Hacked and Completely Unaware

I just got back from a trip to sunny Southern California where I was staying just a few blocks away from the magic of Disneyland at an Airbnb.

That’s where I met Doug Kroll, a chiropractor from Hawaii and naturally, because I am a huge SEO nerd, we started talking about websites. He told me about his property management site and how it needed some work, so I started poking around looking at his site.

A lot more under the surface (Finding Nemo ride at Disneyland)

Like the Finding Nemo ride I would take my daughter on the next day, there was a LOT more under the surface.

The Power Of the Site: Query

Since one of the first steps I always take in my site audits is to see what Google knows about a site, I ran a site:http://url query. (Just type site: and then your full URL.) This lets me see fairly quickly whether all the pages are being indexed properly.

Doug’s Lexington rental property site had just 7 total pages. So when Google showed me this, my heart leapt into my throat.

Site:mcgregorrentals.com

While those first few pages look fine, there’s just 7 URLs. Is there some weird tag issue going on here? I click to page 4.

Those are some nasty URLs

Uh oh. Mission control, we have a problem.

Where URLs were redirecting

It’s Official: The Site Has Been Hacked

I did a couple of Google searches around the domains being referenced and redirected to. I found several articles about WordPress script injection and htaccess redirect hacks. Bingo. That just about fits the bill.

Digging Deeper

Once I told Doug about the problem, I had him update all his credentials and run an antivirus scan on his laptop. Then my second step was to log in to Google Webmaster Tools, once Doug gave me access as a user.

Here's the index climbing higher and higher from bogus pages.

It looks like the hack occurred around 10/24, based on the increasing number of those bad URLs being indexed from that date onward.

The Good News: Search Traffic was not yet impacted

However, it looks like Google has not yet sent any messages, added a malware warning or penalized the site’s indexation, ranking, or traffic for their brand.

Well...It does look like Google does see the content though

Well, Google definitely is seeing the spam content keywords, so that’s not good. Isn’t it interesting that this level of spam injected into a site is not causing a penalty, at least not an obvious one yet?

Let’s Clean This Up!

Since the injection involved the HTACCESS file, and the site was so small, I suggested to Doug that we just scrap the whole site instead of trying to dig out all of the bad files. With his consent, I called up the hosting company and killed it with fire and started a brand new WordPress site on a fresh server.

That’s about where I am in the process. I got permission from Doug to post about the hack, and thought I’d put out an open line for suggestions since the next step is dealing with the aftermath. Here are my first thoughts on next steps:

  • Already had client update his email UN/PW, Hosting UN/PW and run a malware check and antivirus scan on his laptop.
  • Add a 410 for the /script/ URLs.
  • Mark those now 500 Errors in Google Webmaster Tools as fixed.
  • Add in an extra WordPress security plugin – (Thinking about Sucuri).

What do you think? Have you dealt with a hacked site of your own or for a client recently? What would you do next?
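The site: check and the 410 step described above can also be run against an exported list of indexed URLs. The Python script below is an added example, not code from the original post: it compares indexed URLs with the pages the owner actually published, groups the unknown ones by directory, and emits an Apache mod_alias 410 rule for the injected directory. example.com, the sample URLs and every function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data: example.com stands in for the audited site.
KNOWN_PATHS = {"/", "/about/", "/rentals/", "/contact/"}  # pages the owner published
INDEXED_URLS = [  # constructed; in practice an export of the indexed URLs
    "http://example.com/",
    "http://example.com/about/",
    "http://example.com/rentals/",
    "http://example.com/contact",
    "http://example.com/script/cheap-pills-online.html",
    "http://example.com/script/casino-bonus.html",
    "http://example.com/script/replica-watches.html",
    "http://example.com/wp-old/page.php?id=3",
]

def normalize(url):
    """Return the path, with a trailing slash on directory-style URLs,
    so /contact and /contact/ compare equal."""
    path = urlsplit(url).path or "/"
    last = path.rsplit("/", 1)[-1]
    if not path.endswith("/") and "." not in last:
        path += "/"
    return path

def unexpected_urls(indexed, known):
    """Indexed URLs whose path is not one of the known, published pages."""
    known_norm = {normalize(p) for p in known}
    return [u for u in indexed if normalize(u) not in known_norm]

def suspicious_prefixes(urls, min_count=2):
    """Count unexpected URLs per first path segment; a directory holding
    several unknown pages is a strong sign of injected content."""
    counts = Counter()
    for u in urls:
        seg = urlsplit(u).path.strip("/").split("/")[0]
        counts["/" + seg + "/" if seg else "/"] += 1
    return {p: n for p, n in counts.items() if n >= min_count}

def gone_rules(prefixes):
    """mod_alias lines that answer 410 Gone for everything under each prefix."""
    return ['RedirectMatch gone "^%s"' % re.escape(p) for p in sorted(prefixes)]

if __name__ == "__main__":
    bad = unexpected_urls(INDEXED_URLS, KNOWN_PATHS)
    for rule in gone_rules(suspicious_prefixes(bad)):
        print(rule)
```

Single unexpected URLs that fall below `min_count` (the `/wp-old/` entry here) are still returned by `unexpected_urls` and deserve a manual look.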

6 Comments

Doc Sheldon

Hi, Jeremy-

Not really enough information to make any site-specific recommendations. In general, I think trashing the site and starting fresh is probably the path I’d have chosen, too, since his traffic is pretty sparse.

That said, I think that first and foremost, you should be focusing on his under-the-hood security… make sure your WP install is secure by changing the name of the admin folders and usernames, use complex passwords, research the potential vulnerabilities of all intended plugins, ensure file permissions are as tight as possible and write a tight htaccess file.

Jeremy Rivera

Yea, there were three questionable plugins, one for a slider, and they seemed…not quite right to me. I’m making some notes for a follow-up post that will more directly address WordPress security so I’ll be sure to include some of those ideas 😉

Conrad O'Connell

My WordPress security checklist:

* Install iThemes Security Pro
* Setup Google Alerts for site:domain.com on spammy keywords (usually gambling & medicine)
* Change “admin” user
* Update plugins, themes and WordPress core at least monthly
* Delete unused or needless plugins

This has led me to pretty secure sites — haven’t had any issues using these practices.

Jeremy Rivera

Good thinking on the Google alert for the site:domain.com – Wouldn’t have thought of that!

It’s getting a little difficult to navigate the plugin world; there are some definite bad apples there.

Brian

I prefer the BulletProof Security plugin to lock down the .htaccess file. Since you’re starting new, I would also put the site on CloudFlare and consider taking the entire site to SSL using either their free Flexible SSL or better yet a Full SSL. So much easier to do this from scratch vs an existing site with lots of mixed content. This should help improve the site’s image with Google.
