This page provides information about identifying and removing website badware. It does not cover every situation, only the most common cases we see at StopBadware. Some cases may require further help from a security professional. For additional information and assistance, try posting in Google's hacked sites forum.
Before you clean up your site, we recommend you:
- Take your site offline. Doing this will help you protect your visitors.
- Use a reputable antivirus product to scan your PC. Antivirus software won't detect infections on your website, but if your PC is infected, it can compromise your website. Make sure your PC is clean before you make any changes to your site.
- Make sure you are running the latest version of your website software. Whether it's WordPress, Joomla, osCommerce, or something else, be sure you have the latest version. Update if your software is outdated.
- Change all passwords. That means your FTP/SFTP password, admin panel, and anything else you use to log in or alter your website.
Common types of badware behavior
The three most common types of badware behavior StopBadware sees on compromised websites are malicious scripts, .htaccess redirects, and hidden iframes. NOTE: If your site is displaying a "may be hacked" warning, you'll have to use Google's process to remove the warning. Sites labeled "may be hacked" are different from sites labeled "may harm your computer" or "attack site." RedLeg has a good overview of "may be hacked" results here.
Malicious scripts are often used to redirect website visitors to a different site, or to load badware from another source. See how this script misspells "analytics"? Some malicious scripts use names that look like they're coming from legitimate sites.
These scripts will often be injected by an attacker into the content of your web pages, or sometimes into other files on your server, such as images or PDFs. Sometimes, instead of injecting the entire script into your web pages, the attacker will only inject a pointer to a .js or other file that the attacker saves in a directory on your web server.
Many malicious scripts (like the one below) use obfuscation to make them more difficult for antivirus scanners to detect.
The Apache web server, which is used by many hosting providers, uses a hidden server file called .htaccess to configure certain access settings for directories on the website. Attackers will sometimes modify an existing .htaccess file on your web server or upload new .htaccess files to your web server containing instructions to redirect users to badware websites.
An iframe is a section of a web page that loads content from another page or site. Attackers will often inject malicious iframes into a web page or other file on your server. Often, these iframes will be configured so they don't show up on the web page when someone visits the page, but the malicious content they are loading will still load, hidden from the visitor's view.
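The three behaviors above (external or lookalike script sources, obfuscated eval wrappers, hidden iframes, and .htaccess redirects to other hosts) can be checked for with a small scanner run over each file's contents. This is an added example, not StopBadware's file viewer or any tool the page names; the TRUSTED_HOSTS allowlist, the regexes, and the sample page and .htaccess text are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts your site legitimately loads scripts from or redirects to (assumed list).
TRUSTED_HOSTS = {"example.com", "www.example.com", "www.google-analytics.com"}

# Iframes styled or sized so the visitor never sees them.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)[^>]*>", re.I)
# Any <script src=...>; the host is then checked against TRUSTED_HOSTS,
# which also catches lookalike names such as a misspelled "analytics".
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Common obfuscation wrapper: eval() over a decoded or char-code string.
OBFUSCATED = re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I)
# .htaccess rewrite/redirect directives whose target is an absolute URL.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*?(https?://[^\s\"']+)", re.I | re.M)

def external(url):
    host = urlparse(url).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS

def scan_text(name, text):
    """Return (file, indicator, evidence) findings for one file's contents."""
    findings = []
    if Path(name).name == ".htaccess":
        for m in HTACCESS_REDIRECT.finditer(text):
            if external(m.group(1)):
                findings.append((name, "htaccess-redirect", m.group(1)))
        return findings
    for m in HIDDEN_IFRAME.finditer(text):
        findings.append((name, "hidden-iframe", m.group(0)[:80]))
    for m in SCRIPT_SRC.finditer(text):
        if external(m.group(1)):
            findings.append((name, "external-script", m.group(1)))
    if OBFUSCATED.search(text):
        findings.append((name, "obfuscated-script", "eval(unescape|fromCharCode"))
    return findings

# Constructed sample input (not from any real site) showing all three behaviors.
SAMPLE_PAGE = """<p>Welcome</p>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://cdn.analitycs.example.net/ga.js"></script>
<iframe src="http://bad.example.net/x.html" width="0" height="0"></iframe>
<script>eval(unescape('%61%6c%65%72%74'))</script>"""
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://bad.example.net/go [R,L]\n"
```

To scan a whole site, call scan_text on each .html, .php, .js and .htaccess file read from disk, remembering that dotfiles are hidden in most file listings.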
How do I find badware on my site?
If Google is blacklisting your site for suspicious activity, you can use Google Webmaster Tools to find more information about what Google detected. If you do not have a Webmaster Tools account, you can create one for free. The "Fetch as Google" tool in Webmaster Tools helps you look at parts of your site the way Google's detection systems see them.
You can also look at Google's Safe Browsing diagnostic page for your site. To see your site's Google diagnostic page, replace "example.com" in the following URL with your site's domain: http://google.com/safebrowsing/diagnostic?site=http://example.com
Other ways to look for badware:
- Ask for help on Google's malware and hacked sites forum. The volunteer experts and professionals who answer questions on the forum may be able to offer you specific advice about your site.
- Use free and/or paid website scanning services. StopBadware does not currently recommend or endorse such services, but our community can point you to their preferred scanning tools. Several scanners and other tools are listed on our Additional Resources page.
- Use a file viewing tool to help you look for suspicious content. One of StopBadware's longtime community members has a free file viewer that helps site owners identify suspicious redirects, malicious scripts, and spam injections.
- Hire a professional. If you are not confident in your ability to find and remove website malware on your own, hiring a professional website malware removal company to help you may be your best option to resolve the problem quickly. Several representatives of such companies regularly answer questions on our community forum; you can also use a search engine to find a relevant company.
- See our Additional Resources page for a list of additional articles and sources on cleaning up hacked sites.
How do I remove badware?
If you have a clean backup of your site's contents, you may be able to restore the site by re-uploading all of the site's files—including your website software (WordPress, Drupal, or other). When doing this, make sure that you are using the latest version of your site's software. Be aware that you may be overwriting files that have changed since your last backup. Some hosting providers are able to assist owners of hacked sites in cleaning up or restoring their sites; to see if your host can help you, contact your hosting provider's support department.
If you do not have a clean backup of your site, manual removal of the bad code may be your best option. Once you have located the code that is causing the badware behavior, removing it can be as simple as deleting the offending code from all files in which it appears. You should be sure to check hidden files for instances of bad code, too. In some cases, the bad content may be stored in one or more database records, in which case restoring a recent backup of the database or manually editing the relevant records may be necessary.
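Before restoring from a backup or deleting code by hand, hashing the backup tree and the live tree shows exactly which files were added or changed since the backup, hidden files included, so nothing legitimate is overwritten unseen. This is an added example, not part of the original page; the directory layout and file contents in build_demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large uploads and images are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Map relative POSIX path -> sha256 for every regular file under root.
    rglob returns dotfiles such as .htaccess, so hidden files are covered."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(backup_root, live_root):
    """Return (added, modified, removed) live-site paths relative to the clean backup.
    Injected code lands in added or modified files; legitimate edits show up there too."""
    backup, live = tree_hashes(backup_root), tree_hashes(live_root)
    added = sorted(set(live) - set(backup))
    removed = sorted(set(backup) - set(live))
    modified = sorted(p for p in live if p in backup and live[p] != backup[p])
    return added, modified, removed

def build_demo():
    """Constructed sample trees (made up for this example): a clean backup and a
    live copy with one altered page and two injected files, one of them hidden."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    for root in (backup, live):
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Hello</body></html>")
        (root / "about.html").write_text("<p>About us</p>")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
    (live / "index.html").write_text(
        '<html><body>Hello<iframe src="http://bad.example.net/" width="0"></iframe></body></html>')
    (live / ".htaccess").write_text("RewriteRule ^(.*)$ http://bad.example.net/ [R,L]\n")
    (live / "img" / "loader.js").write_text("eval(unescape('%61%6c%65%72%74'))\n")
    return backup, live

if __name__ == "__main__":
    b, l = build_demo()
    added, modified, removed = compare_trees(b, l)
    print("added:", added, "modified:", modified, "removed:", removed)
```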
If you've found and removed the badware on your site, your next step is to request a review from the company blacklisting your site.
Not sure if you're blacklisted? Search for your site in our Clearinghouse to see if any of our data providers are currently listing it for badware.