Recently I got a heads up from my friend Earl Grey that one of the sites I control is marked as infected with malware in Google. I got on the case and within a couple days the issue has been sorted out successfully. The case, however, has inspired me to post about sites getting infected and what to do about it as many site owners are facing this problem at some point.
If your site gets infected a notice appears in Google next to it in any SERPs where your site is present:
For some fiercely competitive industries, infecting other sites with malware is an everyday practice.
But even if your site does not belong to one of these industries, it does not mean you are immune to malware injections. For the record: malware injection and site hacking is NOT black hat SEO, this is just destructive actions of certain individuals that can actually be qualified as criminal offense in many jurisdictions.
How do sites get infected? This happens due to vulnerabilities either on your host’s side or your actual site / CMS you’re using. A widespread example of the latter would be outdated installations of WordPress with unfixed security flaws.
According to Stop Badware (a site we will get back to shortly in this post), the three most common types of badware affecting sites are:
- Malicious scripts
- .htaccess redirects
- Hidden iframes
How you can diagnose malware on your site: if you did not see the notifications in Google, many browsers including Firefox display a warning when you are trying to access an infected site.
Also, if you have a Google Webmaster Tools account connected to your site, there may be a warning there.
I am not a fan of Google Analytics for a number of various reasons, but I do advise every site owner to keep track of their sites via Google Webmaster Tools. If you don’t have that, you can check your site in a number of resources like WOT (more on this later). Finally, if you see a traffic drop without visible loss of rankings, one of the possible reasons could be drop of CTR from the SERPs due to a malware warning – instead of going to your site directly, the visitors get from the SERPs to a page like this:
(the URL of this page would be something like http://www.google.com/interstitial?url=http://www.yoursite.com – remember this one as you can use it later to verify that the warning has been removed).
Once you have confirmed your guess, you need to remove the malicious code off your site. The “Details” link in the GWT warning message will take you to a page listing the actual malicious code, so now your task is just to find it on your site and remove it. Using your FTP client, access your host and list the files in the order of the last change – if your site was hacked/altered recently the modified files are likely to be the ones with a recent change date. You know when you last made any changes to anything on your site yourself, so likely for most site owners this will be a good indicator. If that doesn’t work, or there is a number of files recently modified on your host, download a backup copy of your whole site to your computer and search for the code in question. On a Mac, you can easily search for anything inside any file (just choose the “Contents” option when searching in your Finder). On a PC, I’ve been told that Google Desktop search can do the same but cannot really confirm it so try it yourself. Finally, if you have any site development tools like Dreamweaver or any other framework where you can open a site as a project, most of the frameworks will let you search for a code snippet within a project.
After you have removed the malicious code, make sure to fix whatever security hole let the malware get into your site (an SEO security audit may be a good step to take to identify all your possible vulnerabilities). It’s also a good idea to change all your passwords (your hosting account, your CMS, your database – everything you can think of). When done with this step, you can submit your site for a review via Google Webmaster Tools to have the malware notification for your site removed from the SERPs.
Earlier, I have mentioned StopBadware.org. It gets its information from a number of sources:
StopBadware is important because it is responsible for the information available to the browsers. Until its data updates, your visitors will still be seeing a warning in their browser. Google is one of the sources and it’s the fastest one as all the updates there happen automatically. As for others:
– Web Of Trust is based on users’ ratings and is generally not a very reliable source of information (its data can be spoofed, and it’s only as accurate as popular a site is with its members)
– SiteAdvisor is a service by McAfee and it’s generally slower than Google as well
– same about other sources.
So, while Google updates your data, you don’t have to wait and can ask StopBadware for a review as well, directly. Same thing works for those who do not have a GWT account for their sites.
Once the site is reviewed both by Google and StopBadware, the warnings in Google SERPs will disappear, the Google warning page will return a 403 error, and there will no longer be any warnings in the browsers for users accessing the site.
Has your site been infected? Have you had any different experience removing the malware or had problems getting the warning in Google/browsers removed? – please share your story in the comments!