Google usually displays this message when a website has been hacked or compromised. Meaning that someone has intentionally modified its content to add: SPAM, content from others sites, to steal information or to install Malware.
Through this video, Google explains what it means that a website has been hacked or compromised: https://www.youtube.com/watch?v=mbJvL61DOZg
In this tutorial, you will learn how to use the Google Search Console Tool in order to:
- Identify and Delete Malware’s content in your site.
- Set the ownership of the site through Google Search Console.
- Get the Search Traffic and links of the site.
- Review of the site’s links.
- Block malicious links previously found.
- Request a site review.
- Be the owner or manager of the site.
- A google account to access the Google Search Console: https://www.google.com/webmasters/tools/home
- CPanel access and site files.
Have experience on:
- PHP language
To preserve the site’s identity in which I gained the experience on removing malware’s content I’ll use the helloselene.com site as an example.
Step 1: Identify and Delete Malware’s content in your site
Nowadays the most common Malware attacks are:
- Code injection through scripts placed in the server’s files.
- Redirection to other websites ( when the .htaccess file has been modified).
- Iframes injection, usually inserted into the index.php file to show content (mostly inappropriate ) from another site.
Let’s start by opening the .htaccess file from the root directory of our site.
The RewriteRule sentence tells us that any search engine as google|yahoo|msn|aol|bing is redirected to a doorway script. This file could be placed or not within our site’s files. Also our site not only could be redirected to a file but also to another site, for example:
RewriteRule ^(.*)$http://www.addedbytes.com/$1 [L]
“L” tells Apache not to process any more rules if this one is used.
The script’s name is different in each site and it’s created from the union of “real” words. It offers different content for the search engines as well as the human visitors. Any request to this script will return a 404 error (this is the way in which it keeps hidden from us).
Once we have identified the malicious scripts ( mainly hosted in the public folder or the hosting’s temporary folder). We’re going to amend the .htaccess file as follow:
First, we enable the rewrite module to add a condition that will remove the index.php sentence from the website URL.
Then we indicate that any requested file from our site will be shown except for index.php, CSS, JS, images, robots.txt or docs files.
RewriteCond $1 !^(index.php|css|js|img|robots.txt|docs)
RewriteRule ^(.*)$ /index.php?$1 [L]
You can use as many conditions and rules as you need but for the purposes of this tutorial, we are setting just this one.
Important: If you are transferring the .htaccess file to the server using FTP, be sure it is transferred using the ASCII mode, rather than BINARY.
Let’s take a look at the index.php file
As we can see in the image above there is an injected iframe Which hosts an Inappropriate site. Remove it and look for the same line of code in the rest of the site’s files to ensure that hasn’t been injected in any other file.
Step 2: Set the ownership of the site through Google Search Console
Go to Google Search Console’s home page and enter the site’s URL:
Google will ask us to prove the ownership to do so we have these options:
Google provide us an HTML file that we upload to the root folder of our site.
Important: To stay verified, don’t remove the HTML file, even after verification succeeds.
HTML Tag: Add a meta tag to your site’s home page.
Domain name provider: Sign in to your DNS provider account and add to the domain’s configuration the token provided by Google.
Google Analytics: Use your Google Analytics account to prove the ownership.
Google Tag Manager: Use your Google Tag Manager account to prove the ownership.
Step 3: Get the Search Traffic and links of the site
Now that we’ve proved the ownership, we can access the Google Search Console’s dashboard by clicking on the site’s URL. In the left side menu look for Search Traffic > Links to your site.
1.- Total links.
2.- Who links the most: Click on the more button. Now that we’ve proved the ownership, we can access the Google Search Console’s dashboard by clicking on the site’s URL. In the left side menu look for Search Traffic > Links to your site. to see the full lists.
- This table: All the domains with links to the pages of our site.
- More sample links: All the links within our site.
- Latest links: All the links on our site including its creation date.
3.- All the pages of our site that have been indexed from others sites: the full list of these pages as well as the sample links and last added.
4.- How your data is linked: Refers to the anchor text of your site.
We can download the lists above as CVS or as a Google’s docs.
Step 4: Review of the site’s links
We’ve got the full list of links and domains. Let’s review them to identify the malicious ones.
Total links: According to the site’s links, does this amount match? in this example, it doesn’t.
Who links the most: I don’t recognize the sites that are listed in here. In fact, if I try to browse to one of them I get a 404 error.
I’m using the mxtoolbox tool to verify if one of the listed sites is included on the Google’s blacklist taking the stylshack.com site as an example.
When the inspection has completed we’ll know if is listed or not. And there you have it, it’s listed!
Anchor Texts: As the result of the indexed links most of the anchor’s texts contains sexual and obscene phrases.
Step 5: Block malicious links previously found
To do so we can do it from the Cpanel or we can take advantage of our .htaccess file
The hosting provider of this site it’s Hostgator but I’m pretty sure that your hosting provider will have a similar option within the Security section:
IP Address Deny Manager
We enter the IP or domain’s name to block it.
To get the IP of a site we can use ipinfo.info checker tool:
Add the follow sentence after the RewriteRule:
deny from IP site’s address here
deny from 188.8.131.52 #stylshack.com
We’re denying the access to the stylshack.com site. You can block as many sites as you need.
Step 6: Request a site review
Once we’ve deleted the malicious content and links, next step it’s to request a site review. Go back to the Google Search Console’s home page and look for Security Issues on the left side menu and click on it.
A modal will show up in which we’re going to specify for the Google’s team the actions that we’ve taken to delete the malware. Google will let us know when the review has finished in the messages section. In my experience, this will take a couple days.
In order to prevent future vulnerabilities:
- Change all the site’s passwords: FTP, CPanel, Email, etc.
- Ensure that the software or plugins are being continuously updated.
- Don’t share your access credentials.
- If you would like to know more about the Google’s toolkit visit the link bellow:
Did you like the tutorial? I would like to know your opinion , please let me know in the comments section.