Over the last couple of months I have been forced, twice now, to deal with compromised websites. This entails finding the problem, getting the site cleaned up, getting the warnings removed and then getting it back in the Google index. Luckily it was not one of our main sites, but cleaning up even a small blog can be a time-consuming process. Along the way I have collected these tips to help anyone else who sees that little message under their site stating “This site may harm your computer.” I know for some of you this may be too surface-level, but others may never have known to do some of these things.
I know it is horrible to see your livelihood infected by malware, but the worst thing you can do is panic and start to desperately run around wondering why something like this would happen to your site. That will not help get your site cleaned up, so the best thing you can do is keep a level head and follow the steps to see how it is happening and how you can quickly address it.
Get the Site Scanned
When working with a hacked site I always head over to a good site scanner, such as the Sucuri SiteCheck, and have it scan my site. Most often it will tell you what the issue might be and give you information on how to fix it. If you are not savvy with htaccess files and other parts of your site, you may want to opt for their paid service, which will clean your site and monitor it for you to make sure no other infections take place. If you are savvy, then run the test, get the details and start implementing their ideas.
Check the htaccess
One of the sites that I was working with had an issue where if you typed in the domain name the site worked fine; however, if you tried to enter the site from a search engine you were directed away from the site to a Canadian drug store. One of the reasons why this is a preferred method for hackers is that many site owners will not search their site in a search engine, they will just type it into a browser. So if you are hit with something like this then it can take people weeks or months to realize it is happening. Here is an example of what the htaccess file looked like for the hacked domain as it may help you to notice what to look for.
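As an added illustration (not the file from the hacked site and not code from the original post), this Python check flags the pattern described above: a RewriteRule that sends visitors to another host only when the preceding RewriteCond lines test the Referer or User-Agent header. The sample file, the `example.invalid` host and the function name are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample; example.invalid is a placeholder host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC,OR]
RewriteCond %{HTTP_REFERER} (aol|ask)\\. [NC]
RewriteRule ^(.*)$ http://pharmacy.example.invalid/in.php?q=$1 [R=302,L]

# Ordinary CMS front-controller block that should not be flagged
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|aol|ask|duckduckgo|yandex|baidu", re.I)
COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
HEADER_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")

def find_referrer_redirects(text, own_hosts=()):
    """Return one finding per off-site RewriteRule gated on Referer/User-Agent."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            # RewriteCond lines accumulate and apply to the next RewriteRule.
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        conds, pending = pending, []
        host = urlparse(rule.group(2)).hostname  # None for local targets
        gated = [p for var, p in conds if any(h in var for h in HEADER_VARS)]
        if host and host not in own_hosts and gated:
            findings.append({
                "line": lineno,
                "host": host,
                "search_engine": any(SEARCH_ENGINES.search(p) for p in gated),
            })
    return findings

if __name__ == "__main__":
    for f in find_referrer_redirects(SAMPLE_HTACCESS):
        print(f)
```

Pass your own domain names in `own_hosts` so legitimate redirects between your own hosts are not reported, and run it over every `.htaccess` in the web root, not only the top-level one.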
Check Google or Bing Webmaster Tools
If the hack is doing more than simply taking over the htaccess, then it is a good idea to check webmaster tools and see if Google has any notifications about what is going on with your website. Many times they will tell you there is malware on it or try to notify you that something weird is happening. They also have a great series of steps you can follow to clean up your site here as well.
Fetch as Google Bot
The second site that was hacked did not have the htaccess issue, but had a little piece of code in the footer of the site which was showing Googlebot a whole bunch of links that a normal user would not see. In order to find this I did a Fetch as Googlebot in webmaster tools and was able to notice that Google was seeing something different than I was. I found the piece of code and removed it from the site, and then it stopped giving Google those extra links.
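The same comparison can be scripted. The Python below is an added example, not code from the original post: it extracts the links from the page as served to a browser and as served to a crawler, and reports the links only the crawler receives. The two HTML samples and the `example.invalid` hosts are constructed, and the function names are the example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"

class _Links(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.add(href.strip())

def links(html):
    parser = _Links()
    parser.feed(html)
    return parser.hrefs

def crawler_only_links(html_browser, html_crawler, site_host):
    """Links present only in the crawler's copy, off-site links first."""
    extra = links(html_crawler) - links(html_browser)
    def offsite(href):
        host = urlparse(href).hostname
        return host is not None and host != site_host
    return sorted(extra, key=lambda h: (not offsite(h), h))

def fetch(url, user_agent):
    """Fetch a page of your own site while presenting the given User-Agent."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed samples: the same page as seen by a browser and by a crawler.
AS_BROWSER = '<body><a href="/about">About</a><div id="footer">(c) Blog</div></body>'
AS_CRAWLER = ('<body><a href="/about">About</a><div id="footer">(c) Blog'
              '<a href="http://pills.example.invalid/a">x</a>'
              '<a href="http://loans.example.invalid/b">y</a></div></body>')

if __name__ == "__main__":
    print(crawler_only_links(AS_BROWSER, AS_CRAWLER, "blog.example.invalid"))
```

Against a live site, compare `fetch(url, BROWSER_UA)` with `fetch(url, GOOGLEBOT_UA)`. Injected code that keys on Google's IP addresses rather than the User-Agent will not show up this way, so the Fetch as Google tool remains the authoritative check.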
Of course this is just the tip of the iceberg and not all hacks will fall into these types of fixes, but these are a lot of the common things to look for. Now you may ask what to do after you have cleaned it, to which I would recommend these things.
Change your Passwords
I know passwords are hard to remember as is, but you should change them right away: FTP, hosting, site, database, etc. This is the most important thing to do right away. If you do not do this, then whatever work you do can be erased as soon as you fix it by whoever already has access to it.
Set Up Google Webmaster Tools
Setting up Google Webmaster Tools for your site is easy and free. It will give you tons of data for your site, such as what users are searching for to get there and who is linking to you. It will also let you know whether your site has been compromised or not. If you do only one thing after reading this blog, make sure it’s setting up webmaster tools.
Keep Your Installs Up to Date
By far one of the most often exploited parts of a site is the database or content management system. Whether that is WordPress, Drupal or something else, making sure it is up to date is the number one way you can combat attacks. The same is true for the plugins that you use. Keeping all of them up to date can help you stop would-be hackers from exploiting your site.
Do Not Share Hosting Access
Having a shared hosting account for multiple sites is fine, but making sure that the other people who are sharing your hosting are keeping their installs up to date is a must. Even if your site is up to date, another site on the hosting account could let in the hackers. Make sure you only share hosting with someone you know and trust will keep up their site.
Back Up Your Site
This is by far one of the most important things you can do. Even if you don’t back it up every day, make sure you are making a backup at least once a month. This way, if all else fails, at least you can fall back on a time when your site was not infected.
File a Reconsideration Request
After your site has been cleaned and you have verified that with the scanner that I mentioned above, make sure you file a reconsideration request with Google. This is one of the most forgotten tasks and probably the most important. Google will not bring your site back into the index and remove the warning without having your site cleaned and a reconsideration request filed. You can do this through your Google Webmaster Tools account, and it is very straightforward and easy to use. In my two times doing it I have seen a response and the warning removed within one to two weeks, so make sure you fill it out as soon as your site is fixed.
So there it is, my tips on both fixing a hacked site and then keeping it safe in the long term. Make sure you leave a comment if you have another tip as well.