Cleaning up a hacked website
Some forms of hacking create spam URLs appearing to originate from your domain.
You might get an alert from Google Webmaster Tools, or begin to notice the warning “this site may be hacked” on your Search Engine Results Pages (SERPs).
If you search your site in Google using the syntax:
site:yourdomain.com
you’ll get SERPs showing up to a thousand URLs purportedly originating from your site. If you’re seeing URLs you didn’t create, you’ve been hacked. They might be surprisingly filthy and diverse, containing terms like “cialis,” “dr_oz,” or much worse. (Not that these shown below are necessarily bad… they’re just not ones we created!)
Time to clean up.
First, you need to restore your site to its last known clean version. It might be possible to determine the date of infection by looking at data in Webmaster Tools or Google Analytics, such as a big spike in traffic, or a spike in the number of URLs indexed for your site, on a certain date.
If you’re keeping regular backups of your site, restoring from a date prior to the infection is a good place to start.
Some hacks can elude the detection of known scanning applications or sites. It can be difficult to identify the source or nature of the infection.
One way to find out if you’ve got a detectable invasion is Google’s Safe Browsing tool. Other resources include Sucuri (checks for DDoS blacklisting, hacking and malware) and IsItHacked.com. A recent cleanup job we confronted passed all these tests, but was infected nonetheless, showing over 500 ugly URLs in the Google index. PHP injections are insidious and can be hard to find.
Some forms of attack involve the creation of files in an unguarded directory on your site, or the injection of obfuscated PHP code into your site core files, or into a vulnerable plugin.
It’s a good idea to seek the service of a reputable cleanup person. We’ve used the service offered by hackrepair.com. The service was reasonably priced, efficient and fast, with great reporting after the fact. And we like the guy, too!
Removing Hacked URLs from the Google Index
One thing the restoration service doesn’t do is remove bad URLs from the Google Index. Given that these toxic URLs will still be there after cleaning up your site itself (Google lets go of them eventually without having to remove them, we’re told), your site can still be found for all the hideous terms you’ve been inadvertently indexed for. Actively searching out these URLs and removing them can accelerate the removal of a Google “Manual Penalty” – that is, get rid of Google’s alert in the SERPs. It’s good for your site, and helps Google restore your correct status and indexing.
They have to be removed one at a time, manually, however. It’s not possible (at present) to upload a CSV list of URLs to remove. It’s also not obvious or easy to develop a list of the toxic URLs to begin with, even though you can see page after page of them in the SERPs.
1. Develop your list of URLs
Chris Ainsworth at Highposition.com tells us how to assemble a list of your site’s URLs.
Use Chrome.
Add the extension ginfinity
Go to Google search page.
Use the settings icon to change Search Settings to “Never Show Instant Results”
Set results per page to 100
Perform your search: site:yoursite.com
Click the bookmarklet
Copy the URL-only section from the page of URL results and paste it into a text editor
Delete the legitimate URLs you want to keep, leaving only the URLs you want to remove.
A nice clean list of URLs is a great starting point for your removal requests.
In the last case I dealt with, according to Webmaster Tools, there was a spike from around 200 indexed URLs to over 1500. At this writing, only about 800 have turned up through our various harvesting methods so far, and more are still showing up, even though we got our notice that Google lifted its manual penalty.
Even under the best conditions, it might take a day or more for more URLs to surface into the SERPs – kind of like toxic gases rising from mud at the bottom of a lake. You’ve got to keep after it for a while. They surface at the rate of 3-50 per day. It could take a while to get them all.
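An added example (not part of the original article): a short Python script that turns each day's harvested list into the URLs still to be submitted for removal, by dropping legitimate pages, other domains, duplicates, and anything already requested. It assumes you have a known-good URL list from the clean backup (for instance its sitemap) and compares URLs ignoring scheme, "www." and trailing slash; all names and sample URLs are constructed.

```python
from urllib.parse import urlsplit

SITE_HOST = "yoursite.com"  # assumption: placeholder domain used in the article

def normalize(url, host=SITE_HOST):
    """Canonical host+path+query for comparison, or None if not on our host."""
    url = url.strip()
    if not url:
        return None
    if "://" not in url:
        url = "http://" + url          # harvested lists often omit the scheme
    parts = urlsplit(url)
    h = (parts.hostname or "").lower()
    if h.startswith("www."):
        h = h[4:]
    if h != host:
        return None
    path = parts.path.rstrip("/") or "/"   # /about and /about/ compare equal
    query = "?" + parts.query if parts.query else ""
    return h + path + query            # path stays case-sensitive

def removal_candidates(harvested, known_good, already_submitted=()):
    """URLs from the harvest that are ours, not legitimate, and not yet submitted."""
    skip = {normalize(u) for u in known_good} | {normalize(u) for u in already_submitted}
    out = []
    for raw in harvested:
        key = normalize(raw)
        if key is None or key in skip:
            continue
        skip.add(key)                  # drop later duplicates of the same page
        out.append(raw.strip())
    return out

# Constructed sample data (not from a real site).
KNOWN_GOOD = ["https://yoursite.com/", "https://yoursite.com/about",
              "https://yoursite.com/contact"]
HARVESTED = [
    "http://yoursite.com/",
    "http://yoursite.com/about/",
    "http://yoursite.com/tmp/cialis-offer.html",
    "https://www.yoursite.com/tmp/cialis-offer.html",   # same page, other variant
    "http://yoursite.com/?dr_oz=diet",
    "http://othersite.example/page",                    # not our domain
    "",
]
SUBMITTED = ["http://yoursite.com/?dr_oz=diet"]

if __name__ == "__main__":
    for url in removal_candidates(HARVESTED, KNOWN_GOOD, SUBMITTED):
        print(url)
```

Append each day's output to the submitted list so the next harvest only yields URLs that have newly surfaced.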
2. Use a macro to post the removal requests
As mentioned above, the removal requests need to be entered one at a time, but it’s possible to automate that process with a macro tool like Quick Keys, Keyboard Maestro, or any number of other macro recording tools.
A macro app that can switch applications and replicate keystrokes and mouse clicks can be programmed to perform the repetitive tasks involved in entering a long list of URLs into the Google URL Removal request tool. After developing the macro script (which can take a little while), the entry itself can be done at the rate of about one every 2 seconds.
If you need this done, but don’t care to undertake all of this yourself, this is a service we offer. We can do it for you. We’ll charge 50¢/URL, with a minimum order of 100.