Malware Hack Attack: When Bad Things Happen to Good Sites


Hacker-induced rage!

I wanted to share an experience I've been going through after one of my sites was infected with malware. I've been involved in search marketing for the past six years and have been lucky enough to have never had a site hacked. But, alas, all good things must come to an end.

About two weeks ago, one of my sites was the target of malevolent hackers. I became aware of the security breach when I visited the SERPs and saw that Google was displaying the toxic "This site may harm your computer" warning, which looks like this (NOTE: this is NOT my website, just an example):

This site may harm your computer warning

When users click on the "This site may harm your computer" link, it leads them to a Google support page. If you miss the warning and click on the actual site listing, you're redirected to an interstitial webpage that blocks you from accessing the infected site.

Google badware warning on an interstitial webpage

Initial Malware Fallout

Beyond getting the badware removed ASAP, my initial concerns when seeing that the site had been hacked were:

  • Loss in traffic: I knew traffic to the site would come to a standstill. That's a given. Anyone seeing the virus hack warning in the SERPs isn't going to click on my listing.
  • Brand damage: Having Google label my site "harmful" would most certainly have a deleterious effect on my "brand." So the quicker the SERP warning was removed, the better.
  • Rankings penalty (???): With my knowledge of Google and Google policies, I was concerned the site might experience a rankings ding once it was recrawled, even after the malicious code was removed.

So the security breach turned out to be a hidden iframe exploit. I worked with the hosting provider and got the malware removed quickly (within a day of being discovered). During that time, traffic flatlined (as expected) but rankings remained stable. Once I knew the site was clean, I submitted for a review in Google Webmaster Tools. The site was given a clean bill of health and within 24 hours the SERP warning was removed and everything seemed like it was back to normal.

That is until this week.

Residual Effects: Malware Rankings Penalty?

Roughly two weeks after the malware incident, my site has experienced a sudden and massive freefall in the SERPs. I'm assuming this is due to the malware event and we're finally experiencing the fallout. I don't know what else it could be since the site is squeaky clean, white hat, fresh as the driven snow. There are no paid links or link wheel shenanigans that would warrant a site penalty. So I'm 99% sure this is malware-related.

As for the effect of the suspected rankings penalty, it's pretty gruesome. I track 40 competitive "head terms" for this website and here's a quick overview of the carnage.

Rankings penalty resulting from malware site attack

The above chart shows that the average ranking for my 40 keywords before the malware attack was "7." Yes, this site ranked extremely well in the SERPs. Then two weeks after removal, this site's rankings for these 40 terms plummeted an average of 116 positions.

As an aside, if you want to perform your own average rank changes in Excel for keywords you track, here are the formulas (note: the formulas are set for a list of 40 terms, so adjust based on how many cells/terms you use):

Column A: Keywords you're tracking
Column B: [=SUM(B2:B41)/40]
Column C: [=SUM(C2:C41)/40]
Column D: [=SUM(D2:D41)/40]

To try and right the ship, I've submitted a reconsideration request. Typically this is reserved for sites that have violated the Google Webmaster Guidelines, but it was recommended in this post, "Hey Google, I no longer have badware," on Google Webmaster Central Blog.

From Google's perspective, I guess I can see the logic behind penalizing sites that have experienced security breaches. Even though the malicious script on my site was not added intentionally by me, it did, nonetheless, host hidden malware that violated Google's guidelines. So I figure a reconsideration request is worth a shot, and at least I'm taking some sort of action to try and get this resolved.

My theory is that, if after a few recrawls the site is still clean, then rankings will be "reinstated," for lack of a better term. During my research, I've only come across a handful of accounts from other SEOs who say they'd experienced a "90 day ranking penalty" following similar malware attacks, but I've yet to read confirmation from anyone at Google that this is the case. On the flip side, the majority of SEOs I've spoken with have never seen a rankings penalty following a hack, so if this IS the case for my site, it's an unusual one.

