If your WordPress site has been hacked, you aren’t alone: this happens quite often on sites that don’t have at least basic plugins in place to scan for and block malware. Because it happens so often, there are tried and tested fixes and preventative measures you can employ to minimise the chances of your site being hacked.
A WordPress site that we’re working on recently got hacked and a script on the site was creating fake URLs which then redirected to external sites. These URLs were all related to “dating” sites and there were over 2,000 of them – you would be surprised at the creativity involved in creating 2,000+ “dating”-related URLs!
We saw a significant increase in the number of pages indexed in the Google Search Console account, which we check regularly for our SEO reports. This was the first indication that something was up.
We then checked the messages section of Search Console but we didn’t see anything, which was odd, as typically you would get a message like: “This site may be hacked”.
We then did a site search in Google using “site:website.com” to see all of the pages that were being indexed. After scrolling down past the legitimate pages on the site, we saw URLs relating to “dating” sites like:
…and so on.
All of the spam URLs included the word “dating”, so we did another site search, this time using the search operator “dating” site:website.com, and this generated the following results:
We found over 2,000 results relating to these URLs so it was clear the problem was quite extensive.
The first step was removing the malicious script from the server that was generating the spam. We enlisted the help of our development partners to remove this from the server.
There are several plugins that scan and remove spam, as well as monitor the site moving forward. Popular plugins include:
We went with Wordfence as we are familiar with it and know it works well.
We know that the URLs return a 404 error now and that Google should see these 404s and eventually drop them from the index. However, as there are over 2,000 of these and the site gets crawled and indexed every other day, with a varying number of URLs each time, this may take a month.
We want to speed up the crawling of these new spam 404 URLs to encourage Google to drop them from the SERPs, so let’s look at a couple of options for this.
Option 1 (slow to implement):
Option 2 (quick to implement):
Based on the 2,000+ spam URLs we found, this process took us about a month to fully remove all the spam from the index. We chose to do it daily and it only took about five minutes, so it’s not too difficult if you schedule it at the start of every day.
Use Google Search Console to monitor your spam removal:
These are checks you should be performing as standard on a website you manage, and they will help to avoid this happening in the future. Using the Wordfence plugin or similar will also help prevent future spam attacks. It’s the responsibility of our Technical SEO department to perform checks on clients’ websites, and as a website owner or manager we recommend performing these at least every week, if not daily:
These are some of our results from the work we did:
You can see where the spam URL indexation spiked and when it started to normalise.
URLs were added to the sitemap daily at the start of the issue, then we left it to be crawled so that the 404s would be picked up and drop out of the index. There were a few legitimate URLs already on the site that mention the term “dating”, which is why you see 39 URLs as indexed: these do not 404.
Here we see an increase in 404s due to the spam 404 pages being picked up in the sitemap. We will clear this out completely soon by “marking as fixed” to reset the report and only see legitimate 404 errors moving forwards.
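The sitemap step described above can be scripted. This is an added example, not code from the original post: it takes HTTP status codes from a crawl that did not follow redirects, separates spam URLs that now return 404/410 from ones that still respond, and writes the former into a temporary sitemap. The sample URLs, the `LEGIT` allow-list and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
GONE = {404, 410}  # statuses that tell a crawler the page no longer exists

# Constructed sample: URL -> status from a crawl that did NOT follow redirects.
SAMPLE = {
    "https://website.com/dating-constructed-1/": 404,
    "https://website.com/dating-constructed-2/": 302,  # still redirecting
    "https://website.com/blog/online-dating-tips/": 200,  # legitimate page
    "https://website.com/about/": 200,
    "https://other.example/dating/": 404,  # different host, ignored
}
LEGIT = {"https://website.com/blog/online-dating-tips/"}


def triage(statuses, site_host, keyword="dating", legit=frozenset()):
    """Return (gone, still_live) lists of spam URLs on site_host."""
    gone, still_live = [], []
    for url, code in sorted(statuses.items()):
        parts = urlsplit(url)
        if parts.hostname != site_host or keyword not in parts.path.lower():
            continue  # not one of the spam URLs on this site
        if url in legit:
            continue  # real content that happens to contain the keyword
        # Anything other than 404/410 means the URL still serves or redirects,
        # so the malicious script (or a leftover of it) needs another look.
        (gone if code in GONE else still_live).append(url)
    return gone, still_live


def build_sitemap(urls):
    """Serialise urls as a sitemaps.org urlset for temporary submission."""
    ET.register_namespace("", SITEMAP_NS)
    root = ET.Element(f"{{{SITEMAP_NS}}}urlset")
    for url in urls:
        entry = ET.SubElement(root, f"{{{SITEMAP_NS}}}url")
        ET.SubElement(entry, f"{{{SITEMAP_NS}}}loc").text = url
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


if __name__ == "__main__":
    gone, still_live = triage(SAMPLE, "website.com", legit=LEGIT)
    print(build_sitemap(gone))
    for url in still_live:
        print("STILL LIVE, investigate:", url)
```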
Here’s a log we kept while checking the spam issue which shows that based on a website with 800 legitimate pages, plus 2,303 fake/spam pages and a crawl/index rate of every day/every other day, the issue was resolved within a full month.
Therefore, you can get a rough idea, based on the size of your site and rate of indexation, of how long it will take for you to remove these URLs from the Google index.
If you think your website has been hacked, whether it’s on WordPress, Magento or any other platform, and would like us to take a look, feel free to get in touch today and a member of our Technical SEO team will help you.