After 14 years of nary an incident, and despite pretty solid security SOPs, this site was hacked earlier this month and shot up with malware. It was fine last time you read one of my blog posts, and it’s fine now. Most likely the problem was a bad plugin (a common weakness). For now, let’s just say that old Cochise had a bad hoof.
If your business rides on your site, then there’s always a chance you can get hacked, and so can just about everyone else. (Not having a site isn’t a good alternative: You’re still in a forest of Google Maps spam and other spam, and may look even tastier to the local wildlife.) That’s probably not news to you, but a possible hack may seem like an abstract problem that you can’t do much about, or the kind of bridge you cross when you come to it. It’s less tangible than, say, keeping your local rankings or visibility afloat so you keep new leads and business coming in. For most, hacking isn’t a problem at all until it’s the chainsaw scene in Scarface.
But what if you learned that a hack can directly and immediately cleave a chunk out of your local rankings? One nice thing about doing SEO for a living is sometimes you’re the experiment. When that happens – voluntarily or not – you can prevent or figure out some problems for other people later. Then at least you know those problems are out there, so even if you choose to do nothing, you’re not totally blindsided in the middle of the night.
So let me tell you the short version, which I’ll explain in more detail in a minute. If your business’s site gets hacked and altered (like with malware), your local SEO likely will take two direct hits: (1) your GMB landing page URL will probably be removed by Google, and (2) a ton of your pages will be deindexed by Google. Your landing page URL is a huge determinant of how you rank on the local map, and many of the other pages on your site also drive both your organic rankings and your Maps rankings. In a competitive market, having those two torpedoes hit Engineering can sink you.
That’s just the local SEO damage. The most basic function of a site – even before it ranks for jack – is to inform, impress, and convert word-of-mouth referrals and other people who may look up your business by name. It’s supposed to be a big catcher’s mitt for anyone who heard about you anywhere, but a hacked site can’t even do that.
Anyway, if all you want to know is what specific local SEO problems a hack can cause, there you have it. For more color commentary, plus my suggestions on how to harden up your site and your SEO, read on.
The hack: a summary
There were no issues on my site for many, many years. I’ve had relatively strong security SOPs, like on who has access to what, keeping the most-current version of WordPress and plugins, etc. (I can’t be much more specific than that, for obvious reasons.) I’m sure dumb luck also factored in somewhere.
So you can imagine my surprise when on April 11 my hosting company emailed me to say that my site had been hacked on April 8 and used for cryptomining. They also said they put a safe version of my site in a Chernobyl-like sarcophagus that only I could access, and they sent a long list of tasks to complete to get it live again. My developer and I started shoveling.
I’d seen some hacked sites before, but on those the infected files weren’t as hard to find or remove. That wasn’t the case here. The infected files were in there real good. So I, my developer, and the hosting company went back and forth for a few days on various particulars.
Meanwhile, what was Google up to? First, a few days into the hack, Google started showing gibberish search results for some of the pages of my site, as Google usually does. That’s a fine warning to some would-be clickers, though the optics aren’t great for me, of course.
Around the same time – April 11 – Google started deindexing pages by the truckload. Like many blogs, my blog has a ton of pages that aren’t indexed – like “tag” and “category” pages. So the already-high baseline of pages not in Google’s index increased a little bit, but the number of pages not indexed because of one specific HTTP error (401, Unauthorized) went WAY up. In other words, I had a ton more pages that people tried to visit but that my host had to block them from visiting. That number of blocked pages went from 0 to about 300 to about 1200 in the span of a few days.
By the way, that was a good reminder of something I end up telling clients a few times a year: it doesn’t matter how many pages Google hasn’t indexed, but it matters very much which pages aren’t indexed and why Google hasn’t indexed them. If they’re your service pages, homepage, or other money pages, you’re on the horns of a dilemma.
What’s a little off-putting is that Google Search Console didn’t send me any notification until April 17, more than a week into the hack. Don’t assume that no news is good news. You will get plenty of notifications from Search Console about minutiae, though.
That was the technical side of Google’s allergic reaction, so what about the Google Business Profile side? Crickets for days, until on April 16 I learned that Google clipped out my landing page URL.
As you may know, your choice of landing page URL (usually your homepage), its backlinks profile, and how you optimize that page have a huge influence on how you rank on the map.
If that URL field gets wiped (or in some cases just changed), all of a sudden Google won’t associate your GBP page with your domain in the same way, and your Maps rankings usually will sink fast. The stronger your site (in terms of on-page optimization and backlinks), the more responsible it probably is for how well you’ve ranked on the Map. All of a sudden you’ll be down to one oar in the water.
Google didn’t give my GBP page a hard time otherwise. If your site is hacked, Google is likely to use a light touch, rather than remove your page, make you re-verify, or auto-update other info. That makes sense when you consider that Google can change one thing (the landing page URL) that makes the hack a non-issue to some customers. It’s all too common for sites to get hacked, and Google has no motivation to kick legitimate businesses out of the search results and make the search results even less complete and compelling. Remember that the main point of GBP is that it’s meant to be a substitute for websites. Back when it was “Google Local Business Center” (circa 2005-2010) that was because relatively few businesses had websites, at least compared to now. In recent years the GBP page has served as a substitute because Google wants to keep all searchers bouncing around in the search results for maximum ad revenue.
Resurrection & recovery
As much as I enjoy being the National Geographic cameraman waiting for the cheetah to find the impala, I wanted my damn site back up.
After much effort and more back-and-forth, suffice it to say we got the infected files cleaned and hardened up the site in various ways. That was April 19, or 11 days after the hack and 8 days after I found out about it.
For a day I didn’t do anything, and just observed what Google did automatically. Very little, it turned out. They did nothing about one of the problems: the removed “website” field on my Google Business Profile page. It wasn’t automatically re-added. At some point Google probably would have added it back automatically, but I thought the more-interesting experiment would be: if I add the URL back myself, does it stick right away? It did. Less than a day later (it was probably a few hours, but I didn’t watch it like a hawk) my landing page URL was back on my GBP page. If you just finished cleaning up your site post-hack, re-adding your website URL to your GBP page should be one of your first orders of business.
The even-bigger rankings killer is how many of your pages Google will de-index during the hack. That’s especially the case if you rely on national or international visibility, but it’s also true of businesses that rely on local rankings. As I’ve explained over the years, “service” and “product” pages and the like often pull you into the local map for many or most of the terms you rank on the map for, in addition to getting you whatever amount of visibility in the organic results. Because of that, as you know, building effective “money” pages can grow your visibility a lot. The other side of that coin is that having those pages removed will shrink your visibility a lot.
This is where Search Console is your buddy. All I did was resubmit my XML sitemap (under “Sitemaps”) and request reindexing of my homepage, and I’ve seen a big uptick since. That’s probably all you’ll need to do, too.
That’s just the start of the uptick, I expect. Also, some of that might have happened anyway, because my site has some decent backlinks to rub together and a lot of direct traffic, so Google already pays some attention to it. My point is that you shouldn’t assume Google will scoop up your deindexed pages any time soon, so you should go into Search Console and give ’em a nudge.
What should you do?
First and foremost, prevent a hack if you can. I’m not even a pale imitation of an expert in this, but I have seen a few hacked sites, many rock-solid sites, and many more that are teetering on the edge of a problem. Though I suppose any site could be hacked, solid habits minimize the chances yours gets hacked. I’m talking about super-obvious SOPs, like picking tough and unique passwords for your site and your hosting and registrar and FTP client, changing those passwords every now and then, not sharing passwords much, creating separate admin profiles for anyone you wave into your site, etc. I’m also talking about somewhat-obvious SOPs if you use WordPress, like keeping your version of WordPress current, installing as few plugins as possible, keeping the plugins up-to-date, etc. There is a ton of excellent info on the “prevention” topic, from places like Sucuri and Krebs on Security, which you can research easily enough.
But let’s say you end up getting hacked. What should you do to minimize the hit to your local rankings and ability to bring in business? A few things, roughly in this order:
- Send a smoke signal to existing customers who might conceivably go to your site. Tell them that if they want or need to place an order, schedule an appointment or visit, or take whatever action they normally can take on your site, that they’ll need to skip the site for now. They should just contact you with any requests, questions, orders, etc., and you’re sorry for the hassle. Not only will most people appreciate the heads-up, but you may even get some business that you may or may not have gotten anyway.
- Empty the “website” field of your Google Business Profile page, Yelp page, and of maybe a couple of other places where would-be customers are most likely to find you. Sure, you know that will hurt your local rankings after a couple of days, but you may not know exactly how long you’ll be down for. In the meantime, what you really don’t need right now are 1-star reviews from people who went to a broken site and left with steam coming out of their ears.
- Consider setting up a free Google Site. It’s far from ideal, but it is an old beater you can use to get from point A to point B while your daily driver is up on blocks.
- Optimize the snot out of your Google Business Profile, if you haven’t done so already. Load up the categories and services. Maybe finally upload more photos and even a video or two. Also, I’m not saying you should do this, but if ever there was an understandable time to shoehorn a keyword or two into the “name” field of your GBP page, this is it. Your competitors probably do it anyway, and the worst that happens is it’s removed. Not saying you should or shouldn’t, but rather that it is an iron in the golf bag, and it can offset some of the hit you just took.
- Save cached or other copies of your most-critical pages and/or posts, in case something happens to your database and all that content on your site is hard or impossible to get back (there is always the Wayback Machine, though). In case you need to fire up another domain you own, you may want or need to transplant that content into it.
- Fire up another domain you own, if applicable, and if it appears your site may be down for a while. Build it out in the way you built out the site that ranked well. It won’t necessarily rank well soon, but in a specialized niche or small market, it just may. Also, if you rely on Google Ads for a big chunk of your business, you’ll have pretty much no choice but to go to the lefty in the bullpen.
- Try to get reviews on a variety of sites, starting with Google Maps. I hope you’re already well down that road, but if not, start now. Getting a trickle of Google reviews can help you a little bit on the map, and getting reviews on other review sites will help you become much more visible in those non-Google venues, too. Plus, it will confirm for anyone who’s wondering that you probably ARE still in business.
- Don’t rely on Google Search Console or Analytics to alert you to what’s wrong and what’s solid. Consult them often, but check on your site personally and often.
- Once your site is infection-free and hardened up, add your website URL back to your Google Business Profile and anywhere else it’s been absent.
- Submit or resubmit your XML sitemap in Google Search Console, and request indexing of (at least) the pages or posts you consider most important.
- Sign up for an ongoing security or preventive-maintenance program for your site.
- Don’t rely on Google, or on your site, for 100% of your business. Those should always power your word-of-mouth marketing anyway, in that you want many of the customers you get online to become repeat customers, refer you to others, or do both. Plus, some old-school offline marketing never hurts, and occasionally it can help your SEO in strange ways.
I have a full dance card always, and got leads and some new clients even while the site was down, so in the grand scheme of things the hack wasn’t a huge deal for me. But if your business relies on daily sales or appointments, and most of them originate online, you can lose serious money if your site goes down even for a couple of days. Stay alert.
Shout out to Josh Benson of Joker Media (a great developer) and Pair.com (a great web host).
Please let me know if you see anything amiss with my site. I’d appreciate it big-time.
Any horror stories, questions, or suggestions? Leave a comment!
Andy Kuiper says
Wow! Thanks for sharing your experiences on this bumpy trip Phil 🙂
Any time, Andy. Whatever doesn’t kill you….
Several companies I have worked with actively search for copyright/trademark infringement of their intellectual property, and send DMCAs to website owners to have it removed. If that doesn’t work, which seldom gets noticed anyway, the next step is to contact the hosting company, which always seems to work. Most of these sites are hacked, and the website owners don’t even know it, and their frustration is understandable. Once they look into it with their teams, they find thousands of hacked pages infringing on hundreds of other brands’ IP in various industries. I have never seen the other side on this blog chronicling the damage it costs with Search Console screenshots. This is rare content.
Great point. Yeah, by the time just about anybody sees a hacked site, usually it’s an autopsy on a super-ripe cadaver that’s now attracting flies to its neighbors.
What I found most interesting is how gradual Google was in reacting to it. The drop in visibility is WAY more sudden and severe if, say, you’ve got a bunch of pages that return a 5xx error, or if you’re on the wrong side of an algorithm update.
Tony W says
Great warning. Bummer for you, but glad to hear you got it squared away. I manage a bunch of client sites and so far have been super fortunate, knock on wood. Having backups is important, I keep multiple. I think it’s only a matter of time before everyone gets hacked 🙁
It’s good to know that Maps rankings are fairly recoverable, especially since Search Console is so slow to inform you of things other than truly useless errors.
Hey, thanks, Tony. That’s a great record, no doubt due to solid SOP.
The backup solutions sure are important. If you can find out when the hack occurred (like from the hosting company), then I think in a lot of cases you can just roll back to a previous version of the site (probably just the database). Unless maybe the virus is still active, in which case it would just corrupt the new file(s), too.
Yeah, if you can’t quickly triage most Search Console notifications based on what the email says, and if you stop what you’re doing and investigate everything GSC sends you, pretty quickly GSC becomes the boy who cried wolf. Even most proactive site owners just get burned out.
Hey You says
Just a few simple measures we use to thwart script-kiddies. The #1 thing we do on all sites is block access to login via IP address in htaccess. If your IP doesn’t match, you get sent via 403 to YouTube and are forced to watch “Makin Bacon Pancakes”, the 10 hour version.
1. Load Wordfence plugin. Even the free version. But pay for the pro version
2. Load Sucuri plugin – get notified of logins, post changes, etc
3. edit htaccess to block access to wp-login, wp-admin, xmlrpc.
4. Delete the xmlrpc.php file from your server – does anyone really use this?
5. change permissions on wp-config.php to 0600
6. Delete any theme/plugin you are not using, especially the free themes.
Unable to load images here, but hmu if you want to view our htaccess setup.
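Since the commenter’s actual .htaccess isn’t on the page, here is an added example of what items 3 and 4 above look like in Apache 2.4 syntax. This is my illustration, not Nick’s configuration and not part of the original post. It assumes mod_authz_core and mod_rewrite are enabled (they are on most shared hosts), that the file sits in the WordPress document root, and that 203.0.113.10 stands in for the static address you log in from.

```apache
# Added example, not the commenter's real configuration. Apache 2.4 syntax;
# goes in the WordPress document root .htaccess. 203.0.113.10 is a placeholder
# (RFC 5737 TEST-NET-3); replace it with the static address you log in from.

# Item 3: only the listed address may reach the login form; everyone else gets 403.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# Items 3 and 4: deny XML-RPC outright. Unlike deleting the file, this still
# holds if a core update puts xmlrpc.php back. Drop this block only if a
# client you actually use (e.g. the WordPress mobile app) depends on XML-RPC.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Item 5 belt-and-braces: never serve wp-config.php over HTTP, whatever its
# file mode happens to be after the next deploy.
<Files "wp-config.php">
    Require all denied
</Files>

# Item 3: fence off /wp-admin/ by IP, but leave admin-ajax.php reachable.
# Themes and plugins call admin-ajax.php for anonymous visitors, so a blanket
# block on the directory silently breaks parts of the public site.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F]
```

Two checks before relying on this: confirm from a second network that wp-login.php and /wp-admin/ return 403 while the public pages and admin-ajax.php still load, and keep FTP or hosting-panel access handy, because an ISP address change locks you out until you edit the file. If the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address, not yours, and the rules above will either block everyone or no one until mod_remoteip (or the proxy’s own access rules) restores the real client IP.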
Thanks, Nick. Great suggestions. I doubt anybody could or would mess with your site.
Sorry this happened Phil. I know the pain of this well after a hack occurred on my site via a plugin. To make matters worse, the malware tunneled up to the server files and replicated itself on other sites I operate. The main advice I would give is get Wordfence (even the free version) and enable two-factor authentication for login. Don’t go through Jetpack because they’ve been hacked in the past and it is a plugin itself.
If you have a money producing website, it is critical to invest in a solid website security application. It is worth the $100-$200 a year. You will be able to sleep at night.
Thanks, John. Had decent security measures here before, and more now.
Good info on Jetpack. I didn’t know it had been hacked. Which doesn’t surprise me too much, given that it’s a plugin and that TONS of sites use it.