Website Security Audit: 7 Ways to See the Website has been Hacked

Wordpress security
The Internet is a toxic environment. That is a fact. Toxic both for users and for websites. Terabytes of information and teaser ads come down hard on users from Internet pages.

It’s only aim is to suck you into a whirlpool of sales, for you to buy something, to subscribe, to share a link in social networks and become a figure in a column “coverage scope” of some SMM specialist.

The Internet is toxic for websites. There are always some saboteurs who are lazy to create ordinary websites to turn an honest dollar. So, they deploy viruses to websites, create mobile redirects and extraneous links. I manage a church website and I have lost count of how many times I have cleaned it from malicious scripts and links.

Not long ago I was conducting a promotion on website audit and during that time I made sure that informational security is an urgent matter. Saboteurs are watching.

That also matters website visitors (don’t visit fishy websites and follow suspicious links) and webmasters.

Further, I will provide several tips of how to investigate whether your website is compromised.

The search of signs the website has been hacked

1. Website Virus Check

The first thing you should start is to check your website on malware.
The most famous service for website virus check is SUCURI. You can also use this service to check your website blacklist status. After the check, you will see the following result:

There is also one more website security service having many good reviews — scanmyserver.com. At present, I have not used it personally.

2. Checking the Last Indexed Pages

When hackers crack a site, they create a subdomain (that happens rather seldom) or create a subdirectory where they put their site. If you monitor your site more or less carefully, the analysis of the last indexed pages will show whether you have some extraneous pages.

It’s very easy to do this. In Yandex enter the search operator – site:your-site.com and you will get the list of indexed pages. Then add a prefix &how=tm to the URL address.

In this way, I have found a malicious page on my client’s website. The same way I discovered a Vietnamese website on Ashmanov’s subdomain.

Ashmanov and his company is one of the most famous brands in the market of digital promotion. His book “Website promotion” was one of the most famous and actually one-of-a-kind book in Runet in far 2006.

The date when this page was indexed is highlighted on the pictures. In Yandex it’s easier to find out the last indexation date just by adding &how=tm to the address bar.

In Google you can do the same by adjusting the search settings. Once again, enter search query site:your-site.com and choose a period of time – search indexed pages for the last week.

Search on website

So, we see the last indexed pages on this website.

Indexation Date

This kind of search can show what was uploaded to your site recently. In case your subdomain was created long ago or your website developers have forgotten to delete the test subdomain, you can find extraneous subdomains the next way.

3. Checking for Extraneous Subdomains

Often, when hackers crack sites they create their subdomains there. In this way they promote their websites in search engines with the help of your main domain.

How do they do it?

Search in Google by your domain but exclude the main domain. In this way, in search results you will see only subdomains if there are some.

Here is an example of how to search subdomains for Amazon.com.

We create a search query for all the pages from the domain Amazon.com with the help of the operator site:amazon.com. We exclude from the search all the pages that are located on the main domain of Amazon.com with the help of -inurl:https://www.amazon.com/ operator.

This search query will look like:

site:amazon.com -inurl: https://www.amazon.com/

As a result, we will see results only for Amazon subdomains.

Search website subdomain

Subdomain search with the help of Yandex.

site:your-site.com -inurl:http://your-site.com/

If you use Yandex, you can use the operator rhost. You should make the following query.

rhost:com.your-site.*

If you have real subdomains, you can exclude them from search in the following way.

rhost:com.your-site.* ~~ inurl:best-subdomaing.your-site.com

In action this query will look like this:

rhost:ru.wikimart.* ~~ inurl:appliances.wikimart.ru

Using this query, we are looking for pages on wikimart.ru subdomains, but exclude the subdomain appliances.wikimart.ru.

4. Outbound Links Check

Very often websites are cracked silently to place outbound links there. As a rule, this kind of promotion is used by websites with forbidden topics, because there are few people ready to refer to casino or Viagra voluntarily.

There are also cases, when extraneous links are nested to a plugin or a website template. Some time ago, I was doing a security audit for a real estate website. The website template contained about one hundred outbound links to different websites. It looks like some web studio or a promoter created this crafty template. Far and by, I strongly encourage you to analyze the outbound links from your website from time to time.

