The 10 Signs You Have A Compromised Website
Technical Lead, Web Watchdog
21 October 2016
“…then, one day, you load up your site in your browser, and find that it’s not there, or it redirects to a porn site, or it’s full of adverts selling for performance-enhancing drugs…”
WordPress hacks or website hacks in general always feel personal, especially when you discover your website had been compromised for quite a while. This is why it’s very important to recognise these hacks from the first signs.
Online security is probably one of the biggest concerns for any single person or business with a web presence. This is simply because “the hackers keep hacking” relentlessly (usually automated) for any number of reasons. It often revolves around monetary loss or gain, for control, just simply to disrupt, or to leak specific information. These are some of their motivations, and to them your website is the means to an end. But when you get a site hack, it will feel very personal, no matter what. At Web Watchdog, a lot of our customers say they felt insulted and threatened by hackers, especially because they invested plenty of time and effort on their site.
But what really rubs in the salt is the fact that in many cases their victims had no idea they were even a victim of a hack. They may have been only compromised for a short time, maybe for months or worst case even years. You can make the hack comparison to that of having your home, with very secure locks, doors and windows. When a break in occurs, the robber may only steal some bread and a little bit of milk every day. So since this would generally go unnoticed early on, the robberies can go on and on for quite some time. For a lot of cases, the robber will make sure not to leave any trace, and cover their tracks, but just as important not to trigger your attention so you know something is amiss.
In spite of the fact that the WordPress core is very secure, in fact it’s as secure as they come. The vast majority of WordPress websites will have any number of “extensions” with third-party plugins, themes, and widgets which may contain many vulnerabilities. So the reason for this blog post is to show you the signs to keep an eye out for a when a compromise is in place. If you are thinking “yes” this is my situation then you might need to invest in some security for your website. Be it an intelligent malware scanner and cleaner, to rooting out the instances of malware on your site, or get a website security plan in place.
Compromise Sign #1: Google may tell your visitors that “This site may be compromised”
The site could be hijacked. For example the common one used to be a fake Flash update screen or the ones that ask you to download codecs, and give you web pages that appear behind your browser. It’s warning you if you go on the site you might end up with malware.
Compromise Sign #2: Spam mail from your website
Spam – or unwanted messages to email accounts and texts to mobile phones and other mobile devices – can be intrusive and costly. So your subscribers and others are receiving spam email from your domain. But if you’re not spamming visitors, then who is? It’s a common occurrence, but it’s something that can be stopped. If your web subscribers are telling you they are getting spam from your domain email, then this should trigger an alarm that your host is compromised.
Compromise Sign #3: Your site has been hacked previously, you’ve seen the same weird activity
9 times out of 10 when you see this weird activity, then this is purely caused by a Backdoor that your previous compromise has left behind, purposely of course. Hackers are smart enough to know that you may detect their hack, you’ll try to clean it up. Deleting the malicious code can, in some cases remove the hack, if it’s a simple one. But these days they are quite complex. Hackers will have engineered the malware code in a particular way that it’ll disguise itself, and even when you think you’ve removed the hack, it’ll reinitialise, regenerate itself and the reinfection occurs.
So yeah, the main purpose of a Backdoor is to continuously have host access some time after the main hack is “removed”. Thus, Backdoors are usually not conspicuous so that they generally don’t get detected on site malware scans. Even if you have your site with the latest security patches, plugins, extensions and themes updated and also have updated the vulnerable plugin that compromised the entry point initially, that installed your Backdoor, the bad code remains, and will regenerate itself and have full access to your site and resources.
Compromise Sign #4: Slow or unresponsive Site? Getting a 500 or 503 server error?
Unquestionably one to make a written or mental note off, especially when you know the number of real users of your site has not increased, but the site is slowing to a grind and/or showing generic 500/503 errors, like this:
Internal server errors are not just specific to Wordpress, and it can happen with anything else running on your server too. Due to it’s generic nature, it doesn’t tell the developer anything. If you see this and you’re positive the site was not being worked on when it happened (development wise), then this should also get alarm bells ringing of a site hack.
