A few days ago, Google announced the rolling out of a set of algorithmic changes in order to “tackle hacked spam in search results”. As Google has publically stated, in 2015 there has been a 180% increase in the number of hacked sites and a 300% increase in hacked site reconsideration requests. So, in the unfortunate case where your site has been hacked or even worse when getting the “this site may be hacked” notice, here is what you need to do:
First of all you must verify that your website has been hacked.
Look for the signs below:
- Site defacement
- Your site redirects to another irrelevant website
- You get a “Hacked site” message via Search Console (previously Webmaster Tools) on the Manual Actions or Security Issues page.
After becoming certain that your website has indeed been adversely affected, you must identify the type of the attack. Here is how to do that via Search Console:
Navigate to Messages. Check whether you have received any messages from Google regarding:
a) Serving spammy pages/links/content
c) Distribute malware
Make sure that you don’t delete any of these messages.
Navigate to Security Issues.
- If your site has been affected with malware you will get a notification showing “Malware”.
- If you have been hacked to serve spam you will get a notification showing “Hacked” accompanied with the respective hack type.
- If you have received a message notification regarding “Phishing”, you will get no additional information inside the Security Issues section.
After identifying the kind of the attack, make sure to follow the steps below.
Step 1: Keep calm and plan a well-organized action.
Step 2: Inform your hosting company that your website has been hacked.
Step 3: Temporarily take your site offline.
Stop your webserver or point your website’s DNS entries to a static page on a different server that uses a 503 HTTP response code. Simply returning a 4xx or 5xx HTTP status code or using a robots.txt disallow is not enough.
While offline, check all user accounts to see if the hacker created a new user account. If you find a suspicious account, make sure to delete it.
In addition, reset the passwords for all site users and accounts (FTP, database access, system administrators, CMS).
Step 4:Go to Search Console.
It goes without saying that you should have already verified your site via Search Console.
What you must do here is to make sure that the hacker has not already verified ownership and proceeded to changes in settings. First of all, navigate to “Manage site” section and make sure no unwanted changes have been made regarding:
- Users and owners
- Crawl rate
- Remove URLs
- Change of Address.
If you identify unwanted changes, restore immediately your desired settings.
Since you have previously already identified the type of the attack, you should perform the following actions depending on the attack type. To make it simpler, we will walk you through the process for the following attack type:
Your site hosts spam
This may be accompanied with the message “This site may be hacked” in the SERPs. Here is what you need to do.
Most likely, the hacker has created new URLs inside your website, totally accessible to the visitor. The problem here is that those URLs will be indexed in Google (if not indexed already). This causes 2 major issues:
a) You will find your site ranking for unwanted keywords, depending on the content that the hacker has “planted” in your website.
b) The indexed pages belonging to your domain will grow exponentially, wasting valuable crawl resources.
This is why these pages need to be removed from Google index. Note that this process may take up to several weeks. Here is how:
First of all you need to identify those pages. You can either do a “site:” search in Google looking for pages not created by you or log in to your server and check from there. You can also take a look in your Google analytics reports and check for new pages receiving traffic.
If you want to see the content of those pages, avoid using a browser (your computer could be damaged or you will fail to see the real content since hackers usually use cloaking techniques) and instead, use the “Fetch as Google” option in Search Console.
How to remove them from Google index:
- You can simply delete those pages and set HTTP status code for those pages as 404 or 410. However this will take some time since Google must search for them lots of times before deciding to drop them out of the index. Listing all those pages inside an XML file will force Google to ask for those pages and see the 404/410. Do not forget to also remove any code creating links to those pages.
- Additionally to the previous step, you can also use a URL removal tool via Search Console. This is optional and whether you will decide to use this option or not depends on the number of hacked pages created. If this number is too big, you may want to remove them gradually and not all at once. Make sure to not use this tool for pages that used to be good and were only damaged by the hacker. To facilitate and speed up the process you can use this chrome extension allowing the webmaster to perform the URL removal task in bulk.
If your existing pages become spam-free you want to make sure that Google sees them at once. To do so, use the Fetch as Google option in Search Console and submit them to Google index. Resubmitting your XML sitemap, will also speed up the process.
Step 5:Clean your server & go live again.
Without going into much technicalities and details (which are beyond the scope of this blog post) what you have to do is to restore a clean backup of your website, install software upgrades/updates etc., correct the vulnerability, reset passwords and bring your site back online.
If you want to make sure that your pages are now indeed spam-free, use the “Fetch as Google” option. All pages should be corrected by now.
Step 6: Send a reconsideration request.
Log in to Search Console and select “Request a Review”. Google will probably ask for information to see how the site was cleaned. Process time by Google may require up to several weeks, so you have to be patient.
If the review is approved, you will no longer see your site as hacked within the Security Issues category. Browser & SERP warnings will be removed within 24 hours of the approval.
If the review has failed, you will most likely receive a “note from your reviewer” as feedback from Google on why your request has been rejected along with advice on what you have to do from now on.