WordPress Spam Injection = Google Penalty for My Blog (But Not Website)

MIHMORANDUM NO. 73 | May 27th, 2008 | Reader Comments (12)

May 27th, 2008 Update:

After approximately four weeks under severe Google penalty, it appears that my blog is back in Google’s good graces. I’m back to #2 for search terms like “Flash Vs HTML websites,” which is more or less right where I was before the whole thing started.

When I submitted my request, Google said it could take several weeks before it was considered; turns out it took about four. Interestingly enough, I never received a confirmation in my Webmaster Tools Message Center that my reinclusion request had been approved.

But it does go to show that if you follow the steps Google recommends, and you run a legitimate blog or website like this one, that even the “little guys” can expect reinclusion in a relatively timely manner. I do think it helped that this problem was widespread, and that Google’s engineers probably had a pretty good idea of what to look for to know whether a blackhat SEO or spammer was trying to pull one over on them. But regardless, thanks to the search quality team at Google for its hard work!

Original Post Below:

I write this post with a heavy heart; one that has discouraged me from writing posts in the past week. But I thought I would pass along my experience, in case others have had, or want to avoid, similar experiences in the future.

Things that I hope will be made clear by this post:

  • It’s a darn good idea to submit your site to Webmaster Tools because it can help you identify spam that might have gotten onto your site.
  • Older versions of WordPress might have a security glitch, so make sure you upgrade.
  • My SEOmoz PRO membership AGAIN proved its worth as part of this ordeal.
  • Why is Google penalizing only my blog folder? I am obviously thrilled they are smart enough to limit the penalty, but am surprised and amazed!
  • May 12 (+/-) UPDATE: READ THIS WHITEPAPER ON MAKING WORDPRESS SECURE. Thanks to stuntdubl for the tip.

Introduction: Houston, We Might Have a Problem…

Regular readers know that I am as lily-white an SEO as there is in our industry. The only links that I encourage clients to buy are from respected, human-edited directories, like Yahoo, Best of the Web, and JoeAnt. I have never purchased a link for my own website, though Greg Hartnett at BotW was nice enough to include me in their directory after I met him in San Francisco two years ago.

Part of the reason I am so white-hat is by choice; part is simply because I don’t know enough PHP to spam or automate link-building processes. (Not that I am passing any moral judgment on those who perform SEO that way; it’s just that I am building my business, and I don’t see those tactics as a viable long-term strategy, either for myself or for my clients.)

So obviously, it came as a great shock last week when my Google toolbar PR showed up grey (i.e., zero) for the address http://www.davidmihm.com/blog. I don’t pay a whole lot of attention to Toolbar PageRank; as long as my site, and my clients’ sites are somewhere around 2-6, I know things are ok. But when it was showing zero, I thought there might be a problem. So I did a couple of searches that I remember Rand recommending awhile back to see if your website is under penalty.

Step-by-Step: Diagnosing the Problem

I searched for the exact title tag of my blog homepage (“Mihmorandum: The Small Business Web Design + Local SEO Blog”), and for an extended excerpt of text I’d used in a post a couple of months ago.

The results were discouraging:

I immediately logged into Webmaster Tools (where I hadn’t visited in at least six months) and was horrified to see the following:

I then tried searching my site for some of those alleged keywords. Oddly, the only keyword that returned any results was for Valium:

I am normally pretty vigilant about approving / disapproving comments that my Akismet spam filter plugin catches, but I just assumed that a couple had slipped through the cracks. However, when I went to check those pages, I didn’t see any spam, either on the page OR in Google’s cached version.

I then checked to see whether I’d been banned, or had just been placed under severe penalty by doing a search for “site:davidmihm.com/blog”:

Pages in site: search meant that Google was still indexing my blog, just placing it under severe penalty.

Interestingly enough, it looks like the rest of my site, the part that lives outside the ‘blog’ folder, is/was doing just fine. Check out the following search for my Sitemap page (which is no-followed and thus should have no link juice pointing to it whatsoever). Google indexes and ranks that just fine:

Still, I was concerned about my blog.

That’s when I asked for outside help — one of the many great features of SEOmoz PRO membership is that you get to ask up to three questions per month of the expert staff. Jeff Pollard, SEOmoz’s CTO, emailed me back within 12 hours of my question to tell me that he had found the culprit in the source of the cached version–a hidden markup injection in the footer of my pages!

All I have to say is, FILMTHREAT, YOU SUCK. Unless you were hi-jacked also, in which case whoever hi-jacked you is the one that sucks.

Remedying the Problem

Armed with the code that Jeff had found, the first thing I did was upgrade to the latest version of WordPress, in this case, 2.5.1.

Then, I logged into Google Webmaster tools and submitted a re-consideration request to Google. I checked out Matt Cutts’ authoritative post on the subject, explaining exactly what had happened and what I had done to fix it. Here’s the crux of Matt’s synopsis:

Fundamentally, Google wants to know two things: 1) that any spam on the site is gone or fixed, and 2) that it’s not going to happen again.

I asked Jeff to take another look at the code of my blog & he says that it looks like upgrading did indeed clear it up. And as for Matt’s #2, I sincerely hope WordPress 2.5.1 permanently fixes this vulnerability :).
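The manual source check described above (looking for links that are in the page source but hidden from visitors) can be scripted. This is an added example, not code from the original post or from SEOmoz; the post does not show the injected markup, so the sample HTML, the `example.*` hosts and the inline-style heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics: inline styles often used to hide injected links from visitors.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        # stack: (tag, hidden?) per open element; findings: [href, anchor text]
        self.stack, self.findings, self.current = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # An element is hidden if its own style hides it or its parent is hidden.
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or "")) or (
            bool(self.stack) and self.stack[-1][1])
        if tag not in VOID:
            self.stack.append((tag, hidden))
        if tag == "a" and hidden:
            host = (urlparse(a.get("href") or "").hostname or "").lower()
            if host and host != self.own_host and not host.endswith("." + self.own_host):
                self.current = [a["href"], ""]
                self.findings.append(self.current)

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
        if tag == "a":
            self.current = None

    def handle_data(self, data):
        if self.current is not None:
            self.current[1] += data.strip()

def find_hidden_links(html, own_host):
    """Return (href, anchor text) for off-site links inside hidden containers."""
    finder = HiddenLinkFinder(own_host)
    finder.feed(html)
    return [tuple(f) for f in finder.findings]

# Constructed sample: a footer carrying one hidden off-site link.
SAMPLE = """<div id="content"><a href="http://www.example.org/ref">visible reference</a></div>
<div id="footer"><a href="/blog/about">About</a>
<div style="position:absolute; left:-9999px"><a href="http://spam.example.net/pills">cheap pills</a>
<a href="http://www.example.com/blog/archive">archive</a></div></div>"""
```

Run it against the raw HTML source of a page (and of the search engine's cached copy), not the rendered view, since nothing shows up on the rendered page. It only catches inline-style hiding; links hidden through a stylesheet class need a separate check.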

I am still not sure why or how Google only banned one folder of my domain, but I am thankful that they did :).

I am also thankful to Yahoo and MSN for continuing to rank my site just where it used to be throughout this whole process. (I am not sure if that’s because they could tell that my site had been hacked and were able to devalue those links, or if they just didn’t catch the spam!)

12 Responses to “WordPress Spam Injection = Google Penalty for My Blog (But Not Website)”

  1. Dr. Pete says at

    That just plain sucks, Dave. Pardon my unprofessionalism, but I’d like to find every idiot who ruins other people’s livelihood to make $5/month on some half-assed spam scheme and personally beat them senseless. These spam attempts are so low value, and probably make the perpetrators less money than working at McDonalds, and yet they can cost you and I hundreds or thousands of dollars. Get a job, you morons! Or at least go back to playing World of Warcraft.

    Sorry, rant over :)

  2. David Rosenberg says at

    Sorry to hear your troubles David, I am glad that everything got fixed up or is in the process. The sad truth is as Dr. Pete said that these attempts don’t even bear fruit for the spammers. I had a similar problem with a test site that I had WordPress on, I ended up trashing the site and parking it for now.

  3. David Mihm says at

    @ DrPete – I know, I totally hear you. It was very hard for me not to turn this post into a rant, cuz it basically killed an entire day-plus, which at my hourly rate if I am working on client work is around $1000. Not to mention the lack of legitimate search traffic my blog will not receive until it is removed from penalty. I appreciate your sentiment.

    @ David Rosenberg – I have a couple of sites in the works that are personal projects & I just recently took one out of parking. After this little episode I may decide to put it back in… Thanks for your empathy.

  4. MiriamEllis says at

    David,
    This was just awful to read! I’m so sorry this happened to you, despite the fact that it’s been a learning experience. Learning how to deal with being hacked is anything but fun, I’m betting, and here’s my vote for Google re-including you posthaste!

    In the meantime, don’t worry, we’ve got you safe and secure in our feedreader and will keep on reading. Thanks for sharing the step by step process.
    Miriam

  5. John Beagle says at

    David,

    What happened to you is something we fear every day. The spammers attack and sometimes they win. I see your blog still has no PR, but hopefully, by the grace of the Google gods, you will be restored to a level that corresponds to the work you do.

    See you in Seattle.

  6. Will Scott says at

    Darn it, I need to read your blog more often.

    I was wondering why I’d fallen off the #1 position for a phrase I’ve held for 18 months. And then, my main site was still ranking because of my RSS feed display on the home page.

    Checked my code and there it was – bugger-all.

    Dadgummit. Should be fixed in half an hour.

    Thanks David!

  7. Will Scott says at

    David,

    It took less than a week for my re-inclusion request to be accepted and I’m back to ranking for some of my favorite phrases :)

    Thanks again for the heads-up.

    Will

  8. Magda says at

    Hello David:

    I read the story and I am glad the problem is solved. I am wondering if similar situation can happen to any web site. I know your blog was on WordPress. We build web site on CMS developed in house and of course we want to keep it safe.

    Magda

  9. David Mihm says at

    Magda – WordPress is the only CMS with which I have significant experience & it looked like the upgrade to 2.5.1 worked.

    I’m guessing that WordPress’s greatest asset, the fact that so many people use it around the world, is also its greatest liability, because it allows spammers to concentrate on finding a solution that can scale to a whole bunch of blogs. I wouldn’t think spammers would focus on one custom-built setup unless you or one of your clients has a site with a ridiculous amount of traffic.

  10. Jennifer Manson says at

    I will appreciate if you provide more details on this. Thanks.

  11. Jorge Escobar says at

    I was attacked about 4 months ago and lost all my Google PR and started seeing strange Vitamin and pill ads on my blog without knowing what it was. Thanks to this post, I fixed my blog, but had to check my blog using ugly commands every so often.

    So I decided to write a nice application so that people can check their blogs or sites easily, you can check it out at http://spamcheckr.jungleg.com

    Hope this helps people to check their sites against these pests!

  12. Private Exchange says at

    Your personal invaluable tutorial means an excellent deal to me and in addition to my workplace workers. Thank you from everybody of us.
