A Case Study on a Hacked Website

Home / Beginner SEO / A Case Study on a Hacked Website

Last week I helped out someone whose website rankings had been dropping for no apparent reason.  The site was properly optimized and they had been doing some non-aggressive link building which had been helping until about a month ago.  It was a confusing situation because there was nothing obviously wrong with the site.  So I began an investigation to see what was going on.  Was his site the target of a malicious attack by a competitor?  Was he blocking access to the search engine crawlers somehow?  Did something change on the site to cause such a drastic drop in such a short period of time?


I have been working with this person for some time now.  In fact I’ve known him for about 10 years.  He is a very effective and competent website designer who knows what it takes to build a website that Google and the other search engines will look favorably on.  He’s so dedicated to his craft that about 10 years ago he flew here to meet with me to learn more about how search engines work so that he could apply that knowledge to website building.

And he has been very successful at it.  Many of his sites are ranking quite well for important search phrases while also meeting the clients’ strict design requirements.

So when his own site began losing rankings he was confused and asked me to look into it.  So I did.

Initial Findings

After reviewing his site I found nothing apparent on it, so I began looking at external factors, such as the links to his site.  About 6 weeks ago I did find 2 occurrences where his site gained and lost a large number of links over a short period of time, so I assumed that was the culprit.  I assured him that once those links were accounted for his rankings would start to improve.

And for a time they did start to improve.  That is, until around Christmas when things took a turn for the worst again.

So I completed a review of the backlinks again, sure that was the problem.  And I did find another spike in new links which had since been removed so I was sure that was the issue again.  I told him not to worry as it would turn itself around again.

But this time it did not turn around.  So we again talked this past week as rankings continued to slide.

Where his site was once on page 1 for quite a few competitive terms he dropped to page 10 and lower for those terms.

As we were reviewing and discussing he found some strange code on his site – something that neither he nor his tech people put on the site.  I knew within 10 seconds of looking at the code that his site had somehow been hacked and someone put this code on the pages.  I immediately removed the code from his site but then wanted to see if I could figure out when it was installed.

I did a site:domain.com search for all the pages Google had indexed for his site and began reviewing the cached pages to see if I could identify whey the code had been added.

It turns out it was added around December 24th and had remained on his site for about 1 month.  This obviously explains why the site never recovered from the last large link change like it did previously.

The Outcome

As I said, he identified the code last Thursday and it was removed then.  My searching revealed that it was installed around December 24th so it had been on the site about a month.  However he never received any warnings from Google that the site was infected, which is the usual way webmasters are informed if their site has been hacked.  That means this particular hack had not been identified by Google yet.

The good news is that within about 48 hours his rankings began to improve dramatically.  By Saturday his site’s rankings was mostly back to where they were previous to the link issues identified in November and again in early December.

While it is still too early to tell if there had been any lasting impact, all early indicators are that the site has recovered.  According to Google Webmaster Tools his impressions are up this past weekend, higher than they have been in weeks and, as I said, his rankings have returned and continue to improve.

What impact did this extra unknown code have?  Many of his rankings went from first and second page to nowhere in the top 200.  Yet 48 hours after removing the extra code he was back to where the rankings were previous to all this excitement.

What Was in the Code?

Likely the reason Google hadn’t flagged the site as being hacked or having malware is because the code that was added was a bunch of anchor text links pointing to a bunch of payday loan sites.  So technically there was nothing wrong with it.

The reason it lowered the site rankings is because both the outbound link count and keyword density of the pages changed drastically.  As such the site became less of an authority for the chosen search phrases.  Once the extra links and text were removed, search phrase density returned to what it should be.

How was the Code Identified?

If you are a small business owner you may not understand how to read the HTML output that displays your website.   That is OK as you don’t need to.  Google can help you identify if your site has been infected.

The easiest way to check is to search for your site.  If you can’t find it where you are used to seeing it, search for it like this:


Where domain.com is replaced with your website address.  Now you should get a list of pages for your site.

If you put your mouse over a page you will see 2 arrows like this:  >>

Put your mouse over these arrows and you will see a snapshot of your page.   Now move your mouse over and click the “Cached” link.  Now you will see a copy of the page the last time Googlebot visited your site.  Click on the “text only version” and you will be able to see what text and links Googlebot sees.

You want to look for anything out of the ordinary.  In this case it was quite obvious – there was a block of text and links to various payroll sites that shouldn’t have been there.

Once you’ve identified if there is a problem it should be quite easy to resolve and hopefully  your site can recover just as this one did.

If you are still unsure, why not contact us and we can help you determine if this is the case with your website.

Related Posts
    pingbacks / trackbacks