2.15.5. Site was copied by malicious actors

Cloning of popular services' sites by malicious actors is a common problem. Most often, such cloning is aimed at phishing or intercepting orders. A cloned site is a serious problem for a service: it loses potential customers, and their data can be stolen and used by third parties.

There are several ways to clone a site:

  • Copying HTML markup and all related site files. This is usually done by a scraper bot that goes through all pages and saves their content as ready-made HTML. Such bots are fairly easy to track.
  • Copying only the HTML markup, with all other files loaded from the existing site. This is a fairly common method of copying a site, as it is easier to implement and does not require copying and hosting multiple files. Only the HTML versions of the pages are needed, and all other files and resources are loaded from the donor site.
  • Obtaining files from the donor site. This is often the most labor-intensive method of cloning, but such a site will be indistinguishable from the donor site, and it is extremely difficult to combat such copies.

Attention!

This article provides only general recommendations for protecting your site and preventing it from being cloned. Each situation requires an individual approach.

If it has been discovered that the site has been copied in its entirety, the following recommendations should be followed:

  1. Restrict access to the site for IP addresses of the server where the clone site is hosted. This can help in cases where the site is simply being automatically copied by bots. To do this:
    1. Obtain the IP address of the clone site's server by looking up its domain with one of the following commands:
      • In the Windows command prompt:
        nslookup example.com
      • In the Linux or macOS terminal:
        host example.com
      • In any terminal, run the command:
        ping example.com


        Replace example.com with the clone site's domain.

    2. Block access from the resulting IP address in the access restrictions settings or in the .htaccess file.
  2. Set up HotLink protection on the site. This protection will help prevent the site's files from being downloaded to a clone site.
  3. In site settings, disable the option "Add Access-Control-Allow-Origin: * header for static files".
  4. Change all passwords on sites and in the hosting admin panel, enable two-step authentication, and also change passwords for FTP users and database users.
  5. After performing initial steps to eliminate the possibility of cloning, you need to analyze web server logs for requests to all pages from one or more IP addresses within a short period of time. You should also check the data available in the analytics section, where you may find a suspicious number of requests from a single IP address or a large number of 404 responses, which may appear when using a parser bot to copy a site.
  6. You should check all FTP logs, account authorization logs, authorization logs in the site's admin panel, if available, and other accessible data.
  7. Since the site files could have been accessed through vulnerabilities in the CMS or plugins, you should update all plugins to the latest version and check for new versions of the CMS core. Additionally, it is worth using plugins that can help protect the site from hacking.
  8. Contact search engines to report the theft of site data and its cloning. This method is not always effective, but it remains an option.
  9. After completing all the necessary steps on the hosting platform, you should contact the hosting provider where the clone site is located and the police for further investigation.
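
The log check from step 5, as an added example that is not part of the original article: it scans access log lines in the common/combined format for IP addresses that request many distinct pages within a short window or receive a high share of 404 responses. The function names, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Common/combined access log format: client IP, timestamp, request, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def parse(lines):
    """Yield (ip, time, path, status); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            yield m[1], ts, m[3].split("?")[0], int(m[4])

def suspicious_ips(lines, window=timedelta(minutes=1), min_pages=5,
                   min_requests=5, min_404_ratio=0.3):
    """Return {ip: [reasons]}. Thresholds are assumptions; tune to real traffic."""
    hits = {}
    for ip, ts, path, status in parse(lines):
        hits.setdefault(ip, []).append((ts, path, status))
    report = {}
    for ip, reqs in hits.items():
        reqs.sort(key=lambda r: r[0])
        reasons, best, start = [], 0, 0
        # Sliding window: largest number of distinct pages fetched within `window`.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            best = max(best, len({p for _, p, _ in reqs[start:end + 1]}))
        if best >= min_pages:
            reasons.append(f"{best} distinct pages in {window}")
        n404 = sum(1 for _, _, s in reqs if s == 404)
        if len(reqs) >= min_requests and n404 / len(reqs) >= min_404_ratio:
            reasons.append(f"{n404}/{len(reqs)} responses were 404")
        if reasons:
            report[ip] = reasons
    return report

# Constructed sample: 203.0.113.7 walks six pages in six seconds (last two 404).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:0{i} +0000] "GET {p} HTTP/1.1" '
    f'{404 if i > 3 else 200} 512'
    for i, p in enumerate("/ /about /shop /cart /old /gone".split())
] + [  # an ordinary visitor
    '198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.20 - - [10/Mar/2024:12:03:40 +0000] "GET /shop HTTP/1.1" 200 512',
]

for ip, why in suspicious_ips(SAMPLE_LOG).items():
    print(ip, "->", "; ".join(why))
```

To check a real log, pass an open file object instead of SAMPLE_LOG; search engine crawlers can trip the same thresholds, so verify a flagged address before blocking it.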