Main points from the Google Hacking Hangout (August 2015)
This week Google ran a Live Q&A on hacking prevention and recovery hangout, which talked specifically about website security. I watched the hangout this evening, here are the main points.
Google have seen a 180% increase in hacking over the last year, and this is resulting in compromised sites losing their ranking, often quite significantly. In response to this, Google launched a “No Hack” campaign, which uses the hashtag #NoHacked on Twitter.
Most hackers are motivated by money, and most website hacks are designed for one of three main reasons: to display the hackers adverts or links on the target website, to redirect visitors to their own sites or to steal information from a website that can be used for criminal activity, such as credit card or PayPal information.
The key advice from Google is for websites to use good passwords and keep software up to date, as well as using two-factor authentication wherever possible.
Where to Start After a Site Has Been Hacked?
If a site is hacked, the first step is to view all files on the public server to see which ones have been altered. If you run a database site, such as WordPress or Drupal, most files should remain unchanged under normal circumstances. Any newly edited or created files could have been hacked.
Hackers tend to create new file names that look innocent, such as creating an image.php file in the root of the directory that carries the malicious code. Inexperienced website owners will often overlook this, thinking that it is a part of the CMS. However, advanced hacking can alter timestamps on files.
One of the top hacks that Google is seeing at the moment is “Injected URL Gibberish Hacking”, which alters the content of an .htaccess file, usually with the purpose of redirecting visitors to another website. This is often hidden when viewed via the web host control panel, so is prone to being missed when manual checks are made.
How to Protect a website from a DDOS attack
DDOS stands for distributed denial of service. It is an attack on a website that is design to “take down” the site, which is done by overloading the server so that it can no longer be accessed. No matter how powerful a server is, it is theoretically possible to overload it. Most business websites are built on shared servers which are already have tens or even hundreds of websites competing for resources. A DDOS attack on one site can take down a whole server. Short-term attacks will result in lost business, but more prolonged attacks can cause a drop if Google rank.
Sometimes a site gets a “good” DDOS, when many people try to look at a website at once. This often happens if a website is mentioned for the first time on television, or if a popular social page mentions a page. If Stephen Fry mentions a site on his Twitter page, it can quickly become overloaded.
Caching is a good way to reduce the risk of DDOS. Most sites today are built with a combination of PHP files and MySQL databases. A database will only ever be able to sustain a limited number of connections at any one time, on most servers it is set to between 100 and 200 connections. So any site that receives more than 200 simultaneous request will return a database error message.
Caching is the solution here. Caching is when static html files are created and displayed in place of dynamic pages – this greatly reduces server load. One WordPress cache plugin claims to make a website “Stephen Fry proof”!
If you have a very weak server, a content delivery network, such as Cloudflare, can be used to reduce the load on your server. Cloudflare also has extra guards against DDOS attacks.
Does using SSL Prevent Hacking?
Google recommends all site owners who collect any form of sensitive information to enable SSL. However, most hackers will seek out vulnerabilities and they can certainly be present in SSL websites. So, although Google does recommend SSL, it is not a guaranteed protection. However, in September 2014, Google said that it would start ranking SSL sites more favourably.
Some CMSes, such as WordPress, allow you to auto-update the software. It is highly recommended that this is enabled so that whenever the CMS releases a security patch, the sites is updated and made secure immediately.
When a security vulnerability is found, hackers will share the details with the hacking community and bots will be programed to seek out all sites that run the vulnerable software. If you fail to update quickly, you will greatly increase the chances of being a hacking victim.
Install a Website Firewall
There are several website firewalls that help to reduce hacking – WordPress has a few good plugins. However, these are never bullet proof.
Hacking is a growing problem. Hackers are creating more advanced tools that are capable of seeking out vulnerabilities in websites. It was recently reported that 60% of all web traffic is now in the form of bots, and of these, 25% are being run for criminal purposes – mostly hacking and DDOS.
