Recently, when looking at business listings in Google for tree trimming services, I found something surprising.
When I clicked on the website button from the Google My Business listing, it didn’t bring up a tree service website. Instead, it redirected to an online pharmacy.
This isn’t an isolated incident. I’ve also seen it on local listings from other industries.
What Causes This?
The problem isn’t the Google Business listing itself.
The website itself has been hacked. But the website owner may not realize that.
The hack doesn’t show itself when you visit the website directly – it stays hidden. Yet, when you visit by clicking through from Google, the hack takes effect and redirects to the pharmacy site.
Other Side Effects
Not only does the hack affect what happens when people click through from your listing, but it also saturates the Google search results for your business with pharmacy-related results.
In this case, it transformed the tree trimming website into a pharmacy website. Nearly every page on the site had been converted to a pharmacy page in the search results.
You can imagine how damaging this could be to the local business if it’s not detected and fixed quickly.
I used the “site:” search operator and ran a search in Google to see what pages would show up for this business. (Replace “domain.com” with your website domain, to try this for your own site).
Here are the results I saw. I’ll point out a few things in this listing.
- The subject line (title tag) has been hacked.
- The displayed link still looks valid.
- The description has been hacked.
The top result looks like a normal search result for the business. But when you click on it, it redirects you to the online pharmacy. Basically, all or nearly all of the search results for this website have been hijacked.
How Can I Prevent This?
Prevention is definitely the best cure.
This website was built in WordPress. WordPress is an excellent platform on which to build websites. It works well, is very flexible and is very popular. But this also makes it a big target for automated hacking attempts.
I monitor quite a few websites for my customers through my website care services, and I install software to monitor for hack attempts. On most sites with any amount of online presence, there are many hack attempts daily. Many of these are what are known as “brute force login” attempts – basically an attempt to log in as administrator repeatedly with different passwords. Usually, these come from many different places, both within and outside of this country. These aren’t the only way hackers gain access to a website. They also search for and test for known vulnerabilities, then exploit those.
An important thing to realize is that, for the most part, these aren’t individuals trying to hack into a specific website. Hackers are running automated software to try to gain access to a number of sites so they can use them for their purposes. You want to make sure your website isn’t an easy target for them.
Securing your website is a large topic, and I’ll touch on just a few of the basics here.
Protect Against Brute Force Logins
Once you install and configure one of these plugins, make sure that all your existing passwords are strong.
Check through your list of users. Remove user accounts that you no longer need.
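To see the brute force login attempts described above in your own web server access log, here is a small checker, added as an example and not part of the original article. It assumes Common Log Format lines and WordPress's usual behavior of answering a failed login with status 200 and a successful one with 302; the log lines, window and threshold are constructed for illustration. It counts failures across all addresses per time window, because attempts that come from many different places stay under any per-address limit.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Common Log Format: ip - - [time] "METHOD path HTTP/x" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def login_failures(lines):
    """Yield (time, ip) for each POST to wp-login.php answered with status 200."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: 200 means the login form was shown again (failed attempt).
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip

def brute_force_windows(lines, window=timedelta(minutes=10), threshold=5):
    """Return [(window_start, failures, distinct_ips)] for windows at or above threshold."""
    buckets = {}
    for when, ip in login_failures(lines):
        start = when - timedelta(seconds=when.timestamp() % window.total_seconds())
        buckets.setdefault(start, Counter())[ip] += 1
    return [(s, sum(c.values()), len(c)) for s, c in sorted(buckets.items())
            if sum(c.values()) >= threshold]

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.7 - - [12/Mar/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [12/Mar/2024:10:02:11 +0000] "GET / HTTP/1.1" 200 18230
203.0.113.44 - - [12/Mar/2024:10:03:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.77 - - [12/Mar/2024:10:04:19 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.23 - - [12/Mar/2024:10:06:33 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.9 - - [12/Mar/2024:10:08:50 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.200 - - [12/Mar/2024:10:09:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
""".splitlines()
```

In the sample, no single address fails more than once, yet the ten-minute window holds six failures from six addresses, which is the pattern a per-address lockout alone does not catch.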
Better Yet, Use A Firewall
A firewall does more than just protect against brute force password attempts. It also checks for attempts to break into a site with known vulnerabilities. Two of the well-known names in the firewall industry are Wordfence and Sucuri. I’ve used both and had good results with them.
Sucuri has a paid subscription-based firewall service that offers excellent protection. It sits between your website and the public and filters all access to your site. They also have a plugin that you can install on your site to scan it for vulnerabilities and report them to you.
Wordfence offers a free or paid plugin that installs on your website and scans for vulnerabilities. It also filters incoming access, but its ability to protect your site is not as strong, in my opinion, because it exists as part of your website rather than on a separate server.
Keep Your Website Software Updated
Aside from brute force login attempts, one of the main ways your site can be compromised is through outdated software. That includes WordPress, themes, plugins, and PHP (the programming language that WordPress is built on).
Wordfence and other security plugins can be configured to notify you of outdated software, and there are other plugins that do this also.
There are also plugins that will check for necessary updates and automatically update your site. While these can work, I recommend that you have a person do the updates instead of automating them. Then have him check the site afterward to make sure it’s still working properly.
Why? Because updates sometimes break the website unexpectedly. It doesn’t happen often, but when it does, it takes time to unravel. Take backups before updating, so you can restore from the backup if there are problems with an update.
Make sure that if you install Wordfence or other site protection software you configure it to send the problem notification emails to the correct address. It would be a terrible feeling to find out your website is compromised only to then realize that your security software tried to notify you, but you weren’t receiving the emails.
Harden Your Website Installation
The idea behind this is that you can make some changes to your website to make it harder to hack into, or at least less obvious how to hack into it. This involves things like changing database table names and obscuring obvious “fingerprints” that would make it obvious what software and software versions you are using. There are a number of plugins that will help you with hardening your website.
Use a Secure Hosting Platform
If one website is compromised on, say, a virtual web server, then a hacker might be able to gain access to other websites on that same server and compromise them as well. Or if that server is not being kept up to date, that could provide another route. Do your research and choose a host that’s known for being secure. Expect to pay a higher rate monthly than you would for rock-bottom hosting.
Website Care Packages
If you need help with monitoring and securing your site, we offer that as part of our website maintenance packages. For a monthly fee, we keep your website software updated, install and manage security software, and work with you to keep your website more secure. We also monitor your Google listings and just generally keep an eye on things. Contact us for more information and a more complete list of what’s included.
What Should I Do If My Site Has Been Hacked?
If you have the technical skills, you can clean up the site yourself. Be forewarned, it’s a lot of work. Even if you have the necessary skills, it may be more cost-effective to contract with someone else that you can trust.
Sucuri provides a hack cleanup service as part of their firewall plan. If your website has been hacked, I would advise signing up with them, anyway, to get use of their firewall, and their cleanup service is included as part of the package.
However, if you’ve been hacked, you can’t just pass off the responsibility fully to them; you have to stay involved or have someone technical who will. I have found that it may take several iterations of letting Sucuri know what’s wrong about your website, them cleaning it up as they see fit, then contacting them again several more times to clear up remaining problems. They are good at what they do, but they don’t know your website like you do and may not catch everything the first go around.
In addition to getting the hack cleaned up on your website, you’ll also need to clean up the Google organic search listings. This is tedious and has to be done one page (one URL) at a time, submitting a request to Google to reindex or deindex each affected page.
This is just a brief overview of the cleanup process. There are many more resources online that go into more detail. If you need someone to clean up after a website hack, you’re welcome to contact me. There are also other companies available online that specialize in this service.
Cleaning up after a hack is tedious and time-consuming. The best approach is to prevent it in the first place.
It’s good to look at your website regularly. I think most business owners do that.
But it’s also important to regularly look at your Google listings (Google My Business and organic search) and click through to your website, since these may show different results than just visiting your site directly.
Here are a few steps you can do right away:
- Search for your business in Google (e.g., tree service athens tx).
- Check the Google My Business listing and click through to your website to make sure you get what you expect.
- Check the organic search results and click through to your website on those also.
- If everything looks good, then take the steps mentioned above to make sure your website is sufficiently secure.
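The click-through check in the steps above can also be run as a script. This is an added example, not part of the original article: it requests your own site once as a direct visit and once with a Google Referer header, then reports anything that only the Google click-through sees. The keyword list, the sample responses and the example domains are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

UA = "Mozilla/5.0 (X11; Linux x86_64)"
PROFILES = {  # a direct visit versus a click-through from a Google result
    "direct": {"User-Agent": UA},
    "google_click": {"User-Agent": UA, "Referer": "https://www.google.com/"},
}
SPAM_WORDS = ("pharmacy", "viagra", "cialis")  # assumed keyword list, extend as needed

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx response instead of following it

def fetch(url, headers):
    """Return (status, Location, body) for one profile without following redirects."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, "", resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or "", ""

def site_name(url):
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def findings(site_url, status, location, body):
    """Problems in one response: an off-site redirect or spam words in the title."""
    off_site = 300 <= status < 400 and site_name(location) not in ("", site_name(site_url))
    out = ["redirects off-site to " + site_name(location)] if off_site else []
    match = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = match.group(1).lower() if match else ""
    return out + ["title contains " + w for w in SPAM_WORDS if w in title]

def cloaking_report(site_url, responses):
    """Findings seen on the Google click-through but not on the direct visit."""
    direct = findings(site_url, *responses["direct"])
    return [f for f in findings(site_url, *responses["google_click"]) if f not in direct]

def check_site(site_url):
    """Live check: fetch the URL once per profile, then compare."""
    return cloaking_report(site_url, {n: fetch(site_url, h) for n, h in PROFILES.items()})

# Constructed responses for a hypothetical hacked site (not captured traffic).
SAMPLE = {"direct": (200, "", "<title>Acme Tree Service</title>"),
          "google_click": (302, "https://pills.example/buy", "")}
```

Call check_site() with the full URL of your own site; an empty list means both visits looked the same. A redirect performed by JavaScript in the browser does not show up in the HTTP response, so keep doing the manual click-through as well.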