In the past 6-12 months it seems that hacked sites and similar type things have been on the rise or maybe Dave has just had the “luck” to come across more stories and instances. Some of the recent news stories you may want to catch up on include these:
- Hackers exploit websites to give them excellent SEO before deploying malware
- WordPress Easy WP SMTP Plugin Vulnerability
- Google’s John Mueller on Cleaning Up Hacked Pages
- “Gootloader” expands its payload delivery options
Types of Hacks
The guys go through some common types of site hacks (Link Injection, WordPress Plugins, Root Access and more) while Mat gives some examples of social engineering, emails and text messages that are trying to get you to login or download malware/trojans through links.
During the episode Dave gives a number of ideas and things to do to help prevent or quickly find hacks and issues. While they are all not listed here we give you some (listen or read the full transcript for all of the things mentioned):
- Audit or crawl your site on a regular basis
- Look at source code as often it bad links are hidden in the footer and navigation but not visible on a page.
- Pay attention to Google and Bing Webmaster tools
- Look at what search queries and pages are driving impressions and clicks
- Watch and look in your analytics on a regular basis
- Set up times monthly/weekly/quarterly to do these things so you don’t forget in the future.
- Audit and vet all plugins you use with ANY CMS – WordPress, Shopify, Drupal, etc.
- Look at ways to lockdown who can login, what IP addresses can login, and use various plugins, tools and best practices to just lock things down more than “out of the box”.
- Limit login attempts and don’t use usernames like admin, root, and other obvious usernames.
- Test plugins and code on a staging or internal development site.
For more ideas on how better to secure and lock down your site and data here are some of our past episodes that may help.
Matt Siltala: [00:00:00] Welcome to another exciting episode of the business of digital podcast, featuring your host, Matt and Dave roar. Hey guys, thanks for joining us on another one of these businesses, digital podcast episodes as always. We have my trusty co-host over there, Dave. How’s it going today?
Dave Rohrer: [00:00:19] Okay, it’s going, going, going all week long.
Matt Siltala: [00:00:24] Well going is better than not going and things getting normal is better than things. Not getting normal, I guess, you know? Well today guys, we’re just going to jump right into it like we do. Cause that’s our emo. And so just to give you guys a, a little bit of an idea, um, Dave wanted to chat about this topic and this is a fun one.
Well, it can be, it can be fun, but it can’t be fun. If you’re on the receiving end of it, but, uh, we’re going to chat either. No, no, no, not at all, but, uh, we’re going to talk about hacking and for those that have had issues with, uh, being [00:01:00] hacked and, and we’re just going to take all the different levels and, and hopefully give you guys some information about what to look out for, what to watch for what, uh, just, just be per beat a little bit more prepared.
And so with that said, my friend, uh, why don’t you kick us off with, uh, where you wanted to go with this?
Dave Rohrer: [00:01:18] I want to throw my computer and it’s loud running fan into the car freak. That’s what I want to
Matt Siltala: [00:01:23] do. I wanted to
Dave Rohrer: [00:01:25] do that because trying to edit this out. If you can or cannot hear it. I hope, I hope it can’t, but I was on a call with someone recently and they were like, what is that noise?
Like? There’s like, is there a big truck going? No, it’s the fan of my stupid computer.
Matt Siltala: [00:01:41] I could hear construction way back in the day, but I can’t hear anything in your background, but
Dave Rohrer: [00:01:46] maybe it’s just me, but like, it just doesn’t stop.
Matt Siltala: [00:01:49] Well, it’s annoying to know, like, I, I have some, uh, external hard drives that did some.
Dave Rohrer: [00:01:55] If someone listening works for Lenovo yoga, [00:02:00] cause I do have a transcript. So it’s going to say Lenovo yoga fan issues. They’re lovely. I love the computer, but good grief. The fan is atrocious fixture fan people. I will pay an extra 50 bucks in the next computer or the one sitting right next to it. That better not have the same problem.
Matt Siltala: [00:02:18] Maybe they can send you a hack.
Dave Rohrer: [00:02:21] That’s a hack hack, hack, hack it, keywords, stuffing it as well. Um, pushing you in. Yeah, I’ve seen all sorts of crazy site hacks and then there was the, um, I’m not, I don’t, I mean, I mispronounced it, but it’s the glute loader, um, expanding and basically it’s people using SEO to get pages, ranking that they’ve, you know, Being able to infect and like all sorts of crazy stuff.
Um, and getting you to click on links on those pages and download a PDF, which really not a PDF. Yeah. [00:03:00] Um, and all sorts of fun stuff. So yeah, like,
Matt Siltala: [00:03:03] um, getting all the people like my parents that click on that kind of stuff. Yeah. Luckily though I’ve trained them, but they’re still fall for stuff every once in a while.
