Updated on Jun 5, 2023
It can be devastating to land at the bottom of the SERPs and receive that terrifying red warning telling people to avoid your site. That could result from a mistake on your part (bad SEO, shady linking tactics, etc.). It's a different story if it happens because you were hacked and your site now contains malicious code. That is something we will discuss in this post. We will show you how to clean up your WordPress site after it has been hacked.
This post includes:
If you've been hacked, Google will most likely blocklist you. Google does not gamble with its reputation.
If your website seems to be even the slightest bit infected, the search engine will blocklist you. It will also warn anyone who visits your site to stay away because it's dangerous. The key is knowing what to do next.
A website that Google has blocked will typically see a significant drop in organic search traffic.
It's abrupt and massive, and when your Analytics graph inverts sharply, it's usually the most unambiguous indication to a webmaster that something terrible has occurred.
There are several ways your site could have ended up on the blocklist. In general, if a search engine detects suspicious code or activity on your site that its internal algorithms determine to be malware, it will immediately remove the site from search results.
Rather than jeopardizing the search results' integrity and user safety, removing the questionable site is the least resource-intensive action the search engine can take.
In this case, it could be anything Google considers suspicious, such as phishing schemes, hacks, information or email address scrapers, trojan horses, and so on.
Unfortunately, you usually won't even know your site has been hacked until your organic search traffic plummets. However, sometimes, there will be tell-tale signs that something is wrong.
They can be suspicious things you discover in your website's warnings, alerts, or other actions taken by external sources. Of course, there are times when the webmaster is in charge of the blocklisting. The following are things you should never do if you want to avoid the blocklist:
However, a lot of the time, hackers will implement these link-baiting and keyword spam schemes to infect your site with malware. Regardless of what has happened, however, Google will treat affected sites similarly: with a swift and thorough blocklisting.
Blocklisting is relatively apparent when it happens. Your analytics will take a nosedive, as we mentioned above. Or, if you do a simple Google search for "site:yoursitehere.com" and no results are found (assuming your site has already been indexed), chances are good that your site has been blocklisted. This is one of the manual ways to check for blocklisting.
Another way to check for blocklisting is to access and review data in Google Search Console.
That makes it easy to see what sites link to you, what search queries you're ranked for, 404s, server errors, and overall site health.
Any funny business happening with your site is likely to show up here before your site is blocklisted, so keeping a watchful eye is essential when attempting to maintain the integrity of your site.
Security plugins can also be a great tool to help determine if your site has been hacked or blocklisted.
When it comes to a plugin, Defender can stop brute force attacks, SQL injections, cross-site scripting XSS, and more vulnerabilities that will prevent you from getting hacked and blocklisted in the first place.
Defender can also scan your site and track down malicious code. If there's malicious code detected, Defender shows you precisely what it is and the locations. You can then delete it in one click.
So, we've already talked about preventative measures and how you can check to see if your site has been blocklisted. Still, discussing what some refer to as the "symptoms" of being blocklisted is a good idea.
Not every blocklisted site will exhibit these features, but this is a good rundown of what to look for:
It's also important to note the various security warnings Google can provide. While these aren't technically blocklisting, they can sometimes indicate your site is well on its way to being blocklisted.
Should you be fortunate enough to catch suspicious activity thanks to a security warning, you can sidestep the headache of being blocklisted altogether. These warnings appear on the search engine result page where your site is listed. They can also take a couple of different forms. Here are two of the most common warnings you'll come across:
While this article focuses on getting off Google's blocklist, it's worth noting other blocklists may pick up on malicious content or security threats on your site.
These are some of the main blocklists:
If Google reports your site as clean, it is still possible for Opera (the browser) or even Yandex (the search engine) to blocklist your site.
So if you notice a drop in SERPs or security warnings displaying in browsers other than Chrome, check these other blocklists to see if your site has been compromised.
Now that you're all clear on blocklisting, how to tell if it's happened, and the warning signs that you might be headed for the blocklist, we can start discussing how to get your site off it for good.
Before you move forward, you must be 100% sure your site has been blocklisted.
You can look on your site to find malware in many different places.
