My Website Has Been Hacked What Can I Do? How to Check?
Comodo cWatch helps you clean your website and get it back on track, but even more importantly, cWatch can prevent your site from getting infected in the first place. Contact us now for a free website malware cleaning and hack repair, or get complete, cloud-based protection for your site for as low as $7.92 per month.
If you suspect your website has been hacked, it is important to act quickly. Failure to take action can put your reputation, your bottom line, and your customers at risk. Here’s how you can tell if you’ve been hacked:
The Reactive Ways To Detect Your Site Has Been Hacked
It's not practically possible for system administrators to keep monitoring their websites all the time. Even automated website monitoring tools have gaps in between checks/scans. So, the alternative is the reactive methods, ie, learning from an outside source that your website has been hacked. Here's a look at such reactive ways that can help you discover if your site has been hacked...
Google says this Site may be Hacked
Alerts from Google Chrome (or any other browser) that informs you about the hack
If a website visitor gets an alert from Google Chrome (or any other browser) that your site is insecure, in all probability your website has been hacked and infected with malware.
The following image shows the kind of warning that you get when your website has been targeted and hit by a phishing campaign
When such a message comes up, it needs to be understood that a cybercriminal has perhaps infected your website with malware and is then using the website to carry out phishing attacks. You have been targeted by a phishing attack and your website is also used to carry out phishing attacks. Your website visitors can end up being targeted.
The image given below shows an alert that lets users know that the website they are trying to visit is infected and could affect them.
Your website is taken down by your hosting provider since the site is hacked
When visitors to your website get alerts that your site has been hacked and malware-infected, they report it to your hosting provider. The hosting providers also receive other alerts through their automated security tools or from automated systems outside their company. Following this, the hosting provider will most probably take your site offline. Some hosting providers, as part of their policy, will immediately format the server or hosting account which has been infected. This is done to protect users and secure them against infection, which might happen even after the site is taken offline. The hosting provider would inform you, via email, that your website has been hacked.
Your website is flagged as 'Hacked' or 'Harmful' in Google Search Results
Sometimes, during Google searches, you (or your website users) get the kind of results that are shown in the following images
If such a result is seen in a search the results for which should include your website, it means that your website has been hacked.
Most of the time Google removes hacked websites from search listings, but in some cases, they are included with a flagged message saying - "This site may be hacked" or "This site may harm your computer".
The first message, "This site may be hacked", indicates that Google has detected something suspicious on your website. This might mean some unusual changes to existing pages, an addition of new pages with SEO spams/redirects etc.
The second message, "This site may harm your computer", shows that Google has detected malware that could cause additional damage to anyone who visits the website.
Google Hack Check
You get Google Search Console alerts about malware on your website
Anyone with a website should set up Google Search Console (which also used to be called Google Webmaster Tools); this provides alerts on any issues that Google faces while indexing the website and also gives stats regarding website visits via searches.
If you go to "Search Console Preferences" and enable email alerts, Google Search Console will regularly email you alerts about your website - this includes alerts about malware infection. Thus you'd be able to fix hacks on time, even before warnings are displayed for others. You could also check for hacking issues by visiting the "Security Issues panel" after signing in to Search Console. If there's an infection, it would show an alert as shown below -
You are alerted about a hack by your malware scanner
Trusted malware scanners, like cWatch, alert you if your website has been infected/hacked. Many website owners see this as a preferred method since this mostly has the shortest time between getting infected and the discovery of the hack. In case a hack/infection is discovered, you get an alert via email. Hence you need to keep an eye on alerts and also remember not to ignore alert messages simply because you are getting too many. You can set which kinds of alerts you should receive.
You are informed about a hack by a customer
It's obvious that your website is visited more often by your visitors than you yourself. There could be several thousands of visits from customers and if a hack happens, it would most likely be a customer who finds it out first and informs you even before you receive an alert or Google detects the infection. So, when a customer contacts you and informs you of a hack, first let the customer know that necessary action is being taken and then take your website offline for repair and to avoid further damage to anyone.
The Proactive Ways To Check Your Site Has Been Hacked Before Google Does
Detect website hacks using source code scanner
When a hack happens and a website gets infected, it won't be visible on the outside. Of the many proactive methods that you can use to check for hacks, the first one would be to use a source code scanner like cWatch. cWatch would do a thorough and systematic inspection of all your PHP and other source codes to look for malware patterns. If something is detected, you'll be alerted immediately.
Source code scanners detect hacks by looking for malware signatures/patterns that match known malware codes. But when it's a newer malware that's there, the scanners compare your source code with a known good version of the same code. Thus newer infections, for which detection signatures may not exist, would also be detected.
Check for hacks with a monitoring service that includes site/webpage changes as well
While using a monitoring service to look for website infections, it's always good to opt for one that detects if there are website/webpage changes as well. If there's a change that's more than a certain percentage, you'd be alerted. Monitoring services, can help monitor from multiple locations and thus detect hacks when a hacked website targets users in some location or at some particular time. The monitoring can be based on other parameters too, like for example traffic source.
Check for hacks by monitoring website traffic for spikes
This is important. You should be monitoring your website for traffic spikes, and if there are dramatic spikes you must use a source code scan to verify if there is an infection. This is because there will be a drastic spike in traffic for websites that have been hacked. The spike happens as the hacker would be sending out links to your website to execute spam campaigns. For monitoring website traffic for spikes, you should use not just javascript-based traffic monitoring tools like Google Analytics. You should also use tools like cWatch to detect bot traffic, which usually is not detected by Google Analytics.
Check for hacks using a remote scanner
It's always advisable to check for hacks on your website using remote scanners, which look at the "rendered" version of the site, ie, the HTML that the website produces and not the source code. So, if a criminal chooses to include malware in the HTML or chooses to include a code that would show malware only to certain users at certain times and matching some particular criteria, it's always possible that such infections would be detected by a remote scanner. Use a remote scanner as an additional tool since it helps catch a variety of unsophisticated infections.
Make it a habit to visit your website regularly
You should make it a habit to visit your website regularly and look for changes or strange texts that are injected into your pages. If you find any such thing, a scan could help you detect an infection. Also, look for PHP errors that appear mostly at the very top of your webpage and which could signal an infection.
Summing it up...
We have discussed the different methods that can be used to detect website infections. Here's a sum of some of the major points that we have discussed...
- Do Google search for your website regularly.
- Check your website many times every day.
- Depend on Google Search Console, set email alerts.
- Use a reliable malware scanner, set up email alerts.
- Rely on customers for inputs regarding website security.
- Use a source code scanner to check for infections.
- Look out for unexpected, drastic spikes in website traffic.
- Use a website monitoring service that detects webpage changes.
- Use remote scanners as well.