Dave Rohrer: [00:03:13] Well, and this was, um, you know, accomplish this, uh, attack. They maintain a network of servers, hosting, hacked, legitimate websites. We, uh, estimate roughly 400 servers and operation. Um, and this was, you know, of, uh, of, uh, of a page and, you know, a medical practice spaced in Canada and I’ll drop links to it if you haven’t heard of this, but I’ve seen.
Crazy stuff on Shopify recently. I’ve seen crazy stuff in WordPress in the last three to six months. And I don’t know why I’m seeing why I’m personally seeing more of this than I have in the past. Yeah.
Matt Siltala: [00:03:50] That’s what I was going to ask you. Have you been reading any of the articles or anything that would give us a reason as to why we’re seeing this uptick?
Dave Rohrer: [00:03:57] Well, my wife saw the [00:04:00] one hack that I was running into or that I had a client that. I kind of worked on a little bit, but not much. Um, it was a similar hack, but not quite the same. Where, and I’ve seen it in the past, like years and years ago I was doing, um, uh, I had a few hours dedicated every month to like basically, you know, the outreach link building, looking for prospects and stuff.
And so one of the clients I happened across the U S a ski team, a website that I, I forgot that I had my little thing on, of course. Cooper you want to go outside? Yeah. So interrupted by my cat. Um, no, but it was the, uh, like a USA ski team or something like that. Um, it wasn’t a really big team, but I just happened to have, um, a little plugin that could make me view, like in different browser types, you know?
And it was one of those tools that you used, if you were a web dev and you wanted to see, you know, emulate what it looks like in [00:05:00] Mozzilla emulate what it looks in, IEE emulate what it looks in all these browsers, but there was also one as Google bot. Hm. And I happen to have it on at the time and I didn’t realize it.
And at the top of the foot, like a top of the page and the bottom of the page, like they’d been hacked clearly, and they just had tons of Viagra and like pills and casino and all that kind of links on the bottom. Um, well, geez. Um, that’s five. Yeah, I’ve come across one site, one site where it was some sort of injection.
Um, not visible. And it was like, you know, 3000 pixels off the page, but it would be put in the footer and it was just links to like all sorts of Viagra stuff. I came across to another site recently where they had been able to worm their way in to create pages in the book. So hundreds of like, it was probably, I think it was like 50 to a hundred pages created [00:06:00] around, you know, Pills porn casino dating, like all, you know, all sorts of crazy stuff.
Matt Siltala: [00:06:08] Yeah. Here’s the interesting thing though, that I have the quote like this stuff’s not supposed to work or I guess it does until you’re caught and a network is cleaned up, but it’s just interesting that this is still happening because you know, it’s still working to an effect. Well,
Dave Rohrer: [00:06:22] so that’s a good segue to how do you find it?
Well, Yeah. Are you doing a technical audit every so often? Are you running a crawler? Whether it’s, you know, a site ball, the screaming frog at deep crawl, you know, some rush, a roughs, you know, any of those systems,
Matt Siltala: [00:06:45] have you found that it’s the best for finding like these kinds of hacks,
Dave Rohrer: [00:06:49] um,
Matt Siltala: [00:06:50] or just, they all do similar.
Dave Rohrer: [00:06:53] I’ve found all of them various different ways. So. One of them. I found [00:07:00] because I was looking in Google search console and looking at some top queries and some of the top queries that were getting impressions, but no clicks were some of these, you know, undesirable terms. And I was like, why would they be ranking for that?
And then I started digging in and I was like, they rank for a lot of these types of terms, why to your point of it shouldn’t be working, but it is, their site is nothing about that. Um, also come to find out that, um, some of that stuff you find when you crawl it. Um, or again, I found another site where they had Google search console.
I started looking at the pages and, you know, it’s in that report where it’s like, you know, we found this page, but we haven’t indexed it. Um, and it’s like, well, what are these pages? It’s like, Oh, let me inspect it. One of them was actually getting links to like someone was building these [00:08:00] pages figured out that they could build it on this website and then was actually starting to build spammy junk links too.
Matt Siltala: [00:08:08] Oh, my
Dave Rohrer: [00:08:08] word. Um, which, you know, it’s just all sorts of fun and I think there’s different levels of. Things you can do. And I know if Chuck listens to this one, he’s going to scream at us and tell us we left off 50 things. Well, join us and leave. We are going to leave off 50 things because we’re at like minute eight and we’re probably going to do 15 to 20 minutes.
And there’s by no means, can we cover everything in one, um, like episode, we could probably do like a whole series for six months and still not cover everything you could possibly
Matt Siltala: [00:08:45] do. Everything that he would talk about would go over most people’s heads though.
