The question in the title was one I was asked recently during a radio show interview (more on that a bit later), and I admit it caught me off guard slightly, as most folks don’t ever think to ask it. It’s definitely not one of the more common ones on my list. The reason is that most people view the question as counterintuitive, i.e., of course you know your site’s hacked because the content is different from what you put up there. Or, perhaps when you go to your site, you find yourself redirected to a different one. And indeed, sometimes the hack really is that easy to detect. The truth, however, is that often you simply don’t know that your site’s been hacked, and that is generally the way the criminals want it. As you’ll see later in this article, it’s often to the cyber thugs’ advantage to keep the compromise hidden from the site owner for as long as possible. However, here are some things that can lead you to suspect that perhaps a check for a site compromise is in order.
- Things aren’t working as they should. Often I get called, not because a site owner thinks their website has been compromised, but simply because things aren’t working as they used to, and nothing the owner does to fix it seems to make any difference. Things may seem to randomly disappear, they can’t edit or delete posts, they can’t log in, third-party software is not functioning properly, etc. Now, before concluding that all these things represent a compromise, please understand they likely actually do not. There are many other and far less sinister causes for such behaviors. However, sometimes, the cause is a site compromise. If you notice, therefore, that things aren’t working on your site quite like they used to, and your efforts to fix things seem to end up being for naught, it’s best to get it checked.
- SERPs (search engine result pages) for your site yield content unrelated to your domain. One particularly useful Google query consists of:
site:domainname, e.g., site:brighter-vision.com
If unwanted content has been injected into the site, then it’ll likely come up in the search results, and you’ll likely be penalized in Google rankings as well.
Sometimes, as mentioned previously, you or one of your visitors might actually see content on the site that is otherwise unrelated to it, e.g., content for sexual dysfunction or diabetes medications on a site pertaining to cooking. Generally, however, the criminals would rather inject content into SERPs only, as it allows the compromise to go undetected for a far longer period of time. This practice of making spammy content visible only to search engines while hiding it from human visitors is called “cloaking”.
- If you keep track of your page rankings, you may notice a decrease. Again, this may not be representative of a site compromise, but rather the Google algorithm du jour. Nonetheless, it’s best to check Google Search Console to see if they’re flagging anything. You can learn more about signing up for Google Search Console here.
As noted in the above article, there are two (2) tabs to look at specifically. The first is the ‘Security’ tab, and the second is the ‘Search Traffic > Manual Actions’ tab.
If Google finds a security issue, then it’s likely that you’ll see the ominous warning “This site may harm your computer” when using Google to search about your site. The ‘Manual Actions’ subtab under the ‘Search Traffic’ tab is more for spammy content as opposed to outright malware that could be downloaded to the computer, though having said that, the “this site may harm your computer” warning is not always accurate. Still, it’s ill-advised to visit any site for which Google is generating warnings, as the bad actors can change actions performed by a compromised site at any time. Certainly if you see any warnings similar to the above, you should check things out immediately.
- Your hosting provider is penalizing you for resource overutilization. Again, this may well be due to something other than a site compromise, as you could be getting a lot of traffic, running a rogue third-party script, etc. However, if you’re being penalized for excessive file or email storage, for example, and you don’t use your domain for email or use it very little, and/or your site is just a small installation based on a site builder or content management system with minimal user-generated content, then there’s definitely a reason to believe that a site compromise might be present. Of course, the “rogue script” referred to above could also actually represent a compromise.
- While viewing your files, you see some that obviously shouldn’t be there. Recently I was looking at files on a server to troubleshoot an entirely different problem when I came across numerous filenames containing Asian characters. Since this was a server owned entirely by English-speaking individuals, this was clearly indicative that a compromise had taken place. Also, if you see script files (those having a .php extension, for example) where only user files such as pictures and documents are supposed to go, then, again, the possibility of a compromise exists, and further checking is therefore warranted.
- You notice sudden unexplained and excessive spikes or downturns in your site’s traffic. I’m not talking here about the usual upticks or down trends in visitor traffic that occur routinely. I’m talking really discernible highs or lows that can’t be explained by the usual factors such as day of the week, time of day, etc. Thus, if you have a site dedicated to your local baseball team, and you suddenly notice you’re getting excessive traffic spikes at 2:00 a.m. your time, when most of your site’s visitors would normally be asleep, this could be an indication that something is amiss and therefore warrants further examination.
- Your or a visitor’s malware scanner flags the site. I’ve seen times where scanners have flagged sites inaccurately, but this is something that should be taken very seriously. If you suspect that the warning is inaccurate, then, as with scanning your devices in chapter 2, do a second, or even a third scan if the results of the second scan don’t concur with the first.
- Your host notifies you of malware on your site. Here’s a case where you’d better pay attention. Either be prepared to convince them unequivocally that your site absolutely does not contain anything malicious or be prepared for your site to be taken down. Most hosts will not do this sort of thing capriciously, i.e., they want your business, but it’s not unheard of that automatic malware scanners or firewalls are flagging something they shouldn’t. I’d have to say that in my experience, I’ve never seen the hosting provider be incorrect about this, but I wouldn’t be surprised if at times it were otherwise. Having said that, if you’re one of my hosting clients, it’s likely best not to argue with me about it :).
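The file check described above (script files sitting where only pictures and documents belong) can be automated. The following is an added example, not code from the original article: it walks an upload directory and flags script extensions anywhere in a filename, plus PHP code hidden inside files that claim to be images or documents. The extension list, the 64 KiB read limit, and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed policy for this example: extensions a web server might execute.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".py", ".sh"}
PHP_MARKER = b"<?php"  # should never appear in a picture or document upload


def scan_uploads(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated part so that logo.php.png is caught too.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & SCRIPT_EXTS:
                findings.append((rel, "script extension in upload area"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # first 64 KiB is enough for triage
            except OSError:
                findings.append((rel, "unreadable file"))
                continue
            if PHP_MARKER in head.lower():
                findings.append((rel, "PHP code inside a non-script file"))
    return sorted(findings)


def demo():
    """Build a constructed sample upload tree (not real site data) and scan it."""
    samples = {
        "2024/team-photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "2024/schedule.pdf": b"%PDF-1.4\n% constructed sample\n",
        "2024/gallery.php": b"<?php echo 'constructed sample'; ?>",
        "2024/logo.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "avatars/user7.gif": b"GIF89a" + b"<?php /* constructed sample */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

To use it on a real site, call `scan_uploads()` with the path of the upload directory; a finding is a reason to investigate further, and an empty result does not prove the site is clean.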
In conclusion, I’d suggest that if things are happening on your site that just seem wrong or don’t make sense, it’d be best to get things checked out. It may not be a site compromise at all, and if that’s the case, that’s wonderful! In the process, you may have found and fixed things that needed to be tended to, which is equally great. If something doesn’t seem right, it probably isn’t. Find it, fix it, and get your peace of mind back.
Finally, below are a couple of resources which you might find helpful when checking your site for a compromise. Please understand that positive findings warrant further investigations, but negative ones do not necessarily prove that no site compromise exists.