Compromise Sign #5: Desktop Antivirus flagging your site as compromised
Yes this does happen. Most good AV’s these days will detect and protect malware locally from their machine, and also from hosts. If a user visits your infected domain, it’ll probably trigger a notification stating just that. Keep an eye out for this:
Compromise Sign #6: Pharmaceutical / Drugs search results display when your site loads – “Pharma hack”!
When you see “Pharma hacks” think “bad SEO”. These are very common these days with website infections. They are categorised under “SEO spam”. This is a particular nasty hack, where the compromise exploits vulnerable site code to distribute drugs / pharmaceutical content to search engines and site visitors. Indications of a pharma hack are sneakily embedded URLs on pages or modified listings in search results. These pharma hacks are solely to try increase traffic to illegal pharmaceutical businesses. Sometimes the embedded links are not visible to a site visitor, but only to engines crawling the site. They may not even be visible when viewing the page source, this is because the hack infects the site’s database.
Compromise Sign #7: Redirected to other sites!
OK, you load you business website to make sure all is in order. The site temporarily loads, but then redirects to some bizarre site selling all sorts of dodgy products or porn. You think ‘what the hell’, did I just click on a dodgy advert somewhere? Nope, your site is hacked. Yet again, this is another major flag you should know about. Searches from within your website can bring the user to a blank page, some unknown domain name, or back to the search engine containing the phara hack in #6. From experience, in 90% of these cases, redirects are made by simply hacking the .htaccess file in the root of your site. OK, so you view the .htaccess file, and you spot the culprit. You delete the line, and your all happy with yourself that your found the hack. Then 30 minutes later you just check that all is ok on your website, and boom, you’re back to square one. Recall Compromise Sign #3 – Backdoors! Yes, it’ll regenerate itself and the reinfection occurs, yet again.
Compromise Sign #8: Your site is disabled
You start your work at 8 or 9am, you check your email and notice your hosting provider contacting you saying they’ve disabled your domain. You’re like WHAT ?!? … If you’re on a shared hosting plan, like most small business websites usually are, this could happen as a result of your website using up too much of the box resources due to the malware scripts, or simply because they detected a security issue (malware code or an SQL injection) and it’s hogging the server.
Compromise Sign #9: Search Engines Blacklist your site
Surely the the most obvious signs that your site has been compromised is that your site is marked hacked by the search engines. Your site is displayed in the search results and you see “This site may be hacked” message. The message will display directly underneath the results that your pages are ranking for in these results. As might be expected, this will discourage traffic from going to your site and thus will have a substantial damaging impact on your domains traffic. Other messages that can show within search results:
- “This site may be compromised”
- “Visiting this site may harm your computer”
- “This site may harm your computer”
Honestly, there’s nothing worse than having your website blocked by Google. We’ve had clients contact us about it, and you can literally feel the fear in their voices. It’s really concerning for them. So it’s best to try keep an eye out for the compromised signs, and get your site cleaned up before it is detected by Google. So many businesses rely on Google search traffic to gain new customers, get new subscriptions, new app downloads, sell products and services. Getting blocked by Google and other search engines is a major issue for online business owners.
Compromise Sign #10: Your emails start to bounce
This sure is a nasty one and it something you want to try avoid when your site is compromised. This is how it flows:
- Bots or hackers find that weak entry point and compromise your WordPress site.
- They attempt to install scripts that’ll hurl out emails by the bucket load from your IP address.
- Users see this and simply report it as SPAM.
- SPAM lists like SORBS, Spamhaus, BARRACUDA and RATS Dyna, to name a few, will see these reports and chuck your IP onto their lists. Most of the time, you’ll not even know your on the blacklists (unless your have Web Watchdog security plan that’ll monitor your website for blacklists continuously!). You might not even know your site was compromised, you’ll probably just notice people not replying to your emails.
Want new articles before they get published?
Subscribe to our Awesome Newsletter.