Website attacks are always a serious problem. While hacking is most often associated with the theft of sensitive data, it’s also crucial to remember other scenarios, such as malware plugged into your CMS that creates spammy pages and links. Such security breaches may seem less threatening at first glance, but if overlooked, they can drastically decrease your website visibility and hinder further business growth. Keep reading to learn more about cyber security SEO and see what to do if someone hacks your website.
Table of contents:
- Consequences of SEO Spam Attacks
- It’s Better to Be Safe than Sorry – How to Protect Your Site from SEO Spam Attacks
- How to Detect SEO Spam Attacks?
- Review Your Sitemap to Confirm That SEO Spam Attack Took Place
- What SEO Spam Attack Effects Can You Expect To Notice in Sitemap?
- What to Do When an SEO Spam Attack Is Detected?
- Removing the Aftermath of the SEO Spam Attack Should Help You Regain Your Visibility
- SEO Cybersecurity and SEO Spam Attacks – What You Should Remember
What you’ll learn:
- How to protect your website against cyber attacks
- How to recognize if your website has been hacked
- How to get rid of negative effects from the attacks
Although the theft of confidential data and situations when your website is down are very dangerous, SEO spam attacks that result in creating spammy pages and links can also have serious consequences.
This is because website owners often need a lot of time to notice that something is wrong. During this period, their positions in Google continue to decrease. As you may guess, the longer it lasts, the harder it gets to regain the visibility your page had prior to the attack.
That’s why it’s extremely important to protect your website against SEO spam attacks and monitor the site on an ongoing basis to notice any irregularities early on.
How can you do it?
Keep reading this article for a step-by-step guide and learn from real-life examples.
Two websites of my clients have recently been hacked, so this entry won’t just be theory. I’ll show you how I managed to overcome this challenge.
Consequences of SEO Spam Attacks
Before I move on to discuss ways of solving the problem of SEO spam attacks, I would like to tell you about their consequences:
- In the case of this type of attack, the malware creates junk sub-pages on your domain. Unfortunately, there might be even thousands of such pages.
- Imagine that you have a website with 4000 pages indexed and suddenly it’s attacked and you notice that an additional 60 000 spammy pages are crawled.
- Your website has a given crawl budget, meaning the resources Google uses to visit and index your pages. So, in this case, your budget is burnt on indexing spammy pages that don’t bring any value to users, aren’t related to your website content, and generally shouldn’t be indexed.
- Instead, Google should allocate these resources to crawl your valuable pages with unique content. However, this doesn’t happen. Consequently, if you have a new page or piece of content and you want to add it to Google index, you may not be able to do it. Why? Because you don’t have enough resources. This means that your products or services aren’t indexed and don’t appear in the search results.
- Additionally, it’s worth mentioning that pages created during SEO spam attacks are usually of very poor quality. If Google indexes them, it may consider your content thin. What does it mean for you? Your page visibility decreases drastically, and it’s not a reliable source of information for the search engine anymore.
See how the visibility of my client’s website deteriorated:
It’s Better to Be Safe than Sorry – How to Protect Your Site from SEO Spam Attacks
What to do to protect your website from SEO spam attacks?
Well, the simplest and easiest way is to regularly update your CMS and the plugins you use.
Most cybercriminals take advantage of potential loopholes to gain access to the website.
Updated versions of the software are usually much more secure. Moreover, hackers don’t know them yet, so it’s harder for them to perform SEO spam attacks.
If you see such a notification, it’s a sign that you should update your CMS.
Having an old version means that hackers have probably already learned how to hack it. This increases the risk of cyber attacks.
Even if your current software meets your expectations, it’s still worth updating it to decrease the chances of hacker attacks.
In addition, you can consider installing additional plugins to secure your systems. For WordPress, for example, this could be Wordfence – https://www.wordfence.com.
How to Detect SEO Spam Attacks?
If your website has already been hacked, it’s important to identify it quickly. This way, you’ll be able to limit the negative consequences and remove unauthorized access.
Does it mean that you can’t sleep soundly anymore?
Not necessarily. Generally speaking, if you monitor your website regularly, you should be able to quickly notice weird fluctuations and changes that don’t result from your activities.
Moreover, you can check if your page has been attacked by looking at a few crucial metrics. I’ll describe them in detail below.
SEO Spam Symptoms – Increase of Visibility and Traffic from Unexpected Destinations
It’s worth noting that pages created as a result of SEO spam attacks are usually in a foreign language that doesn’t correspond to your original website language.
In this case, you may notice a sudden increase in your website’s impressions. After analyzing them, you may realize that they occur in places and locations unrelated to the area of your activities.
However, an increased number of impressions doesn’t have to be the only signal.
SEO spam attacks can generate completely unnecessary and worthless traffic.
How to check where your page traffic comes from?
Use Google Analytics. Enter the GEO and Location section as shown in the screenshot below:
When one of my client’s websites was attacked, I noticed new pages in Chinese, and I could see an increase in traffic.
After taking a closer look at it, I quickly realized that the traffic was from China, and was completely worthless for e-commerce operating only on the Polish market.
This was already a sign that something was wrong. After all, your website shouldn’t generate traffic from a location completely unrelated to your operation. If you notice it happens, it’s time to start looking for the cause.
SEO Spam Symptoms – A Spike of Indexed Pages
Check the number of indexed pages. You should regularly monitor your website indexing in Google Search Console. It’s a valuable tool that will allow you to detect any potential changes resulting from SEO spam attacks well in advance.
To check the number of indexed pages, select the coverage tab from the menu on the left. This way you can see how many of your pages are indexed.
As you can see, in this particular case the number of indexed pages has increased significantly – from about 19 000 to over 60 000.
If the change results from your activities, then obviously everything is fine. However, if you haven’t added any new pages and you notice such an increase, it’s a red flag and an indication of an SEO spam attack that creates spammy pages.
Locate the Effects of SEO Spam Attack using “Site:”
If you know the approximate number of your indexed pages, and you see a sudden change, you can use the site: operator followed by your domain address to check what pages are displayed in Google.
This is what it looks like in the case of Delante:
Usually, you’ll see your correct pages in the top positions. Spammy pages are typically displayed in distant positions. This means you should analyze the last pages of the search results as well.
I found such spammy pages on the 18th page of the search results:
If you see such a page indexed, you can be 100% sure that your website has been attacked.
The search results looked practically the same in the case of my other client whose website was also attacked:
Check If the SEO Spam Attack Also Affected Your Link Profile
Sometimes, as a result of an SEO spam attack, you can see a drastic increase in the number of backlinks to spammy pages.
This happens because links improve indexing.
Unfortunately, often the software used to generate the links is extremely advanced and the links aren’t visible in external tools. However, it’s always worth checking them.
For this purpose, you can use various tools such as Ahrefs. Just select the Site Explorer tab from the top menu:
Then, enter the domain address you want to analyze.
Take a closer look at Referring domains and Referring pages:
In this particular case, the increase in the number of backlinks was the result of my activities during the SEO process, so everything was fine.
However, this shows how important it is to monitor your website on a regular basis and detect any irregularities early enough to take appropriate action and avoid unpleasant aftermaths.
Using the same analysis feature in Ahrefs, you can check anchors and CTLDs sections, which are located at the very bottom of the page.
You may notice something strange there. What do I mean? Perhaps there will be some exotic languages, like Chinese anchors that don’t match your business profile.
Moreover, in the CTLDs section, you can notice backlinks with weird endings that aren’t expected under normal circumstances.
Let’s analyze the same example again. To remind you, I’m talking about a Polish online store that operates only locally. Well, in this case, backlinks from Chinese websites don’t make much sense, do they?
If you notice something like that on your website, you can assume it has been attacked.
Review Your Sitemap to Confirm That SEO Spam Attack Took Place
If you have noticed any of the abnormalities described above, you can assume that something wrong is happening with your website.
To confirm this and minimize the negative consequences, it’s necessary to review the sitemap and robots.txt file.
How to Find Sitemap
You can find your sitemap in a number of ways. The easiest one is to simply enter the domain.pl/sitemap.xml address.
If you use WordPress and your page was configured correctly, this will redirect you to the sitemap index as shown in the screenshot below:
It may also happen that after entering this address you’ll see a 404 error page. In this case, you have a few options.
Some CMS systems have their own sitemap address pattern, and you need to use it.
For Shoper, for example, it’ll be /console/integration/execute/name/GoogleSitemap. This is simply one specific address where you can find a sitemap of a website using Shoper.
Just paste this path after your domain address and you should be able to access the sitemap.
If none of these methods work and you still aren’t able to find your sitemap, you can use other methods such as the robots.txt file.
To access it, go to domain.com/robots.txt and at the very bottom you’ll see the sitemap address as shown in the screenshot:
However, it’s worth keeping in mind that not every robots.txt file contains a sitemap address. If you don’t find it there, your last resort would be to check Google Search Console (provided your sitemap was submitted there).
How to do it?
Go to Google Search Console and select the Sitemap tab from the menu on the left. You should see the access address of your sitemap:
Moreover, if you use some rare or custom CMS system or a plugin that generates a sitemap (and this sitemap wasn’t submitted to GSC), you can go into the system settings and check at what address the sitemap can be found.
In this case, I’m not able to give you specific directions as they’ll vary from CMS to CMS. So, if you aren’t sure how to do it, look it up in the documentation of your system or ask for support.
What SEO Spam Attack Effects Can You Expect To Notice in Sitemap?
Once you’ve found the sitemap, it’s time to check it.
I’ll use the example of a client’s website that was actually attacked. Therefore, many items will be blurred due to confidential data.
The first thing you may notice is multiple sitemap indexes. Usually, in the robots.txt file, we have one sitemap/sitemap index link so if you encounter more than one index that’s another red flag:
Sometimes, when looking at the sitemap index, you may already notice that something is wrong.
In the screenshot below, you can immediately notice numerous spammy elements that were created as a result of the SEO spam attack:
What’s more, all of these elements have .xml endings and are tagged as sitemaps. This suggests that they may contain a ton of junk pages. In three words – it is bad.
At this point, you already know there is a problem and your website has been attacked. But you can go further.
Click the sitemap and enter it. Normally, you should see the addresses of all your pages. However, in the case of the SEO spam attack, you’ll probably notice hundreds of weird spammy pages that shouldn’t be there.
Usually, you’ll be able to tell right away that the URLs are weird. However, sometimes they may seem normal. In this situation, you’ll have to thoroughly scrutinize your website.
This way you’ll be able to find out which pages belong to your website and which are spammy and were added there as a result of the attack:
Although these links look normal at first glance, they aren’t related to my client’s business profile and led to sub-pages created during the attack.
Unfortunately, the malware used for such attacks is getting more and more advanced and its operation can be hard to notice. In the screenshots above you can see examples I have encountered.
However, if you suspect your page might have been attacked (based on the symptoms mentioned above: more impressions, traffic from weird channels and locations, or more indexed pages), you should go through the sitemap and robots.txt file.
This way, you can find suspicious elements that you, SEO specialists, and developers aren’t familiar with. They may be an indication of unauthorized activity.
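The sitemap and robots.txt review described above can be partly automated. The following is an added example, not part of the original article: it flags more than one sitemap link in robots.txt, child sitemaps nobody set up, URLs written in a script the site does not use, and normal-looking URLs outside the site's known sections. The domain shop.example, the xq7 names, and the lists of known sitemaps and sections are constructed assumptions.

```python
import unicodedata
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

LOC = "{http://www.sitemaps.org/schemas/sitemap/0.9}loc"
NS = 'xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"'

def sitemaps_in_robots(robots_txt):
    """Every URL declared on a 'Sitemap:' line of robots.txt."""
    return [ln.split(":", 1)[1].strip() for ln in robots_txt.splitlines()
            if ln.strip().lower().startswith("sitemap:")]

def locs(xml_text):
    """All <loc> values of a sitemap index or of a URL sitemap."""
    return [el.text.strip() for el in ET.fromstring(xml_text).iter(LOC) if el.text]

def scripts(text):
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CJK'}."""
    return {unicodedata.name(ch, "?").split()[0] for ch in text if ch.isalpha()}

def review(robots_txt, index_xml, urlset_xml, known_sitemaps, known_prefixes,
           site_scripts=frozenset({"LATIN"})):
    """Return (finding, detail) pairs for the red flags discussed above."""
    findings = []
    declared = sitemaps_in_robots(robots_txt)
    if len(declared) > 1:                      # normally one sitemap link
        findings.append(("multiple-sitemaps-in-robots", declared))
    for child in locs(index_xml):              # child sitemaps nobody set up
        if child not in known_sitemaps:
            findings.append(("unknown-child-sitemap", child))
    for url in locs(urlset_xml):
        path = unquote(urlsplit(url).path)     # decode %E4%B8%AD... first
        if scripts(path) - site_scripts:       # e.g. Chinese on a Polish shop
            findings.append(("unexpected-script", url))
        elif not path.startswith(tuple(known_prefixes)):
            findings.append(("unknown-section", url))  # looks normal, isn't yours
    return findings

# Constructed sample data (shop.example and the xq7 names are made up).
ROBOTS = """User-agent: *
Sitemap: https://shop.example/sitemap_index.xml
Sitemap: https://shop.example/xq7-index.xml"""
INDEX = f"""<sitemapindex {NS}>
<sitemap><loc>https://shop.example/product-sitemap.xml</loc></sitemap>
<sitemap><loc>https://shop.example/xq7-1.xml</loc></sitemap>
</sitemapindex>"""
URLSET = f"""<urlset {NS}>
<url><loc>https://shop.example/product/blue-mug/</loc></url>
<url><loc>https://shop.example/xq7/%E4%B8%AD%E6%96%87-88/</loc></url>
<url><loc>https://shop.example/news/cheap-watches-outlet/</loc></url>
</urlset>"""
KNOWN_SITEMAPS = {"https://shop.example/product-sitemap.xml"}
KNOWN_PREFIXES = ("/product/", "/blog/")

if __name__ == "__main__":
    for finding in review(ROBOTS, INDEX, URLSET, KNOWN_SITEMAPS, KNOWN_PREFIXES):
        print(finding)
```

When running this against a site you suspect is compromised, fetch the files first and treat the XML as untrusted input.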
What to Do When an SEO Spam Attack Is Detected?
If you’re sure that your website has been attacked, it’s time to deal with the consequences, make sure that your site can’t be accessed by unauthorized parties, and prevent similar cyber attacks in the future.
Remove Unauthorized Access and Improve Your Website Security
The first thing you should do is remove unauthorized access and secure your website for the future.
Start with updating your CMS and all the plugins you use. This can almost automatically remove the malware and ensure that the site is better protected against possible future attacks.
When doing it, you should benefit from the developer’s support. A site with malware installed may work correctly and the update will run smoothly and solve the problem, but unexpected things can also happen.
What’s more, the plugin updates should be preceded by an analysis of potential challenges. Such problems may occur after the update, so the entire process should be managed by the person responsible for the site from the technical side. This person needs to be able to quickly solve all possible problems.
I have encountered situations when clearing the cache after the attack took the website down. This shouldn’t happen if your page is “healthy”. The attacked site may perform differently than you might expect.
In extreme cases, such a situation may force you to restore the site from a backup. Keep in mind that after doing it you should immediately update the CMS and all plugins to increase security.
Restoring your website from the backup can be more time-consuming than the updates. However, it can be a good solution if you know that the problem started on a specific date. In this situation, you can try to restore the site using its backup version from before that date.
This should automatically set up a 404 error on all illegally created pages.
At this point, it’s also crucial to reset passwords for all users who have access to your CMS.
This is necessary because cybercriminals who attacked your page might have used password-stealing software.
Eliminate the SEO Spam to Regain Visibility
After removing the unauthorized access, you can start repairing your website.
The first step is to create a new sitemap and robots.txt file (free of URLs created by the attack).
How to create a new sitemap? Use your CMS or plugins. After updating it and removing spammy pages, it should be enough to refresh it. Then, check if the sitemap shows you only the correct URLs.
If the sitemap is fine, your website is technically safe. However, if the sitemap still includes spammy pages, it’s a sign that you should keep looking for the cause of the problem.
In such a situation, there are no more generic solutions and tips. You need an individual approach that will allow you to find a loophole that was used to upload the malicious script.
To upload a new sitemap to Google Search Console, you need to go to your service, open the Sitemap tab from the left menu and click the three dots in the upper right corner.
This will allow you to first remove the old sitemap and then upload the new version:
Prepare a backup of the infected sitemap before deleting it, as you may need it to create a list of pages that should be indexed out.
Sometimes despite having a correct sitemap, Google keeps the hacked, spammy pages in the index. In this situation, the backup will allow you to easily find such elements.
In addition to the sitemap update, you should set either a 404 or 410 error on all pages that have been created as a result of the attack.
410 errors are particularly advisable in this case. Why? According to the World Wide Web Consortium:
The 410 response is primarily intended to assist the task of web maintenance by notifying the recipient that the resource is intentionally unavailable and that the server owners desire that remote links to that resource be removed.
Put simply, you want Google to forget that such a page exists in the first place.
Developers normally set such errors, so a list of all spammy pages created during the attack may come in handy at this point.
Unfortunately, the process isn’t all a bed of roses in real life. Why? Because if you put such a huge number of spammy links in the .htaccess file, which is responsible for redirects, it can significantly slow down your website loading. As you may know, this is an important factor that can also decrease your visibility.
That’s why you should look for common features of spammy URLs. Maybe they are in the same directory, or they all have some common address elements, which will allow you to set such an error for a group of links using one rule.
This will reduce the amount of necessary code, and thus will not slow down the operation of your site.
Unfortunately, this isn’t always possible, so sometimes it may be necessary to get rid of each such page separately.
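One way to find those common features and keep the rule count low, as an added example that is not part of the original article: compare the backup of the infected sitemap with the clean one, emit a single 410 rule for every directory that contains only attack-created URLs, and fall back to one exact rule per URL where spam shares a directory with real pages. It assumes Apache with mod_rewrite (the `[G]` flag returns 410 Gone) and spam URLs that differ by path rather than by query string; shop.example and the sample paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

def split_dir(url):
    """('xq7', True) for /xq7/page/, ('promo.html', False) for /promo.html."""
    head, sep, _ = urlsplit(url).path.lstrip("/").partition("/")
    return head, bool(sep)

def gone_rules(infected_urls, clean_urls):
    """Build .htaccess lines that answer 410 Gone for attack-created URLs.

    infected_urls: URLs from the backup of the infected sitemap.
    clean_urls:    URLs from the regenerated, verified sitemap.
    """
    clean = set(clean_urls)
    spam = sorted(set(infected_urls) - clean)
    legit_dirs = {head for head, is_dir in map(split_dir, clean) if is_dir}
    grouped = defaultdict(list)
    for url in spam:
        grouped[split_dir(url)].append(url)
    rules = ["RewriteEngine On"]
    for (head, is_dir), urls in sorted(grouped.items()):
        if is_dir and head not in legit_dirs:
            # Whole directory is attack-only: one rule covers every URL in it.
            rules.append(f"RewriteRule ^{re.escape(head)}/ - [G]")
        else:
            # Shares a directory with real pages: match each path exactly.
            for url in urls:
                path = urlsplit(url).path.lstrip("/")
                rules.append(f"RewriteRule ^{re.escape(path)}$ - [G]")
    return rules

# Constructed sample data: two real pages and three attack-created ones.
CLEAN = ["https://shop.example/product/blue-mug/",
         "https://shop.example/blog/how-to-brew/"]
INFECTED = CLEAN + ["https://shop.example/xq7/a1/",
                    "https://shop.example/xq7/b2/",
                    "https://shop.example/blog/casino_bonus/"]

if __name__ == "__main__":
    print("\n".join(gone_rules(INFECTED, CLEAN)))
```

Review the generated rules before deploying them: a grouped rule also returns 410 for any page later published under that directory.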
Removing the Aftermath of the SEO Spam Attack Should Help You Regain Your Visibility
In the screenshot below you can see the visibility of the same page I have shown you at the very beginning of the article. Of course, this is the visibility after performing all the necessary activities:
SEO Cybersecurity and SEO Spam Attacks – What You Should Remember
Unfortunately, SEO spam attacks are a common problem faced by many website owners. As it’s better to be safe than sorry, it’s worth remembering to update your CMS and plugins regularly. This way, you can protect your page against most such attacks.
However, even if you do the updates, you should monitor your website and the parameters described in today’s entry on a regular basis.
This way, when your site is attacked, you can notice it well in advance and take necessary actions to prevent negative consequences like decreased traffic and visibility, and remove unauthorized access.
The activities described in this entry make it possible to detect the attack and remove its effects. However, the process isn’t a piece of cake. It requires experience, individual approaches, and expertise in various areas like SEO and website development.
So, if you notice there’s something wrong with your website and you need support, don’t hesitate and contact us. We’ll be happy to check everything for you and get rid of spammy links or pages to restore your site’s positions and visibility.