Depending on why the hackers have infiltrated your site, they will have made some changes to it. These changes are the reason Google has labelled the site as potentially hacked.
Identifying what has actually changed on the site can be the most direct path to understanding why they hacked you in the first place.
Below are some examples of the most common changes that a hacker may have made on your site, some basic ideas for how you can detect the changes, as well as some basic removal techniques.
- Setting up doorway pages
- Setting up a phishing system
- Using Cloaked Pages
- Adding Spam Links
Setting Up Doorway Pages on Your Hacked Site
Doorway pages, or parasite hosting, are used by hackers to steal the authority of your domain and improve their own site’s rankings.
They create landing pages on your site that are optimised for their keywords, frequently in the realm of viagra or other similar drugs.
Due to the power of your website’s domain name, when these pages are optimised they will shoot to the top of the SERP rankings. Once clicked, they then use a piece of referring code to direct the unsuspecting user to their site.
They also benefit from the appearance of a seemingly respectable website selling their product.
When looking at the Google search results, the giveaway for sites that have been hacked and have parasitic pages on their domain is the incongruity between the keywords and what the rest of the site is about.
This example clearly shows that the domain name isn’t about the sale of prescription drugs, yet this subpage (as seen below) is about viagra.
Clicking any of the menu links along the top of the page takes you to a completely different site that sells viagra.
The rest of this site is about the sale of meat products and clearly isn’t a website that would be selling viagra or the like.
An attack such as this requires a comprehensive audit of your site and the deletion of nefarious landing pages.
It can be a time-consuming and laborious undertaking and is often best left to a professional.
If you have an uninfected backup of your site, it is often simpler to delete the entire thing and upload it again.
If you want to try to find the offending pages yourself, the first place to start is the back end of your content management system, which should give you a list of all active and draft pages.
For a faster and more systematic scan, you can check all pages on your website by using a tool called Screaming Frog.
This tool automatically checks every page that your website is currently displaying, along with each page’s title and other key metrics, so you can quickly see whether any pages are present that should not be.
Once you can see if there are any pages present that shouldn’t be, you can delete them.
Note: the guys who created Screaming Frog (being the legends that they are) have made a basic license free, but this comes with a 500 page limitation. If you need more than 500 pages scanned, you will need to purchase a license.
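One way to automate the comparison described above, as an added example that is not part of the original article: export the crawl to CSV and list every page the site serves that your CMS does not know about. The column names (`Address`, `Status Code`, `Title 1`), the `butcher.example` host and the sample rows are assumptions; adjust them to match your own export.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample: a crawl export with "Address" and "Title 1" columns (assumed layout).
CRAWL_CSV = """Address,Status Code,Title 1
https://butcher.example/,200,Family Butcher - Fresh Meat
https://butcher.example/sausages/,200,Handmade Sausages
https://butcher.example/cheap-pills/,200,Buy Cheap Pills Online
https://butcher.example/old-page/,404,Not Found
"""

# Constructed sample: paths the CMS back end lists as active or draft pages.
CMS_PATHS = {"/", "/sausages/", "/contact/"}


def normalise(path):
    """Treat /page and /page/ as the same path."""
    return path.rstrip("/") or "/"


def unexpected_pages(crawl_csv, cms_paths, site_host):
    """Return (path, title) for live pages on site_host that the CMS does not list."""
    known = {normalise(p) for p in cms_paths}
    found = []
    for row in csv.DictReader(io.StringIO(crawl_csv)):
        url = urlsplit(row["Address"])
        if url.hostname != site_host or row["Status Code"] != "200":
            continue  # skip external URLs and pages that are not being served
        if normalise(url.path) not in known:
            found.append((url.path, row["Title 1"]))
    return found


if __name__ == "__main__":
    for path, title in unexpected_pages(CRAWL_CSV, CMS_PATHS, "butcher.example"):
        print(f"not in CMS: {path}  ({title})")
```

Every path it reports is a page to open and inspect before deleting, since legitimate pages generated by plugins or archives can also be missing from the CMS page list.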
If you haven’t found any pages that shouldn’t be present, then there are still other changes that the hackers may have made. Further down this page you will see other examples of potential changes that have been made.
Hackers Setting Up a Phishing System on Your Site
Phishing is a form of social engineering in which a cybercriminal uses a deceptive email, text message or web page designed to look the same as one from a trustworthy source.
Generally the false page or email that they display is the login form for various services, such as email, social media, banks, online stores and so on.
The goal is to trick someone into giving them their personal information, login credentials and so on.
Phishing sites use the appearance of a trustworthy website to trick visitors into submitting their sensitive information.
A phishing site uses a range of tactics to convince the user that the site is genuine.
They can even use the genuine website in conjunction with the fake one to add legitimacy to the deception.
One of the most common tactics for adding a phishing system to a site is using subdomains. They create pages that appear to be the same as your site, but have an extra address element in the URL.
For example, your domain is example.com. The hacker will create a subdomain by adding an extra piece of information, such as phishing.example.com.
This could be as simple as adding a word that appears related to your industry, like repairs.mechanic.com.
It leverages the legitimacy of your actual site to create another path for the user to head down where they will be asked for their information.
This is dangerous because the trustworthiness of your site will give the user confidence that they are providing their information to a site they trust. This in turn will leave them vulnerable to theft and could adversely impact your brand and website in the future.
Often, a phishing system will be an additional page installation, so you can check for it the same way that you searched for spammy landing pages being added to your site.
You can also generally rely upon the Google Search Console to warn you which URLs on your site are suspected of phishing. If you don’t have a Google Search Console security message.
When hackers use cloaking methods on your site
Cloaking is a way of presenting the human user with different information than is seen by the search engine crawlers.
This is a black hat SEO method that can lead to severe penalties and make it almost impossible for your site to rank honestly in the future.
Sending the Spam to Search Engines
It involves presenting one version of the page to the human user that doesn’t include the spam elements and looks as the site would be expected to.
The second version of the page that is seen by the search engine bots is usually heavily spammed with bad backlinks, stuffed with keywords, and often includes text that is invisible to the human eye.
Again, as with other hacking techniques, it is designed to leverage the quality of your site for the good of a hacker’s financial gains.
Feeding the incorrect information to the search engine allows it to rank for keywords that it desires, that have nothing to do with your website.
Sending the spam to the users
The other side of the coin is when they will keep your site sending the same information to search engines, maintaining your authority and trust in the Google ranking systems; yet presenting users with something completely different.
In this scenario, your website could be ranking for ‘cute kittens in San Diego’ and drawing in traffic that is expecting to arrive at a page about adopting a new pet.
However, when the user arrives at your website, they are presented with whatever the hacker wants them to see. Often this is porn, pharmaceuticals and so on.
This method is particularly difficult for a search engine to detect, as it is specifically keeping the version seen by the crawlers separate to that which is served to the users.
In the kitten scenario, you may not actually receive any warnings at all, until someone calls you and complains about the fact you served their family pornography rather than kittens.
Checking if cloaking is being used
In order to check and validate that the same version of the page is being served to humans and bots alike, you can use the Google Search Console.
You can visually inspect the page to see what is being served, and then use the Search Console to “fetch as Google and render”, which shows you the version of the web page that Google is being fed next to the version that a user would see.
Here is an example of me using Search Console to fetch and render the front page of my agency’s website.
Dismantling a cloaked page can be a rather advanced undertaking, and may be best left to the professionals.
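A rough complement to the Search Console check, added here as an example and not taken from the original article: download the same URL once as a browser and once as a crawler, then compare the words on each version. It assumes the cloaking code switches on the User-Agent header; cloaking that keys on the crawler's IP address will not show up this way, so Search Console remains the authoritative view. The sample pages are constructed.

```python
import re
import urllib.request
from html.parser import HTMLParser
# Assumption: the injected code decides what to serve from the User-Agent header.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed samples standing in for the two downloads of one URL.
AS_BROWSER = "<h1>Adopt cute kittens</h1><p>Visit our shelter in San Diego.</p>"
AS_CRAWLER = AS_BROWSER + "<div style='display:none'>cheap pills discount pills</div>"


class TextWords(HTMLParser):
    """Collect the words in a page, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.words, self._skip = set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:  # CSS-hidden text is kept on purpose: crawlers still read it
            self.words.update(re.findall(r"[a-z0-9']+", data.lower()))


def words_in(html):
    parser = TextWords()
    parser.feed(html)
    parser.close()
    return parser.words


def fetch(url, user_agent):
    """Download url while presenting the given User-Agent (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def cloaking_report(browser_html, crawler_html):
    """Return the words unique to each version and a 0-1 word-overlap score."""
    b, c = words_in(browser_html), words_in(crawler_html)
    overlap = len(b & c) / len(b | c) if b | c else 1.0
    return {"crawler_only": sorted(c - b), "browser_only": sorted(b - c), "overlap": round(overlap, 2)}
```

On your own site, call `cloaking_report(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))`. Pages with rotating content will never score exactly 1.0, so read the two word lists rather than relying on the score alone.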
When Hackers Add Links To Your Website To Try and Rank Their Site Better
As I described in the section about covertly and overtly using your website to further advertise and market theirs, this is done in an attempt to make Google rank the hacker’s website higher in the search results.
This is the type of hack that I was on the receiving end of early in my career.
The hackers placed a huge number of links to their own website, right inside my company’s website.
The principle behind this is that when one website links to another, it is essentially vouching for it, and this indicates to Google that the linked-to website is quality and should appear higher in the SERP.
Where are they most likely to place the spam links?
When my site was compromised, the spam links were placed within the header and footer of the website.
To be more specific, they were inserted into header.php and footer.php within our WordPress editing tool.
The reason a hacker would choose the header and footer is that these two areas of the website are visible on every page.
Every page on the site displays the same header and the same footer for the entire website.
They placed approximately 60 links, which was then multiplied by approximately 350 pages, giving them roughly 21,000 links back to their own website.
In the black hat world, link building is typically about quantity, and rarely about quality, in which case whoever hacked my site must have been pretty chuffed with the 21,000 links they “built” that day.
What will the links look like once discovered?
The links themselves will often be in a tiny font, and have the same color as the background on which they have been placed.
This is done specifically to make them less detectable when someone looks at the webpage.
When you discover them, you will see that they almost certainly use keyword-heavy anchor text.
The anchor text is the words used for the link. For example, if I were to link to http://en.wikipedia.org, I could do it just like that, or I could write it like this: the oracle of all human wisdom combined.
Either way, the link is going to the same place.
In the first scenario:
The search engine can see that it is a link for something in English (the en gives this away) called Wikipedia that is run by an organization (.org).
In the second scenario:
The search engine gets all of the same information that it did from the first example, plus learns that another word or phrase that essentially means the same thing as Wikipedia is “the oracle of all human wisdom combined”.
It also tells the search engine that this is essentially what that website is, and what can be expected on the other end.
Your spammers will have made the anchor text of the links the same as whatever keywords they are trying to rank their website for.
In my situation it was “NFL Jerseys” “Cheap NFL Jerseys” “Discount NFL Jerseys” and so on.
The idea being that when an end user jumps onto google.com and types in “cheap NFL jerseys” the search engine has the impression that these keywords relate to the website that the spammer was trying to rank.
If this doesn’t make sense, don’t worry; it really doesn’t matter that much to you right now.
How to Find The Hidden Links
If you know that the links are most likely going to be found in your header.php or footer.php files, you may be tempted to look there.
This is probably going to take you a lot of time, and it also may not be where they have put them (if there are spam links to be found in the first place).
I used a program called Ahrefs to alert me to the existence of the external links.
However, I could have just as easily used the free program discussed earlier, the Screaming Frog SEO Spider.
Within the Screaming Frog dashboard, you can select “external” to show you a list of outgoing links from the site.
These methods will allow you to check what pages the links are coming out of, but they may not help you find exactly where they are on the page.
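The traits described above (external links wrapped in a tiny font or in text the same color as the background) can also be searched for with a script. This is an added example, not code from the original article; the sample footer, the `jerseys.invalid` host and the `butcher.example` site name are constructed, and it only inspects inline `style` attributes, so links hidden through a stylesheet class still need a manual check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a compromised footer; hosts and anchor text are made up.
FOOTER = """<div id="footer"><p>Example Butchers <a href="/contact/">Contact</a>
<a href="https://twitter.com/example">Twitter</a></p>
<div style="font-size:1px; color:#ffffff">
<a href="http://jerseys.invalid/nfl">Cheap NFL Jerseys</a>
<a href="http://jerseys.invalid/sale">Discount NFL Jerseys</a></div></div>"""
TINY_FONT = re.compile(r"font-size\s*:\s*[0-3](\.\d+)?\s*(px|pt)", re.I)
VOID = {"br", "img", "input", "hr", "meta", "link"}  # elements with no end tag


class HiddenLinkFinder(HTMLParser):
    """Flag external links styled to be invisible. Assumes well-nested markup."""
    def __init__(self, site_host, background):
        super().__init__()
        self.site_host, self.findings = site_host, []
        # The lookbehind stops "background-color" from matching as "color".
        self.same_color = re.compile(r"(?<![-\w])color\s*:\s*" + re.escape(background), re.I)
        self.stack = []      # one bool per open element: is it styled invisible?
        self.current = None  # the hidden external link being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        inherited = bool(self.stack) and self.stack[-1]
        hidden = inherited or bool(TINY_FONT.search(style) or self.same_color.search(style))
        if tag not in VOID:
            self.stack.append(hidden)
        host = urlsplit(attrs.get("href") or "").hostname
        if tag == "a" and hidden and host and host != self.site_host:
            self.current = {"href": attrs["href"], "anchor_text": ""}

    def handle_data(self, data):
        if self.current is not None:
            self.current["anchor_text"] += data.strip()

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
        if tag == "a" and self.current is not None:
            self.findings.append(self.current)
            self.current = None

def hidden_external_links(html, site_host, background="#ffffff"):
    finder = HiddenLinkFinder(site_host, background)
    finder.feed(html)
    return finder.findings
```

Pass the background color in the same notation the markup uses; the anchor text it returns is what you would then search for in header.php or footer.php.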
Finding the Hidden Links’ Exact Location on the Page
I used (and would strongly recommend) a free Google Chrome extension called “Link Miner” by Point Blank SEO.
This extension allows you to quickly scan any webpage, and it will highlight any links that are present.
You get a little icon in your Chrome panel. It updates automatically, so a glance at it tells you how many links are on any given page.
When you click it, every link is highlighted and details are placed next to the links; you can then download every link into a CSV file.
I used it to highlight and discover the spam links hidden in the header section and footer section of the site I was working on.
This is how I realized the links were written in white on a white background:
This is what the site header looked like once I hit it with the Link Miner extension.
Why was it beneficial to see them?
Whilst I could have searched for them in the PHP files for every page showing them as being an external link, this would have taken a long time.
Once they were highlighted, I could see what the anchor text was, and then when I went into the PHP editor to remove them, I was able to hit Ctrl+F and search by the anchor text term.
Once you find the links, you can remove them.
If it was just links causing the “this site may be hacked” warning, then you can resubmit to Google and attempt to have it removed.
Beware, however: if you don’t close whatever door the hackers came in through, they will just replace the links.