Lock Down Your CMS
Many websites are managed from a single or limited range of IP addresses. It is advisable to block all other IP addresses from accessing the admin files to prevent access. Even if there is a backdoor in a rogue piece of software, somebody from outside your IP range will not be able to access the website. For example, for WordPress websites you can added a line of code in an .htaccess within the wp-admin directory as follows:
<Files ~ "\.(php)$"> order deny,allow deny from all # whitelist work IP allow from 12.345.67.89 </Files>
This will mean that only IP 12.345.67.89 will be about to access the admin files, It will not prevent injection into a database or DDOS, but it can greatly reduce risk of a hack. Learn more here.
Use Only Trusted Software Sources
Many people create plugins and share plugins and a vast majority are doing so for ethical business reasons. However, some people create plugins that are built with “back doors” or other malicious code, designed to give the plugin developer access to a website.
It is strongly recommended that you only ever use plugins from highly trusted sources. If you run WordPress, only download plugins direct from WordPress.org or via plugin installation in the WordPress admin area.
A common problem that Google sees is when a plugin is no longer supported by the original developer, and somebody else takes over and advertises the plugin through their own websites, or other third party sites.
Recovering from a Hacked Site
Recovering from a hacked site can be a complex process. Ideally, you will have a backup of your site that pre-dates the hack. But, rolling back the server will not provide protection, you will still need to update your website and server to make it secure against being hacked again.
If you do not have a backup available, the only option is to manually fix a site. This can be done by going through every file and searching for malicious code. You will generally require a skilled web developer to carry out this role. If your site is built on a popular content management system, such as WordPress, you can usually overwrite all CMS files. However, hackers often insert new files that will not be replaced with a re-install, and any changes to .htaccess will also not be made.
A hacked database is much more difficult to fix, especially on a large website that is updated many times a day. Any site using databases must maintain regular backups, test their backups and ensure all software is fully up to date at all times. It is also important that backups are stored separately from the main server, because if the server is hacked, you still lose your website.
How To Clear Google Warning After Site Cleaned?
One problem raised in the hangout was persistent warnings in Google of a hacked site, after the site is repaired. Google often shows these messages weeks after a site has been fully repaired and secured.
It is possible to speed the process up by using the reconsideration request option in the Google search console. This will result in a manual review and if there are still issues, Google will provide some more guidance.
Google often see cases where a website thinks that they have cleaned up a hacked site, when in reality, they have not. Many hackers use cloaking, which means that a site will appear differently to Google than to users. Using the Fetch and Google option in Search Console allows you to see how a site appears to Google, and this should help you to identify hacked pages.
Google reminds webmasters to always check all pages, especially the homepage. Often a hack may create new pages, which is often how we are alerted to the problem, but also add links to the homepage.
Hackers are becoming more sophisticated at hiding their actions from Google. As far as a hacker is concerned, the ideal situation is when neither Google nor the website owner notices that there is a problem. This is why we so often see the insertion of new pages in hacked sites – regular users of the site are unaware that they are there.
Dealing With Link Spam
Hackers often create links to the new pages they create on a website. This is done to get the pages indexed in Google quickly. Google’s John Mu advised that after you remove the pages that the hacker created, the problem should be solved. However, to err on the side of caution, it may be wise to disavow newly created inbound links. Any new links to the home page will have to be disavowed.
You can find inbound links in the Google Search Console, or use a third party tool such as Majestic (nothing to do with the British wine merchants!). You should also use the URL removal tool in Search Console to speed up the process of cleaning your Google listings.
Even if you take every measure suggested, you may still get hacked. No website is safe today, although it is rare for a small business website to be attacked unless there is vulnerability.
Make sure your website is updated on a regular basis – speak to your web host to confirm that they take backups (good hosts will keep a daily, weekly and monthly backup).
You should also download regular backups from your web server and save them to a local machine or removable storage.
And stay updated!
You can watch the Hangout here, while it is still available: