When we take on a new client we always check their WordPress is safe and secure. No point doing marketing on a website that is vulnerable to being hacked!
We carried out these routine checks for our new client and found that indeed the site was out of date and vulnerable to being hacked.
We got the customer's permission to delay working on SEO and other marketing tasks until the website was brought up to date and secured. Sadly the hackers got there just before we updated the site. In fact we discovered the site had been hacked during the upgrade. A terrible set of circumstances.
The hack turned out to be a blackhat SEO injection attack. It created hundreds of new fake pages on the WordPress site, mostly with Japanese titles and meta descriptions (the site's native language is UK English).
Google had indexed the site a couple of days before the hack was discovered, meaning Google's index for this site was full of these fake, spam pages.
The final straw was the hackers had somehow locked us out of the WordPress site admin system. Nice!
First of all we spent a few hours going through the site, identifying all the hacked files and removing them. We found that the hackers had placed fake .htaccess files in the admin folders, which switched the site's permissions and locked us out of the admin folders. To get around this we simply deleted the spam .htaccess files.
Then we installed the great Wordfence plugin. This free plugin enabled us to do a thorough scan of the site, comparing all the files in the WordPress site with those that are known to be "good" WordPress files. This identified a lot of fake/spam files that had been placed there by the hackers. These were all then deleted.
Finally we removed all the extra user accounts and changed the passwords to ultra-strong passwords. We theorised that the hackers had got in using a brute force attack on an account with a weak password.
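The two file checks described above (stray .htaccess files in the admin folders, and comparing site files against known-good WordPress files) can be sketched as follows. This is an added example, not our own tooling or Wordfence's code; it assumes a pristine copy of the same WordPress release is unpacked locally, and the `audit` function, the `SITE_ONLY` list and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: files a live site has that a pristine download lacks.
SITE_ONLY = {"wp-config.php", ".htaccess"}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site_root, clean_root):
    """Compare a live tree with a pristine copy of the same WordPress release."""
    site, clean = Path(site_root), Path(clean_root)
    report = {"modified": [], "unknown": [], "htaccess": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site).as_posix()
        if f.name == ".htaccess" and rel != ".htaccess":
            # Assumption: only the site-root .htaccess is expected.
            report["htaccess"].append(rel)
            continue
        if rel in SITE_ONLY or rel.startswith("wp-content/"):
            continue  # themes, plugins and uploads are not part of core
        ref = clean / rel
        if not ref.is_file():
            report["unknown"].append(rel)      # file core never shipped
        elif digest(f) != digest(ref):
            report["modified"].append(rel)     # core file altered on disk
    return report

def build_demo(base):
    """Constructed sample trees: a clean reference and a tampered site."""
    files = {"index.php": "<?php // core", "wp-admin/admin.php": "<?php // admin",
             "wp-includes/version.php": "<?php $wp_version = 'x';"}
    for root in ("clean", "site"):
        for rel, body in files.items():
            p = base / root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    site = base / "site"
    (site / "wp-config.php").write_text("<?php // config")
    (site / ".htaccess").write_text("# permalinks")
    (site / "wp-admin/.htaccess").write_text("Require all denied\n")  # constructed
    (site / "wp-includes/seo-pages.php").write_text("<?php // spam")  # dropped file
    (site / "index.php").write_text("<?php // core + injected")       # altered core
    return site, base / "clean"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(*build_demo(Path(tmp)))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Everything the report lists is a candidate for review rather than automatic deletion, since security plugins can legitimately add their own .htaccess files.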
Now that the hacked site had been repaired, we had to repair the SEO damage. You can see from the screenshot above what a damaging effect the hack had on the site's SEO for our chosen keywords. It took just a few days for the SEO rankings to tank.
The wisdom is always to keep calm and not panic in these situations. Once the site had been cleaned we notified Google that the fake/spam URLs within the site should be removed from the index. We also requested a full reindexing of the site by Google.
Within about five days after the hack, Google had started removing some of the fake/spam content from its index. Over the last two or three weeks it had mostly disappeared and the main site pages had returned to normal.
The graph shows the visibility of the site in search before, during and after the hack.
Being hacked can have a devastating impact on a business. Very often the site owners will not even know they have been hacked until it's too late and their SEO has been destroyed.
Our client had sensibly taken up a website maintenance package with us, which includes updates and monitoring. It was this service that we were carrying out which revealed the site hack.
Once the site had been cleaned the SEO returned to normal (and even improved) within a couple of weeks. Phew!