Go to ahrefs — https://ahrefs.com/site-explorer/.
Type in your website address and watch the domains you refer to. Also pay attention to the outbound anchors.

Check it in the section Outgoing links in Ahrefs.

Check outgoing links

Alternatively, you can try the expert mode and index your site yourself, analyzing all outbound links with special software. At the same time, you will see all broken links and will be able to fix them.

One more variant to check a website is Open Site Explorer https://moz.com/researchtools/ose/. If a website is spammed it will have a high Spam Score – 5 and more.

Spam Score

For deeper analysis, we recommend to scan the website with the help of Netpeak Spider and analyze the answers your pages give. There may be a variant, when many pages give 301 answer. That can be your oversight or the result of hacking.

5. The Analysis of Outbound Traffic

Very often sites are cracked to steal the traffic. Most often, this is done with the help of malicious mobile redirects, when mobile traffic is leaking to other sites.
You can check the presence of mobile redirect with the help of this service http://secu.ru/online-services/redirect .

Sometimes, intruders embed pop up or click under to the page code to steal the traffic. You can use similarweb.com service to check your traffic. Here is an example of neilpatel.com streaming.

If a website was cracked and its traffic was redirected to another website, you would see unknown websites in the Top Destination Sited column. For example, some partner projects and pharmacological products.

Top destinations similarweb

But if you have a system of contextual or teaser ad on your website you will not be able to analyze the traffic. You will see click-throughs to promotional websites in statistic. Taken all round, this service can help you in some cases.

6. Checking htaccess File

Htaccess file is the first target for intruders. Just as you grow suspicious, go and analyze this file.

First of all, pay attention to the date of file modification. If you haven’t modified you site for long time, but the modification date tells the opposite – this is a red flag.

Open htaccess and check, whether there are some irrelevant records.
There are cases, when intruders are too clever and make many shifts to descend the code 3-4 screens lower so you will not see it at first view. There was also a case, when intruders broke down the site and I could not understand the reason. Later it turned out that they just removed a dot in the name of the file. The original name of the file is .htaccess .

7. Other Infosecurity Checks

7.1 IP Blacklists

There is a way to check whether your site is in blacklists of various security services. If your hoster was cracked and intruders used it to send spam, your IP could get in to a blacklist and you should prepare to move to other hosting. You can check it by the following address — http://whatismyipaddress.com/blacklist-check.

7.2. Bad Neighborhood Check

With the help of https://2ip.ru/domain-list-by-ip/ service you can check what websites are located on your IP-address. If there are sleazy websites with forbidden subjects, you should consider moving.

7.3 Reviews About Your Site

Any problems with your website can appear because of negative reviews. You should regularly check the query “your-site.com reviews” to stay informed about how people go with your website. Those reviews may become an enlightenment for you.

The above tips will help you to reveal whether your site is cracked. A huge separate topic is how to make it secure. However, I will add several practical suggestions of how to solve the question of website infosecurity.

Website security maintenance

1. Regular Website Backup

Any website consists of files and a database (this description is a little bit primitive but it suits here). Files are infected the most often: CMS files, plugins and templates. Backup your website regularly and in case of a hack delete the site directly from a hosting (not to infect your computer) and recover it with the backup.

Of course, you should delete the website from the hosting only in case when you have a relevant and clean backup. If your site is infected and you don’t have a good backup – you’d better find a specialist.

2. Defense for WordPress Website — Wordfence Plugin

Wordfence wordpress plugin

If you use WordPress CMS for you website I recommend you to install Wordfence plugin. This is a powerful plugin with cool features. Of course, it is not a 100% security guarantee but it is quite functional.

You can Google how to adjust it.

3. Defense for WordPress Website — Block Bad Queries

bbq plugin

With this plugin you lock different requests, through which hackers want to get access to your site.

PS:
So it goes. These actions will help you to define whether your website has some security issues and enhance it. Informed means weaponed. Using good security shields, you can work even in a venomous and radioactive environment, not to mention the Internet).

PPS:

If you are an expert or just interested in this topic, you are welcome to share in comments your knowledge and experience in the sphere of website infosecurity.

Website Security Audit: 7 Ways to See the Website has been Hacked
5 (100%) 2 votes

Leave a Reply

Your email address will not be published. Required fields are marked *