Can Hackers Drop Your Site From The Google Index?

SMS Text

Unfortunately, the answer to this question is yes. Your site can be flagged and dropped entirely from the Google search index (i.e. blacklisted). This happens when a hacker injects malicious code onto your server. Google will drop it from the index in order to protect searchers’ PC’s from being compromised.

The images below illustrate an example of a site that has been compromised. While not immediately dropping the website from the index, blacklisting will bring your SEO to standstill, resulting in a significant loss of organic traffic.

Blacklisting will still turn away most visitors, as Google SERP’s will caution them from accessing the site, as illustrated below.

Source: Google Webmaster Help for Hacked Sites

Because of the recent proliferation of such attacks, Google has launched  the ‘Webmasters Help for Hacked Sites‘ support center. It outlines in detail the steps you can take to clean up your server and prevent your site from being dropped from the Google index. In the last few years, 130,000 webmasters have taken the necessary steps to get their sites listed again.

The charts below illustrate just how much of a problem compromised sites have become. This isn’t just for large banking or corporate sites, as you may have heard of in the news. This happens to sites small and large, with little to no traffic. In most cases, the hackers use automated processes to discover and exploit vulnerabilities on servers. In many shared and even dedicated hosting environments, these vulnerabilities are not protected against.

Source: Google Safe Browsing Initiative

Why Does Google Care?

Google cares because it doesn’t like being used as a gateway to malicious websites. Google’s success relies on user-trust, which is driven by its own dedication to quality. The existence of compromised sites makes Google’s job harder. In order to provide the same high-quality results, Google has to not only deal with auto generated content, link stuffing, hidden texts, and other black hat SEO practices, but also with much more complex scenarios such as Cross Site Scripting (XSS), malicious backdoors and other security related threats.

Compared to SEO malpractices, these threats are even harder to detect and their effect on users is much more devastating.  After all, it’s one thing to provide your users with a SERP link to a duplicated content piece, but another to provide them with a gateway to a site which will steal their private data or inject their computers with malware.

This is the dilemma that Google is now facing. Security threats are too widespread to be ignored. Google lacks the means to effectively identify online threats.

Why Should You Care?

Not caring can get you blacklisted. Remember, Google can’t remove the malware from your site, so it will do the next worst thing – remove your site from Google all together.

Google blacklisting is an often overlooked collateral damage of a website hack. Even in a best-case scenario, getting back into the SERP’s will take a lot of time, resulting in a loss of traffic and revenues. In the long-term, this also means the loss of search ranking positions. There is no guarantee that you will recover your “pre-hack” rankings, even if all issues have been resolved.

The De-Blacklisting Process

Resolving the issue can be hard, costly and time consuming.  While Google’s new help center provides some directions for getting listed again, its bottom line is:

“While we attempt to outline the necessary steps in recovery, each task remains fairly difficult for site owners unless they have advanced knowledge of system administrator commands and experience with source code…”

The multi-step process Google suggest requires keen understanding of source code (PHP, JavaScript, etc.), strong familiarity with your directory structure and each piece of content, close support from your hosting provider, and so on.

Such an endeavor is out of reach for many webmasters, especially shared hosting users. When the only alternative is a total loss of Google positioning, many would be inclined to pay hundreds to thousands of dollars for scanning and removal services.

Discovering a Better Alternative

At Cover Story Media, we are always on the lookout for a better solution, for ourselves and our readers.  About a year ago, when security related concerns began to rise, we began scouting the web for reasonably priced and effective security services. After testing several products we landed on Incapsula, a CDN (Content Delivery Network) based security service, which we still use to protect our website today.

Incapsula is a reverse proxy service that positions itself between the website and its visitors to filter malicious visitors. At the same time, it will also significantly speed up your site by caching its content, optimizing resources and delivering it from a number of proxy locations across the globe.

Security wise, Incapsula will protect against SQL injection, cross site scripting, remote file inclusion, bots, DDOS, and more. Simply put, Incapsula is an extremely effective security solution, which also offers many speed related SEO benefits. Even the free version is enough to prevent blacklisting, because:

  1. Freely provided bot filtering will prevent automated attacks, the main source of grief for SMB (Small & Medium Business) sites, which are usually not specifically targeted.
  2. A recently introduced backdoor removal tool will identify and quarantine existing shells, helping you recover from hacks and making your site presentable enough for re-submission and de-blacklisting.

To give a better idea of what Incapsula can do, here is a snapshot of our dashboard. Notice the 72% daily cached volumes and the number of attacks that it blocked, just in the last three months.

For more information you can read this article on cloud-based security or this in-depth review of Incapsula.

Alex Schenker
Alex Schenker is the President of Cover Story Media, Inc., an online publishing and internet marketing company, and the resident SEO expert at, a... Read Full Bio
Alex Schenker
Alex Schenker

Latest posts by Alex Schenker (see all)

Get the latest news from Search Engine Journal!
We value your privacy! See our policy here.
  • Chris

    Yup, and false positive malware flags can do the same!

    F you very much have a nice day was the gist of the communications I received from Google.
    Look fwd to trying out the free version.

    • Alex Schenker

      Hi Chris, glad you enjoyed the article! Looking forwards to hearing how your experience with Incapsula goes.

  • Nathan

    This happened to all of my sites hosted with the same provider. The cause of this was a vulnerable server my sites were hosted on. I have many other sites with other host providers and they were not affected. I would always recommend using a trusted hosting provider and also a malware monitoring system for your website. Prevention is always the best solution.

    • Alex Schenker

      Great tip on using a trusted hosting provider Nathan! Sorry that you had to deal with a compromised server. Thanks for sharing with our readers.

  • Travis B.

    Wow! As if battling with the 9k SEO updates a day from Google is not enough of a pain, now let’s also worry about how well our hosting companies are protecting our websites.

    I would like to see a list of the hosting services with the most compromised sites or something like that, it could be interesting.

    Anyway, thanks for sharing.

  • Thomas Smith

    @Travis B,

    I can definitely see your point about the SEO updates (although I think that figure is slightly over-exaggerated?) but at least Google are making some sort of effort to combat hacked websites… even if it is only for their own personal gain (the trust factor, which was mentioned in the article).

    On another note, thanks for suggesting Incasula, I’ll be sure to give it a look. Yet another great post by someone at SEJ!

  • zubin kutar

    Always keep checking the Google Webmaster Tools for such notifications from Google…Google notifies you if your site has been hacked.

  • Travis B.

    @Thomas Smith

    Well, maybe the actual number of updates is more like 5k a day instead of 9k! All kidding aside it is good to see that as a visitor to sites I will be warned on potential threats.

  • