Innopplinc - Blog

A Client’s WordPress Site Was Hacked & SEO Rankings Lost – Here’s How We Fixed It

Imagine you walk into work on a Monday morning, open your keyword ranking tool and notice that all your keywords that you were organically ranking for have been obliterated. Like, completely wiped off the digital map.

You scramble to your website and find that it’s not responding. You then open your email and you see a message from Google with the subject line, “[Webmaster Tools] http://yoursite.com/: Suspected hacking.”

It’s right then and there that you realize your week is going to be 100% terrible.

Sadly, this scenario happens way too often. According to Elite Strategies, SEO firms get 2-3 calls/week with cases just like this.

Recently, one of our clients (We’ll call them, Big Website LLC) had their WordPress site hacked and they called us right away. We’re mainly Los Angeles mobile app developers and don’t offer SEO services. But this was one of our best customers, so we couldn’t leave them hanging.

Here’s what happened: On a Saturday, everything was ok on Big Website LLC’s site. On Sunday, when they checked their rankings, they had lost everything. What’s worse, our team found thousands of multilingual links indexed along with the site. AKA – SPAM Town.

Spam Links From Website Being Hacked

Then, our developers dug through their server files and found over 2GB of unknown data. This, combined with the 2000+ spam links, caused the loss of all their organic rankings and took their site down. It was a really dramatic scene, with lots of questions being raised.

Once we got over the shock, we started brainstorming on how we were going to fix the issue. Everyone agreed that getting the site up again wasn’t a big deal. No, the toughest part was going to be building back the organic Google keyword rankings for Big Website LLC.

Injected malicious code

2 GB of unknown files

Luckily, our lead SEO analyst had done this before and he boldly promised to bring back the old rankings within a week… and he did it! Here’s how.

How We Fixed The Hack and Got Back The Organic SEO Rankings

To recap, here are the issues we faced:

  1. Multi-language site links indexed in Google on Big Website LLC website
  2. Multilingual back links for Big Website LLC website
  3. Increase in 404 errors found in Google Webmaster/Search Console
  4. Malicious codes found in web files – More than 65k html injected in the web server
  5. WordPress site infected and compromised

As you can see, we had our work cut out for us. So, here’s what we did, step-by-step.

Step 1: Remove Unwanted Indexed Links

Note: Our SEO analyst decided to do this process as manually as he could. The reasoning behind this was so that anyone could mimic our results, with as few paid tools as possible.

In the browser, enter “site:yoursitename.com” – This will list all your website’s indexed pages.

  1. Collect the URLs you want to be removed in an Excel sheet
  2. Log in to Google Search Console > Google Index > Remove URL. Click on “Create a new removal request” and paste the URL. Google will then remove the link within 24 hours. We manually did this step over 2000 times to get rid of the unwanted sites. Again, we did it the hard way. We know that.

Performing this step alone is not enough, as there is a possibility for the issues to crop up again in 90 days. So you also need to do all of the following:

  1. In the browser, enter “yoursitename/robots.txt.” This will show all the disallowed files and folders
  2. Copy the entire list into Notepad. To disallow a particular extension, add “$” at the end of the rule (Note: The hacker had put 2GB worth of html links on the site, so we blocked all URLs ending with .html. Luckily none of the other site links end with .html, so it was easy for us to block)
  3. Re-upload the file to the server with the changes. This only blocks the links; it does not remove them. The next section shows how to permanently remove these links
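
Before re-uploading robots.txt, it is worth checking that the new rule blocks the injected pages without also blocking legitimate ones. The following is an added example, not part of the original post: it applies Google-style `*` and `$` matching to Disallow rules only (Allow precedence is ignored), and the robots.txt content and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed robots.txt using the kind of rule described above:
# block every URL that ends in .html.
ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /*.html$
"""

# Constructed sample URLs: an injected page, two legitimate pages, and an
# .html URL with a query string, which "$" does NOT cover.
SAMPLE_URLS = [
    "https://yoursitename.com/xq7-offer-ja.html",
    "https://yoursitename.com/about/",
    "https://yoursitename.com/html-guide/",
    "https://yoursitename.com/xq7-offer-ja.html?ref=1",
]

def parse_disallow(robots_txt, agent="*"):
    """Disallow patterns from the groups that apply to `agent` (Allow is ignored)."""
    patterns, applies, prev_was_agent = [], False, False
    for raw in robots_txt.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            matches = value in ("*", agent)
            applies = (applies or matches) if prev_was_agent else matches
            prev_was_agent = True
        elif field:
            prev_was_agent = False
            if field == "disallow" and applies and value:
                patterns.append(value)
    return patterns

def to_regex(pattern):
    """'*' matches any run of characters; a trailing '$' anchors the end of the URL."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    rx = ".*".join(re.escape(part) for part in body.split("*"))
    return re.compile("^" + rx + ("$" if anchored else ""))

def is_blocked(url, patterns):
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return any(to_regex(p).match(target) for p in patterns)

def audit(urls, robots_txt=ROBOTS_TXT):
    """Map each URL to True (blocked) or False (still crawlable)."""
    patterns = parse_disallow(robots_txt)
    return {url: is_blocked(url, patterns) for url in urls}
```

Run `audit()` over the full list of indexed URLs collected in the Excel sheet; any legitimate page that maps to `True`, or any spam URL that maps to `False`, means the rule needs adjusting before upload.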

Not too complex, but semi-technical, for sure.

Step 2: Remove 404 Errors In Google Search Console

Once you block the site through robots.txt, the number of 404 errors will increase since the indexed files are no longer considered by Google. To remove the errors, it’s essential to manually remove all files so the number of indexed links is equivalent to the number of pages on your website.

  1. Enter “site:yoursitename.com” in Google search (Note: It shows there are 20,500 links to Big Website LLC’s site, but that’s not the case. In the previous section we blocked the links that the hackers put in, but we didn’t remove them. Those indexed links now show as “404 error,” which need to be removed manually to have an error-free site)
  2. Gather all the links that have the 404 error
  3. Log in to your Google Search Console Tool
  4. Then, go to Google Index > Remove URLs
  5. Click on “Create a new removal request”
  6. Paste the desired URL, click on “Continue” and select “Remove page from search results and cache”
  7. Click on “Submit Request” for Google to remove the link. It will be removed in less than 24 hours

FYI: Doing this more than once won’t speed up the process.

Step 3: Remove Unwanted Backlinks

One Google ranking factor is the quality of the backlinks to a website. There were tons of backlinks from unreliable sources that had to be removed to gain back the lost rankings.

  1. We got a list of backlinks from a free tool called BackLink Watch, Google backlinks checker, etc. We also tried various Google search queries like “yoursitename/wp-content” to determine backlinks that did not show up using the tools
  2. Compile a list of unnecessary/spammy backlinks in an Excel sheet
  3. Go to the page for Google Disavow
  4. Ensure you are logged in using your Search Console account
  5. Choose the website you want to remove backlinks from
  6. Click on Disavow links
  7. Upload the backlinks from the Excel sheet

Note: It might take time for Google to remove the backlinks because it needs to crawl all the links on the list.

All these processes helped us rectify the first three issues, but to clear Big Website LLC’s site from all the malware, we needed our developer and network admin to pitch in and do what they do best.

Step 4: Conduct An Intense Code Review To Find What Went Wrong

Sadly, we found a lot of malware code injected into Big Website LLC’s source files, which had to be removed fast. This injected code served as a backdoor entry for hackers to enter Big Website LLC’s server and upload unwanted files. Here’s our process for performing a code review.

  1. Make a backup of your entire website and database
  2. Our network admin scanned the source code using the Wordfence Security plugin. This plugin helps in finding malicious code. Clicking on “Restore Files” helps in getting back the original version of your edited source code
    Injected Malware Code

  3. The cleaned source code was further scanned using Kaspersky antivirus software. This helped in checking if there were any malware or viruses in the source code. If any were found, then they were deleted.
  4. Download a fresh copy of WordPress with updated plugins and themes
  5. Replace all website files other than wp-content and wp-config.php in your existing files
  6. In wp-content folder > plugins > look at each and every folder for loop/backdoor files and if you find any, remove them
  7. Under wp-content > themes > locate the correct folder for the used theme. If you find any loop/backdoor files or URLs, remove them. Also, in the theme’s base file, replace all JS files with a fresh copy
  8. Inside wp-content, go to uploads. If you find any html files or php files, remove them
  9. Don’t make any changes in the upgrades folder found in wp-content
  10. On the database side, there are 13 tables by default and additional tables are added for each plugin introduced. Check if these additional tables are authentic. If there are any malicious tables found, then remove them
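
The file-level checks in steps 4 to 8 can be scripted so that nothing is missed across thousands of files. The following is an added example, not part of the original post: it compares a live site tree against a fresh WordPress download by SHA-256 and lists .php/.html files under wp-content/uploads. The function names, directory layout and file contents in `demo()` are constructed for illustration; plugins and themes are deliberately left for the manual review described above.

```python
import hashlib
import tempfile
from pathlib import Path

KEEP = {"wp-content", "wp-config.php"}  # step 5: not replaced from the fresh copy
UPLOAD_EXTS = {".php", ".html"}         # step 8: should never sit in uploads

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def rel_files(root):
    """Map each file's path relative to `root` onto its full path."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def triage(site, fresh):
    """Compare a live site tree against a fresh WordPress download."""
    site, fresh = Path(site), Path(fresh)
    live, clean = rel_files(site), rel_files(fresh)
    report = {"modified": [], "unknown": [], "uploads": []}
    for rel, path in sorted(live.items()):
        if rel.startswith("wp-content/uploads/"):
            if path.suffix.lower() in UPLOAD_EXTS:
                report["uploads"].append(rel)   # script or page in a media folder
        elif rel.split("/", 1)[0] in KEEP:
            continue                            # plugins/themes: manual review
        elif rel not in clean:
            report["unknown"].append(rel)       # not shipped with WordPress core
        elif digest(path) != digest(clean[rel]):
            report["modified"].append(rel)      # core file altered on the server
    return report

def demo():
    """Build two small constructed trees and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        site, fresh = Path(tmp, "site"), Path(tmp, "fresh")
        files = {
            fresh / "index.php": "<?php // core",
            fresh / "wp-includes/load.php": "<?php // core",
            site / "index.php": "<?php // core",
            site / "wp-includes/load.php": "<?php // core\n/* injected */",
            site / "wp-includes/cache-x.php": "<?php // unexpected",
            site / "wp-config.php": "<?php // site config",
            site / "wp-content/uploads/2016/logo.png": "png",
            site / "wp-content/uploads/2016/promo.html": "<html>",
            site / "wp-content/uploads/2016/thumb.php": "<?php",
        }
        for path, body in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return triage(site, fresh)
```

Run `triage()` against the backup from step 1 rather than the live server, and use a fresh download of the same WordPress version the site was running so that ordinary version differences do not show up as modified files.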

Additional Tips: Change the admin user name, password and admin login URL (if possible). Try incorporating a login captcha to enhance security. Enhance password security by including alphanumeric characters.

Step 5: Resubmit Website Sitemap

Once all the links/spam/malware are fixed, it’s time to resubmit the sitemap.

  1. Log in to Google Search Console
  2. Under Crawl > click on Sitemaps
  3. Add the XML sitemap link and click on Submit Setup
  4. Fetch the indexed site using the feature Crawl > Fetch
  5. Create some fresh content on your site and promote it on all social media sites for faster indexing

Important: If your site is flagged by Google, then once your site is clear, make sure you email Google Search Console to remove the tag immediately. This flag harms the reputation of your website a lot.

Organic SEO rankings returned

And there you have it. This took us about 4 days to do all of the above. Within 7 days of the first hack, we got the site up and running, saw keyword rankings return and made Big Website LLC very happy. Currently, 99% of their organic keywords are ranking again.

Want to make sure this never happens to you? We specialize in developing extremely secure Drupal websites. Contact us today about our web development and security services.