Detect and avoid hacked websites

More and more websites are being hacked.
Find out how to recognize a hacked website and what you can do to avoid hacker attacks here.

For as long as there have been websites, there have been people hacking websites.
The motives are diverse: pure malice, idealistic reasons (showing people that they should care more about security vulnerabilities) and, most commonly, criminal ones such as stealing data, redirecting traffic or making money from injected advertisements.

How do I know if my website has been hacked?

If you suspect that your website has been hacked, it is usually because of one or more of the following signs:

  • The website is no longer accessible. Nothing is visible under the domain, or you get an error message such as 404 or 503. A "broken" website can have other causes too, so this is not necessarily an attack.
  • The website displays content that you did not enter, e.g. obscene images or links to dubious pages. This may affect not only the home page but also isolated sub-pages, so check the entire website including all sub-pages.
  • When you reach the website via a search engine such as Google, you are redirected. This does not happen when you open the website directly by typing the URL into the browser, only when you click the result in Google Search; the hack keys off the Referer header (or the user agent), which is why the site owner rarely sees it. You end up on dubious websites that offer questionable content or try to spread malware.
  • Google and other search engines index content that is not visible on the website. The content is there, but hidden from normal visitors; only the search engine crawler sees it and adds it to the index (cloaking). As a result, you find your own website in the search results for dubious search terms.
  • In the backend there are user names that you did not create yourself. Such users usually have administrator rights and full access to the website.
  • Plugins or extensions are installed that you did not install yourself. In WordPress these are often plugins that allow file uploads, which are then used to upload PHP files that can be called directly in the browser and executed on the server (a web shell), or JavaScript that runs in your visitors' browsers. Such files can cause significant damage to the server and to visitors.
  • The navigation of the website links to dubious external pages. Besides the navigation, links in the cookie banner or ordinary links in the content or footer may be affected.
  • There are files with cryptic names and cryptic contents on the web server, often with recent modification dates or in places such as the uploads directory where no PHP files belong.
  • Google has already detected the website as hacked and flagged it (a Safe Browsing warning in the browser or a "This site may be hacked" notice in the search results).
  • Google Search Console reports security issues.
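As an added example (not part of the original article and not SYSSY's tooling), the following Python script walks a web root and reports files matching the last few indicators: PHP files inside the uploads directory, hex-only "cryptic" file names, and file contents with the function calls typical for injected code. The sample web root it builds in a temporary directory is constructed for the demonstration; point scan_tree() at your real document root to use it on a site.

```python
import os
import re
import tempfile

# Calls typical for injected PHP / web shells. Legitimate plugins also use some of
# these functions, so every hit still needs manual triage against a clean copy.
SUSPICIOUS_CALLS = re.compile(
    rb"(eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|gzuncompress\s*\(|str_rot13\s*\("
    rb"|assert\s*\(|create_function\s*\(|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\()",
    re.IGNORECASE,
)
LONG_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")          # packed payloads
CRYPTIC_NAME = re.compile(r"^[0-9a-f]{8,}\.(?:php|phtml|phar)$", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".phar")


def inspect_file(root, path):
    """Return the list of reasons why this file looks suspicious (empty if none)."""
    rel = os.path.relpath(path, root)
    name = os.path.basename(path)
    is_php = name.lower().endswith(PHP_EXT)
    reasons = []
    if is_php and "uploads" in rel.split(os.sep):
        reasons.append("PHP file inside the uploads directory")
    if CRYPTIC_NAME.match(name):
        reasons.append("cryptic hex-only file name")
    if is_php:
        with open(path, "rb") as fh:
            data = fh.read()
        hit = SUSPICIOUS_CALLS.search(data)
        if hit:
            reasons.append("suspicious call: " + hit.group(0).decode("ascii", "replace"))
        if LONG_BLOB.search(data):
            reasons.append("long base64-like blob")
    return reasons


def scan_tree(root):
    """Walk a web root and return {relative path: [reasons]} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = inspect_file(root, path)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed sample web root (not a real site): one clean config, one planted
    web shell under uploads, one theme file carrying a packed payload, one image."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-content/uploads/2024/05/a91f3c0e7b.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
        "wp-content/themes/demo/functions.php": b"<?php\n$x = 'QUJD" + b"A" * 250 + b"';\n",
        "wp-content/uploads/2024/05/photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(reasons))
```

Treat the output as a worklist, not a verdict: compare each flagged core, plugin or theme file against a fresh download of the same version, and look at the modification time of anything you cannot explain.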

What website hacks are out there?

There are countless different hacks that target different things. The most commonly used hacks are the following:

 

Phishing

Phishing is the attempt to obtain customer data and steal identities. In the context of hacked websites this means that the attackers host fake login or payment pages on your web space and send their victims there. They are after e-mail addresses and passwords as well as credit card and bank details. The stolen data is either reused elsewhere to make money or sold on the darknet.

 

Infiltrating content - SEO spam / content hack / Google hack (cloaked keywords)

Keywords and links are placed on the website so that the website ranks in the search engines for dubious keywords. The content is inserted in such a way that it is invisible or barely visible: either hidden outright (e.g. with display:none) or placed so far down the page that you have to scroll a long way to notice it. The search engines pick this content up, and the page starts ranking for the injected keywords in Google search. Often not only existing pages are injected but complete new pages are created, which Google then indexes. This hack is usually only noticed by chance.

 

Redirects

Visitors are redirected to spam pages.
There are several variants:

  • The redirection to the spam page takes place directly when the page is opened
  • The redirection to the spam page occurs only when clicking on a search result in Google search
  • The redirection takes place when clicking on a navigation point
  • The redirection takes place when clicking into the cookie banner

The redirects are not always applied; often they only fire on the first X visits from a given IP address. Behind this, the attackers log visiting IP addresses and stop redirecting after a certain number of hits. This makes the hack harder to find and leaves the person behind the screen thinking it was a temporary glitch or a mis-click. When checking your own site, therefore, test from a different IP address (e.g. a mobile connection) than the one you usually use, and test the Google-referrer and crawler variants as well.
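The following Python check, added here as an example (it is not code from the original article or from SYSSY), fetches one URL as a normal browser, as a visitor arriving from Google and as Googlebot, and compares the three responses. It reports off-site redirects, external links and hidden blocks that appear only in one variant, and it repeats the fetch several times because of the per-IP counter described above. The sample responses at the bottom are constructed for offline use; example.invalid, spam.invalid and pills.invalid are placeholders.

```python
import re
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Request variants: a normal visitor, a visitor coming from Google, and Google's crawler.
# A clean site answers all three alike.
VARIANTS = {
    "browser": {"User-Agent": BROWSER_UA},
    "from_google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
}

HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"<(?:div|span|p)[^>]*style\s*=\s*[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,})",
    re.IGNORECASE,
)
CLIENT_REDIRECT_RE = re.compile(
    r"http-equiv\s*=\s*[\"']refresh|(?:window\.)?location(?:\.href)?\s*=|location\.replace\s*\(",
    re.IGNORECASE,
)


def fetch(url, headers):
    """Real fetcher: (final_url, html). Redirects are followed so final_url shows where we ended up."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return url, exc.read().decode("utf-8", "replace")


def external_links(html, own_host):
    return {h for h in HREF_RE.findall(html) if h.startswith("http") and own_host not in h}


def compare_variants(own_host, responses):
    """responses: {variant: (final_url, html)}. Returns {variant: [anomalies]} measured
    against the plain 'browser' response."""
    _base_url, base_html = responses["browser"]
    base_links = external_links(base_html, own_host)
    base_hidden = len(HIDDEN_RE.findall(base_html))
    report = {}
    for name, (final_url, html) in responses.items():
        issues = []
        if own_host not in final_url:
            issues.append(f"redirected off-site to {final_url}")
        extra = external_links(html, own_host) - base_links
        if extra:
            issues.append("extra external links: " + ", ".join(sorted(extra)))
        hidden = len(HIDDEN_RE.findall(html))
        if hidden > base_hidden:
            issues.append(f"{hidden} hidden block(s) not shown to normal visitors")
        if CLIENT_REDIRECT_RE.search(html) and not CLIENT_REDIRECT_RE.search(base_html):
            issues.append("client-side redirect present only in this variant")
        if issues:
            report[name] = issues
    return report


def check_site(url, own_host, repeat=3):
    """Fetch every variant `repeat` times: some hacks only fire on the first visits per IP."""
    worst = {}
    for _ in range(repeat):
        responses = {name: fetch(url, headers) for name, headers in VARIANTS.items()}
        for name, issues in compare_variants(own_host, responses).items():
            seen = worst.setdefault(name, [])
            for issue in issues:
                if issue not in seen:
                    seen.append(issue)
    return worst


# Constructed sample responses (not captured from a real site) for offline use.
SAMPLE_RESPONSES = {
    "browser": ("https://example.invalid/",
                "<html><body><a href=\"https://example.invalid/about\">About</a></body></html>"),
    "from_google": ("https://spam.invalid/offer", "<html><body>redirected</body></html>"),
    "googlebot": ("https://example.invalid/",
                  "<html><body><a href=\"https://example.invalid/about\">About</a>"
                  "<div style=\"display:none\"><a href=\"https://pills.invalid/buy\">cheap pills</a></div>"
                  "</body></html>"),
}

if __name__ == "__main__":
    for variant, issues in compare_variants("example.invalid", SAMPLE_RESPONSES).items():
        print(variant, "->", "; ".join(issues))
```

Run check_site("https://www.yourdomain.example/", "yourdomain.example") against sub-pages as well as the home page, since injected redirects are frequently limited to a few URLs.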

 

Mailer

A mail function, e.g. WordPress's own mail sending, is exploited and countless spam e-mails are sent through your own mail server. Usually this continues until the hoster blocks the sending or the daily e-mail limit is reached; by then your domain may already be on spam blocklists.

 

More information about the various hacks can also be found in Google's spam policy.

How do the hackers get into the website?

Hackers usually exploit security vulnerabilities in the CMS itself or the plugins used. However, it is also possible for hackers to gain access via security holes in PHP, MySQL or server management software.

Another attack surface is insecure passwords, login pages served over plain HTTP instead of HTTPS (credentials can be read on the way), and upload fields in forms such as contact forms.

If you use access data for a CMS backend that has been leaked somewhere, this is of course also a security risk.

An insufficiently secure password for the e-mail account can also become a trap: the e-mail address is used to reset the CMS password, and old e-mails in the account often contain the CMS access data.

    How can I protect myself from hacker attacks?

    To be spared hacker attacks, take precautions so that no security gaps open up in the first place. Preventive work is the only way to protect yourself from successful attacks. Hackers will still knock, but they cannot open a door that is well barricaded from the inside.

    Here are the most important tips:

    1. Do not use a user named "admin" or "office" for the backend
    2. Use strong passwords and different passwords if possible
    3. Create regular backups
    4. Keep your website updated
    5. Limit failed login attempts
    6. Hide version information about the CMS
    7. Delete unused data
    8. Protect the page with SSL
    9. Disable the file editor in WordPress
    10. Use the Google Search Console to monitor keywords
    11. Regularly look at your own website and check it for anomalies
    12. Google yourself and your company at regular intervals and click on the search results

    1. Use secure usernames

    The usernames "admin" and "office" are the ones most frequently tried in attacks. In the server logs you can see very clearly how often login attempts with these or other usernames arrive.

    One problem in WordPress is that the REST API can be reached without authentication unless it is explicitly restricted. Most sites do not need the API at all (at least not in the frontend), which is why we consider it an unnecessary exposure to have it enabled by default. Nonetheless, you can do useful things with the API. SYSSY also uses the API.

    One problem with the API data is that user accounts can be read out. The query /wp-json/wp/v2/users returns the site's authors (by default every user who has published a public post, which on a small site usually includes the administrator) with their display name and their slug, which normally equals the login name. E-mail addresses are only returned to authenticated requests with edit rights, but the usernames alone are enough. The API is called by appending the endpoint to the site URL, e.g. www.meinedomain.at/wp-json/wp/v2/users.

    Once you have the usernames, you can try passwords against each of them until a login succeeds.

    You can protect yourself from this by installing a plugin that locks the API, such as Disable WP REST API. This plugin offers the possibility to lock the entire API, but to reactivate individual API endpoints that are needed via the settings. If you have installed the SYSSY plugin, there is a separate item for SYSSY that can be unlocked again.

    You can also lock individual endpoints of the WordPress API via PHP code, e.g. exactly this endpoint for reading the users. Add the following code snippet to the functions.php of your theme and test the endpoint. The snippet only removes the endpoints for visitors who are not logged in, so that the block editor, which uses the users endpoint for its author selection, keeps working for your editors:

    // Remove the user endpoints from the REST API for anonymous requests
    add_filter( 'rest_endpoints', function( $endpoints ) {
        // Logged-in users (e.g. editors in the block editor) still need these endpoints
        if ( is_user_logged_in() ) {
            return $endpoints;
        }
        // /wp-json/wp/v2/users - the user list
        if ( isset( $endpoints['/wp/v2/users'] ) ) {
            unset( $endpoints['/wp/v2/users'] );
        }
        // /wp-json/wp/v2/users/<id> - a single user
        if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        }
        return $endpoints;
    } );

    For anonymous visitors the endpoint now returns a "rest_no_route" error (HTTP 404) instead of a user list. Note that this only closes the REST API path: WordPress also reveals usernames through the author archive redirect (/?author=1 redirects to /author/<username>/), which you need to block separately if user enumeration matters to you.

    If you do not use your own theme or a child theme, changes in functions.php are lost with the next theme update, so use a plugin instead.
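    To verify the lock, the Python script below (an added example, not code from the original article or from SYSSY) queries the users endpoint and the /?author=N redirect and reports which usernames each path still leaks. The two fetch functions at the end return constructed responses so the check runs offline; example.invalid is a placeholder, and the real http_get() fetcher is used when you pass your own site URL without overriding fetch.

```python
import json
import re
import urllib.error
import urllib.request


def http_get(url, timeout=10):
    """Real fetcher: (status, final_url, body). Redirects are followed so that
    final_url reveals where WordPress sent us."""
    req = urllib.request.Request(url, headers={"User-Agent": "enum-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, url, exc.read().decode("utf-8", "replace")


def users_from_rest(status, body):
    """Slugs (usually the login names) from a /wp/v2/users response; [] if blocked."""
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and u.get("slug")]


def user_from_author_redirect(final_url):
    """WordPress answers /?author=N with a redirect to /author/<nicename>/ if the user exists."""
    match = re.search(r"/author/([^/?#]+)", final_url)
    return match.group(1) if match else None


def check_user_enumeration(base_url, fetch=http_get, max_author_ids=3):
    """Try both enumeration paths and return what each one leaked."""
    base = base_url.rstrip("/")
    leaks = {}
    status, _final, body = fetch(f"{base}/wp-json/wp/v2/users?per_page=100")
    via_rest = users_from_rest(status, body)
    if via_rest:
        leaks["rest_api"] = via_rest
    via_author = []
    for author_id in range(1, max_author_ids + 1):
        _status, final_url, _body = fetch(f"{base}/?author={author_id}")
        slug = user_from_author_redirect(final_url)
        if slug and slug not in via_author:
            via_author.append(slug)
    if via_author:
        leaks["author_redirect"] = via_author
    return leaks


# Constructed responses for offline use (not captured from a real site).
def exposed_site_fetch(url):
    """A site with the default REST API and author archives."""
    if "/wp-json/wp/v2/users" in url:
        return 200, url, '[{"id": 1, "slug": "admin", "name": "Site Admin"}, {"id": 2, "slug": "editor", "name": "Editor"}]'
    if url.endswith("/?author=1"):
        return 200, "https://example.invalid/author/admin/", "<html>author archive</html>"
    return 404, url, "<html>not found</html>"


def hardened_site_fetch(url):
    """A site with the users endpoint removed and author redirects disabled."""
    if "/wp-json/wp/v2/users" in url:
        return 404, url, '{"code": "rest_no_route", "message": "No route was found matching the URL and request method."}'
    return 404, url, "<html>not found</html>"


if __name__ == "__main__":
    print("exposed:", check_user_enumeration("https://example.invalid", fetch=exposed_site_fetch))
    print("hardened:", check_user_enumeration("https://example.invalid", fetch=hardened_site_fetch))
```

    An empty result means neither path leaks; a non-empty one tells you which lock is still missing.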

    2. Use strong passwords and protect them

    Make sure that you use strong and unique passwords for backend, FTP, database and login to the hoster. Also, do not use the same credentials as on Facebook or Instagram. Also the password for the email account should be a secure one and should not be shared with anyone.

    The password for your CMS user should only be used for this website and should be secure:

    • No words from the dictionary or names of cities or countries, e.g. "Linz" would be a very bad password. Also "Linz1234" is not good.
    • At least 8 characters, the longer the better
    • Combination of letters and numbers
    • Min. 1 special character
    • A password does not have to be cryptic, but can also consist of a phrase that is easy to remember, e.g. MyDADhasaredcar34! or MyCatisnamedMINKIandisseven34!

    Do not send passwords via email and use a password manager to manage your passwords if possible.

    If you know that one of your accounts (on Facebook or any other platform) has been compromised, do not use that password anywhere else. Leaked passwords end up in databases that are used for exactly these attacks.

    At https://haveibeenpwned.com/ you can check whether your e-mail address appears in a known data breach. If it does, stop using every password you ever used with that account.
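    The same service also lets you check a password itself without revealing it, via the Pwned Passwords range API: you send only the first five hex characters of the password's SHA-1 hash and compare the returned suffixes locally. The Python below is an added example (not from the original article or from SYSSY) of that k-anonymity lookup. The sample range answer at the bottom is constructed for offline use; only the suffix for "password" is its real SHA-1 remainder, the counts are made up.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Real lookup: download every suffix sharing this prefix (padded to hide the count)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pwned-check/1.0", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, range_text):
    """Find our suffix in the 'SUFFIX:COUNT' lines; 0 means not in any known breach."""
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed range answer for offline use (counts invented, padding entry has count 0).
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E5EC5BF3A1AB6A1C4D6F67F6E21A39D1D8:0",
    ])
}


def sample_fetch(prefix):
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "MyCatisnamedMINKIandisseven34!"):
        print(candidate, "->", pwned_count(candidate, fetch=sample_fetch))
```

    A count above zero means the password is in circulation and will be among the first ones tried against your login.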

    3. Create regular backups

    Make backups at regular intervals and find out how often the hoster makes a backup and how long it is kept.
    Hacked websites are often detected late - after several weeks or months - and the hoster's backups are often gone by then.
    Some hosters offer backups, but the import of these backups is subject to a fee. Here you can also inform yourself in advance.

    For WordPress there are plugins that create backups automatically and store them, for example, in cloud storage such as Dropbox. It is important that the backups are stored outside the web space where your website is located; otherwise an attacker with access to the web space can delete or tamper with the backups as well.

    4. Monitoring CMS and plugins for security vulnerabilities

    Security updates for CMS and plugins are released at irregular intervals. These updates should be applied quickly, especially for WordPress.

    With popular and very widespread systems like WordPress, the attack rate is very high. As soon as a security vulnerability in a plugin is published, you have to be fast: attackers immediately build an exploit for it and start attacking worldwide.

    The more popular a plugin is and the more often it is used, the faster the attackers act, because that is where the probability of causing damage is highest. Websites are scanned automatically for vulnerable versions, and once a hole is found the attackers are more or less already inside.

    With plugins that are used millions of times, such as Elementor, it is also obvious at first glance whether the plugin is in use: the HTML source references the plugin's files under /wp-content/plugins/, and often their version as well.

    Our tip is: The more popular the plugin with the security vulnerability, the faster update! Ideally on the same day.

    5. Protect CMS Login

    A popular method to hack a website is to enter a lot of login data into the login mask and try to see if a login works. Popular here is the username "admin", which is tested in combination with password databases.

    For WordPress there are plugins like Limit Login Attempts Reloaded, which temporarily block the IP address after a few failed logins.

    It is also possible to allow the login only from certain IP addresses, or to put an additional password prompt (HTTP basic authentication) in front of wp-login.php via .htaccess. Remember that WordPress also accepts logins via xmlrpc.php, so that file should be restricted in the same way unless you need it.
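    To see the attempts in your own logs, here is an added Python example (not from the original article or from SYSSY) that reads Apache combined-format access log lines and flags IP addresses with too many failed login attempts in a sliding time window. It relies on the fact that a failed wp-login.php POST is answered with 200 (the form is shown again) while a successful one is a 302 redirect, and it counts xmlrpc.php POSTs as attempts because that endpoint answers 200 either way. The log lines are constructed, with IP addresses from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max_failures_in_window} for IPs that reach the threshold."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        # 200 on a login POST = form re-displayed (failure); 302 = login succeeded
        if m["method"] != "POST" or path not in LOGIN_PATHS or m["status"] != "200":
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            in_window = end - start + 1
            if in_window >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), in_window)
    return flagged


# Constructed access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.invalid/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 18231 "https://example.invalid/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG.splitlines()))
```

    The flagged addresses are exactly what a tool like fail2ban would ban; running this over a day of logs also shows how many attempts a login limiter would have absorbed.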

    6. Hide version information about the CMS

    Various CMS write the version of the CMS or of its plugins into the HTML meta tag "generator".

    In WordPress, the core itself writes this tag, and plugins like WPML, WooCommerce or Elementor also like to add their own generator tags with version numbers.
    In older TYPO3 versions the TYPO3 version was written into the tag; in newer TYPO3 versions the version number is omitted and only "TYPO3" appears.

    The tag can look like this:

    <meta name="generator" content="WordPress 6.2.2">

    If the version of the CMS or of individual plugins is visible here, the attackers have an easy game: they can immediately see which version is in use and whether there are known security holes in that version that can be exploited.

    My recommendation is to remove the tag completely. In WordPress you can do that with the following code snippet in your functions.php:

    // stop WordPress from printing <meta name="generator" content="WordPress x.y.z"> in the <head>
    remove_action( 'wp_head', 'wp_generator' );

    With some themes or plugins it can be difficult to remove this tag. You may be able to help yourself with a plugin or look for a deactivation option in the plugin or theme settings. Note that the WordPress version also appears in the RSS feed (the feed's generator element, which the the_generator filter controls) and that plugin and theme versions leak through the ?ver= query strings of their scripts and stylesheets, so removing the meta tag alone does not hide everything.
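    To see what an attacker's scanner sees, the following Python function (an added example, not code from the original article or from SYSSY) pulls the generator tags and the plugin and theme versions from the ?ver= query strings out of a page's HTML. The sample page is constructed; example.invalid and the version numbers are placeholders. Run it against your own site's HTML before and after removing the tag.

```python
import re

META_RE = re.compile(r"<meta\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"([a-zA-Z-]+)\s*=\s*[\"']([^\"']*)[\"']")
# /wp-content/<plugins|themes>/<slug>/...?ver=<version>
ASSET_RE = re.compile(
    r"/wp-content/(plugins|themes)/([^/\"'?]+)/[^\"'\s]*?\?ver=([0-9][^\"'&\s]*)",
    re.IGNORECASE,
)


def generator_tags(html):
    """Contents of every <meta name="generator"> tag, whatever the attribute order."""
    found = []
    for attrs in META_RE.findall(html):
        attr = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        if attr.get("name", "").lower() == "generator" and attr.get("content"):
            found.append(attr["content"])
    return found


def asset_versions(html):
    """{'plugins/<slug>' or 'themes/<slug>': {versions}} from ?ver= query strings."""
    found = {}
    for kind, slug, version in ASSET_RE.findall(html):
        found.setdefault(f"{kind.lower()}/{slug}", set()).add(version)
    return found


def fingerprint(html):
    return {"generator": generator_tags(html), "assets": asset_versions(html)}


# Constructed sample page (not fetched from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2">
<meta content="Elementor 3.14.1; features: e_dom_optimization" name="generator">
<link rel="stylesheet" href="https://example.invalid/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=7.8.0">
<script src="https://example.invalid/wp-content/themes/astra/assets/js/main.js?ver=4.1.5"></script>
<script src="https://example.invalid/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```

    Everything this prints is what an automated scanner matches against its list of vulnerable versions, which is why the update tip above matters more than the meta tag.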

    7. Delete unused data

    If you still have old plugins, extensions or themes in your CMS that are not active but still available, you should delete them. Especially if they are outdated and no longer receive updates. Even inactive plugins can represent security vulnerabilities.

    8. Protect the website with SSL

    Always use an SSL/TLS certificate (HTTPS), especially if your website has things like contact forms or a login.

    An SSL certificate is usually available for free in the form of a Let's Encrypt certificate from your hoster.

    After installing the certificate, it is important to set the URL to https in the CMS settings and to set up a forwarding from http to https. You can usually set up these redirects directly via the backend of the hoster.

    If there is no option to set up a redirect in the hosting package, you can set up the redirect in the .htaccess file on your web server. Here is an example of a redirect to https in the .htaccess (replace syssy.net with your own domain):

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # redirect every plain-http request for syssy.net or www.syssy.net
        # to https://www.syssy.net (permanent redirect, stop processing further rules)
        RewriteCond %{HTTPS} !on
        RewriteCond %{HTTP_HOST} syssy\.net$
        RewriteRule ^(.*)$ https://www.syssy.net/$1 [R=301,L]
    </IfModule>

    Once the redirect works everywhere, you can additionally send a Strict-Transport-Security header so that browsers go to https directly without the detour over http.

    9. Disable the file editor in the WordPress backend

    In WordPress, by default, theme and plugin files can be edited directly in the backend via Appearance -> Theme File Editor and Plugins -> Plugin File Editor. An attacker who obtains an administrator login can use this to place PHP code on the server without any other access.

    To disable both editors, add the following constant to wp-config.php:

    ## disable the theme and plugin file editors in the backend
    define('DISALLOW_FILE_EDIT', true);

    If you want to go further, DISALLOW_FILE_MODS additionally blocks installing and updating plugins and themes from the backend; only set it if you handle updates another way.

     

    10. Use the Google Search Console

    A regular look at the Google Search Console can be very informative. Among other things, it shows you with which search terms the page is found most often or which pages are called up most frequently. If you see dubious keywords here, for which you did not expect a ranking, this can be a sign that the website has been hacked. You can also see if there are hits on pages that should not exist and that may have been introduced via a hack.

    If Google detects security problems on your website, you will be notified via Search Console and can act accordingly.
    However, Google usually detects such hacks very late (if at all). And once the problems have reached Google, it is difficult to get a good ranking again, because the page is downgraded accordingly.

    How often do I have to update the website?

    As soon as a security update is released, it should be applied immediately.

    For the WordPress core, this almost always works automatically, unless you have disabled this feature. For the plugins there is also the possibility of automatic updates, but I am critical of this function and would not necessarily trust it. It is important to test the site after updates, especially with big plugins like Elementor or WooCommerce, problems can often occur and you may have to adjust things in the theme to make everything work smoothly.

    Some hosters also provide automatic updates for security releases for TYPO3. A comparison with the hosters is worthwhile here in any case.

    In the case of hacker attacks, it does not matter whether it is the large website of a corporation, the small website of an individual company or a private blog. The hackers don't care. It is simply scanned globally and whoever is unlucky is chosen as a target.

      A few final tips:

      • Register the website in Google Search Console after go-live, then you will be notified about security issues by Google as well.
      • Check the website regularly, both manually and with a software like SYSSY.
      • Update the website regularly, both the CMS core and the plugins and themes.
      • Update your website whenever it is necessary and not just once a year. It's best to use a tool that notifies you of security vulnerabilities. SYSSY is happy to help you with this.
