How a Hacked Website Led To a Wrongful Google Penalty

Imagine coming in to work on a Monday morning, firing up your Google Analytics reports, and seeing a massive drop in traffic on your main website. You dig a bit deeper, and a sinking feeling of dread takes hold of you: organic traffic to your site has nearly died since this morning.

Organic Search drop

After a bit more digging, you find out it’s Google that has ceased sending organic traffic to your site. You check the site’s rankings, and your fear turns into panic: all rankings have gone. A ‘site:’ command confirms your worst-case scenario:

Site de-indexed from Google

The entire site has been de-indexed from Google search. This is probably every SEO’s worst nightmare. It’s hard to think of anything more catastrophic happening to a website from an SEO perspective.

Timeline of Events

In this case, it was a site that I am closely involved with. So of course I started digging and investigating the moment I was notified, and we managed to construct the following chain of events:

Thursday 7 January, 8PM:

The site is hacked – an unauthorised agent manages to log in to the site, and installs a range of malware code on the site. This code is intended to plaster the site with ads for mobile visitors only – desktop users don’t see anything strange, but mobile users are confronted by intrusive ads.

Thursday 7 January, 11 PM:

The hack is detected by the site’s owner, who immediately acts and works to undo the damage. The malware code is removed, extra security is added to the site, and by 11pm the site is cleaned up and malware-free – at least, as far as the owner can determine.

Monday 11 January, 6/7 AM:

The penalty is applied to the site, and organic traffic to the site plummets. Only non-Google search engines still send traffic to the site.

Hourly view of organic traffic

The site owner detects the penalty towards the middle of the day and starts investigating the issue. Initial suspicions that the site has suffered from the confusing Google core algo update over the weekend are quickly disproven – it’s much more serious than a ranking downgrade.

No root cause can be found, so further help is enlisted from expert SEOs. In the course of the day, the site owner – entirely unsure of why the site has been de-indexed – submits a reconsideration request. Despite the lack of any message in Google Search Console, the owner presumes (correctly, it turns out) that the previous week’s hack has somehow resulted in some sort of penalisation. Of course, as Google says in every reconsideration request, “It can take several weeks for your site to be reviewed.”

Tuesday 12 January, 10 AM:

I’m made aware of the issue and start digging as well. The lack of a message in GSC concerns me greatly. I try to crowdsource a possible solution on Twitter. I get many worthwhile suggestions, and the consensus is that the site has indeed suffered from a manual penalty.

Tuesday 12 January, 11 AM:

More than a full day after the penalty has been applied, we finally receive a penalty notification email and message in Google Search Console:

Google sneaky redirects email notification

Cloaking Manual Penalty message in Google Search Console

We’re a little baffled and keep digging – is there still some residual cloaking code active on the site that was missed? I crawl the site with Screaming Frog, configuring the crawler to use a Googlebot-Mobile user-agent. I also use Search Console to do a ‘Fetch as Google’ on a random page as Googlebot for desktop and smartphones. Neither avenue leads to anything suspicious – as far as I can tell, the site is clean.
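The check described above (crawling as Googlebot-Mobile and fetching as desktop and smartphone Googlebot) boils down to one question: does the server hand different markup to different visitor types? The script below is an added example, not part of the original post or the tools named in it. It requests the same URL with several user-agent strings and reports any `<script>` or `<iframe>` elements that appear for one visitor type but not for a plain desktop browser, which is exactly the shape of the mobile-only ad injection the hack left behind. The browser user-agent strings are constructed placeholders, the Googlebot strings follow Google’s published format, and with no arguments the script runs against constructed sample responses embedded in the file, so it works offline.

```python
"""
Check a page for user-agent-dependent content (UA cloaking) after a cleanup.

Added example; not the author's tooling. Run with a URL it fetches the page
once per user-agent; run with no arguments it exercises the comparison on the
constructed sample responses at the bottom of the file.
"""
import re
import sys
import urllib.request

# Representative UA strings. The two Googlebot strings follow Google's
# published format; the browser strings are constructed placeholders.
USER_AGENTS = {
    "desktop-browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
    "mobile-browser": "Mozilla/5.0 (Linux; Android 10; Mobile) ExampleBrowser/1.0",
    "googlebot-desktop": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "googlebot-smartphone": ("Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) "
                             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 "
                             "Mobile Safari/537.36 (compatible; Googlebot/2.1; "
                             "+http://www.google.com/bot.html)"),
}

# The elements most often used to inject ads or redirects into a compromised page.
EMBED_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.I | re.S)


def extract_embeds(html):
    """Return the set of <script>/<iframe> elements in a page, whitespace-normalised."""
    return {re.sub(r"\s+", " ", m.group(0)).strip() for m in EMBED_RE.finditer(html)}


def compare_variants(responses, baseline="desktop-browser"):
    """Report embeds served to each UA that the baseline UA does not receive.

    responses maps a UA label to the HTML it was served. Returns
    {label: [extra elements...]} containing only the labels that differ.
    """
    base = extract_embeds(responses[baseline])
    findings = {}
    for label, html in responses.items():
        if label == baseline:
            continue
        extra = extract_embeds(html) - base
        if extra:
            findings[label] = sorted(extra)
    return findings


def fetch_page(url, user_agent, timeout=15):
    """Fetch url as the given user-agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit_url(url):
    """Fetch url once per UA and compare the variants (network access required)."""
    return compare_variants({label: fetch_page(url, ua) for label, ua in USER_AGENTS.items()})


# Constructed sample responses: a clean page, and the same page with an ad
# iframe and loader script appended for mobile visitors only, as the hack did.
CLEAN_PAGE = """<html><head><title>Example</title>
<script src="/static/site.js"></script></head>
<body><p>Welcome</p>
</body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>/* constructed marker: mobile-only ad loader */</script>\n'
    '<iframe src="http://ads.example/"></iframe></body>',
)
SAMPLE_RESPONSES = {
    "desktop-browser": CLEAN_PAGE,
    "googlebot-desktop": CLEAN_PAGE,
    "mobile-browser": INJECTED_PAGE,
    "googlebot-smartphone": INJECTED_PAGE,
}


if __name__ == "__main__":
    result = audit_url(sys.argv[1]) if len(sys.argv) > 1 else compare_variants(SAMPLE_RESPONSES)
    if not result:
        print("No UA-dependent <script>/<iframe> elements found.")
    for label, extras in result.items():
        print(f"[{label}] serves {len(extras)} element(s) the desktop baseline does not:")
        for element in extras:
            print("   ", element)
```

Run it against every template type on the site (home page, a category page, an article), not just one random page, because injected code is frequently tied to a single theme file. A clean result is only as good as the user-agent list: if the injected code keys on something else (a referrer, a cookie, the visitor’s IP), a UA-only comparison will not see it, so treat “no differences” as one piece of evidence rather than proof that the site is clean.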

Tuesday 12 January, 12:30 PM:

Google’s John Mueller takes note of my Twitter storm, and I connect with him. I DM him the website and he promises to have a look.

Wednesday 13 January, 11:55 AM:

John Mueller responds via DM, acknowledging that Google saw a case of mobile cloaking on the site – which is exactly what the hack did. He also admits that “Differentiating between a one-off hack and something shady that a site owner does on their own is tricky, and the reactions would generally be very different.” One would hope so.

Thursday 14 January, 3/4 AM:

The penalty is revoked and organic traffic starts coming back into the site. The Manual Action message in Search Console also disappears. We do not get any further message though, and there is no response to the reconsideration request.

Google penalty is revoked

More Questions Than Answers

What basically happened here was that a site was hacked and malware injected in various pages. The hack was detected and the damage undone within 4 hours.

Google obviously must have crawled the site in this 4-hour window, and a flag was raised for the site to be manually reviewed. This happened four days after the hack, and a penalty was applied that de-indexed the entire site.

Now this is a very worrying chain of events. Remember, the hack was already fixed when the manual review took place. The cloaking code had been removed. The site was, at the moment of the review, not in breach of any Google webmaster guidelines.

But a penalty was still applied. The site was still de-indexed. Fortunately, with the help of John Mueller, it took only 3 days to reverse the penalty. Yet it still meant a loss of thousands of visits to the site.

This raises a whole range of questions about Google’s manual penalty process:

1. Is a ‘manual penalty’ actually manual?

The Google Search Quality engineer that reviewed the site should have spotted that the cloaking code was no longer present on the site. So one of two things happened: the engineer did not actually review the site but simply rubber-stamped a cloaking report, or the engineer did look at the site but still applied the penalty for reasons unknown. A third option is that the ‘manual’ penalty is not manual at all, but an automated response disguised as a manual process.

2. Is there any sort of quality assurance in Google’s penalty process?

If a manual penalty is applied to a website, is there any form of quality check to determine the penalty is for legitimate reasons? Or is it simply left to the discretion of a single engineer, who may or may not be doing any proper due diligence?

3. Why is there a delay between the penalty being applied and the site being notified?

For mission-critical websites, any Google penalty will be detected within a few hours of it being applied. Yet the Search Console message arrived more than a full day after the penalty was applied. For many site owners, a one-day delay won’t be that big a deal, but in high-volume, fast-moving industries this is a huge gap and leaves the site owners confused, uncertain, and prone to making wrong decisions. Why can’t the GSC message be sent the instant the penalty is applied?

4. Does Google have a safeguard in place to differentiate between hacked websites and actual cloaking attempts?

Aside from the unforgivable error of a penalty being applied for something the site had already removed, the more serious question is how Google differentiates between a website’s attempt to deceive Googlebot versus a website suffering from a malicious hack.

It is obvious this is not a foolproof process. In this case, Google got it horribly wrong, and penalised a website where instead it should have sent a security warning. Which it hasn’t:

Security Issues report in Google Search Console

Theoretically, thousands of hacked websites could have been penalised, leaving site owners in the dark about what has actually happened. If Google knows it’s hard to make the distinction between hacked sites and cloaking attempts – as John Mueller admits – then why do they still hand out these penalties? Wouldn’t it be infinitely more preferable to err on the side of caution and send a Security Issue warning message instead?

5. Is there any accountability for wrongfully applied penalties?

In this case it seems blatantly obvious the penalty should not have been applied. The penalty was the result of a flag for cloaked content, which only existed on the site for a 4-hour window four days previous. The site was not in violation of any webmaster guideline when the penalty was applied.

For mission-critical websites, a penalty such as this can be truly catastrophic. The potential loss of revenue could be disastrous, with serious ramifications for the business. People could lose their jobs over things like this.

Yet there doesn’t seem to be any way to hold Google to account for this sort of error. There is no method of appeal – aside from the lengthy reconsideration request process – and no way to recover any lost damages outside of attempting a legal case. But with Google’s immense litigative power, any SME’s efforts to sue the search giant are going to be prohibitively costly and likely to end in disappointment.

Immeasurable Damage

In this particular case the site had a massive benefit: the involvement of expert SEOs that know what to look for and can call on help from other sources. Even with John Mueller’s aid, the site did not recover from the penalty for three days.

Total destruction

Imagine this happening to a small business website with limited access to expert SEO advice. It could take weeks – months even – for the root cause to be identified, and weeks more for the penalty to be reviewed and removed. The damage would be almost immeasurable.

Yet none of it is really the site owner’s fault. The site was compromised by a malicious hacker, and even when that hack was detected and fixed, the site was still subsequently penalised. There is no way to recoup any of the damages from Google – nor from the hacker, for that matter – without serious effort and resources, which small businesses simply don’t have.

One wonders, how many websites have been wrongly penalised by Google? How many businesses have suffered from wrongfully applied Google penalties? How many jobs have been affected? How many people have undergone tremendous stress and anguish over something entirely outside of their control? How much damage has been done to people – financially as well as personally – as a result of unwarranted Google penalties?

And does Google know about the flaws in its process? Does Google take any form of responsibility for the harm it causes? Do they even care?

Lessons Learned

There are quite a few lessons SEOs can learn from this episode:

  • Security is mission critical: If you perform SEO audits and you don’t analyse a website for security flaws, you’re missing a trick. While the site had some level of basic security measures in place, such as non-standard user names and secure passwords, this was insufficient to protect the site from a hacker. After the hack the site owner immediately implemented additional security measures, and time will tell if these are sufficient to protect the site. As we all know, a determined hacker can get into any system, no matter how well-protected.
  • Google takes quick notice: The malware code was only live on the site for a few hours. Yet that small window of time was enough for Google to spot it and flag it. Assume that any new code on the site is seen by Google almost immediately – even if they do not yet act on it.
  • Google does not recognise intent: The hack resulted in code being injected on the site that Google identified as an attempt at cloaking. Google did not recognise it as a hack, instead flagging it as attempted webspam, and acted accordingly. Suffice to say that, obviously, Google is not omniscient – it cannot determine whether a site has been hacked or is intentionally trying to deceive.
  • Penalties might be applied retro-actively: Even when you’ve acted quickly and cleaned up the site, there’s still a chance Google will apply a penalty – legitimately or otherwise – to your site. In this case, the gap was 4 days, though Tim Grice from Branded3 tweeted that he sees partial penalties applied months after the fact:

  • Penalty Notices can be delayed: From the moment the penalty was applied to when we were notified in Google Search Console, 28 hours had passed. I expect such delays are more common than we think. When you see a site’s traffic fluctuate, and you suspect a Google penalty but there is no message in GSC, don’t be surprised if one appears later.
  • Manual Penalties are flawed: This is a very clear case where Google should not have applied a manual penalty when it did. It shows that Google’s process is deeply flawed and lacks basic safeguards against human error and potential abuse.
  • Erroneous Manual Penalties are not easily lifted: Even in this instance of a wrongful manual penalty, it took Google several days to act on the new information we supplied and revoke the penalty, and that was with the added benefit of direct communication with John Mueller. By all appearances, Google does not acknowledge a wrongful penalty – it penalises quickly, but corrects slowly.

How Can You Prevent This?

A small part of me hopes Google will learn from this episode and perhaps put measures in place to prevent further wrongful penalties. But that’s a very slim hope indeed.

It is very difficult to protect your website from suffering a similar fate. These things are almost entirely out of your control. As this case study shows, even when you do not engage in any black hat SEO practices, your site is still at risk.

At the very least you need to make sure your website is as secure as it can be. Don’t compromise on security – get the right systems and safeguards in place to prevent your site from being hacked in the first place.

Yet even the best security measures can be bypassed. You should have a clear process in place for when your site is breached, so you can act quickly to undo the damage. Know who to contact, what to do, how to roll back to previous site versions, etc. A basic security plan is essential.
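Part of that plan is knowing, within minutes rather than hours, which files changed and therefore which ones to roll back. The script below is an added example, not the author’s tooling or anything from the post: it hashes every file under a web root into a baseline manifest and later compares a fresh manifest against it, listing added, removed and modified files. The file name `integrity.py` and the command-line shape are assumptions, and `demo()` runs the whole cycle on a constructed temporary site tree so the script works offline.

```python
"""
File-integrity baseline for a web root, so an injection is spotted quickly
and the exact files to roll back are known.

Added example; not the author's tooling. Usage (assumed command shape):
    integrity.py baseline <webroot> <manifest.json>
    integrity.py check    <webroot> <manifest.json>
With no arguments it runs demo() on a constructed temporary site tree.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_manifests(baseline, current):
    """Classify every difference between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name, digest in baseline.items()
            if name in current and current[name] != digest
        ),
    }


def save_manifest(manifest, path):
    """Store the manifest OUTSIDE the web root: whoever can write to the site
    must not be able to rewrite the baseline as well."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    """Read a manifest written by save_manifest()."""
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: take a baseline, then drop a new file and alter a
    theme footer the way an ad-injecting hack would, and report the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "site"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (theme / "footer.php").write_text("</body></html>\n")
        baseline = build_manifest(root)

        # Simulated compromise (constructed): one dropped file, one edited file.
        (root / "wp-content" / "dropped.php").write_text("<?php /* constructed marker */ ?>\n")
        (theme / "footer.php").write_text(
            '<script src="http://ads.example/x.js"></script></body></html>\n'
        )
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(compare_manifests(load_manifest(sys.argv[3]),
                                           build_manifest(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Take a fresh baseline after every legitimate deploy, run the check from cron or a deploy hook, and exclude directories that change by design (caches, user uploads) or alert on them separately. The manifest answers the “what do I roll back?” question directly: restore the modified files from version control or a known-good backup and delete the added ones, then rebuild the baseline.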

Always assume Google sees the effects of the hack. If your site is compromised and malware code injected, Google is very likely to see it. Don’t assume that a quick fix means the hack went unnoticed.

Expect a delayed response from Google, so keep an eye on your traffic and on Search Console messages. It can take days (or weeks? Months even?) for Google to act on a flagged crawl.

It pays to have inside contacts, so stay friendly with expert SEOs that have some measure of influence in the industry. If they can persuade a Googler to have a look at your particular case, it might help speed up the reconsideration process. Keep in mind though that Googlers like John Mueller are swamped with questions all the time, and they’re only human, so even with the best of intentions they can’t instantly jump to your aid.

Most of all, never put all your eggs in one basket, and have a back-up plan. In this case, Google traffic evaporated and caused the site significant traffic loss. Yet we were able to make up for that – to an extent – with additional social media efforts. When your site suffers from such a dramatic traffic drop, you need to be ready to fire on other channels to make up the loss. Paid search, paid social, email marketing – whatever it is, have a backup plan ready to go for when one of your site’s cornerstone traffic channels suddenly dries up.

Conclusion

A security breach on your website can lead to a severe Google penalty, even when the breach is quickly fixed. Google’s manual penalty process is deeply flawed and can lead to innocent websites being de-indexed from Google search. There is no accountability and very limited potential for appeal. Be prepared for a worst-case scenario like the one described above, and have plans in place to keep your site ticking over until the Google gods can be bothered to review and, hopefully, revoke your penalty.

About Barry Adams

Barry Adams is one of the chief editors of State of Digital and is an award-winning SEO consultant based in Belfast, delivering specialised SEO services to clients across Europe.

  • rob

    I think some of this may be a legacy of a type of bunker mentality. Over the years, I’ve seen manual penalties applied left right and centre; some being notified and some not.

    It’s as if the googler in the webspam team took some kind of perverse glee in seeing the site owner grapple with a problem, simply because the view was taken that the site owner had been a very naughty boy. There is NO transparency, there is virtually little comeback either.

    If this were a judicial process the judge would set out their reasoning and tell the defendant exactly what they were doing and why. But hey, with Google you don’t even get a trial – there’s no opportunity to present your case – it’s flagged, reviewed and acted upon. One might be forgiven for thinking that in reality they don’t really care and fall back to the position that ultimately, you have no right to this traffic, you can’t really complain and you have no right to customer service for something you’ve not paid Google a brass cent for.

    Of course I’d counter that this is in fact bollocks, as they do have a responsibility, they should be held to account regardless. Without the web, they’d be nothing. Without the millions of websites building great content, they’d have no platform to surround with ads. They’d never have grown in the absence of support of webmasters and site owners so should therefore recognise that fact and inject such realities into their traffic quality measures. Granted, they’d aver that where a site is hacked and is injecting malware then they have a responsibility to act fast. However, they should also act with equal haste when it comes to either reversing their errors or returning a domain to good grace – why? Because it’s the right thing to do, and they have the resource to do so.

    There’s no such thing as a free lunch and the same applies to all parties; this includes Google which dines out all too frequently on the backs of hard working webmasters and site owners.

    • Aye, too many people think Google has the right to do whatever it wants in its search results, everyone else be damned. This is an astonishingly short-sighted perspective that totally ignores the fact Google built its empire on the back of all of us – the website we build, the content we create and publish, etc.

      Without the web, there would not be any Google. But Google and its supporters believe they don’t owe the web anything, that they can punish websites with impunity and destroy businesses without any repercussions.

      It’s a morally bankrupt position to take.

  • Phenomenal post, Barry – thanks for writing it all up. I remember when it was all going on and seeing you, Bas, etc. all investigating. It was really interesting to see industry peers working on it in real time and seeing how you guys were assessing the situation, etc.

    I’ve thought of a potential 4th option to #1 (“Is a ‘manual penalty’ actually manual?”), depending on Google’s internal manual review process: perhaps the engineer is shown a cached version to review, despite the fact that time had passed and the hack had been cleaned up. Instead of checking the live version for the up-to-date situation, the engineer might’ve lazily only checked the cached version (from when the hack was still live), seen the hack in the code and given the review based on that, overlooking/ignoring the change of situation that had taken place since. If this is the case, then it’s still not forgivable – there’s still no excuse for not checking the live site, and this would in fact show a flaw in Google’s manual review process (well… another flaw, beyond all those that you’ve already pointed out, haha…)!

    • Thanks Steve, it was definitely an interesting wee project to work on. It’s been a while since I was involved with a real-time penalty case, I usually get brought in after the fact. So it was intriguing to see how the penalty was applied and then how it developed from there as we learnt more about it and acted on the new information.

  • Website security is still not focused on by most businesses unfortunately. Cases like this are inevitable when security is given a low priority. We’re currently dealing with at least 1 new business coming to us per month with a hacked website which is insane. The majority of security breaches are preventable, when the budgets/resources/decision makers allow.

    Interesting story above, good to gather data around the topic for SEO too.

    • Aye, security is underestimated; the impact on a business when it goes wrong can be truly catastrophic. Definitely something businesses need to pay a lot more attention to. But businesses tend to look at the short-term immediate gain.

      The problem with investing in online security is that, if it works, you never notice. You only notice when it goes wrong, at which point it’s too late.

  • Mark Haslam

    A good bit of PPC might plug the gap for a while Barry! 😉

    • Hah, yes that would suit you just fine. 😀 But seriously, I do think businesses need a backup plan that, yes, includes PPC, for when organic traffic goes tits-up.

      • Mark Haslam

        I do think there is a very genuine and worthy point there. All too often do people see SEO and PPC as one or the other, but this is one of the scenarios, of which there are many, where they need each other!

  • I am sure this will prove tremendously useful for me some point in the near future. Thanks so much for sharing this experience. Makes you wonder, how long would the recovery take without John Mueller’s help?

    • Aye that’s my concern too – I had almost immediate access to John (for which I’m very grateful, he genuinely tries to be helpful). Most SMEs won’t have that luxury, so it could be quite a long time before any action is taken…

  • Google even has a specific form for this: Report Incorrect Phishing Warning:
    https://www.google.com/safebrowsing/report_error/?&url=

    Based on recent work for a client it can take a lot of effort, you need to do everything “right”. Just getting your website offline is not good enough!

  • I have the same problem. I hope that Google employee from Twitter will help me. 🙁