Removing the consequences of a website hack and cleaning the site of malware code. Goran - JavaScript developer.


How to clean up your site and recover it after a hack

How to recognize that your website has been hacked?

[Image: hacked website]

So, you have noticed that your website no longer appears in search (1), or that the ranking of your pages is dropping rapidly in search (Google SERP) (2). In both cases, chances are high that your website has been hacked.

If it is the first case, go to Google Search Console and, in the menu on the left, check under Security and manual actions whether your site has been flagged by Google as a malware site. If you were hacked and did not notice in time, Google will have recognized it too and placed you on the Google blacklist. That is certainly a more difficult case to solve and requires steps that we will talk about later in this article.

In the second case, if you do not constantly check the health of your website and do not open Google Search Console and your cPanel often, you will hardly notice that you have been hacked. The only parameter that can indicate that you are potentially hacked is the drop of your queries (pages) in Google search (SERP).

In the better case, if you open Google Search Console often enough and check the status of your pages and the health of your website, you will notice strange events in the Pages section in the menu on the left. What you will see there, if you have been hacked but Google has not yet put you on the blacklist, is a rapid increase in the number of your indexed and non-indexed pages (even though you did not add anything new to your website).

Hackers have been known to plant up to a million spam pages on a domain; you can only imagine how Google and its crawlers look at such an infected site. In those cases, the recovery process is very long and requires a series of steps to help Google remove the spam pages.

Hacked website - What should I do?

[Image: frustrated man]

The first piece of advice: DO NOT PANIC like the man in the picture above. Every day, worldwide, hackers hack about 30 thousand websites written in various languages and technologies, the most vulnerable of which are the so-called CMS sites (WordPress, Joomla, etc.).

What awaits you in the next steps is quite serious work. Those steps depend a lot on the type of hack your website has experienced.

The 2 most common types of hacking websites

In order for this post to be understandable to the general public, and not only to programmers who understand all the technical terms of the IT world, I will try to simplify things as much as possible and speak in plain language so that an ordinary user of web services can follow.

The first type of hack you can experience is one through your website or application (1). The hacker finds weak points on your website, caused by neglected site security and weak validation and sanitization of data, breaks in, and writes his own malware code that will broadcast his spam pages on your domain.

The other type of hack is when a hacker manages to get hold of your cPanel password and takes over your cPanel completely. This is the more difficult case because the hacker has total access to your complete code, your email in cPanel and all possible settings. The consequences for server settings are slightly smaller if you are on so-called shared hosting; if the server is only for your website (VPS), the hacker can make any changes to the settings of your Apache or Nginx server.

Hypothetically, he can do the same on your shared hosting through the .htaccess file, but from a hacker's point of view that makes far less sense because it is easy to notice when the website is cleaned of malware code. In this variant of hacking it is very important that you check all email accounts in your cPanel, because hackers usually use them to send spam emails.

Cleaning and recovering a website after a hack(1)

These recommendations, as the subheading says, refer to websites that experienced an attack through the website or application (Cross-Site Scripting (XSS)).

The first step in this variant of the attack is to completely clean your website of malware code. You can do that in two ways: download a backup of your website and work on it locally, or clean the website of malware directly in cPanel.

cPanel layouts differ, and the picture below shows where in my version of cPanel you can download a backup of your website. Click Backup as in the picture and then choose Download a Home Directory Backup. Then just extract public_html, and the malware cleaning can be done locally.

[Image: cPanel]

Go through each folder carefully, because you never know exactly where the hacker placed his malware code (usually it is one or more PHP files). You have to be very thorough in viewing not only folders but also files, because one small thing added to your pages, such as double quotes on a meta tag, can have a very bad effect on how Google views your website.

I have to quote Google spokesperson John Mueller here, who said in a tweet on this topic that people think they have cleaned their website after a hack when they actually have not. That is why, when cleaning the code after a hack, you have to review everything, even the tiniest detail, because hackers use all sorts of small tricks that are very difficult to notice right away.
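As an added example (not from the original post): one way to make the folder-by-folder review systematic is to hash every file in the extracted public_html and compare it with a known-clean copy, such as a pre-hack backup. The clean copy, the directory names and the sample files are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

SERVER_SIDE = {".php", ".phtml", ".phar"}  # extensions the web server may execute

def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, suspect_root):
    """Report files added, modified or missing relative to the known-clean copy."""
    clean, suspect = file_hashes(clean_root), file_hashes(suspect_root)
    return {
        "added": sorted(suspect.keys() - clean.keys()),
        "modified": sorted(p for p in clean.keys() & suspect.keys()
                           if clean[p] != suspect[p]),
        "missing": sorted(clean.keys() - suspect.keys()),
    }

def review_first(report):
    """Added or modified files that the server can execute or that change routing."""
    changed = report["added"] + report["modified"]
    return sorted(p for p in changed
                  if Path(p).suffix.lower() in SERVER_SIDE or Path(p).name == ".htaccess")

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "public_html")
        for root in (clean, suspect):
            (root / "images").mkdir(parents=True)
            (root / "index.html").write_text('<meta name="description" content="Shop">')
            (root / "contact.php").write_text("<?php // contact form handler ?>")
        # Constructed differences: a one-character edit and an unexpected PHP file.
        (suspect / "index.html").write_text('<meta name="description" content="Shop"">')
        (suspect / "images" / "cache.php").write_text("<?php // unknown file ?>")
        report = compare_trees(clean, suspect)
        return report, review_first(report)

if __name__ == "__main__":
    report, urgent = demo()
    print(report)
    print("review first:", urgent)
```

Every path in "added" and "modified" still needs a manual look; the comparison only guarantees that no changed file is overlooked.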

When you have finished cleaning the malware code, if you were on the Google blacklist, send Google a request to review the website and remove it from the blacklist. You submit a review request in the Security and manual actions section of Google Search Console.

The next very important step is to remove the indexed spam pages from Google search results (SERPs). Go to Google Search Console and, in the menu on the left, select the Removals section. In a new window, open Google Search Console again and select the Pages section; there you will see the spam pages next to your regular pages and can copy them as needed for removal.

It is important to note that the Removals part of the console does not actually remove pages permanently; it works on the principle of temporary removal for 6 months. Follow the removal of spam pages through the Pages report, which is updated every 3-10 days. There you can see whether the number of spam pages is decreasing. If you set the logic correctly, the number of spam pages will decrease.

The removal process can be slow because Google visits some pages very rarely (once in 3 months).

[Image: removal tool]

The text in the picture is in Serbian, but it is the same in other languages. Click the New request button and continue.

If you are lucky, the hacker has constructed the spam URLs as pages served from a folder, for example so you will be able to send, in one move, a request for temporary removal from search of all pages in that folder. If you are unlucky, the spam pages might have a configuration like this, example -

In that case Google does not recognize the "?" part of the URL as a folder, so you will have to temporarily remove such pages one by one, which can be real hell if a hacker has planted thousands of spam pages that Google has already indexed. You will have to do this manually or write logic in the .htaccess file so that Google reads these pages as 410 on subsequent crawls and slowly evicts them from search. If the spam URLs do not have a folder, I recommend using a .htaccess file with rewrite rules in it.

If you have successfully cleaned all malware from your folders and files, it is time to move on to what I would call the next step: website recovery after the hack.

Go to Google Search Console and open the Pages section (that is what it has been called since the big update in August 2022). There you will find a complete report on all pages, yours as well as the spam pages, whether Google has indexed them yet or not. What should interest you is not your healthy pages but the URL structure of the spam pages the hacker injected into your website.

Take a good look at the structure of those URLs, and if there are any important differences between the construction of the hacker's URLs and your healthy ones, use them to your advantage in recovering your website.

How? And what exactly is your task here? Create a .htaccess file in the root directory of your website and write redirect instructions for the spam pages so that Google sees them not as 404 (Not Found) but as 410 (Gone). Base the redirect condition on the difference between the construction of your healthy URLs and the hacker's spam URLs.

There must always be some difference between them; use it to your advantage. Why 410 and not 404? A 410 tells Google that the page is gone and is not coming back, while a 404 tells Google that the page was not found, which Google can also interpret as temporarily not found, and that slows down the recovery of your website and the removal of spam pages by Google.

Depending on the number of spam pages and the duration of their cleaning by Google if you correctly put the rules in the .htaccess file. When you write a rule in .htaccess, test that URL both in the browser and in Google Search Console. When you test a spam URL in Google Search Console, if you have set the redirect correctly you will get a report like the one in the picture below (showing that Google cannot index that page). The image text is in Serbian, but you know what I mean.

[Image: Google Search Console]

When you test that same URL in the browser, you should get a 410 result, as in the picture below, if you set the redirect correctly.

[Image: 410 error]

As for writing redirect and rewrite rules in the .htaccess file, your only friends will be Google search and Stack Overflow. Be very careful with the .htaccess file, because improper use can cause harm rather than benefit.
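An added example, not part of the original post: before a 410 rule goes into .htaccess, check it against a list of your healthy URLs and the spam URLs copied from the Pages report. The URLs, the item= pattern and the function names are constructed for illustration, the pattern is assumed to use only regex syntax shared by Python and Apache, and the emitted directives rely on mod_rewrite's [G] flag, which answers 410 Gone.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: replace with URLs exported from the Pages report.
HEALTHY = ["https://example.com/",
           "https://example.com/blog/site-recovery",
           "https://example.com/contact?lang=en"]
SPAM = ["https://example.com/?item=a1b2c3-cheap-deals",
        "https://example.com/?item=z9y8x7-best-offers"]

# Hypothetical rule: spam URLs carry a query string the healthy pages never use.
RULE = {"kind": "query", "pattern": r"^item=[a-z0-9]{6}-"}

def matches(rule, url):
    """Apply the rule the way mod_rewrite would in a per-directory .htaccess."""
    parts = urlsplit(url)
    # RewriteRule sees the path without its leading slash; the RewriteCond
    # emitted below tests the query string without the "?".
    subject = parts.query if rule["kind"] == "query" else parts.path.lstrip("/")
    return re.search(rule["pattern"], subject) is not None

def audit(rule, healthy_urls, spam_urls):
    """Return (healthy URLs that would wrongly get 410, spam URLs still served)."""
    wrongly_gone = [u for u in healthy_urls if matches(rule, u)]
    missed = [u for u in spam_urls if not matches(rule, u)]
    return wrongly_gone, missed

def htaccess_lines(rule, healthy_urls, spam_urls):
    """Emit mod_rewrite directives only if no healthy URL would be affected."""
    wrongly_gone, _ = audit(rule, healthy_urls, spam_urls)
    if wrongly_gone:
        raise ValueError(f"rule would return 410 for healthy pages: {wrongly_gone}")
    lines = ["RewriteEngine On"]
    if rule["kind"] == "query":
        lines.append(f"RewriteCond %{{QUERY_STRING}} {rule['pattern']}")
        lines.append("RewriteRule ^ - [G]")  # [G] answers 410 Gone
    else:
        lines.append(f"RewriteRule {rule['pattern']} - [G]")
    return lines

if __name__ == "__main__":
    print(audit(RULE, HEALTHY, SPAM))
    print("\n".join(htaccess_lines(RULE, HEALTHY, SPAM)))
```

A rule that passes this check should still be tested in the browser and in Google Search Console as described above.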

IMPORTANT! Hackers usually use a technique called cloaking to plant thousands of pages and broadcast them from your website. They link to your website from another website that they have also hacked; such a link is known as a toxic backlink. If such a link to your website exists, you must find it in Google Search Console, in the Links section in the menu on the left.

Open all incoming links to your website and look carefully for that toxic backlink. How will you recognize it? Every hacker has his own style of hacking and creating URLs, and in 99% of cases it will look very similar to your spam URLs. When you find it, create a plain .txt file, copy the link into it and save the file. Then you have to disavow it. How?

Go to the Google console for disavowing links HERE, then select a product type, example and then submit the .txt file from above for disavowal. Do this only as a last resort, if you cannot contact the owner of the other hacked website that carries the toxic link to your website and ask him to remove that link, as Google does not recommend using this tool except when it must be done.

Cleaning and recovering a website after a hack(2)

For the other type of hack, where your cPanel is compromised, everything already said about the first type applies, with the addition that you have to review your cPanel email in detail as well. Has a hacker hijacked your email and is he sending spam emails all over the web from it? Bandwidth and disk usage in your cPanel increase and you do not know why.

If you find that a hacker has taken over your email in cPanel and you do not use it, your best option is to delete it completely. If you use it, delete all spam mails and change the password for that email. Also, change the cPanel password often.

Tips to secure your website against hacking

My people have a nice saying: prevention is better than cure. Change your cPanel password often and turn on two-factor authentication (2FA). If you are the owner of a WordPress website, follow all updates and update all plugins regularly.

If you are a developer, write good validation and data sanitization on both the frontend and the backend of your website or application. Even with all security measures in place, if the hacker is superb, the only question is whether we are interesting enough for him to spend weeks on our website, which we ordinary people probably are not. Ideal protection against hacking does not exist, but we must always do what we can to make the hackers' job as difficult as possible.

If I remember anything else that I missed, I will update this post. I hope for your understanding, because this topic is really very broad.

I apologize if there are grammatical errors in the text, I am not from an English-speaking area.