As a business owner site security should be a priority, it is, in fact, your company “face” to the whole world. There is nothing worse than opening up Google Analytics to see that everything has plummeted.

The frightening thing is this could happen and if Joomla website owners don’t know or fail to google their own page, it can easily get lost in the shuffle.

One of the first symptoms that some Joomla website owners see that indicate they've been hacked is when they Google their own site and instead of seeing information in the search results about their product or service they instead see Japanese characters, advertising for shady products (casinos, payday lenders, imitation fashion goods, pharmaceuticals) or links to pages that shouldn't exist and contain information about another domain's spam offering.  

Occasionally, the search results even look legitimate and reflect the actual website, but when visitors browse through they're redirected to a dark corner of the Internet.

 

Example of a hacked Joomla website in Google Search Results.

What Hackers Gain from SEO Spam

This attack is of a variety commonly referred to as SEO spam or search engine poisoning. Hackers benefit from these attacks in a few different ways:

• They can use your hacked Joomla site to boost the rankings of another site by creating many links to it. This works because one of the well-known elements of Google's search ranking algorithm is the number of links to a website from other websites.
• They can manipulate the traffic numbers for a third-party website to make it look like a marketing effort is doing better than it is.
• They can use the redirects to check for vulnerabilities in your visitor's applications and initiate an attack when they are vulnerable, delivering malware to your users.
• They can damage your search engine rankings to benefit a competitor.
• They can redirect visitors to other products and services simply in an attempt to sell, as unlikely as that may seem.

Two Common Hacks on Joomla That Result in Spam Results in Google

The two most common attacks that result in search engine poisoning are:

• Altering the response back from your website for search engines
• Stealing ownership of the site using Google's search console.

Both of these attacks are executed after a hacker has compromised your Joomla site.

#1 Altering the Response of the Hacked Site

The Internet is based on a communication protocol called hypertext transfer protocol (HTTP) and every web address that you enter into your browser begins with that "HTTP". For example, you are reading this webpage on http://bluebridgedev.com/blog/entry/hackers...

As apart of this communication protocol, certain identifying information is passed with every request for a webpage. Hackers take advantage of this by checking to see who is requesting a page on your site and altering the response based off of who it is.

When the browser identifies itself as a search engine, the hacker script will return different information than what a normal visitor would see.

Google takes this information and saves it in its index, not knowing that it has been maliciously altered by a hacker. Then when someone performs a search, they see the sabotaged information and not the actual content of your website.

#2 Stealing Ownership Of A Website

It is possible for hackers to gain access to your website and completely take over “ownership” or at least ownership in the eyes of Google or Bing.

In the back end of both Google and Bing, they provide an interface for website owners to influence and manage the results for those particular search engines.

They address common issues and questions and provide some visibility into how the website is interpreted by the search engine.

Hackers take advantage of this by claiming ownership of the website and then submitting a sitemap that is filled with spam pages and links.

Once this is accomplished, your site will begin to rank for terms that have nothing to do with it and help to direct traffic to third-party websites.

This can be done this because Google bases ownership on control of the website and, once a Joomla site is compromised, hackers effectively control it and are able to convince Google that they are a verified owner.

The Damage to Your Google Rankings Caused by Being Hacked

While this sort of attack is being executed, Google may determine that your site has low-quality content and de-index pages, gradually rendering your website invisible in the search results.

Fortunately, once a website has been recovered, and a new sitemap submitted, this damage can be reversed.

Graph Showing Google De-Indexing Hacked Site Pages

However, there is some anecdotal evidence that if Google recognizes that you have been hacked, and marks it as containing possible malware, your search engine rankings may diminish even after you have recovered your Joomla site.

How to Fix This Attack

Just like other successful attacks, the way to correct search result poisoning is to complete a full recovery, remove any hacker placed files from your site, and submit a clean sitemap and a request for review to Google (if they have marked your site as being hacked.)

It's important to note that it's critical that all hacker manipulations of your site files are eliminated and any vulnerabilities patched. It's common for hacker placed files and changes to be discovered and removed only to be hacked again within a few weeks.

For more information on recovering a Joomla website that is been hacked, check out our guide How to Fix a Hacked Joomla Site and the accompanying PDF "Does Google Know You're Hacked?" (Available from that guide using the slide -in-box in the bottom right corner.)