In late 2015 we had the opportunity to work with an amazing individual who owned a really cool website / blog in his industry. Out of respect for their anonymity we aren’t going to name them in this post, but it is a well-respected website in a competitive niche. In the title we say “un-SEO’ing” because this client had hired so many different SEOs and website consultants over the years that there was more to be removed than there was to be added. Fixing a hacked website was our main goal.

On the front end, it was a normal WordPress blog. All of the title tags and meta-descriptions were in place, and from a quick glance it almost seemed to be a normal website. But once we opened the hood and really started taking a look we found some extremely concerning characteristics of this website, namely:

  • the website was hacked
  • there were multiple (4+) live versions of the website indexed
  • it had the most comment spam I have ever seen in my life
  • it was “broken” in many different ways plus had over 50 WordPress plugins enabled
  • several other consultants had access to this website
  • the website host was trying to upsell our client due to all of this
  • blackhat backlinks pointing to the website
  • it had evidence pointing strongly towards someone who had access to this site in the past selling links for profit

Keep in mind, the owner of this website is a non-technical individual and has no idea what any of this means, and didn’t realize they were being taken advantage of.

Fixing a hacked website

The hack wasn’t anything crazy, but it could have been a lot worse. The cause was an outdated WordPress install: the site was running version 3.8.1 when it should have been on at least 4.1.1 at the time.

This was an easy fix, and we got the website “clean” before we made any server or SEO fixes. The server has to be secure before any optimizations are made.

It’s funny, we just got done analyzing a huge hacked SEO backlink network a month or so ago, but this one wasn’t even close to the size of that one.

Multiple Live Versions of Website

In addition to there being multiple live versions of the website indexed on Google, there were also complete backups of the website in tar.gz and .zip format just sitting on the server. This means anyone could have downloaded the entire website, including wp-config.php with the database password. This might also have been how the hack happened.

[Image: duplicate copies]

Instead of deleting the “live” versions of the website, we simply moved them to a folder on the website that wasn’t public. Within a few quick keystrokes we brought the website from thousands of indexed pages, to a few hundred.

[Image: total index]

Needless to say this was a big help, and we started to see improvements right away.
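The two exposures described so far, backup archives left under the web root and extra or outdated WordPress copies, can be checked for with a short script. This is an added example, not code from the original case study; the sample directory layout is constructed, and the 4.1.1 minimum is simply the version the post cites for that time.

```python
import os
import re
import tempfile

ARCHIVE_EXTS = (".tar.gz", ".tgz", ".zip")
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def version_tuple(version):
    """'3.8.1' -> (3, 8, 1)"""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def audit_webroot(root, minimum="4.1.1"):
    """Report backup archives and every WordPress copy under a web root."""
    archives, installs = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name.lower().endswith(ARCHIVE_EXTS):
                archives.append(os.path.normpath(os.path.join(rel, name)))
        # wp-includes/version.php identifies a WordPress copy and its version
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            with open(os.path.join(dirpath, "version.php"), errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            version = match.group(1) if match else "unknown"
            outdated = not match or version_tuple(version) < version_tuple(minimum)
            installs.append((os.path.dirname(rel) or ".", version, outdated))
    return sorted(archives), sorted(installs)

def build_sample_tree():
    """Constructed sample layout, not the client's real files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "wp-includes/version.php": "<?php\n$wp_version = '3.8.1';\n",
        "old-site/wp-includes/version.php": "<?php\n$wp_version = '4.1.1';\n",
        "site-backup.tar.gz": "",
        "old-site/full.zip": "",
        "index.php": "<?php // front controller\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    found_archives, found_installs = audit_webroot(build_sample_tree())
    for path in found_archives:
        print("backup archive in web root:", path)
    for where, version, outdated in found_installs:
        print("WordPress copy:", where, version, "OUTDATED" if outdated else "ok")
```

Any archive it lists is downloadable by anyone who guesses the filename, and more than one WordPress copy means more than one install to keep patched.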

Oodles Spam Comments

Let’s be straight here, every site gets spam, particularly WordPress websites. This site was a bit different. Someone had set the website to “auto approve” comments across the board. That, compounded with the fact that the site was a PR5 with a DA of 50, made it ripe for the picking for blog comment spammers. I would say less than .0001% of these comments were real.

[Image: comments]

Even though this was an excellent blog with stellar content, it was impossible to sift through all the cruft to find the good stuff.

You can see in this video just how much spam this site was getting:

Keep in mind, these comments were coming in at this rate every day, all day. It was getting to the point where if we let this go, it would shut the entire server down due to traffic, disk space, or CPU usage. Needless to say, we disabled comments globally for the time being.

One other thing to note: having this amount of live spammy blog comments on your website is going to slow it down. This site had 64,000 live blog comments on the website, each one with an outbound link, gravatar and content within each comment.

[Image: spam comments]

One post in particular had to load hundreds of comments every time it loaded, which took up to 60 seconds average load time. It also loaded dozens of paginated pages. Once the comments were removed, it was loading in 2-4 seconds on average.

It is no secret that UGC can cause a penalty / action. Removing the comments was a huge part of the problem and a big win in this case right off the bat.

Broken, misconfigured website

The website didn’t look bad, but it was “broken” in many different ways. Permalinks were so out of whack they made absolutely no sense. Someone or some “thing” tried to manually configure them via the .htaccess. The sitemap was broken, the robots.txt file was terribly misconfigured and there were errors out the whazoo.

There were a lot of other things that were wrong. Sooooo many plugins. We’re talking 50+ active plugins enabled, plus another dozen or so disabled. It was so bad. We started by chipping away and disabling plugins one by one, and replacing them with straight code or getting rid of them completely. For instance, the website had 3 different plugins to check for 404’s and none of them were doing a good job of it. The database was filled with so much nonsense that we chose to use a plugin called WP Optimize to clean it up a bit. This plugin basically scans the MySQL database to find tables / rows that are unnecessary and deletes them.

In this case there were also a ton of comments in the database that had to be deleted. The image below illustrates just how large (and how unnecessary) the majority of the content within the database was. 98% of the content in the database was spam, garbage or temp information.

[Image: WordPress database cleanup]

As you might have guessed, the website loaded much faster after this round of cleanup. On to the next.

Blocking other consultants

We found evidence of at least 5 other consultants who had access to the website via WordPress or FTP / cPanel. We blocked them off completely. How were we to know who was responsible for the hack, when we couldn’t tell why these people were logging in (we could have looked at the logs)? If anyone called and wanted access, we would then monitor them and ask them why they needed access.

[Image: too many users]

We actually didn’t delete anything, we just changed the passwords. There is no reason for this many people to be logging into the website, especially considering none of them were actively blogging etc.

Website host = not helping

Throughout the course of the 30 or so days we consulted with this client, the website host flat out lied to our client a number of different times.

Once we started getting in there and getting our hands dirty, the host started to get vocal and dug through the server a bit. They pointed out that “more than one version of WordPress is installed, which is not optimal.” Gee, ya think? In essence, they started pointing out the things we were already working on. They then proceeded to try and sell our client a larger server because so many resources were being used.

Now, at this point I’d say that 50-70% of the load on this server was due to the blog comments coming in, the multiple live versions of the website, the backups, and all the extra cruft. Once we backed all of this up and got rid of it, the server’s resource usage dropped to that of a normal website.

Blackhat backlinks

If you haven’t guessed it already, there were 1000’s of blackhat backlinks pointing to the website. Luckily, there were also a few hundred high quality backlinks pointing to the site. In this case we recommended to our client to do a preemptive disavow of their backlinks in order to mitigate any possible actions Google might take.

Here is a snapshot of

[Image: blackhat links]

Link farm?

Throughout the site I found several peculiar link placements that were not relevant at all. The author of the blog (also the owner) did not place them, which leads me to believe one of two scenarios happened:

  1. When the website was hacked, they placed links
  2. One of the previous consultants was selling links or placing them to their own sites

We didn’t have time to investigate this further, but either way the links had to be removed. They definitely could be acting as a negative SEO signal and could possibly cause Panda to come sniffing by. In total we found about 20-30 of these and removed them all. What really tipped us off was the very intentional anchor text that we found.

Tying it all together

In the end we didn’t get to proceed with the actual SEO portion of the website, but we definitely felt good about where we left the site. We started with a hacked, mismanaged, improperly configured, and un-optimized website and ended up with a secured, updated and properly configured version that we could work with.

A lot of people think SEO is all about adding content, adding title tags, adding backlinks or adding schema markup. While all of this is true, in many scenarios older websites need to be stripped down of all bad habits and mistakes made by consultants that worked on the website over the years.

We hope you enjoyed this case study. It would not be possible without the hard work of our team here at Elite Strategies!