Hacked? How to Clean Your Site and Get Off Google’s Blacklist

So, did it hurt? When you landed at the bottom of the SERPs, I mean, and Google slapped a scary red warning message on your site telling people to keep out.

If this happened due to an error on your part (bad SEO, shady linking tactics, etc) that’s one thing. But if your site was hacked and now contains malicious code, that’s just adding insult to injury – and can really damage your reputation.

Unfortunately, that’s just one of the risks of being in charge of your own site maintenance. Stuff like this can happen. Sure, it’s fantastic being able to build your own site in WordPress, but as Spiderman says, with great power comes great responsibility. To put it plainly, you have control over how your site looks but you’re also in control when/if your site runs into problems.

If you’re hacked, you will probably get blacklisted by Google. Period. Google isn’t going to take any chances with its reputation. So, if your site smells even the slightest bit fishy, the search engine is going to blacklist you, knock you from your spot in the rankings that you’ve worked so hard for, send your site plummeting in the SERPs and tell anyone who lands on your site to stay away because it’s dangerous.

And that’s a real bummer. But the key is knowing what to do next. Should you find yourself on Google’s Blacklist (or you’re a bit fuzzy on what the blacklist even is), we’ve put together a comprehensive step-by-step guide to getting it handled ASAP. (Click here to go straight to the step-by-step-guide)

A malware notice shown to Firefox users.
A malware notice shown to Firefox users.

Google Blacklist: A Definition

A website that has been blacklisted by Google will generally experience a dramatic drop in organic search traffic. It’s sudden and huge and when your Analytics graph inverts sharply, it’s usually the biggest clue to a webmaster that something bad has happened.

How Did I Get on the Blacklist?

There are a number of ways your site might’ve got on the blacklist. But generally speaking, when a search engine finds suspicious code or activity on your site that its internal algorithms determine to be malware, it will remove the site from search results immediately. Instead of risking the integrity of the search results and their safety for users, removing the questionable site is the least resource intensive action the search engine can take.

Now, what is malware exactly? In this case, it can be anything that Google deems suspicious including phishing schemes, hacks, information or email address scrapers, trojan horses, and more. The sad thing here is that the vast majority of the time, you won’t even know your site has been hacked until your organic search traffic falls off a cliff.

In some cases, however, there will be tell-tale signs that something is amiss. This can either come in the form of suspicious things you come across yourself or through warnings, shutdowns, or other actions taken by external sources.

Of course, there are occasions where the webmaster is responsible for the blacklisting. Things you should never do if you want to avoid the blacklist include:

  • Violating copyright or DMCA claims. Stealing content is frowned upon by the world. Don’t do it.
  • Keyword masking. Hiding keywords by making the text the same color as the site’s background is so 1998. If Google finds out, you’ll be de-indexed quick.
  • Linking to spammy sites. Be mindful of where you link to. It should be a priority of yours to link only to high-quality sites.

A lot of the time, however, hackers will implement these link baiting and keyword spam schemes as a part of infecting your site with malware. Regardless of whodunnit, however, Google will treat affected sites the same way: with a swift and thorough blacklisting.

What Does Blacklisting Look Like?

Blacklisting is fairly obvious when it happens. Your analytics will take a nosedive as I mentioned above. Or, if you do a simple Google search for “site:yoursitehere.com” and no results are found (assuming your site has already been indexed) chances are really good that your site has been blacklisted. This is one of the manual ways to check for blacklisting.

Another way to check for blacklisting is to regularly access and review data in Google Webmaster Tools. This makes it easy for you to see what sites link to you, what search queries you’re ranked for, 404s, server errors, and overall site health. Any funny business happening with your site is likely to show up here before your site is blacklisted, so keeping a watchful eye is really important when attempting to maintain the integrity of your site.

The easiest way to check if your site has been blacklisted will soon be with the new security feature available to WPMU DEV members in the dashboard. Simply go to your profile and click on the “Security” link next to the website you would like to check and the dashboard will display an alert if a Google blacklisting is detected. This feature will be rolled out soon, so stay tuned!

In the meantime, there are several tools you can use to automate the process, including BannedCheck and Sucuri SiteCheck. In each of the above tools, you input your site’s URL and receive a result that says your site is either good to go or blacklisted.

There are also plugins that can help to determine if your site has been hacked and/or blacklisted, too. We will soon be releasing WP Defender, which, like the dashboard, will also alert you if your site has been blacklisted by Google. WP Defender will also automatically suggest ways to harden your WordPress install to prevent hackers and bots accessing your site and can scan your site for malware, shell scripts, database issues and changes to WordPress core – all the stuff you don’t want around. We’ll keep you posted when this service launches!

Until its release, you might want to check out some other great security plugins: Sucuri SecurityWordfence Security or iThemes Security.

When your site has been compromised, Google will display a big, scary warning messages, turning away any visitors to your site.
When your site has been compromised, Google will display a big, scary warning messages, turning away any visitors to your site.

Security Warnings & Diagnostics: A Primer

So, we’ve already talked about the ways you can check to see if your site has been blacklisted, but I feel like it’s a good idea to spend additional time talking about what Sucuri refers to as the “symptoms” of being blacklisted. Not every blacklisted site will exhibit these features but this is a good rundown of what to look for:

  • There is sudden traffic to your site for keywords that have nothing to do with your site’s content—particularly related to pharmaceuticals.
  • Your site suddenly redirects to another site not in your possession.
  • New administrators or users appear in your site’s dashboard that wasn’t created by you or anyone with authorized admin access.
  • Your site is suddenly flagged as potentially containing malware in search engine results and by desktop or mobile anti-virus detection software.
  • Your web host shuts down your site.

It’s important to note the various security warnings Google can provide as well. While these aren’t technically blacklisting, they can sometimes indicate your site is well on its way to being blacklisted. Should you be fortunate enough to catch suspicious activity thanks to a security warning, you may be able to sidestep the headache of being blacklisted altogether.

These warnings appear on the search engine result page where your site is listed. These warnings can take a couple of different forms. Here are two of the most common warnings you’ll come across:

This site may harm your computer

This warning occurs when Google believes your site contains a Trojan or other piece of code that triggers a download prompt that is malicious. Those fake anti-virus pop-ups and automatic file downloads are the most common examples of what Google is referring to when it displays this warning.

Google has detected malicious code on your site.
Google has detected malicious code on your site.

This site may be hacked

This gets to the point, doesn’t it? This warning displays when Google has reason to believe your site has been completely hacked and taken over by someone other than you. The sudden appearance of content that doesn’t belong with the rest of your site, bank directories, and other red flags trigger this warning.

Google has detected your site has been hacked.
Google has detected your site has been hacked.

Other Blacklists

While this article focuses on getting off Google’s blacklist, it’s worth noting there are other blacklists that may pick up on malicious content or security threats on your site. These are some of the main blacklists:

  • Norton Safe Web
  • Phish Tank
  • Opera
  • SiteAdvisor McAfee
  • Sucuri Malware Labs
  • Yandex (via Sophos)
  • ESET

If Google reports your site as clean, it is still possible for Opera (the browser, that is) or even Yandex (the search engine) to blacklist your site. So if you do notice a drop in SERPs or security warnings displaying in browsers other than Chrome, it’s a good idea to check these other blacklists to see if your site has been compromised.

A Step-by-Step Guide for Getting off the Google Blacklist

Now that you’re all clear on what blacklisting is, how to tell if it’s happened, and what the warning signs are that you might be headed for the blacklist, we can start discussing how to get your site off of it for good.

Step 1: Check if you’re blacklisted

Should go without saying, but you need to be 100% sure if your site has been blacklisted before you move forward.

  • Check your site’s status to determine safe browsing. Just input your site’s URL and review the results.
  • Fetch as Google to see what the Googlebot sees when accessing your site.

Step 2: Locate the Suspicious Code

There are a number of different places you can look on your site to find malware. It’s not always so easy and scanning through the code on each page, however. Sometimes, the culprit is embedded in your server somewhere. Still, there are a few places that hackers target more than others. You will need FTP access to get to some of these areas to start cleaning up the mess.

If your site is suddenly redirecting to another site, you should check the following areas for suspicious code:

  • Core WordPress files
  • Your site’s index (check both .php and .html!)
  • .htaccess

If your site is now triggering downloads for visitors, check out the following spots:

  • Header
  • Footer
  • Index (check both .php and HTML)
  • Your theme’s files

If you’re suddenly seeing a bunch of Pharma information on your site and believe it’s been compromised by a phishing campaign, check:

  • Any HTML file
  • Index .php and .html
  • For the appearance of new directories you didn’t create

You can also leverage the Google Diagnostic Page to figure out specifically what part of your site has been compromised. Is it just one page? One directory? Or the whole site?

Keep reading through the results to see when Google last visited your site. This is referred to as the “scan date.” Also, take note of when Google found the malware or suspicious content. This is referred to as the “discovery date.” Now, if you’ve tried to fix your site after the last “scan date,” Google doesn’t know about it yet. Patience is a requirement when getting your site off the blacklist, unfortunately. You can bring Google’s attention to your attempts to fix the issues, but we’ll talk more about that later.