Dave Rohrer: [00:08:51] Probably even some of it mine he’d be like, you need to do this.
And you know, we’ve just changed the changed the, uh, the, uh, uh, allow or not the [00:09:00] allowances. Change the, uh,
uh, certain files and, you know, delete certain files. I’m like, no, one’s going to do that. He’s going to yell at us now.
Matt Siltala: [00:09:12] I
Dave Rohrer: [00:09:12] know. Well, my wife would probably, can you hear me? How I say CCH Martin she’ll yell at me. Um, it’s been a long day.
Matt Siltala: [00:09:21] So you were, so you were saying something earlier about you, you seeing like it with WordPress two level.
What have you been seeing? Is it, I remember back in the day, you know, when you downloaded a free theme and we’d get tons of links injected in the footer or whatever, or just, you know, things like that, but what kind of stuff are you seeing? Are you seeing any more of that and what are you seeing?
Dave Rohrer: [00:09:41] I mean, I, not that I know somebody that has linked that apps, that I still do that, um, cause I do, um, yeah, it’s like, what do you want to rank for, um, the.
It’s a mix of things. So like so interesting. Some of it’s like forced search and I just [00:10:00] saw someone, um, in one Facebook group just today. And I’ve seen people for like the last four months talk about this, like that that’s, um, fake traffic spam that we saw like 10 years ago in Google analytics. And then we saw it five years ago where I’m, I’ve been seeing it again, like the last three to six months.
And I’ve seen it in some clients that don’t have. If you go into Google analytics, you can check a little box for, you know, filter out, spammy something, it doesn’t catch everything. Um, but clearly it hasn’t been catching whatever the people were doing recently, but you can block those sites. You can go in and do stuff, but if you’re not paying attention and that’s like the biggest thing, I think.
Like the biggest way to not get hacked or not have it remain there is to be vigilant. And to when you’re downloading a plugin, perhaps don’t do it on the live site, do it on a staging site or a local hosted site, [00:11:00] or a third point party. This isn’t my main site. Let’s just, you know, throw this on there and see what it does.
Yeah. Um, do some research on this stuff. Don’t leave it up after it’s been sitting there, you know, there’s been stories and I think we talked about it a year or two ago and off to look it up, but which is Matt realized I had just said a year or two ago, we talked about it. It’s a little crazy. Um, but yeah, there’s, um, people that go and buy old plugins that are not.
Being kept up anymore, but have hundreds and tens of thousands of installs and they take it over and then they update it once just to see what percentage of uptake there is for the, you know, whatever new feature fixes they say there are, and, you know, imagine 10,000 people. And within a month they’ve got 2000 people and within two months, you know, they’ve got 6,000 people and maybe not, everyone’s actively updating it.
All right. I’ve got about 5,000 targets now. So [00:12:00] if I do another update and I inject some of my not so good stuff, 5,000 people within a month, they’re going to have this on their site. Perfect.
Matt Siltala: [00:12:08] So what we’re telling everybody is make sure you’re updating these plugins, make sure that everything is okay.
Make sure you’re
Dave Rohrer: [00:12:15] vetting and make sure you’re updating them or get
Matt Siltala: [00:12:18] rid of them. But yeah, exactly. But even more important because we don’t want to be the cause of your site barking braking. Um, Make sure that you at least backup your site first, make sure you have some kind of a backup before you do any updates or you remove anything.
So I know most of the time you’ll be fine, but every once in a while, an update or moving up a plug-in has made things wonky on sites. So anyway, just have to throw that in
Dave Rohrer: [00:12:48] there too. No. Yeah. And it’s it’s I don’t know. Um, but there’s other things you can do to like, A word fence, you know, log-in [00:13:00] limit the logins.
Um, you can have it, so that only people from certain, like, even to the VPN level, like you have to be VPN in to be able to log in. Like, so if you limit who can log in from a certain IP address and you lock that down to your office or your VP at your company’s VPN, then no one can, you know, really try to really.
Hack their way in. Um, I probably had my wife on, I know she’s got crazy stuff set up where, um, she never uses admin. Like that is not a login. And if you try to use admin, it blocks you for like a month. Like it just bans her IP address for a month, but you can do that in Wordfence and you can do that in other security tools as well.
Um, there’s like a brute and, um, a login tool that I use on one of my sites where I’ve had a bunch of people trying to do it more often than not. And I was like, if you try three times unsuccessfully, you’re just banned for a month. So that gives [00:14:00] me a little bit of leeway. Yeah. Which one I’m logging into?
