web defacement title graphic

How to Identify Malicious Code and Stop Web Defacement

In April of 2018, security researcher Kevin Beaumont discovered an interesting case of web defacement on the NHS Insights website.

He’d expected to find data related to patient surveys about their experiences with the National Health Service. Instead, he found a very different kind of message:

A review of the page’s cache suggested that this eerie music and imposing image had been in place for at least the previous five days. The NHS, for its part, was quick to act once its attention was focused on the problem.

But this type of website defacement affects governments, services, businesses and individuals more often than people realize.

According to Michal Abram, IT Manager at Zety, “Website defacement is a major threat that makes businesses invest every ounce of their energy in an effort to avoid it.”

Today, we’ll investigate web defacement and hacktivism. What is it? Who does it, and what are their methods? Then we’ll show you some practical ways you can use Uptime.com to prevent this type of attack from harming your website.

Table of Contents
  1. What is Website Defacement?
  2. Why Web Defacement Monitoring?
  3. Uptime.com Checks for Site Security
  4. Identifying Malicious Code and Strings with HTTPS Checks
  5. 3 Ways to Face Web Defacement
  6. Final Thoughts

What is Website Defacement?

Website defacement attacks are typically aimed at altering the visual appearance of your website. They visually alter a site’s appearance, usually exploiting vulnerabilities like an outdated security patch to gain entry to sensitive parts of your site.

There’s good and bad news to a web defacement attack, so let’s begin with the worst of it.

Website defacement is not the typical breach, but can be part of a larger attack. In web defacement attacks, the typical outcome is a lot like digital vandalism.

However, if someone had access to your site and was able to change the homepage, who knows what else they may have altered or stolen?

Web Hacktivism

Hacktivists have been evolving over time, says Trend Micro.

“Our research showed that hacktivist web defacement is typically caused by a political event or active conflict.”

So who are these hacktivists?

They vary from incident to incident. Some hacktivists are highly organized. Others prefer to align themselves with homogenous groups like Anonymous.

Hackers are often close in geography to the target. The movement can grow to international proportions, at which point attacks and attempts to breach may become more commonplace.

Why Web Defacement Monitoring?

It’s easier to inject malicious code into a website with outdated plugins and infrastructure.

A common way hackers can gain entry to websites is through old plugins. WordPress is especially guilty of this, so any company that uses WordPress must remain vigilant of its plugins and deployment.

Custom coded sites also have vulnerabilities, especially if they are built on pre-existing code libraries. Can you really trust that every piece of code your engineers have repurposed from the web has every potential exploit patched before your team deploys? How willing are you to gamble on this question?

This is the dilemma you face everyday if you’re not practicing proper web defacement monitoring.

Here are some ways Uptime.com can help you monitor your site for web defacement.

Uptime.com Checks for Site Security

Alerts related to your site infrastructure are good first signs that something may be wrong.

Not every alert means that you’ve been hacked, but they can be useful. For instance, a DNS server check will review the integrity of the DNS server and changes to your DNS records. Changes to your DNS records can range from harmless name adjustments to a full-on hijacking.

The first checks we will cover for web defacement monitoring are aimed at site infrastructure.

Aside from DNS records, there are other major indicators that something is wrong with your site. If you’ve been blacklisted from search, for example, you could be unwittingly hosting malicious content. WordPress sites that are poorly maintained frequently find themselves the victims of malware or virus attacks, which inject malicious ads and downloadables that assault the end user.

The following checks will help effectively guard against these attacks:

All of these checks run as part of the Uptime.com Domain Health Check. The Domain Health Check is one of the first places we recommend users start their Uptime.com trial. It is also a useful tool any time you need to add a new URL or website to your account. The included checks on this tool are designed to provide a picture of domain health, but many can be used to alert you of possible breaches in your infrastructure.

After running a Domain Health Check, you also have the option to configure these checks in a single click.


Have you used the free version of the Domain Health tool to check the health of your site?.

Identifying Malicious Code and Strings with HTTPS Checks

Defacement’s typical outcome is to alter the visual appearance of your site. Thankfully, those changes impact your code, your headlines, your body text, and many other variables our checks can monitor.

The most basic form of defacement monitoring Uptime.com can perform begins with an HTTPS check using the optional String to Expect parameter. String to Expect confirms text or regular expression is on the page, then the check issues an alert based on the options chosen in String Comparison.

For example, a String Comparison set to Fail if Regular Expression Matches would fail if it recognizes the word “gambling” or “refinance” or any other term you define. This includes H1 tags and other body content. You can see an example of this at work below:

detecting web defacement with string to expect

Alternatively, you can create a check that will fail if the String to Expect is not present. Use this HTTPS check to define a string of text, such as your headline, that is prominent and rarely changes. If hackers deface your website, they may change the Body of your HTML entirely or just plaster an image over your home page. If Uptime.com can’t see the string it expects, you will receive an error.

Three Ways to Face Web Defacement

Uptime.com is a good solution if your goal is to make sure a specific URL is not defaced, or if you manage a foundation, business, or small site where the target is prominent and easy to find.

Our services will notify you when:

  • DNS settings change or are in danger of expiration
  • WHOIS settings change or are in danger of expiration
  • SSL certificates change or are about to expire
  • Your site is on a blacklist, has a virus, or contains malware
  • When certain strings are or are not present

In addition to configuring your Uptime.com account to help you catch web defacement, here are some tips that can help you detect and prevent such attempts at defacement.

Ready to start web defacement monitoring with Uptime.com? Check it out free for 21-days, no credit card required.

Basic Security Training

Don’t take security training for granted.

Phishing attacks are getting more sophisticated thanks to email spoofing. It’s becoming easier for hackers to impersonate your colleagues, and not everyone is vigilant enough to check the address and credentials of the person making a request for information.

Circulating some updated training on the topic of basic corporate and personal internet security is a good start.

Helpful Resources:

  1. Google Guide on Avoiding Phishing Emails.
  2. Department of Homeland Security page on Website Security

Accounting for Everyday Changes

Another challenge in web defacement monitoring is distinguishing between a change your team intended, and one a hacker injected.

To get around this issue, we recommend using multiple checks that are designed as failsafes. The idea being that a failure will tell you whether the check is something you need to worry about.

We recommend configuring multiple HTTPS checks when using Uptime.com and String to Expect to monitor for web defacement.

We also recommend setting a tracking pixel, or monitoring for Analytics or something else on the page that isn’t likely to change. Other examples include a login button, or a headline for a particular sale item (I.e. Deal of the Day).With a failsafe in place, web defacement that targets the URL you’re monitoring would issue the first alert when the web defacement check goes down. Your team would also receive an additional alert from the failsafe check. Using Notes, the administrator who created the check can direct the team on how to proceed.

web defacement monitoring notes screenshot

Final Thoughts

We hope this post has given you some interesting use cases to consider.

We believe with the right combination of training and protocol, your team can tackle web defacement monitoring head first. Let’s work together to create a better, cleaner web.

Minute-by-minute Uptime checks.
Start your 14-day free trial with no credit card required at Uptime.com.

Get Started

Don't forget to share this post!

Richard Bashara is Uptime.com's lead content marketer, working on technical documentation, blog management, content editing and writing. His focus is on building engagement and community among Uptime.com users. Richard brings almost a decade of experience in technology, blogging, and project management to help Uptime.com remain the industry leading monitoring solution for both SMBs and enterprise brands. He resides in California, enjoys collecting and restoring arcade machines, and photography.

Catch up on the rest of your uptime monitoring news