
Recovering the SEO of a Hacked Site

Author Benjamin Denis

Being hacked means someone you didn’t invite has access to your WordPress admin, hosting account or domain name. Being hacked becomes a problem if this person then steals your site, steals information, vandalizes your site, installs malware, or creates pages and links. Site owners are often not aware that hackers are using their site. Getting an email from Google to inform them of this problem may be the first thing they know about it.

You may also spot that your site has been hacked if you see unusual changes on your site or if you discover pages that you did not create when searching for your site with the “site:” operator in Google. You may also have problems logging into your WordPress admin or hosting provider.

Using the site: operator in Google to find hacked pages

In a common hack, called the Pharma Hack, malware is installed on a WordPress site that generates a large number of pages promoting Viagra or similar products. Often the main site looks fine, but Google finds hundreds of pages on your website linking or redirecting to dubious websites. Searching Google with the site: operator can help you discover this problem before Google.

What being hacked could mean for your SEO

If you have received an email from Google or seen a warning in Google search results about your site being hacked, then you do have an SEO emergency on your hands. Once Google has detected a security issue on your site, it will add a warning to search results that will prevent most people clicking on links to your site. You may not lose ranking immediately, but you will lose traffic. A security problem that is left unresolved will eventually lead to the site being removed from Google.

Because Google is very concerned about not sending users to sites that have been infected with malicious code, it is very good at detecting malware when it regularly crawls the web. Google’s anti-spam systems are also efficient at detecting cases where third parties have spammed a site. If Google detects problems like this on your site, you should get a Security alert from Google, and you will be able to get details on issues in the Security Issues report in Google Search Console.

Security issues report from Search Console training video (https://www.youtube.com/watch?v=oPsOZI8x5VM)

Some forms of hacking may lead to you getting a Manual action rather than a security alert. Handling security issues or manual actions is very similar, but we suggest you read our chapter dedicated to Dealing with a Manual Action from Google if this is the case for you.

A hacker can also degrade your site and your SEO without Google noticing it. They could add lots of pages and links to your site. They could change HTML and remove code that was useful for SEO or set up “cloaking” (where Google sees different content from users) or redirections to other sites. If you spot this type of problem on your site, it is still a menace to your SEO and may impact ranking. It needs to be dealt with as an emergency.
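One way to check a page for the cloaking described above is to save the HTML of the same URL twice, once as a crawler receives it and once as a browser receives it, and compare the two. The script below is an added example, not part of the original article; the keyword list, host names and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SPAM_TERMS = ("viagra", "cialis", "pharmacy")  # assumed list; tune per site

class PageFacts(HTMLParser):
    """Collect visible text, external link hosts and meta-refresh use."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.text, self.hosts = own_host, "", set()
        self.refresh, self._hidden = False, 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "a":
            host = urlparse(attrs.get("href") or "").hostname
            if host and host != self.own_host:
                self.hosts.add(host)
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.refresh = True
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
    def handle_data(self, data):
        if not self._hidden:
            self.text += data.lower() + " "

def page_facts(html, own_host):
    p = PageFacts(own_host)
    p.feed(html)
    p.close()
    return {t for t in SPAM_TERMS if t in p.text}, p.hosts, p.refresh

def cloaking_findings(crawler_html, browser_html, own_host):
    """List what only one of the two views of the same URL contains."""
    c_terms, c_hosts, c_ref = page_facts(crawler_html, own_host)
    b_terms, b_hosts, b_ref = page_facts(browser_html, own_host)
    out = [f"crawler-only spam term: {t}" for t in sorted(c_terms - b_terms)]
    out += [f"crawler-only external link: {h}" for h in sorted(c_hosts - b_hosts)]
    out += [f"browser-only external link: {h}" for h in sorted(b_hosts - c_hosts)]
    if c_ref != b_ref:
        out.append("meta refresh present in only one view")
    return out

# Constructed sample: one URL as served to a crawler and to a browser.
CRAWLER_VIEW = '<h1>Blog</h1><p>Buy cheap Viagra</p><a href="http://pills.example/x">shop</a>'
BROWSER_VIEW = '<h1>Blog</h1><p>Welcome</p><a href="/about">About</a>'
print("\n".join(cloaking_findings(CRAWLER_VIEW, BROWSER_VIEW, "www.example.com")))
```

Malware that keys on Google's IP addresses rather than the User-Agent will not show up in a copy you fetch yourself, so use the crawled HTML shown by the URL Inspection tool in Google Search Console as the crawler view where you can.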

Fixing a hacked site

We cannot go into the full details of how to fix all types of hacked site. If you are confronted with this problem, you will need to decide if you think you can fix your hacked site yourself or whether you need to get professional help. Your hosting provider may offer a solution. Kinsta, for example, offers a free malware removal service for its customers. To see how to fix a Pharma Hack, for example, see Malcare’s article Fix Pharma Hack on WordPress and SEO.

If Google Search Console is showing issues in the Security issues report, then you can click on each issue to get more information on the type of issues involved and examples of pages with the problem. The Security Issues report help page may also be helpful.

Generally, Google advises the following approach to treating each issue:

  1. Confirm the issue by reproducing it yourself.
  2. Decide if it is something you can fix by yourself or whether you need outside help.
  3. Fix the error on all pages where it could exist (not just on the example pages).
  4. Request a review using the REQUEST REVIEW button on the Security issues report.

Google also provides resources on web.dev for fixing security issues called “Help, I think I’ve been hacked” and WordPress provides the FAQ “My site was hacked”.

The document from WordPress recommends plugins to scan sites for security problems.

There are also external site crawlers, such as VirusTotal and Sitecheck, that may be useful if you don’t have access to WordPress.

Screenshot from the Sucuri WP plugin showing core WordPress files were modified

Advice from WordPress and the use of security plugins may help protect your site from future attacks. One of the only good sides of having to deal with a hacked site is that you usually come out of it with more robust protection against hacking. Our own personal advice is:

  • Ensure that you have strong – and different – passwords for WordPress admin, hosting platforms, FTP, MySQL and email accounts.
  • Regularly update WordPress as well as themes and plugins. Make sure that plugins that you use are maintained and regularly updated.
  • Never use nulled WordPress themes and plugins.

Removing security warnings from your site

If Google has blocked access to your site with security warnings, you can submit a review request using Google Search Console when you have corrected all the issues on all the pages.

Make sure to leave a detailed description of what issues you discovered and what you did to correct them. You can expect security warnings to be lifted after one or two days if the problem was linked to malicious software, but it may take up to 2 weeks for a manual review of other problems.

Handling the aftermath of a hack

While you are in Google Search Console to request a review, you should also check that there are no unwanted users. Go to Settings in the menu and click on Users and permissions to review who has access to Google Search Console.

You should also delete and resubmit your sitemap to Google.

Even though you have removed pages from your hacked site, these pages will continue to show as indexed in Google Search Console. Over time they will be shown as Non indexed with a Not found (404) error and they will eventually disappear. Do not, under any circumstances, redirect these pages back to your website!
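To confirm that the removed pages really answer with Not found and are not being redirected, you can audit your web server's access log after the cleanup. The script below is an added example, not part of the original article; it assumes the Combined Log Format, treats 410 (Gone) the same as 404, and uses constructed log lines and a made-up `/cheap-pills/` path prefix.

```python
import re

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+')

def verdict(status):
    """Judge the response for a URL that was deleted during cleanup."""
    if status in (404, 410):
        return "ok: reported as gone"
    if 300 <= status < 400:
        return "problem: redirected instead of Not found"
    if 200 <= status < 300:
        return "problem: still served"
    return "check: unexpected status"

def audit_removed(log_lines, removed_prefixes):
    """Map each requested removed path to the verdict for its latest status."""
    latest = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET/HEAD request line in the expected format
        path = m.group(1).split("?", 1)[0]
        if path.startswith(tuple(removed_prefixes)):
            latest[path] = int(m.group(2))  # later lines overwrite earlier ones
    return {path: verdict(code) for path, code in sorted(latest.items())}

# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cheap-pills/a HTTP/1.1" 200 5120 "-" "Googlebot/2.1"',
    '192.0.2.10 - - [03/Jan/2024:10:00:00 +0000] "GET /cheap-pills/a HTTP/1.1" 404 310 "-" "Googlebot/2.1"',
    '192.0.2.10 - - [03/Jan/2024:10:00:05 +0000] "GET /cheap-pills/b?ref=1 HTTP/1.1" 301 0 "-" "Googlebot/2.1"',
    '192.0.2.10 - - [03/Jan/2024:10:00:09 +0000] "GET /cheap-pills/c HTTP/1.1" 200 4800 "-" "Googlebot/2.1"',
    '192.0.2.11 - - [03/Jan/2024:10:01:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, result in audit_removed(SAMPLE_LOG, ["/cheap-pills/"]).items():
        print(path, "->", result)
```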

If a security problem is detected and fixed quickly, it should not have a long-term effect on ranking. If ranking degraded before you fixed the problem, you may have to wait for a few months to get back to the positions you deserve in Google’s search results.

By Benjamin Denis

CEO of SEOPress. 15 years of experience with WordPress. Founder of WP Admin UI & WP Cloudy plugins. Co-organizer of WordCamp Biarritz 2023 & WP BootCamp. WordPress Core Contributor.