How To Protect Your Site From Getting Hacked

Filed in Blog by on August 3, 2015

 
Running WordPress?

Are you in the public domain with a strong brand presence?

It’s a measure of your success that the more you grow your business presence online, the more vulnerable you become to online attacks.

Most of the time it’s not even personal. Instead it’s someone launching a piece of software that scans through the web in search of websites that have security flaws.

And don’t think that you’re safe even if you’re running a small blog on a site that doesn’t get much traffic. Everyone’s vulnerable.

Between 2014 and 2015, Google reported a massive 180% increase in the number of sites that it observed getting hacked.

Even if you haven’t experienced a site hack yet, don’t be under the illusion that it “only happens to others”.

The large majority of site hacks occur without logical rhyme or reason. With WordPress now forming the backbone of 1 in every 5 sites on the net, it’s becoming increasingly important to keep up to date with this popular content management system.

Follow the steps below to help protect your site:

 

1. Software Updates

 
If you’re running WordPress, log in to your backend (the dashboard) on a regular basis and make sure that all your themes and plugins are updated.

The easiest way to leave your site vulnerable is by running out-of-date software. Just like you keep your anti-virus software up to date, you need to make sure you do the same with your website.

Some hosting companies are now offering an option to auto-update your themes and plugins. Speak to them and ask if this option is available to you – it could be a massive time saver.

 

2. Manage Your Password Security

 
Yes this is common sense. Unfortunately, common sense is not always common practice. Most of us are inherently lazy when it comes to using secure passwords. Instead we opt for a combination of letters and numbers that are often too easy for a hacker to guess.

Does your password consist of your child’s name, the place that you live, or your mother’s maiden name?

If it does then you should know that a hacker can get hold of your personal info just by searching in Google and sifting through your social media profiles.

It doesn’t always require a brute force attack from hackers to guess your login details. Often it’s just a case of using the information that’s freely available about you on the net and putting 2 and 2 together.

Secure passwords should be long and use a variety of letters (upper case and lower case), numbers and symbols.

And don’t use the same password across multiple sites. If you’re struggling to remember the large number of passwords, use a service like LastPass or RoboForm.

 
Enable 2 Step Verification
 
Many sites are now offering 2 step verification to help increase security. Use this option if it’s available. The second step in the verification process usually requires you to use your mobile phone after correctly entering your password in the first step.

Yes, it is a pain in the rear end to use 2 step verification, but it’s nothing compared to the pain and heartache of trying to salvage a hacked account. Take advantage of this option and spend the extra minute or so of your time to set up the 2 step verification.

If you have a Google account, you can use 2 step verification to log in to your Gmail account. Banking websites (and their mobile apps) are also starting to use 2 step verification.

 

3. Hosting Account

 
One of the advantages of using a hosting provider is the support that comes when dealing with a hacked website.

To check if your site has been hacked, run it through the free scanner at https://sitecheck.sucuri.net

The scanner will let you know if there are any security vulnerabilities and tell you how to patch them. Once you have this information, contact your hosting company and pass it on to them.

If you’re running your own server then you should already have a competent knowledge of how to keep your website secure from attacks.

Services like CloudFlare and SiteLock provide an extra layer of protection by running your traffic through their server first and also by scanning your website on a daily basis to check for malware. Contact your hosting company, as they may be able to get you a better deal for these services.

 

4. Google Services

 
Take advantage of Google’s free services to identify if your website has been compromised.

 
i) The Search Console (previously Webmaster Tools).

The Security Issues section (see http://googlewebmastercentral.blogspot.co.uk/2013/10/easier-recovery-for-hacked-sites.html) will tell you which pages Google thinks are hacked and give you directions on how to fix them. Visit http://www.google.com/webmasters/hacked for more information.

 
ii) Google Alerts

Google Alerts is commonly used by companies that offer Online Reputation Management services to track when a person or a company has been talked about on the web.

But you can also use Google Alerts for your own website to get notified about any suspicious results.

Set up Google Alerts with search strings like “site:yoursite.com keyword”

 
– Replace ‘yoursite.com’ with your own domain name
– Replace ‘keyword’ with your suspicious hacked keyword e.g. ‘buy … online’ or ‘cheap …’

where ‘…’ could be a pharmaceutical drug, software or any other spammy word.

 
iii) Google’s Search Engine

Enter the search string ‘site:yoursite.com’ (replace yoursite with your own domain name) and hit enter.

Google will return all of the pages that it has indexed for your domain. Comb through the search results and make a note of any that look suspicious.

It’s common for pages to appear as part of a sub-domain as many website owners will take immediate action if they see their main site has been compromised.

When a hacker installs an add-on domain or a sub-domain, they commonly use software to create hundreds or thousands of additional pages which redirect a user to an online shopping site or to a page where the user is prompted to install some software.
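Combing through a long list of indexed pages is easier with a quick triage pass. The sketch below is an added example, not part of the original post: it assumes you have copied or exported the indexed URLs into a list, and the sample URLs, the `shop` sub-domain and the function name are constructed for illustration. It groups the URLs by host, marks hosts you did not set up, and flags the ‘buy’ and ‘cheap’ style keywords mentioned above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample of indexed URLs for the placeholder domain yoursite.com.
INDEXED = [
    "https://yoursite.com/",
    "https://yoursite.com/blog/buyers-guide-to-dog-food/",
    "https://www.yoursite.com/contact/",
    "http://shop.yoursite.com/cheap-software-1.html",
    "http://shop.yoursite.com/buy-software-online-2.html",
    "https://yoursite.com/wp-content/uploads/cheap-watches.html",
]


def triage_indexed_urls(urls, expected_hosts, spam_words):
    """Group URLs by host; return {host: {"count", "unexpected", "spam_urls"}}."""
    expected = {h.lower() for h in expected_hosts}
    spam = {w.lower() for w in spam_words}
    report = defaultdict(lambda: {"count": 0, "unexpected": False, "spam_urls": []})
    for url in urls:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        entry = report[host]
        entry["count"] += 1
        entry["unexpected"] = host not in expected
        # Match whole words so "buy" does not flag "buyers-guide".
        text = unquote(parts.path + " " + parts.query).lower()
        if spam & set(re.split(r"[^a-z0-9]+", text)):
            entry["spam_urls"].append(url)
    return dict(report)


if __name__ == "__main__":
    hosts = {"yoursite.com", "www.yoursite.com"}
    for host, entry in triage_indexed_urls(INDEXED, hosts, {"buy", "cheap"}).items():
        print(host, entry["count"], entry["unexpected"], entry["spam_urls"])
```

A host marked as unexpected with a large page count is the first thing to raise with your hosting company.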

 
iv) Un-Natural Search Queries

In Search Console, you can also check the Search Queries for your site to look for anything that seems un-natural.

For example if your site is about pets but you suddenly notice queries related to technology, this could be an indication that you have undesirable hacked content somewhere on your website.

 
v) Email Forwarding

Use the email forwarding service from the Message Center in Search Console (Webmaster Tools).

This will inform you if Google thinks that your site has been hacked. By forwarding these messages to your own email address, you’ll receive notifications instantly rather than only when you manually check in Search Console.

If you find a site that you believe has been compromised, you can report it to Google via the Spam Report tool at https://www.google.com/webmasters/tools/spamreport?pli=1

 
 

What If Google Incorrectly Identifies My Site As Hacked?

 
Search in Google for your site. If you see a line of blue text under your title tag that says “This site may be hacked” then Google thinks that your site is compromised.

If you’re confident that your site is clean, fill out the form here:

https://docs.google.com/forms/d/11ja4RG490nWbbcHdn-g22l5kBsrRJjn3mbHzjcnHcYY/viewform

Someone at Google will manually review your site and remove the label if it is safe.

 
 

Why Cleaning Up A Hacked Site Is Important For Your SEO

 
Google will penalise a site that it believes has been hacked.

Initially you’ll see a drop in organic traffic as users click away from your website and return to the search engine: this is a user signal to Google that your site isn’t relevant for the search query or keyword that you were previously ranking for.

Commonly, it’s the .htaccess file that is compromised. This file contains information that tells the search engines what to do after they land on your website. If it’s injected with malicious code, it can redirect the search engines to a site with hacked content.
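One way to check an .htaccess file for this kind of redirect is shown below. It is an added example, not code from the original post: the sample file contents, the `redirect-target.example` host and the function name are constructed, and it assumes an Apache server where .htaccess holds directives such as `RewriteCond`, `RewriteRule` and `Redirect`. It reports every redirect that points away from your own domain and whether the rule only fires for certain user agents or referrers.

```python
import re

# Constructed sample: the stock WordPress block followed by one injected rule.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [R=302,L]
"""

# Variables a rule tests when it should only fire for crawlers or search visitors.
COND_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")
EXTERNAL = re.compile(r"^https?://([^/\s:]+)", re.I)


def audit_htaccess(text, own_hosts):
    """Return (line_no, target_host, conditional) for redirects leaving own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, pending_conds = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append(raw.upper())  # applies to the next RewriteRule
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in ("redirect", "redirectmatch", "errordocument"):
            target = parts[-1]
        match = EXTERNAL.match(target.strip('"')) if target else None
        if match and match.group(1).lower() not in own:
            conditional = any(v in c for c in pending_conds for v in COND_VARS)
            findings.append((line_no, match.group(1).lower(), conditional))
        if directive == "rewriterule":
            pending_conds = []
    return findings

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE, {"yoursite.com"}))
```

A finding marked as conditional deserves the closest look, because a redirect that only triggers for search traffic is easy to miss when you visit your own site directly.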

You should also check that you don’t have additional user accounts in your FTP user area. If the FTP user area is compromised, a hacker could install scripts to create inner pages on your website and redirect users to a different location on the net.

 

Ultimately, each website owner is responsible for their own domain.

 

If you don’t pay attention to these issues, Google will eventually de-index your site, meaning that you’ll drop completely out of the search engines until such time that you clean up your site and submit a reconsideration request.

 


 
 
