If your website site is down completely or your domain redirects to a spammy site, it’s pretty obvious you’ve been hacked. A total highjacking is not always the case though and stealth hackings are becoming more common. Smart hackers will use your website to benefit their cause without leaving conspicuous tracks.
Stealth attacks are usually done by injecting spam links or executable files into your website files. Hijacking information is also very popular. Malicious code can be injected anywhere on your website’s server, allowing the hacker to steal user input to include passwords, credit card numbers, tracking cookies or any data for that matter.
So how do you know you’ve got a problem?
Google said so
It’s nice knowing that Google’s got your back, isn’t it? As Googlebot crawls your website, anything deemed as spam, malware or malicious will trigger a flag on your site. You will be notified through your Google Search Console account that there is an issue that needs to be addressed. Hopefully you’re using Search Console, because otherwise end users may see a not-so-welcoming “The site ahead contains malware” or “This site may be compromised” warnings when they click to your domain. Esch.
Truth be told, you’re better off fixing the issue before Google flags your website. Once Google is alerted, you’ve got to stand in line and beg for their forgiveness. So prepare to submit your website for an evaluation, and explain the steps you took to clean up the infection. You never know how long this will take, so it's best to find that hack before they do.
Something looks off
To make sure everything is on the up and up, take a few minutes every day to scroll through the front-end of your website looking for anything that sticks out or may be out of place. Below are just a few things to look for:
- Check for out of place links or new links that may not be relative to your web page's content.
- Look out for delayed pop up windows asking you to download files.
- When clicking on your web pages, make sure there are no other windows being opened up or links that are supposed to be internal taking you to external pages.
- View the source code of your web pages. Check for unknown script code in your header or footer areas, as well as the main content areas. Also check that you are not linking to any unfamiliar outside sources or web pages in those areas as well. Any malicious links should stand out fairly easily–common hacks reference Viagra or Cialis.
- Check your Google Analytics and make sure traffic is not being diverted somewhere else or an abrupt drop/increase in traffic.
Issues in administration
If the front-end looks great, stroll through the admin area of the website. A successful log-in is always a good thing. Hackers will frequently block access to any user trying to log into the admin side of the website.
Once logged in, we can start to look at a few of the things listed below:
- When initially logging in, be sure you are not being redirected to different url.
- Check out the authorized users to ensure there isn’t an unfamiliar user with full access rights.
- Check page/post publish or modification dates.
- Is everything functioning as it should?
Go under the hood of your server
Hopefully all of the checks above haven’t turned up anything amiss and your ship is still sailing smoothly. If you're still in doubt, a sure fire way of checking for a breach is checking your server files and logs. A bit more technical knowledge is required to check these items, but there are things that non-programmers can review.
Log into your server, usually through a cPanel or Webmin that your hosting provider has setup for you, and browse through your servers file directories. Check for unfamiliar folders or new files. Have existing files been modified? You can find the file modifications dates usually to the right of the file’s name. If you happen to find any of these, compare them to your server log.
Your hosting provider can usually provide you with a copy of the server log, or it may be accessible within the root of your server for download. This log provides all sorts of information about users accessing your website. Comparing the date of the suspicious file or folder against the IP address in the log file is a good way to determine if the file or folder is supposed to be there. If the file/folder is odd to you, and the IP addresses in the log at that particular time are not you or someone working on your website, then it should definitely be reviewed further.
Best case scenario is that everything has checked out. If you do happen to find a breach, it is best to notify your hosting provider and contact a professional to track and clean up any files that may be associated with the hack. Hopefully you have been keeping backups of your databases and server files, so reverting to a previous version is possible if necessary.
Once a clean bill of health has been achieved, make sure your server provider locks down permissions on all files. Also research any plugins or packages that you may be using to ensure they don’t have any security vulnerabilities. If it is not obvious, be sure you keep your website and or plugins up-to date with the latest versions of any open source code you may be using.
Sure, it’s practically inevitable in the life of your website that it will be compromised at some point. But wouldn’t it be nice to know you are at least keeping your doors locked to keep your website safe? Make good on your New Year's Resolution with regular website maintenance moving forward. In the meantime, you now have the basics of what to look out for before Google issues you the big red flag.