How I fixed a website hacked with Japanese pages
How I fixed a PHP Website Hack (I like to call it Dehacking)
This article is based on a very specific website hack (I will be blocking out the name of the website to protect the privacy of the owners)
How I found out the website was hacked
When I came across this hack, I was not looking for a hack. I was doing some research for a marketing plan for the website. So, I did a Google search for the brand name, to see what was coming up in Google for the business generally.
As you can see from the graphic above, there’s something not right going on … This website is an English-language website, so it makes no sense for there to be any Japanese characters on this website.
Find all pages that Google indexes on your website
Type site:example.com into the search box in Google
Note that there are no spaces before or after the colon
Note that http:// is not included
NOte that www. is not included
With this method, you will find all of the pages that Google indexes on your website.
This should make sense. So, if there are ten pages on your website, this search should return ten results. So, in the case of the website I was working on, I knew there were roughly only ten pages. However, when I did the site:example.com search like above, I saw this:
5,160 results is about five thousand more than I expected. Something is wrong.
When I scroll down, to see all of the pages, on the domain, I saw this …
… loads more Japanese pages on this non-Japanese website.
Find out What Caused the hack
The reason why I am writing this article, is because this particular hack occured on a PHP, non-CMS custom-built website. Typically, it is much more unlikely for a custom-built website to be hacked, but it can happen, and the good news is that it’s usually easier to locate the issue and fix than on a CMS.
- First I checked the .htaccess file. This is a file that lives on the in the ‘root’ directory of your website. It looked fine. Nothing suspicious there.
- I checked the PHP files. PHP files end in .php. I found a file called events.php. This was suspicious to me, as this website doesn’t have any ‘events’. By checking the files and folers in the most recent backup, I could see that this was an addition – but the website owner knew nothing of it. Also, the file was added on a date when no changes were done to the website – this is highly suspicious. I deleted this file. This then removed all of the Japanese files from the website (the files now returned 404 errors. 404 means the webpage was not found.
What to do after my website has been hacked
After your website has been hacked, change all the passwords. This means;
- FTP passwords
- Admin login passwords (if applicable)
- Database passwords (if applicable)
- Host Admin passwords
Oh, and back-up your website (if it’s a WordPress website find out how here), just in case something funky happens again in the future.
After your website has been hacked, monitor closely for the next two weeks to be sure that you really fixed the issue.
After Hacking: Login to Google Search Console
This is why you should set up with Google Search Console (previously known as Google Webmasters) from the first day you launch your website, on the same day that you set up with Google Analytics. Login to your Google Search Console and check are any dodgy sites linking to yours.
Sometimes, Google Search Console will actually alert you to the fact that your website was hacked (in this particular case, it didn’t).
Check that there are no dodgy websites linking to yours (and if there are, disavow them), by going to Search Traffic > Links to Your Site:
In this case, dealing with this Japanese hack, suspicious sites would be Japanese websites (Obviously, assuming that you don’t do business in Japan, or otherwise expect genuine links), especially ones that have linked to your website since the hack. In my case, I didn’t find any suspicious sites linking.