I’m late posting today because we had an adventure with a client’s site. This is a site that we built, and fortunately we continue to manage the site owner’s online presence, because a few days ago someone got into the site and maliciously… well, uploaded a bunch of files.
The files were pages of information about famous historical personages, and I don’t know what benefit the abuser expected to get from these pages. I don’t keep up with this stuff. I feel confident, though, that the object was not to help passersby with their schoolwork.
I’ve since discovered other people in the same industry who seem to have had the same thing done to their sites. I began emailing them, and then I realized that my emails sounded like weird threatening spam: “Sir, I’ve noticed that your website seems to have been hacked…” At least I ended with “Please have your webmaster check this for you” instead of suggesting that they send me money.
In any case, I decided to write this instead. So you might want to have a look at your website and see whether you are the innocent victim of this exploitation. (If you want to know what industry seems to be targeted, you can email me and I’ll tell you.)
In our client’s case, there was a folder labeled “Callan” stuck into the site. The site owners use a cPanel dashboard with their local hosting company, and this is the most likely source of the problem — or the way the miscreant got in, at least.
It was probably done automatically by a computer program, not by the site owner’s secretary, so don’t let it become a human resources issue if this happens to you. There are programs that seek out weak passwords and insert malicious code into the openings they find in the site’s security. If no one is taking care of the website — and you’re busy, so your website might be in that category — then the problem can stay at the innocent site for quite a long time.
How can you know if your site has been compromised?
Google Webmaster Tools will alert you to suspicious behavior at your site. Set them up. You need to have access to the root or code of your site to do this; if you don’t know what that means, contact your webmaster and ask for help. If you do have access, then you can do it yourself:
- Sign into your Google account (set one up if you don’t have one).
- Open Webmaster Tools.
- Type the URL of the site (its web address) into the box and agree to verify that you are the site owner.
- You have several options for verifying your ownership. Mostly, you’ll need to upload a file or paste a line of code into the site.
- Click the “verify” button. Once Google verifies that you have access to the site by seeing that you added the code, you’ll be sent to the Webmaster Tools page for your website.
Webmaster Tools has a diagnostics option for checking to be sure your site isn’t infected with anything. It will also alert you if it notices any suspicious activity.
You can also see a notice saying, “This site may be compromised” at the Google search engine results page if the problem has already been caught by Google. You might also notice strange things going on in the site’s analytics — in this case, visits to pages that didn’t belong on the site.
What should you do if your site has been compromised?
Remove all the stuff that was introduced. If you can’t do this immediately, take your site down until you can, so it doesn’t do any harm online, and restore it from a clean backup. Run the diagnostics at Webmaster Tools to make sure that everything is as it should be.
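One way to find what was introduced, as an added example that is not part of the original post: hash every file on the live site and compare it against a clean backup, listing what was added, changed or removed. Apart from the “Callan” folder name, the directory layout, file names and contents are constructed sample data, and it assumes you have a backup you trust.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_to_backup(live_root, backup_root):
    """Return files added to, modified in, or missing from the live site."""
    live, clean = tree_hashes(live_root), tree_hashes(backup_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in live.keys() & clean.keys() if live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
    }


def build_sample_trees(base):
    """Constructed sample data: a clean backup and a tampered live copy."""
    base = Path(base)
    backup, live = base / "backup", base / "live"
    pages = {"index.html": "<h1>Welcome</h1>", "contact.html": "<p>Call us</p>"}
    for root in (backup, live):
        root.mkdir()
        for name, body in pages.items():
            (root / name).write_text(body)
    # Simulate the incident: an unexpected folder of pages plus one altered file.
    (live / "Callan").mkdir()
    (live / "Callan" / "page1.html").write_text("<p>unexpected content</p>")
    (live / "index.html").write_text("<h1>Welcome</h1><!-- changed -->")
    return live, backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live_dir, backup_dir = build_sample_trees(tmp)
        for kind, paths in compare_to_backup(live_dir, backup_dir).items():
            for p in paths:
                print(f"{kind:9} {p}")
```

Anything listed as added or modified that you did not put there yourself is a candidate for removal or for restoring from the backup.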
Change your passwords and think carefully about who should have access before you give out the new password. Hint: the slip of paper taped on the wall by your store computer with all the passwords on it? Take that down.
Let your web host know what happened. If one site on the server has been attacked, then it’s possible that the rest of the sites hosted on that server have been attacked too.
Then resubmit your website to Google. In our client’s case, the site is completely aboveboard. There has never been any gray hat or black hat activity on its behalf, it has no ads or affiliate links, and we’re confident that there won’t be any problem. If you run a site that makes money by getting traffic — a site supported by Adwords or affiliate links, for example — then Google may require you to “show good faith” before reinstating your site.
If you have a history of black hat behavior, you may be out of luck. This, in case you didn’t notice it yourself, is a really good reason not to develop a history of black hat behavior.
Hi Rebecca. Came across your site today from a comment you left on a Hubspot post. That was good. Looking at your blog now. Just reading this piece.
I posted a piece the other day from an Axandra newsletter about hackers that will leave files on your server to point back to their sites to garner SE juice. Maybe this was their interest? Hard to say. My name links to the post.
Sounds like you are on top of things. Good to meet you.
Hi, Ryan! Good to meet you. I’ll check out that news. I think choosing a webhost with good security protocols and using strong passwords might be the solution — that and keeping an eye on your site so you can nip it in the bud if it happens. I think our client would not have caught it if we hadn’t been there.
I was wondering on a similar note, I want to learn how to hack websites and remote computers. But every site I go to only gives brief descriptions which aren’t basic enough. Where can I learn the most basic knowledge needed?
Catch you again soon!
No need to become a hacker! People with computer skills can now find satisfying, lucrative, honest work. Thanks for the laugh, though.