In our job, we get a new, odd, and exciting problem to fix nearly every day, and that’s what keeps us motivated! Today was no different: a new client told us that his Joomla website was hacked, but only for Google! We asked him how such a thing could be possible, and he told us that Google’s index of his website showed obscene content that was not present anywhere in his Joomla content – however, clicking on any link on Google took the visitor to a clean version of his website. So we visited our client’s website and checked the HTML, and everything was clean! Then we entered site:ourclientjoomlawebsite.com in Google’s search and here’s what we got:
As you can see in the above image, Google had indeed indexed different (obscene) content. We did a thorough examination of the main files on our client’s website (the index.php, the .htaccess file, and the template files) and we couldn’t find any problem – all the files were 100% clean, and so we initially thought that the website had been hacked earlier and then fixed, and that Google had indexed the hacked website and still hadn’t refreshed its index.
But then it struck us – what if Googlebot (Google’s bot that is responsible for indexing websites) was seeing different content than normal users? So we used a tool to check what Googlebot sees (there are tools that allow you to see what Googlebot sees – just search for “check what googlebot sees” on Google) and it was indeed seeing a hacked version of the website.
Here’s what we did in order to locate the problem:
- Added a PHP die call at the beginning of index.php
- Checked what Googlebot was seeing
- If Googlebot was not seeing a hacked website, we moved the die to the subsequent line
- If Googlebot was seeing the hacked website, we checked what the line immediately before the die call was doing, moved the die to the corresponding file, and repeated the exact same process until we were able to locate the exact line causing the problem.
After doing the above, we discovered that the application.php file located under the includes directory had been modified to include a file that contains malicious code (we will not include the malicious code here). We removed that include directive and everything was fixed.
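The "check what Googlebot sees" step that the bisection above repeats can be scripted instead of done through a web tool. The following is an added example, not code from the original post: it fetches a page once with a browser User-Agent and once with Googlebot's User-Agent and reports text and links that only the bot receives. The function names, the 0.9 threshold, and the sample HTML (including spam.example) are constructed for illustration.

```python
import re
import sys
import urllib.request
from difflib import SequenceMatcher

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")

def fetch(url, user_agent, timeout=15):
    """Return the response body for url as seen by the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def visible_words(html):
    """Lower-cased words left after dropping script/style blocks and tags."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.findall(r"[a-z0-9']+", text.lower())

def links(html):
    """All href targets in the markup."""
    return set(re.findall(r'(?i)href\s*=\s*["\']([^"\']+)', html))

def compare(browser_html, bot_html, threshold=0.9):
    """Flag a page whose bot view differs from the browser view."""
    b, g = visible_words(browser_html), visible_words(bot_html)
    ratio = SequenceMatcher(None, b, g, autojunk=False).ratio()
    extra_links = sorted(links(bot_html) - links(browser_html))
    return {
        "similarity": round(ratio, 3),
        "bot_only_links": extra_links,
        "bot_only_words": sorted(set(g) - set(b)),
        # Per-request tokens in links can cause false positives; review hits.
        "suspect": ratio < threshold or bool(extra_links),
    }

def check_url(url):
    return compare(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))

# Constructed sample responses: the same page with and without injected links.
CLEAN = ("<html><head><title>Acme Widgets</title></head><body><h1>Welcome</h1>"
         "<p>We sell widgets.</p><a href='/contact'>Contact</a></body></html>")
CLOAKED = CLEAN.replace(
    "</body>", "<div><a href='http://spam.example/pills'>cheap pills online</a></div></body>")

if __name__ == "__main__":
    print(check_url(sys.argv[1]) if len(sys.argv) > 1 else compare(CLEAN, CLOAKED))
```

This only detects cloaking that is keyed on the User-Agent header; injected code that checks the client's IP address will not respond to it.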
But how and why did this happen?
The way the hack was made implied that the hacker knew the exact file structure of the server, well above the website level, which meant that whoever did this was an employee of the company. As for why, we believe that the employee wanted his employer’s website to get penalized (essentially destroying his employer’s online presence), since Google severely penalizes websites that use cloaking. (Cloaking means showing different content to the search engine.)
If you have a similar problem on your Joomla website then it is imperative that you act immediately and proactively – or risk your website being penalized (or worse – banned) by Google and other search engines. Oh, and if you need help then all you need to do is to contact us – we’re very helpful, we’re very friendly, and we are very experienced in Joomla – and our fees are reasonable!