Want to prevent a surprise email telling you that your site is unsafe, attacked or defaced? Most website or blog owners who seek help with cleaning and restoring a hacked site discovered the hack only because customers sent an alarm email, their browser warned them when they visited their own site, or their hosting provider took the site offline. This is often disastrous: it means the site has been infected long enough for the hackers to do damage, and that it took too long for you to notice. Worse still is when Google has to flag your site with its red warning page. A hack may cause your hosting provider to shut off the site, or cause Google to detect that the site is hosting malware, SEO spam or a phishing attack.
So it is always better to detect and prevent a hack before anyone else notices. That not only protects your reputation but also shows that you care about your website, which is the front desk of your business or profile. Don’t be reactive, always be proactive.
6 Proactive Ways To Detect and Anticipate a Website Hack Before Google or Your Customers Notice
1. Visit your Site Regularly
If you notice any changes or any strange text injected into your pages, you should immediately perform a scan on your site to check for an infection. PHP errors are also a common sign that you may be infected and these often appear at the very top of your page, often above the content.
As a routine, simply visit a few pages on your own site as a sanity check at least once a day.
2. Use a Monitoring Service That Includes Site Changes
We use a monitoring service on our websites that alerts us to down-time. It includes a service that tells us if a page has changed more than a certain percentage. Many of our pages don’t change at all or may only have a minor change like a date or copyright year. We monitor these pages and are alerted if more than a very small percentage of the page changes.
WebsitePulse provides a service that includes content monitoring, as does Pingdom. In general these are paid services, but they can be an effective way to get alerted within minutes if you have been hacked.
Most good services include the ability to monitor from multiple locations. We recommend you enable this because a hacked site does not always serve malware. It frequently targets only certain users based on location, time of day, traffic source or other parameters. Monitoring multiple pages from multiple locations can improve detection.
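The change-percentage check described above, as an added example that is not part of the original post and not the code of any monitoring service named here. It compares each fetched copy of a page against a known-good baseline, judges every monitoring location separately, and raises an alert only when the page changed by more than a small threshold. The pages, the hostname and the location names are constructed placeholders.

```python
import difflib
import re

# Percentage of a page that may change before an alert is raised. A date or
# copyright-year update stays well under this; an injected tag does not.
CHANGE_THRESHOLD_PERCENT = 2.0


def normalize(html: str) -> str:
    """Collapse whitespace so that re-indented markup does not count as a change."""
    return re.sub(r"\s+", " ", html).strip()


def change_percent(baseline: str, current: str) -> float:
    """Return how much of the page changed, as a percentage from 0 to 100."""
    matcher = difflib.SequenceMatcher(None, normalize(baseline), normalize(current), autojunk=False)
    return round((1.0 - matcher.ratio()) * 100.0, 2)


def check_pages(baselines: dict, fetched: dict, threshold: float = CHANGE_THRESHOLD_PERCENT) -> list:
    """
    baselines: {url: known-good HTML captured when the page was last verified}
    fetched:   {location: {url: HTML as served to a monitor in that location}}

    Each location is judged separately because a compromised site often serves
    the injection only to some regions, so one clean fetch proves nothing.
    """
    alerts = []
    for location, pages in sorted(fetched.items()):
        for url, html in sorted(pages.items()):
            if url not in baselines:
                continue
            pct = change_percent(baselines[url], html)
            if pct > threshold:
                alerts.append({"location": location, "url": url, "change_percent": pct})
    return alerts


# Constructed sample pages (not a real site). The hostname is a placeholder.
PAGE_URL = "https://acme.example/"
BASELINE_HTML = """<html><head><title>Acme Widgets</title></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>We build reliable widgets for industry. Browse our catalogue,
read our documentation or contact sales for a quote.</p>
<p>Opening hours: Monday to Friday, 9am to 5pm.</p>
<footer>Copyright 2023 Acme Widgets Ltd. All rights reserved.</footer>
</body></html>"""

# A routine edit: only the copyright year changes.
MINOR_UPDATE_HTML = BASELINE_HTML.replace("2023", "2024")

# A typical injection: a hidden iframe added just before </body>. Placeholder domain.
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="https://attacker-placeholder.invalid/" width="0" height="0"></iframe></body>',
)


def run_demo() -> list:
    """Monitor from two constructed locations; only the EU one is served the injection."""
    baselines = {PAGE_URL: BASELINE_HTML}
    fetched = {
        "us-east": {PAGE_URL: MINOR_UPDATE_HTML},
        "eu-west": {PAGE_URL: INJECTED_HTML},
    }
    return check_pages(baselines, fetched)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['location']} {alert['url']} changed {alert['change_percent']}%")
```

In practice the `fetched` dictionary would be filled by HTTP requests from each monitoring location; the threshold should be tuned per page, since a news front page legitimately changes far more than a contact page.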
3. Monitor Site Traffic and Watch For Spikes
If your site traffic spikes dramatically you should immediately perform a source code scan and verify that you have not been hacked. Hacked sites frequently see a dramatic spike in traffic.
One cause of a traffic spike may be that your site is being included in a spamvertising campaign. A hacker sends out spam that links to your site, which either hosts malware or redirects traffic to another malicious site. Hackers do this to avoid spam detection: your site is a “clean” domain that is not yet known to host malware when it is first infected, so by linking to your site instead of their own known malware-hosting site they slip past spam filters. This results in a dramatic spike in your site traffic.
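A way to spot such a spike in your own access log, as an added example that is not part of the original post. It groups requests per hour, flags an hour whose hit count is far above the median of the other hours, and reports the most requested path and most common referrer for that hour, which is what distinguishes a spamvertising burst (one landing page, many addresses, no referrer because the clicks come from mail clients) from a normal surge. The log lines are constructed, not real traffic, and the addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def hour_bucket(timestamp: str) -> str:
    """'10/Oct/2023:13:15:00 +0000' -> '10/Oct/2023:13'."""
    return timestamp[:14]


def detect_spikes(lines, factor: float = 5.0, min_hits: int = 20) -> list:
    """
    Flag any hour whose hit count is at least `factor` times the median of the
    other hours and at least `min_hits`. For each spike, report the top path
    and top referrer so the analyst can see what the traffic was hitting.
    """
    per_hour = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_hour[hour_bucket(m["ts"])].append(m)

    counts = {hour: len(reqs) for hour, reqs in per_hour.items()}
    spikes = []
    for hour, hits in sorted(counts.items()):
        others = [c for h, c in counts.items() if h != hour]
        if not others:
            continue  # a single hour has nothing to compare against
        baseline = median(others)
        if hits >= min_hits and hits >= factor * baseline:
            paths = Counter(r["path"] for r in per_hour[hour])
            referrers = Counter(r["referrer"] for r in per_hour[hour])
            spikes.append({
                "hour": hour,
                "hits": hits,
                "baseline_median": baseline,
                "top_path": paths.most_common(1)[0][0],
                "top_referrer": referrers.most_common(1)[0][0],
            })
    return spikes


def build_sample_log() -> list:
    """Constructed log lines (not real traffic): three quiet hours, then one spike hour."""
    def entry(hour, ip, path, referrer):
        return (f'{ip} - - [10/Oct/2023:{hour:02d}:15:00 +0000] "GET {path} HTTP/1.1" '
                f'200 512 "{referrer}" "Mozilla/5.0"')

    lines = []
    for hour in (10, 11, 12):
        for i in range(4):
            lines.append(entry(hour, f"198.51.100.{i}", "/", "https://www.google.com/"))
    # Spike hour: 30 referrer-less hits on one page from 30 addresses, plus normal traffic.
    for i in range(30):
        lines.append(entry(13, f"203.0.113.{i}", "/special-offer", "-"))
    for i in range(10):
        lines.append(entry(13, f"192.0.2.{i}", "/", "https://www.google.com/"))
    return lines


if __name__ == "__main__":
    for spike in detect_spikes(build_sample_log()):
        print(f"SPIKE {spike['hour']}: {spike['hits']} hits (median {spike['baseline_median']}), "
              f"top path {spike['top_path']}, top referrer {spike['top_referrer']}")
```

On a real server, feed it the lines of the access log for the last day; a spike that lands on a page you did not promote is the cue to run a source code scan.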
4. Use a Source Code Scanner
Infections are often well hidden and not visible to outside visitors. You can use a source code malware scanner like Wordfence to detect if your site is hacked. The scanner will systematically inspect all of your PHP and other source code for malware patterns and alert you to the presence of any malware.
Source code scanners use several mechanisms to detect a hack. The primary method of detection is looking for known malware signatures or patterns that match malware code. Newer infections are not detected using this method, so another method that more sophisticated scanners use is to compare your source code with a known good version of the same code. For example, Wordfence will compare your WordPress core, theme and plugin source code against a known good version of the same files and alert you to any changes. This method catches newer infections where a detection signature may not yet exist. Doing a manual scan with a source code scanner is a highly effective way to detect and remove a hack.
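Both detection methods just described, as an added example that is not part of the original post and not Wordfence's code: a small signature set matched against file contents, plus a comparison of each file's SHA-256 hash against a manifest of known-good hashes, which catches modified, unexpected and missing files that no signature knows about yet. The file contents, paths and manifest are constructed; the injected line decodes to the inert string "PAYLOAD_PLACEHOLDER".

```python
import hashlib
import re

# Small illustrative signature set: patterns typical of obfuscated PHP
# injections. A production scanner carries thousands and updates them.
SIGNATURES = {
    "eval-of-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "gzinflate-of-base64": re.compile(r"gzinflate\s*\(\s*base64_decode\s*\("),
    "long-hex-escaped-string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def scan_for_signatures(path: str, content: bytes) -> list:
    """Return the names of every signature that matches this file."""
    text = content.decode("utf-8", errors="replace")
    hits = [name for name, pattern in SIGNATURES.items() if pattern.search(text)]
    # PHP code inside an image or other non-PHP upload is itself a strong indicator.
    if not path.endswith(PHP_EXTENSIONS) and "<?php" in text:
        hits.append("php-code-in-non-php-file")
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_to_manifest(files: dict, manifest: dict) -> dict:
    """
    files:    {path: bytes currently on disk}
    manifest: {path: sha256 of the known-good copy of that file}

    Modified and unexpected files catch injections that no signature knows yet.
    """
    modified = sorted(p for p in files if p in manifest and sha256_hex(files[p]) != manifest[p])
    unexpected = sorted(p for p in files if p not in manifest)
    missing = sorted(p for p in manifest if p not in files)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def scan_site(files: dict, manifest: dict) -> dict:
    """Run both detection methods and merge the findings."""
    signature_hits = {}
    for path, content in files.items():
        hits = scan_for_signatures(path, content)
        if hits:
            signature_hits[path] = hits
    return {"integrity": compare_to_manifest(files, manifest), "signatures": signature_hits}


# Constructed sample files (not real WordPress code); paths are illustrative.
KNOWN_GOOD = {
    "wp-includes/version.php": b"<?php\n$wp_version = '0.0.0-placeholder';\n",
    "wp-content/plugins/example/example.php": b"<?php\n/* Plugin Name: Example */\nfunction example_init() {}\n",
    "wp-includes/functions.php": b"<?php\nfunction example_helper() { return true; }\n",
}
MANIFEST = {path: sha256_hex(content) for path, content in KNOWN_GOOD.items()}

# base64 of the string "PAYLOAD_PLACEHOLDER", so the injected line is inert.
INJECTED_LINE = b"eval(base64_decode('UEFZTE9BRF9QTEFDRUhPTERFUg=='));\n"

CURRENT_FILES = {
    "wp-includes/version.php": KNOWN_GOOD["wp-includes/version.php"],
    # The plugin file has had a line appended.
    "wp-content/plugins/example/example.php": KNOWN_GOOD["wp-content/plugins/example/example.php"] + INJECTED_LINE,
    # A "picture" in the uploads folder that actually contains PHP.
    "wp-content/uploads/logo.jpg": b"\xff\xd8\xff<?php /* constructed */ echo 'x'; ?>",
    # functions.php is absent from disk in this sample.
}


def run_demo() -> dict:
    return scan_site(CURRENT_FILES, MANIFEST)


if __name__ == "__main__":
    print(run_demo())
```

The manifest is what makes the second method work: it has to come from a trusted source (the original release archive, or hashes recorded right after a clean install), never from the files being scanned.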
5. Use a Remote Scanner
Remote scanners look at the “rendered” version of your website. That is, they look at the HTML that your site produces rather than the site’s source code. This can detect a hack if the hacker has chosen to include malware in the HTML being served to that particular visitor, on the page being viewed.
Hackers will frequently include code that only displays malware to certain visitors at certain times and matching certain criteria. For this reason it is possible that a remote scanner will miss an infection because the malware is simply not active at that time or the infected code is not displaying the malware to the scanner when the scanner checks the site. However, remote malware scanners can catch a variety of unsophisticated infections and it is worth using them as an additional tool.
Here are a few file viewing tools and remote scanners that may help you detect an infection:
- VirusTotal has a URL scanning feature that checks your site response against a huge number of virus databases and will let you know if you triggered any of them.
- SpamHaus maintains various lists. You can use this page to check your site hostname and IP address against the various SpamHaus lists. If your site does appear, it has been flagged for being included in spam emails or for hosting malware. Both indicate your site has been hacked.
- You can use this link to check the status of your site on the Google Safe Browsing list. Simply replace ‘wpchase.com’ at the end of the URL with your site’s own hostname. Don’t forget the ‘www.’ if your site is prefixed with that. The page will tell you if your site is flagged by Google for phishing or hosting malware. It will also tell you your site history and what happened when Google last scanned your site.
- urlquery.net does a very useful analysis of your site response including checking if your site response triggered the Snort and Suricata intrusion detection systems, showing files captured, blacklists your site is on, and breaking down the response into HTTP transactions and what they were.
- aw-snap.info includes a file viewing tool that highlights script tags, iframes and other detectable code injections, and lets you view your HTTP headers, which can help you see malicious code and server-side redirects in your site response. It also allows you to switch between different user agents and search bots, which will often uncover hidden injections that only display for certain user agents and/or search bots.
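The user-agent comparison that aw-snap.info offers, implemented as an added example that is not part of the original post and not that tool's code. Given the response your site returned to several different user agents, it extracts the elements most often used for injections (external scripts, iframes, meta refreshes), reports any element that only some agents received, and lists server-side redirects from the status code and Location header. The responses, agent names and domains are constructed placeholders; on a real site they would come from HTTP requests made with each User-Agent header.

```python
from html.parser import HTMLParser


class InjectionFinder(HTMLParser):
    """Collect the tags most often used to inject content: external scripts,
    iframes and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.findings.add(("script", a["src"]))
        elif tag == "iframe":
            self.findings.add(("iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.add(("meta-refresh", a.get("content", "")))


def findings_in(html: str) -> set:
    finder = InjectionFinder()
    finder.feed(html)
    return finder.findings


def compare_across_agents(responses: dict) -> dict:
    """
    responses: {agent_name: {"status": int, "headers": {...}, "body": str}}

    Returns the injected elements that only some of the agents receiving a
    200 page saw, and any server-side redirects (3xx with Location) by agent.
    """
    seen_by = {}
    redirects = {}
    for agent, resp in responses.items():
        headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
        if 300 <= resp["status"] < 400 and "location" in headers:
            redirects[agent] = headers["location"]
        for finding in findings_in(resp.get("body", "")):
            seen_by.setdefault(finding, set()).add(agent)
    # Only agents that actually got a page take part in the comparison;
    # a redirected agent has no body and is reported separately.
    html_agents = {a for a, r in responses.items() if r["status"] == 200}
    conditional = {f: sorted(agents) for f, agents in seen_by.items() if agents != html_agents}
    return {"conditional": conditional, "redirects": redirects}


# Constructed responses (placeholder domains): a normal browser gets the clean
# page, a search bot gets an extra hidden iframe, a mobile browser is redirected.
CLEAN_PAGE = ('<html><head><script src="/assets/site.js"></script></head>'
              '<body><p>Hello</p></body></html>')
BOT_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="https://seo-spam-placeholder.invalid/" style="display:none"></iframe></body>',
)

SAMPLE_RESPONSES = {
    "desktop-chrome": {"status": 200, "headers": {"Content-Type": "text/html"}, "body": CLEAN_PAGE},
    "googlebot": {"status": 200, "headers": {"Content-Type": "text/html"}, "body": BOT_PAGE},
    "mobile-safari": {"status": 302, "headers": {"Location": "https://redirect-placeholder.invalid/"}, "body": ""},
}


def run_demo() -> dict:
    return compare_across_agents(SAMPLE_RESPONSES)


if __name__ == "__main__":
    result = run_demo()
    for finding, agents in result["conditional"].items():
        print(f"CONDITIONAL {finding} only served to {agents}")
    for agent, target in result["redirects"].items():
        print(f"REDIRECT {agent} -> {target}")
```

Elements that every agent receives are omitted on purpose: the point of the check is the difference between agents, which is exactly what a single-agent remote scan cannot see.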
This article gives you several tools to proactively monitor your site for a hack and we have also discussed ways you may reactively discover that you have been hacked. We encourage you to also use the ‘reactive’ section as part of your toolkit. For example, regularly sign into Google’s Search Console to check your site status, look at your own site in the search results to ensure that everything is in order and visit your own site frequently in Google Chrome where you will notice browser warnings.
Maintaining a healthy and hack-free website does not need to be hard work, but developing a healthy routine of checks will help you catch problems early and fix them before any damage occurs.