January 28, 2016 | Sarah Danks
A Hacked Site Is No Laughing Matter
Have you ever been searching for something and run across a weird “warning” in Google search results?
Something that says, “this site may harm your computer,” perhaps?
I’ve seen it before, but thought — naively — it was a nasty site and deserved it. And of course I’d not click on a SERP result like that!
The other day I was talking with a friend who referred me to a German shepherd breeder. Since she and I were chatting on Facebook already I perused the breeder’s page there, but I much prefer learning about a business from its website over its Facebook profile, so I Googled them (yes, I realize I could’ve just clicked on their website link on the About tab, but I wanted to see what else was online about them, thank goodness)…
…and to my surprise I saw this in the SERP:
Whoa. What the hell?
My friend told me about this breeding operation; I know they’re legit. So why would this happen?
As it turns out, their website has been hacked. If you click on the title tag in the search snippet, you receive this information:
Not wanting to compromise my own computer, obviously I didn’t proceed to the website (eager as I was to look at a myriad of puppy pictures).
Instead, I backed out and clicked on the “This site may harm your computer.” link:
Yikes. The previous screen had told me if I wanted to proceed to the website it’d be at my own risk, and I guess that was the truth:
“You’ll see this message when we think the site you’re about to visit might allow programs to install malicious software on your computer.”
And apparently, until the webmaster at teamhuertahof.com fixes the issue, no one will be able to visit that site safely.
For the record, this isn’t a warning Google throws around lightly. What’s scary is this: unless someone’s actively searching for that website, they wouldn’t necessarily know it was hacked.
So, what if it were bookmarked by a client or family member? Someone who’d been to the website before wouldn’t need to Google it to find the domain name; they’d navigate right to it. Or, visitors to the business Facebook page could click on their website link there…
…thus bypassing Google’s warning message entirely.
(For the record, when I searched for this business in Bing and Yahoo, the only website result of theirs I received in the SERPs was a specific URL — at the bottom of page 1 — but other than that their domain name was eerily absent from results. This would suggest that Bing/Yahoo handle these hacked sites differently than Google — just another reason I don’t use those search engines.)
Of course, you can rely on your browser — whichever it is you’re using — to warn you of danger if you’re navigating directly to a website. For instance, I mainly use Chrome:
But you need to be absolutely certain your settings are correct for this to work. Which is why I prefer to put my trust in the Google.
Speaking of, I wanted to see a bit more about what was going on behind the scenes with this website in question.
Upon doing a site: search for the domain name in question, I was presented with the following SERP:
…I’m fairly certain that’s not the normal site content for a German shepherd breeder in Illinois, United States.
In case you didn’t trust Google’s first warning — or the site: operator — there’s a Transparency Report that will tell you in more detail about any site status:
So, we know this website was hacked and that it’s dangerous to visit the domain. But how did this happen in the first place?
What Does It Mean To Get Hacked?
You might wonder how and why websites get labeled with “this site may harm your computer” in the first place. It’s explained beautifully in the Google overview for webmasters of hacked sites. Having your website hacked means your site is “compromised,” which is a polite way of saying it’s been virtually taken over by someone other than the webmaster.
How Websites Become Compromised
In a nutshell, here’s how websites get hacked: On the outside, your website might seem “healthy,” but it’s vulnerable…
…perhaps because you added a plug-in that turned out to be insecure, you’re using out-of-date software, or maybe your WordPress login was deciphered.
A hacker exploits these weaknesses by creating a program that acts like an infection — it enters into the small vulnerability on your website and spreads like a virus.
You’re not alone — at this point yours is probably just one of MANY sites affected.
Why Hackers Attack
Once the hacker has access to your site through a vulnerable spot, s/he can do anything — like add spammy text or malware.
But why WOULD someone do that in the first place? Well, as the nice lady in the hacked sites overview video explains, it’s because hackers profit in some way:
- If your website is authoritative in a niche, a hacker may break in to add spam in the form of content and links that benefit their own site — after all, we know acquiring incoming links is hard to do naturally.
- Or they could simply be interested in financial gain — as in, your finances. They could install malware that steals your login information and passwords.
Yikes. Oh, and keep in mind — the hacker who installs malware on your website isn’t just accessing your information; s/he’s accessing the information of anyone who visits your site.
This isn’t something that only affects you, so you need to be sure to stay on top of this type of situation!
Since Google bots are continuously crawling the web — indexing new websites and re-indexing existing ones — it’s only a matter of time before they find the malware on your site and start showing the “this site may harm your computer” snippet in SERPs.
Thing is, someone searching Google for your site might know you’re hacked before you do by running into that warning — so how do you, as webmaster, keep abreast of this possible scenario?
Quickly Know If Your Site’s Been Compromised
Google uses automated tools to find hacked sites, so it’s extremely unlikely they’d identify your website as compromised if it really isn’t. But, rather than relying on someone random to email and tell you your site’s been hacked (as I did with the German shepherd breeder in question), you can set up a couple simple tools to help.
Since many hackers are trying to spam websites to benefit their own shady sites, a simple way to know first-hand if your website or blog ever gets hacked is to set up Google Alerts.
You don’t have to be technically savvy to do this, but there is a way — outlined in the article — to set up alerts for various spammy phrases (viagra, porn, drug-related pharmaceutical terms, etc.).
Those are the most common types of spam queries, but obviously not all of them. While setting up Alerts can definitely be helpful, it won’t cover the situation I ran across — wherein the site: operator search revealed a foreign language/special characters.
The safest way a webmaster can find out the health of their website — good or bad — is through Google Search Console (previously Google Webmaster Tools). See, Google alerts you on Search Console if malware has been installed on your site.
But of course you have to be
a) set up with and
b) regularly checking Google Search Console to get that information.
Once you do know your site’s hacked, there’s light at the end of the tunnel — and it isn’t a train.
Fixing Your Hacked Site
The good news is, a full recovery is possible for a compromised website. As mentioned on the hacked sites overview video, there are two methods for recovery:
- Hire an expert
- Do it yourself
Obviously the former is easier in that you merely throw money at someone else to fix the problem, but you also have to trust they know what they’re doing. With the latter, you’ll save money but you need to be somewhat technically inclined.
Hiring A Professional
Since hackers are — unfortunately for those who’ve been compromised — good at what they do, they know how to hide dangerous script deep in the code of your website. Hiring a person or service to find and clean all the bad code on your site can be expensive…
…but you have to weigh the ROI of what you pay them against what it’s worth to have a fully functioning, safe site again.
Of course the people/companies who do this will most likely charge (a lot) by the hour, or could have a backed-up schedule. This isn’t a situation to be taken lightly, though, so you need to get help quickly.
As in the case of the German shepherd breeder, even though I alerted them to the issue (or they were already aware of it), they’ve not pulled their site down. They told me they were “building a new site next month” so would take care of the issue then, but in the meantime, it’s a threat to anyone who visits it.
So, maybe instead of waiting until next month, they should try to DIY…
Removing Malware Yourself
…if you trust your skills to find and remove all malware, identify your website’s vulnerability (and fix it), and seal up any other weak spots to ensure the likelihood of being hacked again is as low as it can be, go for it!
First things first. You’ll need to take a deep breath, and start the process:
- Find the problem (outdated plugin, malicious files, etc.)
- Remove the issue (remove plugin, find and remove bad files, etc.)
- Ensure security to avoid future problems
But how to go about fulfilling each of those steps? Let’s break it down.
Find the Issue
Finding the affected area(s) of your website is a critical step in removing malware. There are a few ways to figure out where malicious code exists:
- Check Search Console for a list of URLs containing malicious code
- Use an online option, such as Sucuri, to scan your site (this part is free)
- If you use a popular CMS — WordPress, Joomla, Drupal — many plugins exist as options to scan files
- Manually check common files that hackers invade (e.g., .htaccess and .php files)
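For the manual check in the last item, here is an added example (not part of the original post) of a small Python scanner that walks a backup copy of the site and flags .htaccess and PHP files showing a few common signs of tampering. The patterns, function names and sample files are assumptions made for illustration; a match is only a lead to inspect by hand, and a clean result does not prove the site is clean.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators only (assumed for this example, not a full signature set).
PHP_PATTERNS = {
    "eval of decoded data": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
HTACCESS_PATTERNS = {"redirect keyed on search-engine referrer": re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo)", re.I)}

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for a site backup."""
    root = Path(root)
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        name = path.name.lower()
        if name == ".htaccess":
            patterns = HTACCESS_PATTERNS
        elif name.endswith((".php", ".phtml")):
            patterns = PHP_PATTERNS
            # Upload folders should hold media, not executable PHP.
            if "uploads" in rel.parts[:-1]:
                findings.append((rel.as_posix(), "PHP file inside uploads directory"))
        else:
            continue
        text = path.read_text(errors="replace")
        for reason, rx in patterns.items():
            if rx.search(text):
                findings.append((rel.as_posix(), reason))
    return sorted(findings)

def build_sample_site(root):
    """Write constructed sample files: one clean page, two tampered files."""
    uploads = Path(root, "wp-content", "uploads")
    uploads.mkdir(parents=True)
    Path(root, "index.php").write_text("<?php echo 'Puppies available'; ?>\n")
    (uploads / "cache.php").write_text("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    Path(root, ".htaccess").write_text(
        "RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]\n"
        "RewriteRule .* http://placeholder.invalid/ [R=302,L]\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(*scan_webroot(tmp), sep="\n")
```

To use it on a real site, call scan_webroot() on a downloaded backup rather than the live server, and compare any flagged file against a known-good copy from your CMS or plugin vendor.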
Once you’ve located the infected parts of your website, it’s time to get rid of the malicious code or spammy content.
Please, before you start deleting code or changing things on your website, make sure to back up your files first! That’s very important.
After you’ve backed up, you can use Sucuri to remove the files — while they scan your website for free, this is the part they make you pay for.
Or, if you’re comfortable digging into the code to remove malicious additions yourself, go for it. This is where your backup can come in handy — you *could* delete everything and restore from your last, safe backup (safe is the key word there). Not sure you want to tempt fate and lose your entire website?
Well, then your option is to wade into the code and remove any/all spammy content, links, and bad code one by one.
After all that, you’ll need to head back into Search Console and ask Google to review your website — to be absolutely certain all malware/spam is gone, and also so they’ll remove the “this site may harm your computer” warning in their search results.
Ensure Security Moving Forward
You’re not done once all malware or spammy content has been removed — you need to ensure your website is secure so you don’t get hacked again!
Granted, being compromised can happen to any website, but you need to take strides to make it extremely unlikely.
If you’re using a CMS, you’ll want to change your login information after you’ve cleaned the site files. Even if you don’t think hackers gained access via login credentials, it’s always smart to change passwords. Don’t use generic terms that would be easy to guess; mixing random letters and numbers seems to work well.
If you have trouble remembering passwords, you can use a service like LastPass — we use this and love it.
Update all plugins to the latest version and remove any unused or out-of-date plugins. Not updating plugins regularly or using insecure plugins can definitely lead to a website breach. Be sure you know which plugins are best for what you need.
If you think your website host had anything to do with security, then you can change hosting environments. This can be more of a peace of mind checklist item, but some hosting companies are better than others. For example, we build all of our client websites on WordPress, so we’ve switched all accounts over to managed WordPress hosting.
Once you’ve cleaned all the malicious code and secured your website, you’ll know that your site can safely be let loose on the web once again.
But there’s one more thing you’ll want to do to finish up the process…
Submit a Reconsideration Request
…and that’s filing a reconsideration request to Google.
Sure, you’ve removed all the bad stuff and you’re back to good — but it’s best to just tell Google:
I wish I could provide the actual “Request a review” portion in GSC and what it looks like, but alas none of the sites we’re responsible for are at risk.
Anyway, when filing your reconsideration, there’s some “‘splaining to do,” and the best I’ve found to tell you how to go about doing that is this guy’s manual for writing a request.
Suffice it to say, once you’ve received confirmation from your reconsideration request, you can breathe a sigh of relief and know that all’s well with the world again.
“This Site May Harm Your Computer” Isn’t the End of The World
If your website’s been hacked, don’t despair — the problem can be resolved! That said, don’t be apathetic about this situation…
…it’s a big deal for everyone involved — you and any visitors to your website — until you take action to fix the problem. After all, the entire point of hacking a website is to gain access to a website and utilize it for financial gain or black hat SEO purposes.
When a hacker gains access to your website and “only” uses it to embed spammy links and content to benefit their own sites, you lose out. But, when they install malware to steal people’s personal, private information — like login information for bank accounts — anyone visiting your site is at risk.
Here are a few more resources for learning about how to deal with your compromised web files:
- This article has great how-to steps on fixing a hacked WordPress site
- Try this checklist for finding/dealing with hacked files
- Google’s steps for dealing with an infected site are a good source
So don’t delay — keep up on the health of your website so your visitors don’t suffer. If you haven’t already, get set up with Google Search Console and check it regularly for alerts. If you’re notified that you’ve been hacked, or you see a “this site may harm your computer” result in Google, take steps immediately to remedy the situation.
And, above all, know that it literally can happen to anyone! You’re not a bad webmaster — just be sure to take care of it thoroughly and quickly.