How a Hacked Website Led To a Wrongful Google Penalty
Imagine coming in to work on a Monday morning, firing up your Google Analytics reports, and seeing a massive drop in traffic on your main website. You dig a bit deeper, and a feeling of dread takes hold of you: organic traffic to your site has all but died since this morning.
After a bit more digging, you find out it’s Google that has stopped sending organic traffic to your site. You check the site’s rankings, and your fear turns into panic: all rankings have gone. A ‘site:’ query confirms your worst-case scenario:
The entire site has been de-indexed from Google search. This is probably every SEO’s worst nightmare. It’s hard to think of anything more catastrophic happening to a website from an SEO perspective.
Timeline of Events
In this case, it was a site that I am closely involved with. So of course I started digging and investigating the moment I was notified, and we managed to construct the following chain of events:
Thursday 7 January, 8PM:
The site is hacked – an unauthorised agent manages to log in to the site and installs malware code across it. This code is designed to plaster the site with ads for mobile visitors only: desktop users see nothing strange, but mobile users are confronted by intrusive ads.
Thursday 7 January, 11 PM:
The hack is detected by the site’s owner, who immediately acts and works to undo the damage. The malware code is removed, extra security is added to the site, and by 11pm the site is cleaned up and malware-free – at least, as far as the owner can determine.
Monday 11 January, 6/7 AM:
The penalty is applied to the site, and organic traffic to the site plummets. Only non-Google search engines still send traffic to the site.
The site owner detects the penalty towards the middle of the day and starts investigating the issue. Initial suspicions that the site has suffered from the confusing Google core algo update over the weekend are quickly disproven – it’s much more serious than a ranking downgrade.
No root cause can be found, so further help is enlisted from expert SEOs. In the course of the day, the site owner – entirely unsure of why the site has been de-indexed – submits a reconsideration request. Despite the lack of any message in Google Search Console, the owner presumes (correctly, it turns out) that the previous week’s hack has somehow resulted in some sort of penalisation. Of course, as Google says in every reconsideration request, “It can take several weeks for your site to be reviewed.”
Tuesday 12 January, 10 AM:
I’m made aware of the issue and start digging as well. The lack of a message in GSC concerns me greatly. I try to crowdsource a possible solution on Twitter. I get many worthwhile suggestions, and the consensus is that the site has indeed suffered from a manual penalty.
Tuesday 12 January, 11 AM:
More than a full day after the penalty has been applied, we finally receive a penalty notification email and message in Google Search Console:
We’re a little baffled and keep digging – is there still some residual cloaking code active on the site that was missed? I crawl the site with Screaming Frog, configuring the crawler to use a Googlebot-Mobile user-agent. I also use Search Console to do a ‘Fetch as Google’ on a random page as Googlebot for desktop and for smartphones. Neither avenue turns up anything suspicious – as far as I can tell, the site is clean.
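The check described above boils down to one question: does the server hand different active content to a mobile or Googlebot user agent than it does to a desktop browser? The script below is an added example, not code from the original post or from Screaming Frog: it fetches the same URL once per user agent, fingerprints the parts of each response that can inject ads (script and iframe sources, inline script bodies) and reports anything served to some user agents but not to the desktop baseline. The user-agent strings are representative and should be replaced with the current Googlebot ones; the fetcher is injectable, so the block runs offline against a constructed stand-in for a hacked server. One caveat: a user-agent comparison only catches cloaking keyed on the User-Agent header. Code that keys on Googlebot’s IP ranges instead will look clean from your own machine, which is exactly why the ‘Fetch as Google’ check from Google’s own infrastructure is still worth doing.

```python
"""Compare the active content a URL serves to different user agents."""
import difflib
import re
import urllib.request
from typing import Callable, Dict, List, Set

Fetcher = Callable[[str, str], str]  # (url, user_agent) -> response body

# Representative user-agent strings (assumption): swap in the current Googlebot ones.
USER_AGENTS: Dict[str, str] = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:43.0) Gecko/20100101 Firefox/43.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "googlebot-mobile": (
        "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 "
        "(compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    ),
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 Mobile/13C75 Safari/601.1",
}

TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def http_fetch(url: str, user_agent: str) -> str:
    """Default fetcher: a plain HTTP GET with the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def active_content(html: str) -> Set[str]:
    """Fingerprint the parts of a page that can inject ads: script/iframe
    sources and inline script bodies. Cosmetic markup differences are ignored."""
    items: Set[str] = set()
    for m in TAG_RE.finditer(html):
        src = SRC_RE.search(m.group(0))
        if src:
            items.add(f"{m.group(1).lower()}:src={src.group(1)}")
    for m in INLINE_SCRIPT_RE.finditer(html):
        body = re.sub(r"\s+", " ", m.group(1)).strip()
        if body:
            items.add(f"script:inline={body[:80]}")
    return items


def cloaking_report(url: str, fetch: Fetcher = http_fetch,
                    baseline: str = "desktop") -> Dict[str, dict]:
    """Fetch url once per user agent and compare each response to the baseline."""
    pages = {name: fetch(url, ua) for name, ua in USER_AGENTS.items()}
    base_items = active_content(pages[baseline])
    base_lines = pages[baseline].splitlines()
    report: Dict[str, dict] = {}
    for name, html in pages.items():
        if name == baseline:
            continue
        items = active_content(html)
        ratio = difflib.SequenceMatcher(None, base_lines, html.splitlines()).ratio()
        report[name] = {
            "extra": sorted(items - base_items),    # served to this UA only
            "missing": sorted(base_items - items),  # served to the baseline only
            "similarity": round(ratio, 3),          # line-level similarity to baseline
        }
    return report


def suspicious(report: Dict[str, dict], min_similarity: float = 0.9) -> List[str]:
    """User agents that got extra active content or a substantially different page."""
    return sorted(name for name, r in report.items()
                  if r["extra"] or r["similarity"] < min_similarity)


# Constructed stand-in for a compromised server; not a real site.
CLEAN_PAGE = """<html><head><title>Example</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1><p>Normal content.</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>document.write(\'<iframe src="http://ads.example/pop"></iframe>\')</script></body>',
)


def constructed_hacked_site(url: str, user_agent: str) -> str:
    """Serves the ad-injected page to mobile user agents only, as in the incident."""
    mobile = "Mobile" in user_agent or "iPhone" in user_agent
    return INJECTED_PAGE if mobile else CLEAN_PAGE


if __name__ == "__main__":
    rep = cloaking_report("http://example.test/", fetch=constructed_hacked_site)
    for name, r in rep.items():
        print(name, r)
    print("suspicious:", suspicious(rep))
```

Against the constructed server the report flags `googlebot-mobile` and `iphone` (both receive an extra inline script and iframe pointing at the ad host) while `googlebot` desktop matches the baseline exactly. On a real site, run it against several page types, not one random URL: injected code is often placed in a theme template or a plugin that only some pages load.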
Tuesday 12 January, 12:30 PM:
Google’s John Mueller takes note of my Twitter storm, and I connect with him. I DM him the website and he promises to have a look.
Wednesday 13 January, 11:55 AM:
John Mueller responds via DM, acknowledging that Google saw a case of mobile cloaking on the site – which is exactly what the hack did. He also admits that “Differentiating between a one-off hack and something shady that a site owner does on their own is tricky, and the reactions would generally be very different.” One would hope so.
Thursday 14 January, 3/4 AM:
The penalty is revoked and organic traffic starts coming back to the site. The Manual Action message in Search Console also disappears. We do not get any further message though, and there is no response to the reconsideration request.
More Questions Than Answers
What basically happened here was that a site was hacked and malware injected in various pages. The hack was detected and the damage undone within 4 hours.
Google must have crawled the site during that 4-hour window, and a flag was raised for the site to be manually reviewed. That review came four days after the hack, and the penalty it produced de-indexed the entire site.
Now this is a very worrying chain of events. Remember, the hack was already fixed when the manual review took place. The cloaking code had been removed. The site was, at the moment of the review, not in breach of any Google webmaster guidelines.
But a penalty was still applied. The site was still de-indexed. Fortunately, with the help of John Mueller, it took only 3 days to reverse the penalty. Yet it still meant a loss of thousands of visits to the site.
This raises a whole range of questions about Google’s manual penalty process:
1. Is a ‘manual penalty’ actually manual?
The Google Search Quality engineer that reviewed the site should have spotted that the cloaking code was no longer present on the site. So one of two things happened: the engineer did not actually review the site but simply rubber-stamped a cloaking report, or the engineer did look at the site but still applied the penalty for reasons unknown. A third option is that the ‘manual’ penalty is not manual at all, but an automated response disguised as a manual process.
2. Is there any sort of quality assurance in Google’s penalty process?
If a manual penalty is applied to a website, is there any form of quality check to determine that the penalty is for legitimate reasons? Or is it simply left to the discretion of a single engineer, who may or may not be doing any proper due diligence?
3. Why is there a delay between the penalty being applied and the site being notified?
For mission critical websites, any Google penalty will be detected within a few hours of it being applied. Yet the Search Console message arrived more than a full day after the penalty was applied. For many site owners, a one-day delay won’t be that big a deal, but in high-volume fast-moving industries this is a huge gap and leaves the site owners confused, uncertain, and prone to making wrong decisions. Why can’t the GSC message be sent the instant the penalty is applied?
4. Does Google have a safeguard in place to differentiate between hacked websites and actual cloaking attempts?
Aside from the unforgivable error of a penalty being applied for something the site had already removed, the more serious question is how Google differentiates between a website’s attempt to deceive Googlebot and a website suffering from a malicious hack.
It is obvious this is not a foolproof process. In this case, Google got it horribly wrong, and penalised a website where instead it should have sent a security warning. Which it hasn’t:
Theoretically, thousands of hacked websites could have been penalised, leaving site owners in the dark about what has actually happened. If Google knows it’s hard to make the distinction between hacked sites and cloaking attempts – as John Mueller admits – then why do they still hand out these penalties? Wouldn’t it be infinitely more preferable to err on the side of caution and send a Security Issue warning message instead?
5. Is there any accountability for wrongfully applied penalties?
In this case it seems blatantly obvious the penalty should not have been applied. The penalty was the result of a flag for cloaked content, which only existed on the site for a 4-hour window four days previous. The site was not in violation of any webmaster guideline when the penalty was applied.
For mission-critical websites, a penalty such as this can be truly catastrophic. The potential loss of revenue could be disastrous, with serious ramifications for the business. People could lose their jobs over things like this.
Yet there doesn’t seem to be any way to hold Google to account for these sorts of errors. There is no method of appeal – aside from the lengthy reconsideration request process – and no way to recover any lost damages outside of attempting a legal case. But with Google’s immense litigative power, any SME’s efforts to sue the search giant are going to be prohibitively costly and likely to end in disappointment.
In this particular case the site had a massive benefit: the involvement of expert SEOs that know what to look for and can call on help from other sources. Even with John Mueller’s aid, the site did not recover from the penalty for three days.
Imagine this happening to a small business website with limited access to expert SEO advice. It could take weeks – months even – for the root cause to be identified, and weeks more for the penalty to be reviewed and removed. The damage would be almost immeasurable.
Yet none of it is really the site owner’s fault. The site was compromised by a malicious hacker, and even when that hack was detected and fixed, the site was still subsequently penalised. There is no way to recoup any of the damages from Google – nor from the hacker, for that matter – without serious effort and resources, which small businesses simply don’t have.
One wonders, how many websites have been wrongly penalised by Google? How many businesses have suffered from wrongfully applied Google penalties? How many jobs have been affected? How many people have undergone tremendous stress and anguish over something entirely outside of their control? How much damage has been done to people – financially as well as personally – as a result of unwarranted Google penalties?
And does Google know about the flaws in its process? Does Google take any form of responsibility for the harm it causes? Do they even care?
There are quite a few lessons SEOs can learn from this episode:
- Security is mission critical: If you perform SEO audits and you don’t analyse a website for security flaws, you’re missing a trick. While the site had some basic security measures in place, such as non-standard user names and secure passwords, this was insufficient to protect the site from a hacker. After the hack the site owner immediately implemented additional security measures, and time will tell if these are sufficient to protect the site. As we all know, a determined hacker can get into any system, no matter how well-protected.
- Google takes quick notice: The malware code was only live on the site for a few hours. Yet that small window of time was enough for Google to spot it and flag it. Assume that any new code on the site is seen by Google almost immediately – even if they do not yet act on it.
- Google does not recognise intent: The hack resulted in code being injected on the site that Google identified as an attempt at cloaking. Google did not recognise it as a hack, instead flagging it as attempted webspam, and acted accordingly. Suffice to say that, obviously, Google is not omniscient – it cannot determine whether a site has been hacked or is intentionally trying to deceive.
- Penalties might be applied retroactively: Even when you’ve acted quickly and cleaned up the site, there’s still a chance Google will apply a penalty – legitimately or otherwise – to your site. In this case, the gap was 4 days, though Tim Grice from Branded3 tweeted that he sees partial penalties applied months after the fact:
Seeing loads of hacked sites receiving partial penalties months after the malware has been cleaned up… with no message to alert @JohnMu
— Tim Grice (@Tim_Grice) January 14, 2016
- Penalty Notices can be delayed: From the moment the penalty was applied to when we were notified in Google Search Console, 28 hours had passed. I expect such delays are more common than we think. When you see a site’s traffic fluctuate, and you suspect a Google penalty but there is no message in GSC, don’t be surprised if one appears later.
- Manual Penalties are flawed: This is a very clear case where Google should not have applied a manual penalty when it did. It shows that Google’s process is deeply flawed and lacks basic safeguards against human error and potential abuse.
- Erroneous Manual Penalties are not easily lifted: Even in this instance of a wrongful manual penalty, it took Google several days to act on the new information we supplied and revoke the penalty, and that was with the added benefit of direct communication with John Mueller. By all appearances, Google does not acknowledge a wrongful penalty – it penalises quickly, but corrects slowly.
How Can You Prevent This?
A small part of me hopes Google will learn from this episode and perhaps put measures in place to prevent further wrongful penalties. But that’s a very slim hope indeed.
It is very difficult to protect your website from suffering a similar fate. These things are almost entirely out of your control. As this case study shows, even when you do not engage in any black hat SEO practices, your site is still at risk.
At the very least you need to make sure your website is as secure as it can be. Don’t compromise on security – get the right systems and safeguards in place to prevent your site from being hacked in the first place.
Yet even the best security measures can be bypassed. You should have a clear process in place for when your site is breached, so you can act quickly to undo the damage. Know who to contact, what to do, how to roll back to previous site versions, etc. A basic security plan is essential.
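The reason the owner in this story could clean up within three hours is that they knew which files had changed. The simplest way to know that is a hash manifest of the web root taken while the site is known-good, kept somewhere the attacker cannot reach, and diffed against the live files whenever something looks off (or on a schedule). The block below is an added example, not code from the original post: it builds such a manifest, diffs it, and walks through a constructed tampering scenario in a temporary directory. The directory names, the sample files and the `IGNORE_PARTS` list are assumptions for the demo; the baseline location in particular should be off the web server, since an attacker who can edit your pages can edit a manifest sitting beside them.

```python
"""Hash manifest of a web root, diffed against a stored known-good baseline."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: directories whose contents churn legitimately and would only add noise.
IGNORE_PARTS = {"cache"}


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or IGNORE_PARTS.intersection(rel.parts):
            continue
        manifest[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: Dict[str, str], dest: Path) -> None:
    """Write the manifest as sorted JSON; keep dest off the web server in practice."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed walkthrough: baseline a tiny site, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-content" / "themes").mkdir(parents=True)
        (root / "cache").mkdir()
        (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (root / "wp-content" / "themes" / "style.css").write_text("body { margin: 0 }\n")
        (root / "cache" / "page.html").write_text("cached\n")

        baseline_file = Path(tmp) / "baseline.json"  # in practice: off the web server
        save_manifest(build_manifest(root), baseline_file)

        # Tampering that stands in for the injected code in the incident:
        # one existing file is altered and one new file is dropped.
        (root / "index.php").write_text("<?php /* injected */ echo 'welcome'; ?>\n")
        (root / "wp-content" / "themes" / "x.php").write_text("<?php /* dropped file */ ?>\n")
        (root / "cache" / "page.html").write_text("regenerated\n")  # ignored by design

        return compare(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo reports `index.php` as modified and `wp-content/themes/x.php` as added, while the regenerated cache file is ignored. Re-baseline after every legitimate deploy or plugin update, otherwise the diff fills with expected changes and the one injected file gets lost in the noise; and treat a file the manifest does not know about as the first thing to open, since droppers are usually new files rather than edits.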
Always assume Google sees the effects of the hack. If your site is compromised and malware code injected, Google is very likely to see it. Don’t assume that a quick fix means the hack went unnoticed.
Expect a delayed response from Google, so keep an eye on your traffic and on Search Console messages. It can take days (or weeks? Months even?) for Google to act on a flagged crawl.
It pays to have inside contacts, so stay friendly with expert SEOs that have some measure of influence in the industry. If they can persuade a Googler to have a look at your particular case, it might help speed up the reconsideration process. Keep in mind though that Googlers like John Mueller are swamped with questions all the time, and they’re only human, so even with the best of intentions they can’t instantly jump to your aid.
Most of all, never put all your eggs in one basket, and have a back-up plan. In this case, Google traffic evaporated and caused the site significant traffic loss. Yet we were able to make up for that – to an extent – with additional social media efforts. When your site suffers from such a dramatic traffic drop, you need to be ready to fire on other channels to make up the loss. Paid search, paid social, email marketing – whatever it is, have a backup plan ready to go for when one of your site’s cornerstone traffic channels suddenly dries up.
A security breach on your website can lead to a severe Google penalty, even when the breach is quickly fixed. Google’s manual penalty process is deeply flawed and can lead to innocent websites being de-indexed from Google search. There is no accountability and very limited potential for appeal. Be prepared for a worst-case scenario like the one described above, and have plans in place to keep your site ticking over until the Google gods can be bothered to review and, hopefully, revoke your penalty.