If somebody asked me what information security (infosec) is, I would answer the following: information security is when you don’t store confidential information in easily accessible places, whether that is your computer or the Internet.
There is a good saying: “The strength of a chain is determined by the strength of its weakest link”.
There are two simple security rules for a website:
- Don’t store confidential information on the hosting.
- Analyze the pages that Google indexes on your website.
Now let’s speak in more detail about these two rules.
You should know that Google indexes sites more deeply than you think. Google can index the “doc”, “excel” and “txt” files that you have left on your website.
For example, you have put your website login information or your account information into a text file. Then you’ve hosted this file on your website to share it with your associate via a link.
But after Google indexes your website, these files become publicly available, and there are intruders who use special search operators to look for confidential information.
Here is an example of such a query. Search in Google:
In the search results you will find links to website sections with photos.
Go to the website and you will see the list of sections with photos.
You should understand that there is a so-called botnet on the Internet (a network of cracked computers controlled by hackers) that makes thousands of different search queries to sniff out private information such as:
- personal account details for payments;
- personal accounts: email, Skype and social network accounts, used to send spam or swindle money out of people;
- any other private information that can be used for a hacker’s own benefit.
To sum it up, let’s review the simple infosec rule: don’t store confidential or personal files on your website.
Now, let’s talk about how to investigate what Google has already indexed on your website and how to make a quick security audit of your site.
The analysis of indexed pages to prevent Infosec issues
The second rule of information security is derived from the previous one: check regularly which website pages are indexed.
There are several simple hints on how to check your website’s indexation correctly.
1. Look at the tail of search results
It’s important to go to the very end of the search results, because the most relevant pages of the site (e.g. the home page, the posts page or the blog) will be on top.
As a rule, pages from hidden sections of the website appear at the end of the search results. Among them there can be confidential or technical pages from your site.
2. Analyze the last indexed pages
Don’t forget to specify in the search field that the query should be performed on your website. This is done with the “site:your-domain.com” operator.
Here is an example of the last indexed posts.
Once I was doing a full website audit, analyzing the pages that had been indexed recently. During the analysis I found a foreign landing page through which some medicines were sold.
Taking advantage of the website’s high ranking, hackers wanted to promote their landing page.
When the website is cracked this way, you won’t notice it from the outer look of the site or in the control panel, because such a page has been uploaded directly to the site and sits outside your site design. You can find such pages only by analyzing the index of your site.
It is also recommended to check the information in Google Search Console regularly. Abrupt changes in the site’s indexing may indicate a technical glitch or a site hack.
3. Use search operators to look for specific file types
If your case is a typical one and your site runs on the WordPress CMS, you should type the following search query to analyze the files uploaded to the “uploads” directory. Put your website domain name instead of “your-domain.com”.
If you are using some other CMS, use the name of the directory where uploaded files are kept instead of “/wp-content/”.
To investigate what text files are located on your website, make the following query:
site:your-domain.com ext:csv | ext:xlsx | ext:xls | ext:doc | ext:docx | ext:txt
With the help of this query I found some text files on Darren Rowse’s blog.
Don’t be lazy: check what files Google has found on your website. I hope nothing confidential.
Share in the comments what suspicious files you happened to find on your website.
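The three hints above can be turned into a repeatable check. Below is an added example (not from the original article) that builds the article's file-type query and then audits a constructed list of indexed URLs, such as one exported from Google Search Console, for the same file types, for files under the WordPress “uploads” directory, and for pages whose top-level section is not one you recognize, the way the foreign landing page above was found. The domain “your-domain.com”, the sample URLs and the list of known sections are assumptions.

```python
from urllib.parse import urlparse

# File types from the article's query, in the article's order.
SENSITIVE_EXTENSIONS = ["csv", "xlsx", "xls", "doc", "docx", "txt"]
# WordPress upload directory; swap in the upload directory of another CMS.
UPLOAD_DIR = "/wp-content/uploads/"

# Constructed sample: URLs as they might appear in an export of indexed pages.
SAMPLE_INDEXED_URLS = [
    "https://your-domain.com/",
    "https://your-domain.com/blog/how-to-audit-indexing",
    "https://your-domain.com/wp-content/uploads/2019/03/passwords.txt",
    "https://your-domain.com/wp-content/uploads/clients.xlsx",
    "https://your-domain.com/wp-content/uploads/2019/03/logo.png",
    "https://your-domain.com/cheap-meds/index.html",
    "https://your-domain.com/contact",
]

# Assumed: first path segment of every section the site owner knows about.
# "" is the home page; "wp-content" covers the theme and upload directories.
KNOWN_SECTIONS = {"", "blog", "contact", "wp-content"}


def build_search_query(domain, extensions=SENSITIVE_EXTENSIONS):
    """Return the article's Google query: site:domain ext:a | ext:b | ..."""
    return f"site:{domain} " + " | ".join(f"ext:{e}" for e in extensions)


def audit_indexed_urls(urls, known_sections=KNOWN_SECTIONS):
    """Sort indexed URLs into three review lists.

    sensitive: URLs ending in one of the article's document extensions
    uploads:   every file Google indexed under the upload directory
    foreign:   pages whose top-level section is not in known_sections
    """
    sensitive, uploads, foreign = [], [], []
    for url in urls:
        path = urlparse(url).path
        filename = path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in SENSITIVE_EXTENSIONS:
            sensitive.append(url)
        if path.startswith(UPLOAD_DIR):
            uploads.append(url)
        if path.strip("/").split("/")[0] not in known_sections:
            foreign.append(url)
    return sensitive, uploads, foreign
```

Anything in the first or third list deserves a look: remove or protect the file, and request its removal from the index.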