A couple of weeks ago, Google released a year in review regarding the State of Website Security in 2016. The report opened with the following announcement from Google:
“First off, some unfortunate news. We’ve seen an increase in the number of hacked sites by approximately 32% in 2016 compared to 2015. We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites.”
The statement is sobering but not surprising. With millions of websites already online and new ones launched every day, the internet is an endless feeding ground for attackers, and as defenses improve, malware and intrusion techniques evolve to find whatever weak spots remain.
This creates problems for both users and webmasters. First and foremost, leaked, stolen, or abused user data puts online consumers at risk. Second, and of particular concern to webmasters, a compromised site gets flagged as hacked or dangerous in Google Search, which can sharply reduce its rankings and traffic. In response to this problem, here is what Google wants site owners to know.
Top Ways Websites Get Hacked by Spammers
While the specific malware and spam vary, the ways websites get hacked are fairly consistent. They are:
- Compromised Passwords: Attackers guess passwords by trying common ones (dictionary attacks), brute-forcing combinations of letters and numbers, or replaying credentials leaked from other services. Google recommends a strong password that is unique to each service, plus two-factor authentication (2FA), so that a guessed or leaked password alone is not enough to log in.
- Missing Security Updates: Vulnerabilities in older software are public and actively exploited once a fix ships, so webmasters should regularly check for and apply updates to the web server, the content management system, and every plugin or add-on the site uses.
- Insecure Themes & Plugins: Themes and plugins add functionality, but they are not always maintained by their developers. A plugin that is still installed but no longer maintained keeps every vulnerability ever found in it and leaves a door open for attackers to add malicious code. Check that your themes and plugins are still maintained and up to date, and when you stop using a plugin, delete its files from the server entirely; merely disabling it leaves the files in place, where they can still be requested and exploited directly.
- Social Engineering: This method exploits human nature to bypass even sophisticated security infrastructure. Phishing is the common example: an attacker sends an email posing as a legitimate organization and asks for credentials or other security information. Sites managed by several people present more targets for this kind of attack, so Google recommends security training that teaches everyone with access the basics of recognizing phishing.
- Security Policy Holes: General weaknesses in how a site is administered can put the whole site at risk. If you are a site administrator, avoid: letting users choose weak passwords; granting administrative access to users who do not need it; running the site without HTTPS; and accepting file uploads from unauthenticated users, or from anyone without checking the file type and content.
- Data Leaks: Confidential data is uploaded to the site and a misconfiguration makes it publicly reachable. Avoid this by periodically checking where confidential data lives and restricting it to trusted parties through access controls and security policies.
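The upload hole in the list above is the easiest to show in code. The following is an added Python example, not code from Google's report or from any CMS: a deliberately insecure upload handler beside a hardened one, both run against constructed sample uploads (a real PNG header, a PHP web shell, a double-extension shell, and a valid image with PHP appended). The session dict, the magic-byte table, the size limit and the file names are assumptions made for the illustration.

```python
import os
import secrets
from pathlib import Path
from tempfile import TemporaryDirectory

# Allowed extensions and the leading bytes ("magic numbers") a file of that type must start with.
# Assumption for the example: only images are accepted.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(Exception):
    pass


def save_upload_insecure(web_root, filename, data):
    """The hole described above: no authentication, no type check, client-chosen name,
    written straight into the web root. A .php file dropped here runs on the next request."""
    dest = os.path.join(web_root, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def save_upload_hardened(upload_dir, filename, data, session):
    """Hardened version: authenticated users only, size cap, extension allowlist, content check,
    server-chosen name, stored in a directory the web server neither serves nor executes from."""
    if not session.get("user_id"):
        raise UploadRejected("authentication required")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = Path(filename).suffix.lower()  # only the final suffix counts: "shell.php.png" is ".png"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # A valid image with PHP appended (a polyglot) still executes if it is ever routed through the interpreter.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded script content")
    stored_name = secrets.token_hex(16) + ext  # the client name is discarded, so traversal sequences never reach the path
    dest = Path(upload_dir) / stored_name
    dest.write_bytes(data)
    return str(dest)


# Constructed sample uploads (not real captures): one legitimate image and three attacks.
SAMPLES = {
    "avatar.png": ALLOWED_TYPES[".png"] + bytes(64),
    "shell.php": b"<?php system($_GET['cmd']); ?>",
    "shell.php.png": b"<?php system($_GET['cmd']); ?>",
    "poly.png": ALLOWED_TYPES[".png"] + bytes(16) + b"<?php eval($_POST['x']); ?>",
}


def run_demo():
    """Feed every sample to both handlers and report what each one did."""
    outcome = {}
    with TemporaryDirectory() as web_root, TemporaryDirectory() as upload_dir:
        for name, data in SAMPLES.items():
            save_upload_insecure(web_root, name, data)
            try:
                save_upload_hardened(upload_dir, name, data, session={"user_id": 42})
                outcome[name] = "accepted"
            except UploadRejected as err:
                outcome[name] = f"rejected: {err}"
        try:
            save_upload_hardened(upload_dir, "avatar.png", SAMPLES["avatar.png"], session={})
            outcome["anonymous"] = "accepted"
        except UploadRejected as err:
            outcome["anonymous"] = f"rejected: {err}"
        outcome["insecure_wrote"] = sorted(os.listdir(web_root))
        outcome["hardened_wrote"] = sorted(os.listdir(upload_dir))
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The insecure handler writes all four files, web shells included, into the served tree; the hardened one accepts only the genuine image and stores it under a random name. Magic-byte checks are a first filter rather than a guarantee, which is why the upload directory must also be one the server will not execute scripts from.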
Clean Up Guides
Many hacked sites show the same symptoms, because the same known hacks are applied to them at scale. To help site owners recover, Google published clean-up guides for sites affected by those hacks. The hacks are:
- Gibberish Hack: The gibberish hack automatically creates many pages of nonsensical, keyword-stuffed text on the target site so that the hacked pages rank in Google Search. Visitors who open these pages are then redirected to an unrelated site, such as a porn site. Google's guide walks through fixing this hack.
- Japanese Keywords Hack: The Japanese keywords hack typically creates new pages of Japanese text on the target site in randomly generated directory names. These pages are monetized with affiliate links to stores selling counterfeit brand merchandise and then appear in Google Search. Sometimes the attackers also add their own accounts as site owners in Search Console, so check the list of verified owners during cleanup. Google's guide covers fixing the Japanese keywords hack.
- Cloaked Keywords Hack: The cloaked keywords and links hack automatically creates many pages of nonsensical sentences, links, and images. These pages sometimes reuse basic template elements from the original site, so at first glance they can look like normal parts of it until you read the content. The attackers usually cloak the injected pages: Googlebot is served the spam so it gets indexed, while visitors and the site owner are shown the original page or a 404 error, which keeps the hack from being noticed. Google's guide covers fixing this type of hack.
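The three hacks share symptoms a site owner can scan for: PHP dropped into upload directories, obfuscated eval() calls, user-agent checks for Googlebot (cloaking), randomly named directories, and pages of Japanese text on a site that does not publish Japanese. The following is an added Python example, not one of Google's clean-up tools or any CMS's scanner: a heuristic scanner run over a constructed sample web root. The indicator patterns, the thresholds and the file names are assumptions made for the illustration; a real audit would also compare every core file against a clean copy of the CMS.

```python
import os
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Byte-level indicators applied to every scanned file. These are heuristics chosen for the
# example, not a signature database.
CONTENT_INDICATORS = [
    ("obfuscated-eval",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("ua-cloaking",
     re.compile(rb"HTTP_USER_AGENT.{0,200}?googlebot", re.I | re.S)),
]
JAPANESE_CHAR = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")  # hiragana, katakana, CJK ideographs
TEXT_SUFFIXES = {".html", ".htm", ".php"}
VOWELS = set("aeiou")


def japanese_ratio(text):
    """Share of alphabetic characters that are hiragana, katakana or kanji."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if JAPANESE_CHAR.match(c)) / len(letters)


def looks_random(name):
    """Heuristic for machine-generated directory names: 6+ chars mixing letters and digits with
    almost no vowels (assumed threshold, tuned only for this example)."""
    if len(name) < 6:
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowel_share = sum(1 for c in name.lower() if c in VOWELS) / len(name)
    return has_digit and has_alpha and vowel_share < 0.2


def scan_file(web_root, path):
    rel = path.relative_to(web_root)
    data = path.read_bytes()
    findings = set()
    for name, pattern in CONTENT_INDICATORS:
        if pattern.search(data):
            findings.add(name)
    # Executable code where only media should live (e.g. wp-content/uploads).
    if path.suffix.lower() == ".php" and "uploads" in rel.parts:
        findings.add("php-in-uploads")
    if any(looks_random(part) for part in rel.parts[:-1]):
        findings.add("random-dirname")
    if path.suffix.lower() in TEXT_SUFFIXES:
        text = data.decode("utf-8", errors="ignore")
        if japanese_ratio(text) > 0.3:  # disable for sites that legitimately publish Japanese
            findings.add("japanese-keywords")
    return rel.as_posix(), sorted(findings)


def scan_tree(web_root):
    """Walk the web root and return {relative path: [indicator, ...]} for files with findings."""
    web_root = Path(web_root)
    report = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for fname in files:
            rel, findings = scan_file(web_root, Path(dirpath) / fname)
            if findings:
                report[rel] = findings
    return report


# Constructed sample web root (not data from a real site): a clean-looking install plus four injected artifacts.
SAMPLE_TREE = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-content/uploads/2016/11/photo.jpg": b"\xff\xd8\xff" + bytes(32),
    "wp-content/uploads/2016/11/cache.php": b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
    ".htaccess": (b"RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
                  b"RewriteRule ^(.*)$ /xk2f9q7z/index.html [L]\n"),
    "wp-includes/load.php": (b"<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) "
                             b"{ include '/tmp/.cache/x'; }\n"),
    "xk2f9q7z/index.html": ("<html><body><h1>激安 ブランド コピー 通販</h1>"
                            "<p>正規品 スーパーコピー 財布 バッグ 時計 新作 人気 送料無料</p>"
                            '<a href="http://example.test/shop">購入</a></body></html>').encode("utf-8"),
}


def run_demo():
    """Materialize the sample tree in a temporary directory and scan it."""
    with TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(run_demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Running it flags the dropped PHP in the uploads directory, the cloaking rule in .htaccess and the injected user-agent check in a core file, and the Japanese spam page under a random directory, while the clean index.php and the real image produce no findings. Treat hits as leads for the manual cleanup in Google's guides, not as proof on their own, and expect to tune the thresholds to the site.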
Despite the damage a hack can do to a website, webmasters do have an avenue for recovery. If a site has been flagged or penalized because of a hack, the owner can clean it up and request reconsideration. According to Google, 84% of webmasters who apply are successful in cleaning up their sites, so a hacking incident does not have to sink a site permanently.
What matters most is that prevention is easier than correction. Taking the extra steps to protect your website now saves the hassle of dealing with a security breach, and the dip in rankings that follows it, later on.
To practice adequate prevention, every webmaster should register their site in Google Search Console and verify ownership. Google found that 61% of webmasters who were hacked never received a notification from Google that their site was infected, because their sites were not verified in Search Console. If your website is being attacked or is suffering the effects of hacking or spam, Search Console is the first place you will be notified about it. Without a registered and verified site you get no such notification, and the site keeps serving spam or malware and stays penalized while you remain unaware.
Beyond Google Search Console, there are steps you can take to secure your content management system. Most CMS-driven websites run WordPress, Joomla, Magento, or Drupal, each of which publishes its own security recommendations and resources. If your website is powered by one of these, read its best practices for securing that CMS and keep your site protected from hackers.