Last week, in the space of 2 days, I came across two separate issues of Malware infections which, although relatively minor, had reasonably major implications with regards to the SEO of those sites. For one, this was very temporary but the other – sadly – is still in the process of recovering. The aim of this post is threefold – to show you what to look out for, how to recover, and how to protect yourself.
When Things Go Wrong
When a site is hacked you’re not usually lucky enough to get advance warning that something has gone wrong – it generally hits you like a silent freight train moving at a hundred miles an hour. It might be your site suddenly being taken offline or, like the two sites that I had to deal with, something more subtle. In my opinion the latter is far more dangerous because the problems can sit there and fester until a trigger of some kind alerts you. Quite often by that time it’s too late.
The first of these was Pet365.co.uk – one of my own e-commerce projects – that had no exterior signs of harm. The first we knew of the hit was when checking a product page and, for no apparent reason, seeing the dreaded ‘The Website Ahead Contains Malware!’ warning. This kicks in when any given site is picked up and blacklisted by any number of data providers, usually Google, and propagates to pretty much all browsers. The result? Your users instantly see a big red warning message that screams ‘VIRUS!!!’ and you instantly lose their trust.
This can happen very quickly, meaning that you won’t necessarily see any warnings in Webmaster Tools (although these will appear shortly afterwards), so don’t assume that just because Google hasn’t told you there’s an issue that it’s a false positive. Also, if you search for your brand name then chances are that you’ll see a ‘This site may harm your computer’ note next to your listing on the SERPs.
At this point, in essence, you’re (at least temporarily) done for.
The other site that was affected by a hack, Havoc Store, didn’t get any of this fun – it just lost all of its product and category pages (no issues with the blog as that runs separately and the homepage stayed where it was). As this happened at the weekend I didn’t notice and, due to illness, the guy that runs it didn’t either. For two days. Two. Whole. Days.
What did that mean? Lots of pages crawled and deindexed, when potential customers tried to go and buy things they just ended up on a 404 page, massive drop in traffic, and no easy way to recover quickly. Again, a complete nightmare.
Before I go into details about recovering from this, there are a few very important things to note about the potential effects on your SEO:
Until our little ‘incident’, this had never crossed my mind as being a potential issue, but it has resulted in a complete change of process when putting together infographics. When we were hit by the Malware warning, ANY page that had embedded one of our infographics also received the same warning because it was sharing content that was hosted on a blacklisted domain.
Blogs that had recently shared a graphic had their homepage affected meaning that the issue was extremely obvious and, because the pet blogging community is so tight knit, there was a real risk of losing two years worth of work building up goodwill (and a huge amount of amazing links). Fortunately I class a lot of the people who were impacted as friends, which leads me onto the next unexpected result…
Understanding and Support
As soon as I realised what was going on I uploaded all of our graphics to an Amazon S3 instance, refreshed the embed codes, and sent out an update to anyone I could find that had been affected. The response: “Okay, no worries”. Honestly – I was amazed. People like Chris Bern and Barb deserve a big thanks here. They could, rightfully, have ripped us apart but were absolute stars.
With Havoc, the support was quite different as it was someone we were writing a guest post for who told us about the issue. Instead of removing a dead link to a category page he just emailed us letting us know that something was wrong and offering to change the link if required. Again, lots of people wouldn’t have bothered, so it just illustrates how much people who run sites actually look out for each other.
Because of the Malware, our Adwords account was suspended even though we had paused all of the ads. The surprising thing here was that it didn’t automatically get reactivated when the issue was resolved – instead, we had to submit a support request and wait for a reply from Google. The other thing to watch is that you can’t easily see that your ads aren’t running in Adwords as there’s no alert message until you get to individual keywords. You do receive an email to your Google address but, as I rarely check my Gmail, I hadn’t seen it. Needless to say, I’ve now fixed that! 😉
Speed of Recovery
Pet365 got picked up by Google at around 7pm. Around 15 minutes later I’d stopped swearing, poured myself a massive Whiskey, and sat down to work out what had gone wrong. 2 hours later the Malware was removed and I’d submitted a Webmaster Tools Malware Review Request (note that this is different to a reinclusion request and has to be done from the Malware page in Webmaster Tools). By 2am UK time we were back up and running. For me, that’s surprisingly fast.
How to Recover
To lessen the impact of a site being hit, time is definitely of the essence. You really need to do whatever you can to lock your site down, get rid of the threat, make sure it isn’t going to happen again, and then reactivate everything. As a quick checklist, here’s what you need to do:
- Contact your support team and, assuming you’re running WHM or something similar, run a full Malware scan on the whole server.
- Check StopBadware.org to see if you’ve really been blacklisted.
- Don’t be proud – find someone that can help you. I recommend Sucuri because, in short, they’re amazing.
- Turn off any paid advertising as quickly as you can so that you’re not wasting money.
- If you can, return a 503 code on your whole site (PHP example at the end of this post).
Through our malware check we were fortunate enough to find a number of files that had been compromised. There was an easy pattern to follow as any file that contained the word ‘config’ had been injected with a line of PHP code that tried to insert a browser hijacking script. To be honest, we’d got lucky as it was fairly low level and easy to remove, but the fact it got there in the first place was a real worry.
Sucuri would have found this if I hadn’t, but it was a busy day for them so it took 3 or 4 hours before they got to my ticket. In that time I’d found the issue, removed it, and requested that Google check we were clean. As I’m no security expert I couldn’t guarantee that this wouldn’t happen again, which is where the Sucuri guys really helped: they hardened our server, closed some gaps that were completely unrelated, and generally stopped my bottom from twitching 😉 The best thing? They now do this on an ongoing basis, so if we ever get hacked again we’ll hopefully know before Google does. Not bad for less than $100 a year!
On the Havoc side of things it was a simple hack that renamed .htaccess to 1.txt. By the time John and I had sat down and worked on things for 20 minutes or so the site was back up and running… nice and simple!
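Both incidents above (the injected ‘config’ files on Pet365 and the .htaccess renamed to 1.txt on Havoc) would have shown up immediately as a difference against the previous night’s clean off-box backup. As an added example that is not part of the original post, here is a Python script that hashes every file under a live web root and under a backup copy and reports what was modified, added or removed; the sample site it builds in a temporary directory is constructed data, not either shop’s real files.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(backup_root, live_root):
    """Return sorted (modified, added, removed) paths of the live tree vs the clean backup."""
    clean, live = hash_tree(backup_root), hash_tree(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    removed = sorted(p for p in clean if p not in live)
    return modified, added, removed

def build_sample_site():
    """Constructed sample data: a clean backup and a tampered live copy (not a real site)."""
    base = tempfile.mkdtemp()
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    clean_files = {
        ".htaccess": "RewriteEngine On\n",
        "index.php": "<?php echo 'shop'; ?>\n",
        "includes/config.php": "<?php $db_name = 'shop'; ?>\n",
    }
    for root in (backup, live):
        for rel, body in clean_files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # Simulate both incidents on the live copy only: a line appended to a
    # 'config' file (placeholder text, not real malware) and .htaccess renamed to 1.txt.
    with open(os.path.join(live, "includes", "config.php"), "a") as fh:
        fh.write("<?php /* injected line placeholder */ ?>\n")
    os.rename(os.path.join(live, ".htaccess"), os.path.join(live, "1.txt"))
    return backup, live

if __name__ == "__main__":
    backup_dir, live_dir = build_sample_site()
    for label, paths in zip(("modified", "added", "removed"), compare_trees(backup_dir, live_dir)):
        print(label, paths)
```

Run against a real site by pointing `compare_trees` at the restored backup directory and the live document root; anything listed is worth reading before you ask Google for a review.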
Morals of the story…
Prevention is better than cure, so having your sites well protected in the first place can save a huge amount of stress. As a site owner, SEO, or web designer it’s your job to protect your own or your client’s investment, so security should be on everyone’s radar. Set up some security monitoring, check for downtime using a service like Worm.ly, ensure that you’re doing daily off-box backups, only upload files using SFTP, use strong passwords that are changed regularly, and make sure that your own desktops and laptops are virus free. Simple as that!
How to return a 503 status code
A 503 status code tells search engines that you’re having temporary issues, or are performing maintenance, on your site, so they hold off rather than deindexing your pages. The ‘Retry-After’ header basically says “Come back in 86400 seconds” (24 hours). Put the following at the very top of your index.php, before any output is sent:
header('HTTP/1.1 503 Service Temporarily Unavailable');
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 86400'); // ask crawlers to come back in 24 hours
exit; // send nothing else, so no infected page content goes out
I feel for you Matt.
I had some unwelcome “visitors” from a Moroccan IP address 2 years ago; they caused a similar issue. Took me down for 2 weeks, and I lost 6 weeks of customer records.
As an online store owner it is just the most horrendous moment to see you have been not only compromised, but that the whole mechanism by which we are usually found points at you and shouts “unclean!” to the world.
It takes years to build a brand and we’re rightly precious when faceless scumbags from far away randomly mess with it.
In my case, by rooting through the server log files I could see they used an add-on graphics uploading feature of my site to embed their evil code. Naturally that, and several other layers of security, were sorted after the attack, but I’m ready for a review of that to keep ahead of the curve.
We’ll be talking on this subject soon Matt! Good honest post, glad it’s back on track for you, and I’ll lean on your experience to shore up what I’m doing now!
Something people don’t usually think about until it happens to them.