Why websites get hacked and how it affects SEO

We will send the material to you by email:

    Время чтения: 7 мин.

    On the Internet, I am known as a practicing SEO specialist from Russia. And when it comes to site security, everyone habitually starts thinking about completely different terms like “IT-SEC” or “IB”, and some even associate with antivirus companies. But if you are from that very category of people, then I will expand your horizons, because site security directly affects SEO results.

    Suppose that your site has become infected with a virus and has become unavailable to users, then the search engine will remove you from the TOP after a short time. But more often it happens like this: if your site has become infected with a virus, then the search engine marks it as a potentially dangerous web resource that can harm the user and, accordingly, decreases in the search results (or even throws it out of the SERP). That is, infection of the site with viruses directly affects the results of SEO; this is important to understand.

    Когда пытаешься перейти на зараженный сайт

    When you try to go to an infected site

    Why does a search engine mark a site as potentially dangerous or fraudulent?

    Over the past few years of personal observation, I have noticed that attackers infect (most often commercial) sites in order to steal sensitive personal data: passport scans, product serial numbers, payment and banking information of users.

    But there is still such a thing that an attacker hacks a site only in order to use the server’s power for his own selfish purposes. For example:

    • spam mailing;
    • building a doorway grid;
    • bot-no network;
    • creation of a laying site for traffic transfer;

    At the same time, the site itself is of no value to them. Therefore, this should dispel the myth: “If my site has not been promoted, has no backlinks and is generally poorly designed and unknown to anyone, then it is not of interest for hacking.

    The third option is far from rare – hacking “fat” high-trust sites in order to sell or place your own links.

    How our sites are broken and hacked

    The vast majority of people think that their sites are being hacked by hackers. This is partly true, but the hacker himself takes a very indirect part. Almost always, websites are hacked automatically or semi-automatically using exploit kits. Let’s deal with the terminology.

    Цена за Exploit Pack может доходить до 25 000$

    Exploit Pack can cost up to $25,000

    An exploit is a vulnerability on a website that can be exploited. By exploiting a vulnerability, a hacker gains access to a website or server, or all at once.

    An Exploit Pack is a collection of vulnerabilities known to a hacker in one heap.

    Exploit Kit is a software module that allows you to automatically sort through and apply exploits to the victim’s website in sequence from the knowledge base (from the existing exploit pack).

    Обычно Exploit Kit продается в связке с Exploit Pack'ом

    Usually the Exploit Kit is sold in conjunction with the Exploit Pack.

    Using this set of tools, a hacker searches for vulnerable sites all over the Internet, and as a rule, the number of hacked sites reaches from several hundred to several tens of thousands. Exploit packs are mainly created by hacker groups with their subsequent resale on the black market. In my practice, I have never seen information security companies buy them for their pentest laboratory work (penetration audit).

    What are the types of attacks:

    XSS – cross-site scripting, exploits insecure forms and dynamic scripts on the site.

    SQL-inject – SQL code injections for the purpose of database exploitation.

    PHP – including – injection through an unprotected PHP script of your own PHP code.

    CSRF – domain cache poisoning.

    These are the main types of attacks supported by exploit packs.

    In addition, there are many other attacks: DDoS, phishing, social engineering. But these attacks are more complex and require real body movements from hackers. To carry out such attacks, the attacker must have a real motivation to do harm. You should be afraid if you are a commercial bank, a large aggregator or an online store, a game server, etc.

    How do you know if a site has been hacked?

    But if you are still not a bank, then how do you know that your site has been hacked? Sometimes it’s noticeable right away:

    1. Your site has stopped working (often gives a 500 error);
    2. Your site has become extremely slow;
    3. Site deface (Deface – changing the main index page of your site to a hacker page);
    4. Part of the functionality of the site has stopped working;
    5. The site often crashes into a 502 error;
    6. You are not allowed into the admin area.

    Sometimes it happens that there are no visible symptoms, but if you go to your site via FTP or look through a file manager (cPanel, Plesk, ISPmanager, DirectAdmin), you may find unfamiliar files that were not there before. As a rule, they contain encrypted instructions, part of the code in general can be obfuscated and encrypted in the same way.

    It is useless to engage in SEO website promotion while it is infected with malicious scripts.

    Пример реализованного дефэйса на сайте

    An example of an implemented deface on the site

    You can try to make a pathetic attempt to manually or automatically delete all these files with questionable content, but after a short time they will appear again. At the same time, it should be noted that the “native” files of your CMS can also be infected, someone else’s code is organically embedded in them, and without knowledge of PHP it can be difficult to figure out what is what.

    This situation is familiar to many, even experienced webmasters are confused. It’s good if your hosting plan includes the function of anti-virus scanning and cleaning of all malware, but many hosts still do not have this and this is a real problem.

    Anti-virus cleaning is good, but it is important to understand how the hack occurred. That is, you need to identify the vulnerability. To do this, we need to open all our logs with logs and conduct a thorough analysis and identify at what point something unusual happened. Based on this, you need to put a “patch” on the site so that such incidents do not happen again.

    If you are using a non-self-written CMS, then in most cases timely updating of all used plugins, deleting unused ones, updating the CMS core, and optimizing the database will do. If you have a self-written CMS, then the phrase “Contact your developer” will fit more than ever.

    Sites on which CMS are most often hacked

    Until now, a myth lives densely in people’s heads that most often hack sites created on free CMS such as:

    • Joomla
    • WordPress;
    • MODx
    • opencart
    • etc.

    In fact, this is a big misconception. Paid CMS are also actively hacked, some more, some less. It all depends on the support team of this CMS, on its efficiency in finding and fixing vulnerabilities. For free CMS, this is mostly done by the community.

    CMS manufacturers (especially Bitrix) like to say that their CMS is the most secure, but in fact there is no perfect protection and absolutely everything breaks if you really want to. Yes, you can protect yourself from bots working in conjunction with an exploit pack, but if people (hackers) decide to purposefully hack you, this will most likely happen.


    Most likely you are not a bank or a large corporation doing business with the whole world, and few people are interested in you. With a probability of 99%, your uninteresting sites will be broken by bots and a real hacker does not care about you. You can protect yourself from bots by timely updating the CMS core and plugins, if you have a VPS / VDS, then we rely on your system administrator, otherwise all other issues can be resolved with hosting technical support.

    If you have a lot of competitors wishing you “death”, there is a chance that they will lay out a tidy sum of money for a hacker to carry out targeted attacks (eg DDoS) on your site. In this case, you should initially take care of your security at the stage of choosing a hosting. Sooner or later, competitors will realize that their idea is simply not profitable.

    Автор статьи: Роман Бондарь

    Article author: Roman Bondar

    Article author: Roman Bondar

    I have been doing SEO for websites since 2011. Co-owner of the marketing company IMarketing (Kazakhstan). Author of many articles on effective link building and non-standard crowd marketing. Website Information Security Practitioner.

    5/5 - (2 votes)