Um, I think it’s once maybe, um, once or twice, you know, because normally they’ll try one at password and I think I have it the same thing. It’s like, if you try, if you try to admin or, you know, Route or something. It just bands you automatically because I don’t use that. Like, that’s not a username I use, you
Matt Siltala: [00:14:21] know, it just, it just sucks that these business owners have to deal with this kind of stuff, because I mean, with everything else they got going on, like, I’ll just give you a couple examples of some texts,
Dave Rohrer: [00:14:30] better password than, you know, one, two, three, four, five, two.
Yeah. Don’t use admin. Don’t use one, two, three, four, five. Don’t use business name one.
Matt Siltala: [00:14:42] But, uh, but you’re going to, these are gonna drive you nuts though. I’ve, I’ve had, uh, you know, a couple of the people that I help with, some things, uh, email me about, or texts me about these too. Number one, they got a thing on Venmo [00:15:00] saying that they were accidentally paid and that if they could refund them, but it shows up in the Venmo.
And then you, you refund them, but they don’t, it wasn’t really them paying you, but then you were funded out of your actual real money. So there was one of them that they almost fell for it. So don’t fall for anything like that, guys. Um, do some due diligence. If anyone accidentally gives you any money in Venmo.
And then the other one is that’s been going around rapidly. And I don’t know if you’ve been seeing this either day, but, um, FedEx or ups or someone sending a tracking number saying. Um, or like an update to your shipping click on this link and unless you’ve ordered something and you know, that you’ve signed up or it looks like something you’ve gotten before nine times out of 10, if not 10 out of 10, you get those kinds of links, just randomly.
They’re going to be some kind of link to hack you. So just be aware of that
Dave Rohrer: [00:15:56] FedEx or ups one recently.
Matt Siltala: [00:15:58] Now you’ve seen that one. Yep. [00:16:00] Yep. Just don’t fall for it. Like if you know that
Dave Rohrer: [00:16:03] I’ve seen it for chase too, or, you know, other banks that I don’t, you know, whatever bank it is, bank of America and chase PayPal all the time.
And those are, those are garbage account. I actually do have, I’m just going to close this, delete this, and I will actually go and log into my account in my own browser to see what is going on. Well, and that’s
Matt Siltala: [00:16:23] what I was going to say. If all else fails, if you. I think that you might have legitimately been given a tracking number.
So it’s very easy to go back to your emails. They send them to you copy and paste that tracking number they gave you into the fedex.com website. Like it’s very easy to protect yourself folks. Yeah. So those are my last, I don’t know if you have any last minute tips for everyone.
Dave Rohrer: [00:16:47] I think just on the website side of things, um, do your due diligence when you’re looking at, at plugins.
Monitor your own website, monitor your Google search console, monitor your [00:17:00] Bing webmaster, monitor the errors, monitor the queries that are driving traffic. Look at your Google analytics and for the love and all of that styling and keep track of
Matt Siltala: [00:17:12] it. And for the level of all the totally Dave, don’t keep falling for your computer’s been compromised links.
Yeah. Sorry. I said, that’s the one that my parents always fall forward, but luckily now they
Dave Rohrer: [00:17:25] know. Um, but yeah, just pay attention to that stuff. Look at what pages are on your site, you know, crawl around your own site. Look at your Google search console. Look at your analytics. Look for stuff that doesn’t seem to belong there.
If there’s content and pages on there that maybe, you know, shouldn’t be there. There’s probably something wrong. So
Matt Siltala: [00:17:49] just to
Dave Rohrer: [00:17:49] do an audit every so often crawl your own habit, have a certain tool, whatever tool your preferences, don’t matter, have it crawl your site and see if it finds anything weird? Like I found perfect.
They [00:18:00] were in the site
Matt Siltala: [00:18:00] map. That’s crazy.
Dave Rohrer: [00:18:04] Whatever that, that one hack was legitimately got in the back end somewhere and was creating pages. Geez, that’s horrible. So,
Matt Siltala: [00:18:12] yeah. All right guys. Well, do a little bit of due diligence. Um, Just a Cooper
Dave Rohrer: [00:18:18] even talking and saying, doing it. I’m always cat yoga.
Matt Siltala: [00:18:22] right, well guys, thanks for joining us. And of course, if you have any questions, if you’ve come across anything wonky or weird or whatever you have questions about, if you’d like us to do another one of these, or if you have other questions, you know, reach out to us, let us know. Maybe we’ll get someone like Chuck Reynolds on, or, um, you know, and we can expand on this and go into it even more.
But, uh, for now, hopefully this gives you guys a little bit of an idea of what to look at and just things that we’ve seen recently. So for Dave roar with Northside metrics, I met socially without a launch media. And, uh, we do appreciate you guys taking the time to join us. One final reminder. We are on iTunes.
And so make sure [00:19:00] you run over to iTunes. If you like these episodes and give us a five star rating, it does help believe it or not. So thanks guys. We’ll talk to you later. Bye. Thanks.