is being used to attack other sites.
– An alert is received from your malware scanner.
– The website is blacklisted by search engines and as such, cannot be found in normal web searches.
Further Investigation
Although these are likely signs that a website hack has taken place there are other proactive steps that can be taken to establish whether a hack is the cause of the website’s issues. These steps include:
Malware Scan
Run a malware/security check with a website malware (source code) scanner. Examples of this kind of scanner include Indusface, ScanTitan, System Mechanic Ultimate Defense, Wordfence or MalCare. With a WordPress website, these can be installed as plugins.
Google Search Console
If you have signed up to Google’s Search Console (and consequently received a warning of a possible hack), log in to the Search Console and check the ‘Security Issues’ section (left-hand side menu).
Google Safe Browsing Tool
Putting your website domain into Google’s Safe Browsing Tool will tell you whether the website is currently safe to visit by detecting the presence of malware or other issues. It can also tell you how to clear your website of malware. Go to https://transparencyreport.google.com/safe-browsing/search
Check Analytics For Traffic Spikes and More
If your website analytics, e.g. Google Analytics, show a large spike in traffic, this could be a sign that the website has been included in a spam advertising campaign.
Warnings From Host and Port Blocking
The website host may have sent an email or posted a notification on the dashboard of the hosting account to inform you of a possible hack. Hosts will also issue a warning before a website is deleted, and they lock down outbound ports, e.g. 80, 443, 587 and 465, to stop the malware from spreading.
Also, making a simple telephone call to (or raising an urgent support ticket with) the host may be a fast way to find out if a hack has been detected and/or if it is part of a wider hack of websites with that host.
Website Monitoring Service
If you are signed up to a website monitoring service, e.g. WebsitePulse, Pingdom, StatusCake, Monitis, Uptrends or Host Tracker, your website is monitored for changes and alerts are sent if changes are detected. This can be an extremely useful way to track aspects of website performance as well as checking for potential hacks, because hacked websites do not always serve malware.
Remote Scanner
If you have signed up to a remote scanner to study the rendered HTML of the website rather than the source code, this could be another way of detecting infection from malware introduced by a hack. These types of tools include urlquery.net and VirusTotal.
It should be remembered, however, that hackers often only display malware to certain visitors at certain times, meaning that remote scanners may miss infection.
Cloaking Check
Where different content is being shown to different types of users, this is known as ‘cloaking’ and can make it more difficult to see if a website has been hacked. To check for cloaking of hacked content, go to Google’s Hacked Sites Troubleshooter. See: https://support.google.com/webmasters/troubleshooter/6155978?hl=en
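As an added illustration (not part of the original article or of any Google tool), the Python sketch below compares copies of the same page as served to different client profiles and reports third-party hosts that only some profiles were shown. It assumes the HTML has already been saved for each profile; the sample pages, host names and function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed responses for one URL under two client profiles (not real traffic).
SAMPLE = {
    "browser": '<a href="/about">About</a><script src="https://cdn.example.com/a.js"></script>',
    "crawler": '<a href="/about">About</a><script src="https://cdn.example.com/a.js"></script>'
               '<a href="http://pills.example.net/buy">cheap</a>',
}


class _Collector(HTMLParser):
    """Collect hosts referenced by links, scripts, iframes and meta refreshes."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hosts = base_url, set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag == "a":
            url = attrs.get("href")
        elif tag in ("script", "iframe"):
            url = attrs.get("src")
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://target/"
            url = (attrs.get("content") or "").partition("=")[2]
        if url:
            host = urlparse(urljoin(self.base_url, url.strip())).hostname
            if host:
                self.hosts.add(host.lower())


def external_hosts(html, base_url):
    """Return the third-party hosts a page references."""
    own = urlparse(base_url).hostname
    parser = _Collector(base_url)
    parser.feed(html)
    return {h for h in parser.hosts if h != own and not h.endswith("." + own)}


def cloaking_diff(variants, base_url):
    """Map each host shown to only some client profiles to those profiles."""
    seen = {label: external_hosts(html, base_url) for label, html in variants.items()}
    common = set.intersection(*seen.values())
    diff = {}
    for label, hosts in seen.items():
        for host in hosts - common:
            diff.setdefault(host, []).append(label)
    return {host: sorted(labels) for host, labels in diff.items()}
```

An empty result means every profile saw the same set of third-party hosts; any entry is a lead for closer inspection rather than proof of a hack, since legitimate pages can also vary by visitor.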
Other Checks
Other checks to confirm a possible hack of a website, and its negative results, include:
Blacklist Checking
Search engines often blacklist unsafe websites. To check whether your website has been blacklisted because of e.g. malware added in a hack, open your browser in incognito/private mode, and go to https://www.google.com/. Type the following in the search field: site:https://yourwebsiteurl.com. This will display links to the pages in the website. If clicking on a link results in being prevented from going to the website and instead being shown a warning (The site ahead contains malware/Phishing attacks ahead/Deceptive site ahead), this may be a strong indicator that your website has been hacked and then blacklisted.
Manual Investigation
Those who are confident, knowledgeable, and experienced enough in dealing with websites may wish to manually check aspects of the website themselves. In a WordPress website, for example, this could involve checking critical files and folders such as the plugins and themes folders, the .htaccess file (for a redirect), the wp-config file and other PHP files. It may also be worth checking whether a new user has been set up within the website and whether there is any evidence that details of any contacts stored on the website have been exported/downloaded.
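The file checks described above can be partly automated. The following Python script is an added example, not code from the original article or from WordPress: it walks a WordPress directory and lists .htaccess redirects that point away from your own domain, PHP files sitting in wp-content/uploads, and PHP files changed in the last few days. The finding names, the seven-day window and the treatment of uploads as a place where PHP files are unexpected are assumptions made for the example.

```python
import os
import re
import time
from urllib.parse import urlparse

# Apache redirect directives whose target is an absolute URL (comment lines skipped).
REDIRECT_RE = re.compile(
    r"^[ \t]*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*?(https?://[^\s\"'\[\]]+)",
    re.IGNORECASE | re.MULTILINE,
)


def external_redirects(htaccess_text, own_host):
    """Return redirect targets in .htaccess text that leave own_host."""
    hits = []
    for match in REDIRECT_RE.finditer(htaccess_text):
        host = urlparse(match.group(1)).hostname or ""
        if host and host != own_host and not host.endswith("." + own_host):
            hits.append(match.group(1))
    return hits


def audit_wordpress(root, own_host, recent_days=7, now=None):
    """Walk a WordPress tree; return sorted (finding, relative_path, detail) tuples."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for url in external_redirects(fh.read(), own_host):
                        findings.append(("external-redirect", rel, url))
            elif name.lower().endswith((".php", ".phtml")):
                if rel.startswith("wp-content/uploads/"):
                    findings.append(("php-in-uploads", rel, ""))
                if os.path.getmtime(path) >= cutoff:
                    findings.append(("recently-modified", rel, ""))
    return sorted(findings)


if __name__ == "__main__":
    import sys  # usage: python audit_wp.py /path/to/wordpress example.org
    for finding in audit_wordpress(sys.argv[1], sys.argv[2]):
        print(*finding, sep="\t")
```

A recently modified file is not proof of compromise, since updates also change files, so compare each finding against a clean backup or a fresh copy of the same WordPress, theme and plugin versions.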
What To Do Next
If your website has been hacked it will be a priority to get a clean, current, safe, and functioning version back online as soon as possible, and to ensure that protections are put in place to minimise the risk of further hacks. Measures that can be taken to make this happen include:
– Acting quickly and contacting your website host and asking for help.
– Assessing the nature and extent of the damage.
– Taking the affected website down temporarily (if it has not already been done by the host).
– Restoring a backup version of the website.
– Identifying how the website was compromised and focusing on fixing those weaknesses.
– Cleaning the hacked website of malware e.g. using a plugin such as MalCare, WordFence, Sucuri Security or Quttera.
– If it is a WordPress website, removing any inactive themes and unused plug-ins to close any possible back doors.
– Running a full virus scan of your computer.
– Using Google to check for blacklisting, plus using other relevant Google tools as detailed earlier in this article e.g. Hacked Sites Troubleshooter.
– Changing the password.
– Once all issues have been fixed, requesting a Google review for unflagging the website as dangerous.
– Going forward, making sure that the website is visually checked at least once a day, every day.
– Ensuring that regular backups of the website continue to be made so that a recent version can be reinstated when necessary.
– Making sure that any software/plugins are updated on the website, and that the programs on your computer are updated with the latest versions and patches.