How Black Hat SEOs hack websites for SEO benefit

At Click Consult, the final week of July started with a message from Google Search Console, informing us that one of our client’s websites had been hacked. Disaster!

---

This is one of only two occurrences in our 12 year history that Click has had to deal with the compromised security of a client’s website (it is important to keep in mind that in both cases, neither website was hosted by Click Consult). Within 24 hours, Click was able to isolate the problem, resolve it, and have Google remove the “This site may be hacked” message from the search engine ranking pages (SERPs).

The following post details both the issues faced by the client’s site, as well as how Click were able to rectify the problem in order to cause the least amount of inconvenience and distress, both for users of the website and for the client.

The issues

Arriving into work on Monday morning, the Click team were greeted with the below message in the ‘Security Issues’ tab of Google’s Search Console:

Inspecting the SERPs for the home page of our client’s website, we saw the below message:

Upon navigating to the sample URL, we discovered that the hacker had created around 4,500 pages which were not accessible through the website’s navigation. Each of these pages included several paragraphs of auto-generated nonsensical text copy that included at least 10 anchor text links.

Each anchor text link included the term ‘Longchamp bag’ and strangely, each was linking to another of the 4,500+ pages (internally) that had been created on the client’s website, rather than linking externally to a website seeking to derive benefit from the hack.

As we analysed further, we also noticed that over the last two months, it would appear that the same people responsible for the hack had created links from a large number of websites to the 4,500+ pages created on the client’s website (as below).

This is obviously very peculiar from an SEO perspective, because it is the opposite of what we’d expect to happen. Logically, one would expect a Black Hat SEO to hack a website with the purpose of discreetly creating pages, with each page featuring text copy that was consistent with the language used throughout the rest of the website (so as to arouse least suspicion).

The hacker would then place a small number of anchor text links within the copy of these pages, and these links would a) include a keyword that the hacker wanted his/her site to rank for; and b) link to the website the hacker wanted to have benefit from this process, therefore passing authority from the hacked site to the external site.

Diagnosis & treatment

Click’s first task was to work with the client’s technical team to ensure all passwords for entry points to the website were changed.

In order to uncover how the site’s security had been compromised, Click’s developers first accessed the website back end, using File Transfer Protocol (FTP), in order to attempt to find any unrecognised stray WordPress (WP) files.

After not uncovering anything unusual, Click then logged into the WordPress CMS (which was being used by the client to house the blog section of the website) and discovered that the version of WP in use had not been updated for a relatively long period of time.

This was almost certainly the reason for the security compromise and Click’s developers then began to manually update WordPress, as well as further reviewing all core WP files to ensure these were normal.

Older versions of WordPress have a known vulnerability which may allow a hacker to add files to a site, potentially giving them full control of a server.  Once the hacker has this ability they often insert several files in various locations nested deep on the server making it difficult to completely eradicate the server of the infection.  It is important that we were extremely thorough with our search for any infected files.

Once Click had deleted the responsible files, we then installed the Sucuri WordPress plugin, which checks all WP files for malware and other unusual activity, such as instances of dangerous files masquerading as WordPress files.

Since Sucuri checks only WP files, our developers also did another manual check of the site’s core files, which were ordered by ‘last modified’ in order to make this task easier.

Finally, the mail queue was checked to make sure that it wasn’t being used to send spam, and any running processes were killed to ensure that the next time these processes were run, they used ‘clean’ code, rather than potentially remaining infected.

Once we were satisfied that the correct files had been removed and that the URLs of the hacked pages were now returning 402 status codes (thus cleansing the site of the hacker’s vandalism), it was time to ‘Request a review’ to Google, in order to prove to the search engine that the vulnerabilities had been corrected in the hope that they would remove the ‘This site may be hacked’ message from the SERPs.

This request was submitted at around 16.00pm GMT on Monday the 27th of July. By 8.00am the next day, the ‘This site may be hacked’ message had disappeared from the SERPs, and the ‘Security Issues’ tab in Google’s search console was clear.

How to prevent website hacks

Google alerts

Webmasters can use free tools such as Google alerts to help keep an eye on suspicious keywords on your website. For example, you could monitor queries such as below. This would result in the webmaster receiving an email each time one of these keywords was detected as a mention on your website.
“site:example.com longchamp OR Viagra OR porn”

Check your anchor text

The SEO industry offers some brilliant tools for analysing your link profile, such as Moz’s Open Site Explorer, Majestic SEO and AhRefs. These tools give an indication of the overuse of particular anchor text, and by analysing the keyword anchors; you can get a good indication of whether your website is being targeted by hackers, since you’ll see strange anchor text pointing at pages you know should not exist.

Keep up to date

As this case study demonstrates, it is absolutely vital that all technology related your website is kept as up to date as possible. This includes your content management system (WordPress, Drupal, Magento, etc.), all plugins, adobe reader, and any software used to access your website (for example, FileZilla, Cyberduck, Tunnelier, etc.)

Secure passwords & regular backups

The simpler your password is, the easier it will be for a hacker to access your website. Use a combination of upper and lowercase, numbers, letters and special characters for ALL passwords.
Should the hacker be successful in exploiting any lapses in security, the habit of keeping regular backups of the site will pay dividends when it comes the time to restore your website to its former clean self.

Conclusion

Having a website hacked for whatever reason, whether by Black Hat SEOs for the purposes of spam content and links, or by other cybercriminals intent on implementing malware or attaining sensitive information through phishing techniques, is always a stressful time for webmasters and business owners alike.

However, having access to experts can make this process as stress free as possible. The client in this case study was somewhat lucky that the compromise in their security only amounted to the implementation of spam on the website for the purposes of search optimisation.

This case study is testament to the need to ensure that your website is fully up to date, in order to ensure continuous security. By working closely with the client’s internal technical team, Click Consult’s expert developers dealt with this problem swiftly and painlessly, causing the least amount of anxiety possible for the client.

If you believe the security of your website has been compromised for the purposes of Black Hat SEO tactics, please contact Click Consult today on 0845 205 0292 to speak with one of our search marketing experts.