That said, if anyone has any thoughts to share on this from their own experiences, that would be fantastic (and helpful) since I'm still suffering the penalty and I think it's something we can all learn from. Call it a cautionary tale.

So what do you do if your site has been hacked?

Try these resources:

How do you prevent a hack from happening?

Try these resources:

Also, make sure you back up your files religiously. If you use WordPress, this is a great resource: Online Backup For WordPress.

Finally, if you use WordPress, make sure the version you're using is up-to-date and that you've updated your plugins as well (which is usually where the hackers gain access) and removed any that you're not using.



Richard Kraneis
Sep 23, 2010

A Business Opportunity?

Another fine article about the nuts and bolts of online marketing: cleaning up a malwared website and the aftermath of dealing with Google's assessment of your site.

Someone like you can resolve this problem for his own site. Large corporations can assign a SWAT team to resolve these problems.

But I wonder what understaffed mid-size firms do to resolve this problem?

I wonder how you would search for websites that have this problem? There must be a business opportunity in there somewhere...

Ken Lyons
Sep 23, 2010

Good point, Richard.
Better yet, instead of looking for infected sites, you can infect them first and then shoot them an email offering your malware removal services.
It's kind of how the Mob operates when they sell "protection" services. Protection from whom? Protection from the Mob.

David E.
Sep 27, 2010

Yup, there are teams like that that troubleshoot malware attacks and injections. BUT no, they don't do it mob style (lol); there's a strong belief in karma... More like the SWAT style where they get called to the scene.

David E.
Sep 24, 2010

We had that happen to a lot of sites we were hosting and got them running right. When we learned more about malware attacks and what hackers get out of it, your post made me think that they really scrape your traffic and you can only watch as it happens. Give it a few more days or weeks and double up on your SEO; all will be set right. BTW, why not get the plug-in from WordPress that automatically upgrades your site to the newest version as it becomes available? Wish you all the best!

Ken Lyons
Sep 24, 2010

Hey, David.
Thanks for dropping by. I didn't know that plugin existed, but I'm installing it now.
Thanks for the tip.

Sep 27, 2010

We just had the exact same thing happen to our sites.

We have removed the malware and we submitted our sites for reconsideration.

Did your rankings get back to normal? If so, how long did it take?



Ken Lyons
Sep 27, 2010

Hey, Raymond.
So I never did submit for reconsideration. I wanted to wait until I saw evidence of another recrawl before I did that.
Just to update everyone, the penalty or "time out" has been lifted and the site is back to the pre-malware rankings.

To recap, it took about 10 days for the penalty to get lifted. Looks like the site was crawled again and got a clean bill of health, so all was forgiven. All I can figure is this was some sort of probationary penalty for sites that get infected.

I would also assume that if the site were to get infected again, it would incur a more severe penalty, given it already has one strike. That's just pure speculation on my part, but it would seem logical.


Apr 30, 2012

Hi Ken, so please follow through with this malware issue you had back in September 2010. How have things fared with this website till now? How long did it take for your rankings to be restored? Thanks, Sid

Jul 15, 2011

Just discovering your site but helpful information here!

Jul 27, 2012

Very useful information about a topic not much is written about. Our site got a malware warning today; the source was one of my advertisers' iframe code. We removed the malicious code within 6 hours and requested and submitted a review through Google in Google Webmasters. Within 6 hours after our request our site was accessible in Chrome and Firefox again, without the warning page. However, to visitors clicking from Google on our results, a warning page is still shown. I guess this will take some more hours before it's updated all over Google's servers.

However, currently that's not my biggest worry... That loss of hits for a day, fine, I'll have to accept that. What worries me more is that when I search for the keywords that most of my traffic was coming from, the ranking decreased significantly. For all words I was listed on page #1 for, my result is moved down to #7 or even lower. It makes sense Google penalizes sites while they have a malware warning going. Just keeping my fingers crossed that once that warning is gone, rankings will be recovered immediately or that I have to build it up from scratch again.

Did everybody here get FULLY recovered after the malware attack?

Thanks, Paul
