No. 73
May 27th, 2008

WordPress Spam Injection = Google Penalty for My Blog (But Not Website)

May 27th, 2008 Update:

After approximately four weeks under severe Google penalty, it appears that my blog is back in Google’s good graces. I’m back to #2 for search terms like “Flash Vs HTML websites,” which is more or less right where I was before the whole thing started.

When I submitted my request, Google said it could take several weeks before it was considered; turns out it took about four. Interestingly enough, I never received a confirmation in my Webmaster Tools Message Center that my reinclusion request had been approved.

But it does go to show that if you follow the steps Google recommends, and you run a legitimate blog or website like this one, that even the “little guys” can expect reinclusion in a relatively timely manner. I do think it helped that this problem was widespread, and that Google’s engineers probably had a pretty good idea of what to look for to know whether a blackhat SEO or spammer was trying to pull one over on them. But regardless, thanks to the search quality team at Google for its hard work!

Original Post Below:

I write this post with a heavy heart; one that has discouraged me from writing posts in the past week. But I thought I would pass along my experience, in case others have had, or want to avoid, similar experiences in the future.

Things that I hope will be made clear by this post:

  • It’s a darn good idea to submit your site to Webmaster Tools because it can help you identify spam that might have gotten onto your site.
  • Older versions of WordPress might have a security glitch, so make sure you upgrade.
  • My SEOmoz PRO membership AGAIN proved its worth as part of this ordeal.
  • Why is Google penalizing only my blog folder? I am obviously thrilled they are smart enough to limit the penalty, but am surprised and amazed!
  • May 12 (+/-) UPDATE: READ THIS WHITEPAPER ON MAKING WORDPRESS SECURE. Thanks to stuntdubl for the tip.

Introduction: Houston, We Might Have a Problem…

Regular readers know that I am as lily-white an SEO as there is in our industry. The only links that I encourage clients to buy are from respected, human-edited directories, like Yahoo, Best of the Web, and JoeAnt. I have never purchased a link for my own website, though Greg Hartnett at BotW was nice enough to include me in their directory after I met him in San Francisco two years ago.

Part of the reason I am so white-hat is by choice; part is simply because I don’t know enough PHP to spam or automate link-building processes. (Not that I am passing any moral judgment on those who perform SEO that way; it’s just that I am building my business, and I don’t see those tactics as a viable long-term strategy, either for myself or for my clients.)

So obviously, it came as a great shock last week when my Google toolbar PR showed up grey (i.e., zero) for the address I don’t pay a whole lot of attention to Toolbar PageRank; as long as my site, and my clients’ sites are somewhere around 2-6, I know things are ok. But when it was showing zero, I thought there might be a problem. So I did a couple of searches that I remember Rand recommending awhile back to see if your website is under penalty.

Step-by-Step: Diagnosing the Problem

I searched for the exact title tag of my blog homepage (“Mihmorandum: The Small Business Web Design + Local SEO Blog”), and for an extended excerpt of text I’d used in a post a couple of months ago.

The results were discouraging:

I immediately logged into Webmaster Tools (where I hadn’t visited in at least six months) and was horrified to see the following:

I then tried searching my site for some of those alleged keywords. Oddly, the only keyword that returned any results was for Valium:

I am normally pretty vigilant about approving / disapproving comments that my Akismet spam filter plugin catches, but I just assumed that a couple had slipped through the cracks. However, when I went to check those pages, I didn’t see any spam, either on the page OR in Google’s cached version.

I then checked to see whether I’d been banned, or had just been placed under severe penalty by doing a search for “”:

Pages in site: search meant that Google was still indexing my blog, just placing it under severe penalty.

Interestingly enough, it looks like the rest of my site, the part that lives outside the ‘blog’ folder, is/was doing just fine. Check out the following search for my Sitemap page (which is no-followed and thus should have no link juice pointing to it whatsoever). Google indexes and ranks that just fine:

Still, I was concerned about my blog.

That’s when I asked for outside help — one of the many great features of SEOmoz PRO membership is that you get to ask up to three questions per month of the expert staff. Jeff Pollard, SEOmoz’s CTO, emailed me back within 12 hours of my question to tell me that he had found the culprit in the source of the cached version–a hidden markup injection in the footer of my pages!

All I have to say is, FILMTHREAT, YOU SUCK. Unless you were hi-jacked also, in which case whoever hi-jacked you is the one that sucks.

Remedying the Problem

Armed with the code that Jeff had found, the first thing I did was upgrade to the latest version of WordPress, in this case, 2.5.1.

Then, I logged into Google Webmaster Tools and submitted a re-consideration request to Google. I checked out Matt Cutts’ authoritative post on the subject, explaining exactly what had happened and what I had done to fix it. Here’s the crux of Matt’s synopsis:

Fundamentally, Google wants to know two things: 1) that any spam on the site is gone or fixed, and 2) that it’s not going to happen again.

I asked Jeff to take another look at the code of my blog & he says that it looks like upgrading did indeed clear it up. And as for Matt’s #2, I sincerely hope WordPress 2.5.1 permanently fixes this vulnerability :).

I am still not sure why or how Google only banned one folder of my domain, but I am thankful that they did :).

I am also thankful to Yahoo and MSN for continuing to rank my site just where it used to be throughout this whole process. (I am not sure if that’s because they could tell that my site had been hacked and were able to devalue those links, or if they just didn’t catch the spam!)