As mentioned, the simplest way to find malware is with a plugin.
Scanning through the code on each page can be challenging if you're not using a plugin. However, sometimes the culprit is embedded in your server somewhere.
Still, there are a few places that hackers target more than others. You will need FTP access to some areas to clean up the mess. We have a tutorial on FTP and how to use it if you need more information.
If your site is suddenly redirecting to another site, you should check the following areas for suspicious code:
If your site is now triggering downloads for visitors, check out the following spots:
If you're suddenly seeing Pharma information on your site and believe it's been compromised by a phishing campaign, check:
You can also leverage the Google Diagnostic Page to precisely determine what part of your site has been compromised. Is it just one page? One directory? Or the whole site?
Keep reading through the results to see when Google last visited your site. That is referred to as the "scan date." Also, take note of when Google found malware or suspicious content. That is referred to as the "discovery date."
If you have tried to fix your site after the last "scan date," Google doesn't know about it yet. Patience is a requirement when getting your site off the blocklist, unfortunately.
You can bring Google's attention to your attempts to fix the issues, but we'll talk more about that later.
Sometimes running tests to see if your site (or a client's) is infected would put your own computer at risk. You shouldn't open your web browser and load the site directly. That will put your computer in danger.
To bypass this, you can use cURL in the command-line interface (CLI) to pretend you are a Google bot or a user agent. For example, you can input the following to emulate a bot:
$ curl –location -D – -A “Googlebot” somesite.com
Replace example.com with the website you would like to take a look at. Once you input this, you will want to look for anything that doesn't make sense in the code—things in a different language than your own or content that looks gibberish. You'll need to understand HTML, at the very least, here. Anything in an iframe or script tag should get your careful attention, too.
You can also use this bit of code to emulate a user-agent:
$ curl -A “Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)” http://www.example.com
Depending on your needs, you can swap out the browser referenced here. Once you locate the source of the problem, you can remove it.
If your site has been hacked, you must remove the malware that caused the blocklisting or security warnings.
If the hackers created new pages with malicious code, you could remove them from the SERPs altogether by going to the Search Console and using the Remove URLs feature.
You'll also want to delete the pages in question from your server. However, removing URLs can help expedite Google's awareness of your cleanup attempt.
You shouldn't use Remove URLs for pages you want to be indexed but have lousy code. That is a feature you should only use when a page should disappear from search results for good.
To remove all evidence of your site's hacking, you'll need to back up from an older version of your site. Regular backups are super important for this very reason, so hopefully, you have a clean version of your site on file to use. That is the first step in cleaning your site's server. Next, install any available core, theme, and plugin updates. We have extensive tutorials on how to install WordPress plugins and themes and how to secure them.
Finally, change all the passwords for your site: not just the WordPress administrator and user passwords but all possible passwords associated with your website.
If your site has been blocklisted, it's been removed from the search results. You'll need to submit your site for review to get back in the SERPs. Otherwise, Google won't know that you've taken steps to remedy the problem (or, at least, won't crawl across your squeaky clean site for a long time). And, every day your site is out of the SERPs is money lost. To speed things up, you must go through several official channels.
If your site was infected with malware or was involved in phishing, you must submit a reconsideration request via Google Search Console. The steps required to submit a review depend on your specific security issue. Still, luckily Google has an outline of the procedure here.
Once you've completed the review process, and if Google finds your site is clean, warnings from browsers and search results should be removed within 72 hours. You should also verify your site works as expected: pages load correctly, and links are clickable.
If your request is NOT approved, reassess your site for malware or spam or any modifications or new files created by the hacker. Alternatively, you can seek help from security professionals.
Cleaning up after being hacked and getting off Google's blocklist can be arduous.
But if you lay out a plan or create a checklist for the steps to take, you can tick them off little by little until your site is clean, back online, and back in the SERPs.
Plus, you can prevent hacking in the first place. It'll take some time, but the important thing is you'll restore your site's reputation. It will allow you to prioritize security in a way you might not have thought about before.
We hope you find this article useful. Discover more about FastCloud - the top-rated Hosting Solutions for personal and small business websites in four consecutive years by the HostAdvice Community!