How to Remove a Google Manual Penalty Caused by Hacked Content
A manual penalty from Google.
It can even happen to the best of us.
Even with the best intentions and a keen eye on your website properties, Google penalties can happen. We recently were tasked with fixing a manual spam penalty for having hacked content on a site. It was an unexpected penalty because the site is under constant management, and not neglected or pursuing "black-hat" SEO strategies.
Removing the penalty was a get-this-done-now type of task or it would start to cause trouble. Thankfully we were able to move fast and get the penalty removed quickly. Read on to see the steps you can take to remove a penalty if it happens to you.
You might remember that we've covered manual penalty removal before on our blog. That post covers a link spam penalty, which requires different steps to remove. If you didn't already know, there are a number of different types of spam that Google applies manual penalties for. Google has documented each type to help people like you and me make fixes and avoid warnings in search engines, like the one you can see in the header image of this post, or removal from the index altogether, which is the worst-case scenario for website managers.
How do you know you have a penalty?
If you have Google Search Console set up for your site, which you should, you will get an alert email sent to you from Google, and a message in your Console view. The email will have an explanation of the type of penalty you're receiving and give you instructions to remove it. It looks like this:
The "Here's how to fix this problem" section is very important and has more steps, so look below for a description.
Why did the site get a manual penalty?
So what happened was, the website affected with spam is a brand blog that was previously on a separate domain from the main website. In order to consolidate content and link equity, they implemented a strategy that placed the blog on the main brand site. A good idea!
The biggest problem is that the blog is managed on WordPress, and became hacked because of unsatisfactory governance. Yes, the most popular CMS in the world has problems with hackers when not managed properly. We've also documented the perils of using WordPress for your website on our blog, and because of its ubiquity, it's very common to get hacked if you have a WordPress site.
The site we were working on had over 140 pages that contained links to ... ahem ... "male enhancement pill" websites. These links were injected into the body of blog posts and were invisible to the user because of a <div> tag that positioned them to the absolute left of the page, thousands of pixels off of the main page view.
This type of issue often happens through plugins that are not updated, unsecured passwords, and other methods which allow spammers to infiltrate the site. It happens so often that Google mentioned incomplete WordPress updates as a common symptom of sites injected with pharmaceutical terms in the article about the Hacked type: Content injection penalty.
How to fix the problem
Getting back to the original email notice from Google, here are the steps they provided that we had to follow, and how we followed them:
- Check Security Issues for details of the hack - This requires checking into the three example pages to find the hacked content. I was able to find the links with the <div> tag mentioned above and, with the help of developers on our team and by then looking into the WordPress posts themselves, figure out that they were injected into the post. This process would have been more difficult if it was in a theme file of WordPress and would have required more development skill than I possess.
- Look for other compromised pages or files on your site
- Use Fetch as Google tool to isolate the malicious content - This step and the previous one are similar, though the Fetch as Google tool in Google's Search Console doesn't always help. We used Screaming Frog to crawl the site for spam content and effectively isolated all of the pages on the site with the "absolute left" position.
- Remove all malicious content - I edited over 100 blog posts and deleted the content from the post editor. Yes, that took a while. Documenting all of this work in a Google Sheet is an important step here because it provides some evidence that you did the work of removing content. A simple sheet with a column listing each page that has links, a column saying that the links were removed, and a column saying when the work was done is good enough. You will need this sheet to be available for anyone on the web to view so that your reviewer at Google can inspect it.
- Secure your site from any future attacks - This involves taking steps to secure WordPress in ways that Google really can't figure out on its own. You have to commit to, and follow through on, a promise to update plugins, platform versions, passwords, etc. If you don't do what you say you did and you get hacked again, Google might be less inclined to remove a penalty from your site.
- Submit a reconsideration request - This is where you confess your profound guilt and regret for allowing your site to be spammed, and then explain in detail all of the changes you made to remove the hack. My letter was like this:
Dear Google Webspam Team,
On DATE OF MESSAGE RECEIPT, our team was alerted to the “Hacked content detected” notification and then manual action received from Google for the following WEBSITE.com pages:
- hacked page 1
- hacked page 2
- hacked page 3
[Paragraphs describing your efforts to find the details of the hack, where they occurred on the site (including if you used Fetch as Google), and how you removed all of the links]
Here is a link to the Google Sheet which I used to document the instances found with Screaming Frog and track their removals:
LINK TO YOUR GOOGLE SHEET HERE
After removing the offending links we took the following steps to prevent this from happening in the future:
- Updated plugins and WordPress platform
- Updated all user passwords
- Updated hosting cpanel password
This situation has inspired a more vigilant approach to managing this blog, so our resources will be more active in maintaining the site aside from adding the content.
With all of this complete, we ask that you please remove the manual penalty from WEBSITE.com as we have now implemented a more secure procedure for managing the WordPress environment.
Thank you for your consideration and for taking the time to read through this documentation. I look forward to hearing back from you,
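The crawl and removal-tracking steps above can also be scripted. The following is an added example, not the tooling used in this post: it flags links sitting inside an element whose inline style positions it absolutely with a large negative left offset, and returns one tracking-sheet row per link. The function names, the 1000px threshold and the sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Inline style that parks an element far off the left edge of the page.
ABSOLUTE = re.compile(r"(?:^|;)\s*position\s*:\s*absolute", re.I)
LEFT_NEG = re.compile(r"(?:^|;)\s*left\s*:\s*-(\d+)(?:\.\d+)?px", re.I)
MIN_OFFSET_PX = 1000  # assumption: "thousands of pixels" means at least this much
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr", "source", "embed"}

def is_offscreen(style):
    m = LEFT_NEG.search(style or "")
    return bool(m and ABSOLUTE.search(style) and int(m.group(1)) >= MIN_OFFSET_PX)

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.hidden_links = [], []  # stack holds (tag, is_offscreen)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = is_offscreen(attrs.get("style"))
        if tag == "a" and attrs.get("href") and (hidden or any(f for _, f in self.stack)):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not skew the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links

def audit(pages):
    # pages maps URL -> post HTML; returns one tracking-sheet row per hidden link.
    return [{"page": url, "hidden_link": href, "removed": "", "date_removed": ""}
            for url, html in pages.items() for href in find_hidden_links(html)]

# Constructed sample input (not taken from the affected site).
SAMPLE_PAGES = {
    "/blog/clean": '<div style="position:absolute;left:-20px"><a href="/menu">m</a></div>',
    "/blog/hacked": '<p>Intro<div style="position:absolute; left:-5000px"><a href="http://spam.example/p">x</a></div>',
}
```

This only inspects inline `style` attributes, which is the pattern described in this post; content hidden through a stylesheet class needs a rendered crawl to catch.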
Reconsideration Request Approved
This letter is to be submitted in Search Console in plain text form, and when you submit you get a warning that it will be reviewed within a week or two. My submission was received and accepted within 4 days. So for some reason either I did a really good job, or the webspam team at Google had a light backlog of requests that day!
Long story short, a manual penalty isn't the end of the world as long as you're willing to work on fixing the problem. Getting your penalty removed quickly will help you avoid catastrophic loss of organic traffic. Getting these fixed can also give you the opportunity to correct WordPress management procedures and secure your site for the future. All good things in the long run.