Hackers have a new shtick: gaming the search engines. And they are using small business websites and personal blogs to do it.
There is an alarming trend in which hackers take over small business websites and blogs and use them as link drones to link to third-party sites. Their goal: to get those third-party websites to the top of the search engines.
If that weren't bad enough, the bad guys are so sneaky that your site may already have been compromised without your knowing it. And if that happens, your search engine rankings could tank.
This activity is happening with greater frequency and it's happening to small businesses and entrepreneurs. It even happened to Al Gore. In November 2007 his climate blog was compromised and became the poster child of this type of hacking.
Not Just Ecommerce Sites Affected
Some people still envision hackers as high school kids playing pranks and vandalizing sites. But they long ago graduated into crime rings involving credit card theft and identity theft. Now they're on to their latest crime spree: spamming the search engines.
If you're like me, when you heard about hacking attacks in the past you probably were mildly interested for all of 15 minutes. Then you promptly put it out of your mind, thinking one of 3 things:
"With the millions of websites out there, odds are it won't happen to our company website"
"We don't run an ecommerce site so there's nothing of value for a hacker - no credit card numbers, no confidential customer data"
"I write a personal blog and no hacker could possibly be interested in that!"
Well -- don't get complacent.
Since last year (2007) the number of hackings of blogs and smaller content-based websites has been on the rise.
The hackers are attacking smaller sites and blogs to take advantage of laxer security (after all, who worries much about security for a blog?). This is not just random activity, but part of an organized scheme. They search through the Web for certain types of software or back-end configurations that they've learned how to crack and go after hundreds or thousands of sites at a time.
StopBadware.org reports that it "has seen hundreds, and sometimes thousands, of sites that have been compromised at the same time with links pointing back to a single central point of infection."
It's All About Search Engine Spam
The hackers' goal is to gain control of your site so that they can insert links from your site to "bad neighborhoods" - adult sites, ringtone sites, and pharmaceutical sites. And by pharmaceutical sites I don't mean Merck or AstraZeneca, but rather that shady offshore site claiming to sell drugs without a prescription.
When the hackers insert the links into your site they are crafty. They hide the unauthorized links from casual observation. You could go on for days, weeks or months without realizing the links are there. However, the search engine spiders can see the links and may penalize your site for promoting spam. Worse, even if you manually remove the links, they may reappear because the hackers install hidden scripts that generate the links again.
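One way to look for such links yourself, as an added example that is not part of the original article: the script below walks a saved copy of a page and reports links to other sites that sit inside elements hidden from visitors. The inline-CSS hiding tricks it checks for, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-CSS tricks assumed here for hiding links; the article does not list them.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])|"
                          r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class HiddenLinkFinder(HTMLParser):
    """Collect off-site links that sit inside an element hidden by inline CSS."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []     # (tag, hidden?) for every open element
        self.findings = []  # (line number, href)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        # Hidden if an ancestor is hidden, or this element hides itself.
        hidden = bool(self.stack and self.stack[-1][1] or "hidden" in a or HIDDEN_STYLE.search(style))
        host = (urlparse(a.get("href") or "").hostname or "").lower()
        offsite = host and host != self.own_host and not host.endswith("." + self.own_host)
        if tag == "a" and hidden and offsite:
            self.findings.append((self.getpos()[0], a["href"]))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed elements do not skew nesting.
        tags = [t for t, _ in self.stack]
        if tag in tags:
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def find_hidden_offsite_links(html, own_host):
    finder = HiddenLinkFinder(own_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<html><body><p><a href="https://partner.example.org/">Our partner</a></p>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example.net/buy">cheap meds</a>
  <span><a href="http://tones.example.net/">ringtones</a></span>
</div>
<p style="display:none"><a href="https://www.myshop.example/sale">sale</a></p></body></html>"""

if __name__ == "__main__":
    print(find_hidden_offsite_links(SAMPLE, "myshop.example"))
```

It only sees links hidden with inline styles in the saved HTML; links hidden through external stylesheets or added by scripts at request time need a comparison against a known-good backup.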
So what happens if your website gets hacked? It's not pleasant. It means extra work and probably some extra expense. I know. It happened to one of my sites this past Christmas Eve.
In my case it took a few intensive days of work and lots of help from both my Web hosting company and my contract webmaster to resolve. Among other things we had to revert to earlier backups of the site code and databases.
Afterwards I decided to make it a point to write regularly and often about this alarming trend, to raise awareness.
How to Protect Your Website or Blog
I'm no security expert and don't claim to have all the answers myself. But from a practical standpoint, here are 3 steps to take:
(1) Talk this issue over with your internal tech team or outsourced webmaster, if you have one. Ask them to do a security audit to nip vulnerabilities in the bud.
(2) If you suspect your site has been hacked and do not have the luxury of an in-house tech team or dedicated external provider, get technical help immediately. Start with your hosting company. Even as a reasonably tech-savvy business owner, I could never have fixed things by myself. These hackings are too devious.
(3) Read up. Either you or someone in your organization should add this topic to your business reading. Become educated about the risks, how to spot trouble, and how to avoid it. Here are some articles and sites to read or to forward to others in your organization:
How to Protect Your WordPress Site (my own experience)
Google Online Security Blog
Oh, and good luck!