Nothing drives visitors away from your website faster than a Google warning that says “This website may harm your computer”. Every day, thousands of websites are compromised by cybercriminals. Hopefully this never happens to your website, but if it does, Google has dedicated an entire section of its Webmaster Tools site to hacked sites. That section helps you determine whether your website has been hacked and offers articles, videos and step-by-step guides to help you recover.
Here’s a round-up of Google’s step-by-step guide to recovering from a compromise.
1. Build a Team
Turn to your hosting provider if you believe your website has been compromised. Your hoster can check that other customers on the same server weren’t affected and can be a great help in recovering your site. In addition to help from your hoster and Google’s “Help for hacked sites” series, you can join online forums and discussions to learn what experts and experienced people have to say.
Google Webmaster Central’s discussion forum has a dedicated subforum for malware and hacked sites. Most responses come from highly engaged members and the community’s Top Contributors. Consider also seeking assistance from a trusted security professional.
2. Quarantine your Site
Take your website offline so that the web server no longer serves harmful content to your visitors. With the site offline you can carry out administrative tasks with less interference from the hacker. Your hoster has a major role to play here.
Some points to remember when you take your site offline:
Returning a 4xx or 5xx HTTP status code on its own isn’t enough to protect your users, because a browser still renders whatever page body is sent along with that status.
The 503 status code is a useful signal that your site is temporarily down.
A robots.txt disallow is also insufficient, because it only blocks search engine crawlers, not visitors.
Perform thorough user account management: look for accounts the hacker created, delete suspicious users and change all passwords associated with your site.
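The quarantine step in practice, as an added example that is not from Google’s guide: a minimal WSGI application that answers every request, whatever the path, with a 503 and a body the site owner controls, so no original (possibly tampered) content is rendered, while the Retry-After header tells crawlers the outage is temporary. The retry interval, the body text and the sample paths checked in the self-test are assumptions made for this example.

```python
"""Quarantine responder (added example): every path, including robots.txt and any
page the hacker planted, gets a 503 with a fixed maintenance body."""
from wsgiref.simple_server import make_server

# Static body served in place of site content; never the original files.
MAINTENANCE_BODY = b"<html><body><h1>Site temporarily unavailable</h1></body></html>"
RETRY_AFTER_SECONDS = "3600"  # assumed interval; tells crawlers when to come back


def quarantine_app(environ, start_response):
    """WSGI app that refuses to serve any site content while the site is quarantined."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(MAINTENANCE_BODY))),
        # 503 plus Retry-After signals a temporary outage rather than a dead site
        ("Retry-After", RETRY_AFTER_SECONDS),
        # do not let caches keep the maintenance page in place of the real one
        ("Cache-Control", "no-store"),
    ]
    start_response("503 Service Unavailable", headers)
    return [MAINTENANCE_BODY]


def call(app, path, method="GET"):
    """Invoke a WSGI app in-process and return (status, headers, body) for offline checks."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Offline self-check on constructed paths: the home page, robots.txt and a
    # hypothetical page the hacker added all get the same 503.
    for p in ("/", "/robots.txt", "/hypothetical-planted-page.html"):
        status, headers, _ = call(quarantine_app, p)
        print(p, status, "Retry-After:", headers["Retry-After"])
    # Serve for real on port 8000 (assumed port); put it behind your web server
    # or point the vhost at it while the real document root stays offline.
    with make_server("", 8000, quarantine_app) as httpd:
        httpd.serve_forever()
```

The point of `call()` is that you can confirm, without touching a browser, that no path on the quarantined host returns a 200 or the original content.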
3. Use Search Console
Verify ownership of your website in Search Console and check that the hacker hasn’t already verified ownership and changed settings. Once you have done that, determine the nature of the compromise. The “Security Issues” report in Search Console can help you detect whether your site was compromised in any of the following ways:
With spammy content
For phishing purposes
To distribute malware
4. Assess the Damage
This step covers sites hacked to host spam (usually flagged with the warning “This site may be hacked”) and sites hacked to distribute malware (usually flagged with “This site may harm your computer”). If your site has been hacked to host spam, compile a list of all the damaged files on your website in preparation for the Clean and Maintain step. If your site has been hacked to distribute malware, you’ll need to:
Avoid using a browser to view pages on your site.
Create a document to record the findings of your assessment; you will use it in the Clean and Maintain step.
Investigate the specific malware infection types and categories on your site using the “Security Issues” report in Search Console.
Log in to your site’s file system for a more in-depth investigation. (Note that the hacker may have modified existing pages or database records, created entirely new spammy pages, written functions to display spam on clean pages, or left “backdoors” that allow the hacker to re-enter your site or that will keep performing malicious tasks if not deleted.)
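One way to compile the list of damaged files and record it for the findings document, as an added example and not part of Google’s guide: hash every file in a known-clean copy of the site (a backup or a fresh install of the same software version) and compare it against the live document root, reporting files that were added, modified or removed. The manifest format (relative path to SHA-256) and the constructed temp-directory scenario in `demo()` are assumptions of this script; the “tampering” it stages is a harmless placeholder comment, not a real payload.

```python
"""Baseline comparison for the damage assessment (added example).
Compares a clean tree against the live tree and lists every difference."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(clean_manifest, live_manifest):
    """Return sorted lists of added, modified and removed paths."""
    clean, live = set(clean_manifest), set(live_manifest)
    return {
        "added": sorted(live - clean),        # new files: planted pages, backdoors
        "removed": sorted(clean - live),      # deletions: e.g. removed .htaccess
        "modified": sorted(p for p in clean & live
                           if clean_manifest[p] != live_manifest[p]),
    }


def report_lines(diff):
    """Lines for the findings document used in the Clean and Maintain step."""
    lines = []
    for kind in ("added", "modified", "removed"):
        for path in diff[kind]:
            lines.append(f"{kind.upper():8} {path}")
    return lines


def demo():
    """Constructed scenario: a clean tree and a 'live' copy with three differences."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "inc" / "config.php").write_text("<?php $db = 'prod'; ?>\n")
            (root / "style.css").write_text("body { }\n")
        # constructed tampering: an edited page, a file absent from the clean
        # install, and a deleted file (placeholder comments, no real payload)
        (live / "index.php").write_text("<?php echo 'hello'; /* injected */ ?>\n")
        (live / "inc" / "cache.php").write_text("<?php /* not in clean install */ ?>\n")
        (live / "style.css").unlink()
        return compare(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for line in report_lines(demo()):
        print(line)
```

Against a real site, build the clean manifest from the backup and the live manifest from the document root, and treat every “added” or “modified” entry as a file to inspect before the clean-up, since backdoors are typically small files or short insertions into otherwise legitimate ones.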
5. Identifying the Vulnerability
There are multiple ways your site may have been compromised, so even after you have found one vulnerability, keep looking for more. The most common vulnerabilities include:
Virus-infected administrator’s computer – The hacker may have installed spyware on an administrator’s infected computer to record the site admin’s keystrokes.
Weak or reused passwords – Check the server log for suspicious activity such as repeated login attempts or an administrator issuing unexpected commands.
Out-of-date software – Check whether all installed software is up to date and whether any security advisories apply to it; outdated software is a common cause of compromise.
Permissive coding practices – Hackers can abuse open redirects by pointing the site’s open redirect at their own spam or malware page.
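Two of the checks in the list above, worked through as an added example that is not from Google’s guide: a scan of web server access logs that flags clients making repeated login attempts within a short window (the weak-password item), and an open-redirect handler shown in its vulnerable form beside a hardened form that only follows same-site relative paths (the permissive-coding item). The login path, the thresholds and the log lines are constructed assumptions; the log format is the common Apache/nginx combined format.

```python
"""Login-burst detection over access logs and open-redirect hardening (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/login"  # assumed login endpoint; change to your site's


def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak count} for clients with >= threshold login POSTs inside any `window`."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        attempts[m["ip"]].append(parse_ts(m["ts"]))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample: six POSTs in two minutes from one address, normal use from another.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 200 2345',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 200 2345',
    '203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 200 2345',
    '203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 200 2345',
    '203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 200 2345',
    '203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /login HTTP/1.1" 200 2345',
    '198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /login HTTP/1.1" 200 1234',
    '198.51.100.2 - - [10/Oct/2023:13:56:04 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:14:30:00 +0000] "POST /login HTTP/1.1" 200 2345',
]


def redirect_target_vulnerable(next_url):
    """Vulnerable form: the ?next= parameter is trusted as-is, so any absolute URL is followed."""
    return next_url


def redirect_target_hardened(next_url, default="/"):
    """Hardened form: only a relative path on this site is followed; anything else falls back."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:                    # absolute URL or //host form
        return default
    if not next_url.startswith("/") or next_url.startswith(("//", "/\\")):
        return default                                   # relative-to-nothing or scheme-relative
    return next_url


if __name__ == "__main__":
    print("login bursts:", login_bursts(SAMPLE_LOG))
    for candidate in ("/account", "//evil.example/", "https://evil.example/"):
        print(candidate, "->", redirect_target_hardened(candidate))
```

The hardened redirect rejects the off-site forms an attacker would supply in a spam campaign (absolute URLs and scheme-relative `//host` paths) while still allowing the site’s own paths; an allowlist of full URLs is the alternative when redirects to other hosts are genuinely needed.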
6. Clean and Maintain your Site
In this step you’ll need to:
Move supporting and additional resources, such as confidential member information, elsewhere.
Remove new URLs created by the hacker.
Create new, clean pages that you want to appear in search results.
Clean up your server based on the information collected in the Assess the Damage and Identifying the Vulnerability steps.
Install the latest, secure software versions.
Restore good content and eliminate the hacker’s content.
Fix the root-cause vulnerability.
Change all passwords.
Set up a proper maintenance plan to prevent future compromises.
7. Request a Review
Request a review from Google to have your site unflagged as dangerous. Before requesting a review, make sure that you have:
Verified ownership of your site.
Cleaned up the hacker’s vandalism.
Fixed the vulnerability.
Made sure your pages are clean and secure.
Brought your clean site back online.