How File Injection Attacks Hurt Search Rankings & How to Overcome It

by Dr. Matthew Memmott

 

Editor’s note: This is a guest post from Dr. Matthew Memmott, a nuclear scientist by day and web marketer by night, whose post is on the hard lessons he learned on fixing a website after it has been hacked.

I had been complacent. I’d been hearing horror stories for nearly two years about the problems with having a website hacked. For as long as I’ve been dabbling in Internet marketing, I was warned time and again that my websites were under constant threat from some unknown villain just waiting to get into my files. Nothing had happened for 2 years, and I figured that nothing really WOULD happen, but I was wrong, and it was a costly misstep. I’m primarily writing this as a warning about what to look for, and what you can do to minimize the time that your website spends at the bottom of the rankings after being hacked.

I have been working with a WordPress site that specializes in online colleges and universities for a couple of years. Since the beginning of this year, I’d been enjoying a rank of 3 or higher on my primary keywords, and life was good. However, a little under a month ago, I noticed that my website dropped to about 30 in the Google rankings for my primary keyword. In addition, a Google search for any keyword showed the website with dramatically decreased rankings, followed by a link that read “this site may be compromised,” as seen below.

Following this link led to a series of Google pages that described how to remedy the problem, but they focused on malware or obvious hacking problems. I was shocked and terrified, and immediately went to my website. Much to my surprise, everything seemed to be in working, un-hacked order. I was baffled and decided to check out my coding via the editor in WordPress. Imagine my confusion when this coding was also intact. Curious, I downloaded a few files from the server at random, and they looked fine. Finally, I highlighted a few pages and checked the source code, but I didn’t find any problems. After all of this looking, I came to the conclusion that either the message was a mistake, or else Google was punishing me for doing something on my site. Since I had recently added thousands of pages of content, listing every school in the United States on my site, I figured the latter was true, and I stopped worrying about it. I had even mentioned to Paul (the owner of mymarketer.net) that I thought Google was foolish and petty for punishing me for not adding content “correctly.” Paul responded that Google is generally right about sites that have been compromised, and that I should very carefully search through and fix my site.

Fast forward two weeks, and my site visits had plummeted. I was down to about 10% of my previous level of visitors, and those that came didn’t spend much time on my site. Not only that, rankings for keywords continued to decay despite adding fresh content and new valuable functions for interested users. I was at my wits’ end as to why Google wasn’t responding, and why I couldn’t get that warning out of the Google searches. I knew it was killing business, and making marketing near impossible, but I couldn’t do a thing about it. So more weeks passed, and my traffic to the site continued to suffer.

Finally, just 3 days ago, I had a lucky break. A friend called me and asked why I was advertising Viagra on my site. What?!? She told me that she couldn’t remember which site was mine, so she had searched for the general name of my site (turns out it was the name of my site with spaces between each word). She then told me that the results showed my website main page multiple times, but with bogus titles and with lots of spammy content in the descriptions. This made no sense, so I copied her Google search with the following results:

Sure enough, my website was advertising all kinds of bogus, spammy content. As bad as this revelation was, in a way it was good, because it let me know I really HAD been hacked, and so I started working on fixing it. The problem was, there STILL were no changes to my files, either on the server, or in WordPress. I decided to use Google webmasters’ “fetch as Google” tool (for those who don’t know, this is done by clicking on the “health” sidebar option, and then “fetch as Google”). This in essence allows you to bring up the first 100kb of text as seen by the Google robot that crawls your site. What I found baffled me. Right smack dab in the middle of the coding was a series of spammy links with the same titles as were found on my Google search:

But, this was not the same code that was in my files, or even in my WordPress editor! How could this have happened??

Well, long story short, the hackers were extremely clever… they knew that if I saw changes to my coding, or even to my website, I would find the problems and fix them. So they upped the ante: they created files that were completely separate from my files. These files then created global variables that could be called into use for other files or scripts. They used additional files to insert this text into my site source files when the Google robot crawled my page.

So in essence, these spammy links and content were invisible to a human visiting the site while surfing the internet, and even to me as a WordPress administrator. However, they were triggered to show up as part of the website source files text whenever Google crawled the page. Devious, right? I’m convinced that the whole point was to wreck the site without my knowing and destroy my marketing capability!
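The comparison described above can be repeated offline once both copies of a page are saved: the HTML a normal browser receives and the HTML shown by “fetch as Google”. This is an added example, not code from the original post; the sample pages, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return set(parser.links)

def cloaked_links(visitor_html, crawler_html, own_host):
    """Links that appear only in the crawler's copy, off-site ones first."""
    extra = extract_links(crawler_html) - extract_links(visitor_html)
    def offsite(link):
        host = urlparse(link[0]).hostname
        return host is not None and host != own_host
    return sorted(extra, key=lambda link: (not offsite(link), link))

# Constructed sample pages: what a visitor sees vs. what the crawler was served.
VISITOR_HTML = ('<html><body><h1>Online Colleges</h1>'
                '<a href="/schools">All schools</a></body></html>')
CRAWLER_HTML = ('<html><body><h1>Online Colleges</h1>'
                '<a href="/schools">All schools</a>'
                '<div><a href="http://spam.example/pills">cheap pills</a>'
                '<a href="/wp-content/x.php?p=1">discount meds</a></div>'
                '</body></html>')

if __name__ == "__main__":
    for href, text in cloaked_links(VISITOR_HTML, CRAWLER_HTML, "colleges.example"):
        print(f"crawler-only link: {text!r} -> {href}")
```

Take the crawler copy from “fetch as Google” itself rather than from a request with a spoofed user agent, since an injection can key on the crawler's network address as well as its user-agent string.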

The good news in all of this is that the hard part of recovering from this hacking attack was finding out what happened. The solution once this was discovered was relatively straightforward: simply eliminate the injected files from your server directory, thus eliminating the spam-inserting code.

This is harder than it sounds, however, because it can take a while to search every single file on your server, particularly if your website is large. An additional challenge, and one that I ran into, is that you may not be aware of what files are new, or what coding has been added. This was part of my problem; since web marketing is a side hobby rather than a profession or way of life for me, I didn’t know enough about the files and file structure on my server to recognize new files. Luckily, I did find some surprisingly simple pathways that shortened my recovery time and kept me from paying lots of money for someone else to fix the site. I have put together some tips and advice for how to overcome a case of file-injection hacking for your website!

1. Install a plugin that monitors changes to your files. I didn’t have one of these, but it would have helped me find out if someone had hacked my website. Basically, this won’t help you to avoid being hacked, but it will let you know when files change, and if you didn’t change them, or didn’t expect the change, you know that you should be concerned about the file that was changed.

2. Believe Google. It was easy for me to vilify Google and to think they were messed up in their warning, but in the end they were exactly right. I had been compromised, and I didn’t do anything about it until my marketing efforts had really suffered. If you see this warning, diligently search for the cause, and don’t be so quick to assume it’s a mistake.

3. Look for files on the server that were added or altered recently. If you have a WordPress file monitor plugin, this is much easier. If you don’t have one (as was the case with my situation) but you have an idea of when the hacking occurred, you can try to find files that were changed in that timeframe. I had a general idea of when Google’s warning showed up. I listed the files and folders according to date and searched through the ones that were altered in that timeframe. This could include plugin files, so be sure to look through those as well.

4. Back up your files!! This was actually the most important step for me. I had been backing up my files once a month (not frequently enough, it appears) to my computer from the server via sftp. I had searched through all of my system files, but there were still lingering bits of code that I couldn’t find readily. Luckily for me, I had a file backup from May. I moved the old file structure for my website to a “Hacked” folder and copied the backup from my computer to a fresh, clean folder. This worked like a charm, but meant I had to reinstall some plugins and redo some of the changes I had made in June.

5. Back up your database. All your content is actually stored separately from your WordPress file structure. It is saved in a database, and this database can either become corrupted, or hacked directly. Thus, it’s a good idea to back up your SQL database so that in case it is needed, it can replace your hacked database. Backing up regularly helps reduce the pain involved in duplicating the content you’ve already written.

6. Re-submit your site to Google. Be sure to “fetch as Google” your site pages once you think you are clean, just to make sure no hacked coding shows up. Once it’s clean, then click on the button that is on the “fetch as Google” page that allows you to re-submit your site for Google indexing. Because this experience happened to me so recently, my site hasn’t yet shown up as “uncontaminated” in Google’s search, but I’m hoping that I will see this happen soon.
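Tips 1, 3 and 4 combine into one check: compare the live site files against the last clean backup by content hash, and list the files modified since the date the warning appeared. This is an added example, not code from the original post; the function names and directory arguments are assumptions.

```python
import hashlib
import os
import sys
from datetime import datetime

def sha256_of(path):
    """Hash a file in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file's path relative to root -> (sha256, mtime)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = (sha256_of(full), os.path.getmtime(full))
    return files

def compare_to_backup(live_root, backup_root, since=None):
    """Report files added, changed or missing relative to the clean backup,
    plus files whose mtime is on or after `since` (a datetime)."""
    live, clean = snapshot(live_root), snapshot(backup_root)
    report = {"added": [], "changed": [], "missing": [], "recent": []}
    for rel, (digest, mtime) in sorted(live.items()):
        if rel not in clean:
            report["added"].append(rel)      # not in the backup: new or injected
        elif clean[rel][0] != digest:
            report["changed"].append(rel)    # your own edit, an update, or tampering
        if since is not None and mtime >= since.timestamp():
            report["recent"].append(rel)
    report["missing"] = sorted(set(clean) - set(live))
    return report

if __name__ == "__main__":
    # Usage (arguments are placeholders): python compare.py LIVE_DIR BACKUP_DIR YYYY-MM-DD
    live_dir, backup_dir, day = sys.argv[1:4]
    result = compare_to_backup(live_dir, backup_dir, datetime.strptime(day, "%Y-%m-%d"))
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Modification times can be reset by whoever planted the files, so treat the hash comparison as the primary signal and the date filter as a shortcut for narrowing the search.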

Above all else, make sure you do these things in a very timely manner. The longer you wait, the longer your site will drop in rankings and page visits. No one wants to visit a site “that has been compromised” because all kinds of unsavory visions of illicit behavior and virus-ridden pages come to mind. Most importantly, just like insurance, the prevention tools I’ve described above cost some time to implement, but the confidence in knowing you can quickly and effectively handle a file-injection hacking attack is well worth the work!

Matthew Memmott is a nuclear scientist who designs advanced nuclear reactors for his profession. He obtained an M.S. and Ph.D. in Nuclear Science and Engineering from MIT. He is a hobby WordPress coder and webpage developer, and he dabbles in learning PHP and HTML. He does internet marketing for online colleges and universities in his spare time through a few websites that he has created. He is passionate about teaching and helping others learn, and tries to encourage self-education whenever possible.
