Malware Hack Attack: When Bad Things Happen to Good Sites

Ken Lyons
April 3, 2015

Hacker-induced rage!

I wanted to share an experience I've been going through after one of my sites was infected with malware. I've been involved in search marketing for the past six years and have been lucky enough to have never had a site hacked. But, alas, all good things must come to an end.

About two weeks ago, one of my sites was the target of malevolent hackers. I became aware of the security breach when I visited the SERPs and saw that Google was displaying the toxic "This site may harm your computer" warning, which looks like this (NOTE: this is NOT my website listing...it's just an example):

This site may harm your computer warning

When users click on "This site may harm your computer" link, it leads them to a Google support page. If you miss the warning and click on the actual site listing, you're redirected to an interstitial webpage that blocks you from accessing the infected site.

Google badware warning on an interstitial webpage

Initial Malware Fallout

Beyond getting the badware removed ASAP, my initial concerns when seeing that the site had been hacked were:

  • Loss in traffic: I knew traffic to the site would come to a standstill. That's a given. Anyone seeing the virus hack warning in the SERPs isn't going to click on my listing.
  • Brand damage: Having Google label my site "harmful" would most certainly have a deleterious effect on my "brand." So the quicker the SERP warning was removed, the better.
  • Rankings penalty (???): With my knowledge of Google and Google policies, I was concerned the site might experience a rankings ding once it was recrawled, even after the malicious code was removed.

So the security breach turned out to be a hidden iframe exploit. I worked with the hosting provider got the malware removed quickly (within a day of being discovered). During that time, traffic flatlined (as expected) but rankings remained stable. Once I knew the site was clean, I submitted for a review in Google Webmaster Tools. The site was given a clean bill of health and within 24 hours the SERP warning was removed and everything seemed like it was back to normal. 

That is until this week.

Residual Effects: Malware Rankings Penalty?

Roughly two weeks after the malware incident, my site has experienced a sudden and massive freefall in the SERPs. I'm assuming this is due to the malware event and we're finally experiencing the fallout. I don't know what else it could be since the site is squeaky clean, white hat, fresh as the driven snow. There are no paid links or link wheel shenanigans that would warrant a site penalty. So I'm 99% sure this is malware-related.

As for the effect of the suspected rankings penalty, it's pretty gruesome. I track 40 competitive "head terms" for this website and here's a quick overview of the carnage.

Rankings penalty resulting from malware site attack


The above chart shows that the average rankings for my 40 keywords before the malware attack was "7." Yes, this site ranked extremely well in the SERPs. Then two weeks after removal, this site rankings plummeted for these 40 terms an average of 116 positions.

As an aside, if you want to perform your own average rank changes in Excel for keywords you track, here are the formulas (note: the formulas are set for a list of 40 terms, so adjust based on how many cells/terms you use):

Cell A: Keywords you're tracking
Cell B: [=SUM(B2:B40)/38]
Cell C: [=SUM(C2:C40)/38]
Cell D: [=SUM(D2:D40)/38]

To try and right the ship, I've submitted for a reconsideration request. Typically this is reserved for sites that have violated the Google Webmaster Guidelines, but it was recommended in this post, "Hey Google, I no longer have badware," on Google Webmaster Central Blog.

From Google's perspective, I guess I can see the logic behind penalizing sites that have experienced security breaches. Even though the malicious script on my site was not added intentionally by me, it did, nonetheless, host hidden malware that violated Google's guidelines. So I figure a reconsideration request is worth a shot, and at least I'm taking some sort of action to try and get this resolved.

My theory is that, if after a few recrawls the site is still clean, then rankings will be "reinstated," for lack of a better term. During my research, I've only come across a handful of accounts from other SEOs who say they'd experienced a "90 day ranking penalty" following similar malware attacks, but I've yet to read confirmation from anyone at Google that this is the case. On the flipside, the majority of SEOs I've spoken with have never seen a rankings penalty following a hack, so if this IS the case for my site, it's an unusual one.

That said, if anyone has any thoughts to share on this from their own experiences, that would be fantastic (and helpful) since I'm still suffering the penalty and I think it's something we can all learn from. Call it a cautionary tale.

So what do you do if your site has been hacked?

Try these resources:

How do prevent a hack from happening?

Try these resources:

Also, make sure you backup your files religiously. If you use WordPress, this is a great resource: Online Backup For WordPress.

Finally, if you use WordPress, make sure the version you're using is up-to-date and that you've updated your plugins as well (which is usually where the hackers gain access) and removed any that you're not using.