Hacked! Using Google Search Console to Detect a Compromised WordPress Website
When Adster got rolling back in late 2008, we decided to roll out our website and content management system (CMS) on CakePHP’s MVC framework. One of the primary reasons for building this custom platform was that my experience with industry ‘staple’ WordPress had been lackluster to that point.
Ultimately, I had experienced enough hacks, cracks, exploits, and other WordPress issues for a lifetime. Never again!
Dave eats his Words(press).
Fast forward to 2015. A shiny new website built by our friends over at Elements Digital on none other than – you guessed it – WordPress.
I doubt it’s necessary to go too deep on why WordPress is the ideal content management system choice for 95% of businesses out there; by now you all know why. WordPress has really evolved as a content management system and it would be really hard to suggest much else these days.
Then, a few weeks ago, the unthinkable happened: The Adster site was hacked!
And, as much as I would have liked to grandstand in some epic ‘See, I TOLD you so!’ fashion and blame this entire mess on some massive, gaping WordPress vulnerability, it came down to good old human error.
Easy to crack passwords.
Not unique to WordPress
Of course, a username of ‘dave’ and a password of ‘dave123’ (it doesn’t work anymore so don’t even THINK about it) is going to get one in more trouble than just WordPress. Alas, in my attempts to just log in and start writing 301’s, I made this rookie mistake and the entirety of the Adster site took the brunt of it.
Not your everyday hack
The cool thing about this particular WordPress website hack was that it didn’t show up in the usual places. Oftentimes, a hack will take your website offline, change your home page, leave the toilet seat up, etc. These are things one tends to notice pretty quickly.
In this case, we’re talking about a spam or backlink injection, and even better, the hackers added thousands of pages of content to our website to present them on.
Ya, but why?
So, why would hackers go to all this trouble to add thousands of pages of content to our website? Well, Adster (like most of you fine citizens of the internet) spends a fair bit of time and energy on making sure that our website and brand are viewed by Google as an authority on our subject matter, and thus if we say we’re an expert on ‘professional research paper writing’…Google may be inclined to believe us.
The proof is in the puddin’. Above, you can see that using the Adster site’s authority, the spammer was able to rank a page on our website for their desired term.
One level deeper
But they didn’t just stop there. The hackers actually used OTHER hacked websites and pages to link to OUR hacked pages in attempts to give them some SEO boost. Below is another compromised website that links to a hacked page on our website:
There wound up being hundreds of compromised websites and thousands of pages that linked to us in a manner similar to the above. This is a very complex hack operating at a variety of levels, and as such was difficult to ultimately pin down.
Getting to the point and using Search Console to find the hack
The good news is, Google’s Search Console (previously Webmaster Tools) is a prime place to catch issues like this. From the Google Webmasters home page: ‘Get data, tools and diagnostics for a healthy, Google-friendly site’. Splendid, right?
Provided you know what to look for.
We found that this hack was best detected in 3 different areas with Search Console.
#1 – Jump in indexed pages
One of the easiest ways to detect a hack of this sort is the observation of a large spike in indexed pages. In Search Console, navigate to ‘Google index’, then ‘Index Status’:
For the majority of this year, Google has had around 275-300 pages or so ‘indexed’ for Adster. Above, however, the massive spike up to near 1500 pages in October is a pretty clear indication something unnatural is afoot.
(tip: another really cool non-Search Console way to test this in a similar fashion is to type site:Yourdomain.ca into Google as a search command).
#2 – ‘How Your Content is Linked’ report:
Start off by navigating to the ‘Search Traffic’ tab then open this up and hit ‘Links to your site’. From here, scroll down a bit till you see ‘How your data is linked’ (which is effectively telling us how Google understands our anchor text) then click ‘More’.
When we look at this report (above), we find that the first several dozen variations of our anchor look pretty clean and predictable. However, on the right hand column, we can see a whole pile of unnatural anchor text patterns that imply something is not right.
We’re now getting an even more complex picture of how deep this hack went.
#3 – Links to Your Site – Latest Links:
This report is one of my personal favorites in Search Console, and in my experience often goes unnoticed. Here, you will need to navigate to ‘Search Traffic’, then hit ‘Links to your site’, then hit the ‘Download latest links’ tab.
While we were actually able to spot the unnatural links in the ‘Who links the most’ area of ‘Links to Your Site’, by going a level further we can actually download a spreadsheet or Google doc of which links Google is discovering, and when:
In our downloaded sheet, we are able to clearly see where the malicious links are actually coming from, and when Google detected them.
This ‘date’ element is significant, and the review of the ‘recent links’ report is actually part of Adster’s monthly SEO process, as it not only helps us pick off trouble brewing, but actually assists us in validating link building efforts for clients, and picking up other links and mentions that may be further capitalized on.
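One way to automate that monthly review of the downloaded sheet, as an added example that is not part of the original post: it groups linking domains by the month they were first discovered and flags months where the number of never-before-seen domains jumps well past the earlier baseline. The column names (`Links`, `First discovered`), the ISO date format, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample; the column names and ISO dates are assumptions about the export.
SAMPLE_CSV = """\
Links,First discovered
http://partner-blog.example/resources,2015-08-03
http://local-directory.example/listing/42,2015-08-19
http://www.partner-blog.example/about,2015-09-02
http://industry-news.example/roundup,2015-09-14
http://hacked-site-a.example/wp-content/page1.html,2015-10-05
http://hacked-site-b.example/essay.html,2015-10-05
http://hacked-site-c.example/paper.html,2015-10-06
http://hacked-site-d.example/a.html,2015-10-07
http://hacked-site-a.example/wp-content/page2.html,2015-10-07
http://hacked-site-e.example/b.html,2015-10-09
"""


def new_domains_by_month(csv_text):
    """Map 'YYYY-MM' to the set of linking domains first seen in that month."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["First discovered"])
    seen, months = set(), defaultdict(set)
    for row in rows:
        host = (urlsplit(row["Links"].strip()).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host and host not in seen:  # count each domain once, at first sighting
            seen.add(host)
            months[row["First discovered"][:7]].add(host)
    return dict(months)


def flag_bursts(months, factor=3, min_new=4):
    """Flag months whose new-domain count exceeds factor x the median of earlier months."""
    flagged, ordered = [], sorted(months)
    for i, month in enumerate(ordered):
        earlier = [len(months[m]) for m in ordered[:i]]
        count = len(months[month])
        if earlier and count >= min_new and count > factor * median(earlier):
            flagged.append((month, count, sorted(months[month])))
    return flagged


if __name__ == "__main__":
    for month, count, domains in flag_bursts(new_domains_by_month(SAMPLE_CSV)):
        print(f"{month}: {count} new linking domains -> {', '.join(domains)}")
```

A flagged month is a prompt to open the listed domains and check where on your site they point, not proof of compromise on its own; a successful outreach campaign produces the same shape.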
Bringing it all together
By using these 3 detection methods together, we were able to get a complete sense of what was going on – whereas any one alone would have told only part of the story.
For example, had we only seen unnatural links pointing to our website, we may have been inclined to simply Disavow them. It was the combination of the indexed pages, the anchor patterns, and these third party links and where they pointed that ultimately helped us come up with our solution.
How to fix a hacked WordPress site
Unfortunately, how to come back from a hacked WordPress site is beyond the scope of this post. What I can say, is that it involved some database work, a few sweat soaked t-shirts, and a very capable fellow by the name of Sunny.
Moral of the story? An ounce of prevention, yadda yadda.
To that end, check out this great piece on making your WordPress site more radical by WPMUDEV.
Tip ‘o the iceberg
Of course, these are just a handful of ways Search Console can be used to pick off technical issues brewing. Got any pro tips to share of your own? Other tools you use? Feel free to share in the comments below!