Prolonged Hack On krispykreme.co.uk
I have recently been reading through a few SEO websites when i noticed a blog post reporting on a Hack on the krispy kreme website. The blog was written on the 8th July, that was 11 days ago, remarkably, the hack still seems to be in place.
For such a large organisation i would expect something like this to have been dealt with quite swiftly, It’s a brand site and i expect it gets a lot of traffic so google updating its cache wont be the problem so i thought i would take a look.
If you do a site command in google you can see the problem straight away.
The titles and descriptions have been changed in the listings and as you can see they are now promoting a Canadian Pharmacy which obviously isn’t doughnuts!
If however you go to the website and view the source code you will be able to see that the title and description are different to what Google is seeing.
If you want to see what google is seeing then you need to look at the website as Google. There are many plug-ins for Firefox that will allow you to do this. The best i found is User Agent Switcher, set it to browse as Google Bot and you will see the problem.
This has happened because the hack is detecting whether the user is google or not, if the user is google then it displays the hacked content. If the user is anyone else then it displays the normal page. Essentially, this is cloaking.
What do they need to do?
Well it’s not easy without access but i would hazard a guess that they have a compromised htaccess file on their server or they have had some php injected into the website which is doing this, it seems to only be affecting the inner pages, maybe this is part of the hack so it lies undetected longer.
Having a search around it seems this is a very common hack with wordpress.
Why Have I Blogged this?
Well its simple really, its easy to explain what can happen when a site is hacked, its easy to tell people how to see it for themselves but without a real life example it is nothing more than theory.
Hopefully this can be used to show people a hack and how to detect it. Also krispy kreme may read this and fix their site!
****UPDATE****
Its been a few days since i wrote this blog post, checking back today, it goes from bad to worse, The homepage of the website has now no longer cached in Google, it now looks like Google is starting to penalise the website.
Their social media people should really check their twitter stream and listen to what people are telling them!
****UPDATE**** 28th July
It now seems to be safe to buy doughnuts again! the hack has been removed, hopefully it wont happen again, if it does, lets hope they fix it faster next time.
[...] If the hacker has been a little more clever, then they may be cloaking, in Firefox, use the user agent switcher plugin to view the page as googlebot, you may find your presented with a different looking website. Do a site command and look at the title and descriptions of your page, if they are wrong and promote a different website then this is a good signal. A good example of this can be seen on my blog post about the Krispy Kreme Hack [...]