Note: Sometimes, Google Webmaster Tools will show that certain HTML pages of your site have been infected but this isn’t necessarily the case. When dealing with WordPress, it’s likely that the core file responsible for generating the HTML file in question is infected. 

Step 3: Dig Deeper: Pretend You’re a Bot or User Agent

Sometimes running tests to see if your site (or a client’s) is infected would put your own computer at risk. You couldn’t just open up you web browser and load the site directly without putting your machine in danger. So, to bypass this, you can use cURL in the command line interface (CLI) to basically pretend you are a Google bot or a user agent.

According to Sucuri, you would input the following to emulate a bot:

$ curl –location -D – -A “Googlebot” somesite.com

Once you input this, you’re going to want to look for anything that doesn’t make sense in the code. So, bits that are in a different language than your own or content that looks like total gibberish. Yes, you’ll need to understand HTML at the very least, here. Anything in an iframe or script tag should get your careful attention, too.

You can also use this bit of code to emulate a user agent:

$ curl -A “Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)” http://www.somesite.com

You can swap out what browser is referenced here depending on your needs.

A few other commands you might want to get familiar with include Grep, Find, and SSH. These will help you to locate specifically where the hacking took place on your site, so you then manually remove the code that put you on the blacklist.

If the CLI stuff is leaving you scratching your head, here’s a list of resources you can use to get up to speed on the terminal and the specific commands you’ll need to clean your site:

Once you locate the source of the problem, you can remove it.

Step 4: Removing Bad Code 

If your site has been hacked, you’ll need to remove the malware that caused the blacklisting and/or security warnings. If the hackers created new pages with malicious code, you can remove them from the SERPs altogether by going to the Search Console and using the Remove URLs feature. You’ll also want to delete the pages in question from your server, but using Remove URLs can help expedite Google’s awareness of your cleanup attempt.

Remember, you shouldn’t use Remove URLs for pages you want to be indexed but have bad code. This is a feature you should only use when a page should disappear from search results for good.

To remove all evidence of the hacking from your site, you’ll need to backup from an older version of your site. Regular backups are super important for this very reason, so hopefully you have a clean version of your site on file to use. This is the first step in cleaning your site’s server.

Next, install any new core, theme, and plugin updates that are available. Make sure everything is as up to date as possible. This will reduce your site’s vulnerabilities. Follow best practices for site security here (limit the number of plugins you use, delete outdated themes you no longer use, old user accounts, etc).

Finally, change all the passwords for your site. And I mean all of them. Not just the WordPress administrator and user passwords. You also need to change the passwords for your FTP account, database(s), hosting, and anything else related to your site to ensure security.

If the version of the site you’re restoring from the backup is way out of date, you should take a disk image of your infected but current site before installing the clean outdated version. Once you install updates and change passwords, you’ll need to restore the new content manually. Google offers some pointers on how to accomplish this.

Step 5: Resubmit Your Site

If your site has been blacklisted, it’s been removed from the search results. To get back in the SERPs, you’ll need to submit your site for review. Otherwise, Google won’t know that you’ve taken steps to remedy the problem (or, at least, won’t crawl across your squeaky clean site for a long time). And every day your site is out of the SERPs is money lost, right? So to speed things up, you have to go through a couple of official channels.

If your site was infected with malware or was involved in phishing, you’ll need to submit a reconsideration request via Google Webmaster Tools. I’m going to assume your site is already added, so once you’re logged in, click on Health > Malware. You should then be prompted to submit a review.

If your site was hacked with spam content, you’ll need to look in the Webmaster Tools for Reconsideration. You’ll be presented with a dropdown menu. Select your site, fill out the form, and submit it. The review should occur fairly quickly. If it’s been a couple of days and you don’t see any changes in Webmaster Tools, it’s likely the problem wasn’t 100% fixed.

Have You Ever Been Hacked? 

The process of cleaning up after being hacked and getting on Google’s blacklist can be arduous at best, I’m not going to lie. But if you lay out a plan or create a checklist for the steps to take, you can tick them off little by little until your site is clean, back online, and back in the SERPs. It’ll take some effect, but the important thing is you’ll restore your site’s reputation. And if anything, it’ll give you the opportunity to prioritize security in a way that you might not have thought about before. Small silver lining?

Has your WordPress site ever been hacked? How did you deal with it? How long did it take you to fix? Please share your own gruesome hacking tales below. And if you have any questions about WP Defender, you ask them, too!