Categories: Google, Security, SEO

The Google “Penalty” That is Actually From a Hacked Site

Recently, there has been an increase in the number of webmasters who are reporting that they have lost all Google referral traffic.  Normally, when one sees organic referrals from Google drop to zero, the natural assumption is that the site has a site-wide manual action applied.  Yet when looking in Google Search Console, there is nothing listed under manual actions.

Investigating Deeper

The plot thickens when looking deeper into Search Console – indexed pages seem normal.  There are no abnormal crawl errors or any other things that look odd or suspicious in the account.  In fact, everything points to “business as usual”.

When viewing the website, everything looks normal and even looking at the source code usually doesn’t reveal anything is awry, if anyone bothers to look that closely.  There are no signs of blocking Googlebot via robots.txt or with a noindex tag.  Google cache looks normal.

Even checking rankings in the live Google search results doesn’t reveal any problems.  The pages are still ranking normally, even in incognito mode. A site: query looks normal as well.

What is Really Going On

But if someone clicks through from an actual search result (which many people don’t), suddenly it all becomes apparent.  When clicking on a search result, the searcher is not sent to the page on the website they expect.

I have seen two types of redirects happening.  In the first, the destination is an affiliate site in a market somewhat along the same lines as the hacked site.  In the other, the visitor is immediately redirected to a spam site that tries to auto-install malware on the unsuspecting visitor.

It isn’t only Google that is being targeted.  I have seen it happen from multiple other search engines, too.  So if you have been deindexed and are having problems finding a Google referral, check Bing or Yahoo.

Other Ways to Discover the Hack

The good news is that Google seems to be picking this up some of the time and showing alerts in Google Search Console.  And it sometimes pops up with a “This site may be hacked” alert in the search results.

But when Google sends an email to the users, they include a direct URL – meaning without a Google referral – so even if one clicks through from the email in search of the malicious code that Google claims is there, the webmaster won’t see any evidence of malicious code.  In fact, the only way to tell that something malicious is going on is by clicking from a Google referral or examining the .htaccess file – a file many webmasters are too scared to touch lest they mess it up.

Additionally, Google Safe Browsing Site Status often doesn’t pick up on it, at least not initially, which adds to the mistaken impression that the site hasn’t been hacked.

If you run AdWords campaigns, it is actually often the AdWords warning about malicious redirects that alerts webmasters to the problem first, prior to it showing up in Google Search Console.

Also complicating things is that sometimes, along with the redirects, the hackers are also adding new pages of spam content.  But again, if you type the URL directly, or sometimes only if you visit it while logged into WordPress, it will show a 404.  The spam page is only visible when arriving from a Google referral or to those not logged into WordPress.

Fixing the Malicious Redirect

The vast majority of the time, it is in the .htaccess file.  Clean up the file, and the redirects will stop.  There doesn’t seem to be a common entry point; rather, any exploit that allows access to the .htaccess file can cause it.
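One way to check a .htaccess file for the referral-only redirect described above, as an added example (not code from the original article): the script flags any RewriteRule that sends visitors off-site and is guarded by a RewriteCond on HTTP_REFERER. It assumes the redirect is implemented with Apache mod_rewrite; the sample file, the host names and the function name `find_referrer_redirects` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not taken from a real incident: a stock WordPress block
# followed by a rule that only fires for visitors arriving from a search engine.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} google\. [NC,OR]
RewriteCond %{HTTP_REFERER} bing\. [NC,OR]
RewriteCond %{HTTP_REFERER} yahoo\. [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/in.php [R=302,L]
"""

# Directive name plus its first two arguments (quoted arguments containing
# spaces are not handled; they are rare in .htaccess files).
DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.I)


def find_referrer_redirects(text, own_host):
    """Return (line_no, target, referer_patterns) for each RewriteRule that is
    guarded by a RewriteCond on HTTP_REFERER and points at another host."""
    findings, pending = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines and unrelated directives
        kind, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "rewritecond":
            pending.append((first, second))  # (TestString, CondPattern)
            continue
        # RewriteRule: the conditions collected so far apply to this rule only.
        conds, pending = pending, []
        patterns = [pat for test, pat in conds if "HTTP_REFERER" in test.upper()]
        host = urlsplit(second).hostname  # None for local targets like /index.php
        if patterns and host and host.lower() != own_host.lower():
            findings.append((line_no, second, patterns))
    return findings


if __name__ == "__main__":
    for line_no, target, pats in find_referrer_redirects(SAMPLE_HTACCESS, "www.example.com"):
        print(f"line {line_no}: off-site redirect to {target} when Referer matches {pats}")
```

Hotlink-protection rules, which also test HTTP_REFERER but use `-` or a local path as the target, are not flagged because they do not point at another host.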

That said, if you don’t fix the exploit, it will likely happen again, or you will end up with a bunch of pages for Viagra and Uggs next time it happens.  So if you use WordPress, this means updating your WordPress, all plugins, your themes, etc.  And if you have something that hasn’t been updated for a while, it is worth doing a quick search to make sure that there isn’t an issue with a theme or plugin that the author has since abandoned.

Also check with your host.  If you give them the date you see on the server that the .htaccess was last updated, they might be able to tell you the point of entry that led to the site being compromised.

Yay for No Manual Action, But Boo for Being Hacked

In the grand scheme of things, I suspect many webmasters would prefer to clean up from a hacked site than deal with recovering from a manual action!

So if you see a sudden drop in your Google referrals, yes, it could mean you were hit with a manual action…. and more often than not, it probably is just that.  But if you aren’t seeing anything manual action related in your search account, your next step should be checking to see if your site has been hit by a sneaky hacker who is taking steps to ensure their hack sticks around as long as possible.  After all, how often does a webmaster visit their site without either using a bookmark or typing it in?


Jennifer Slegg

Founder & Editor at The SEM Post
Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.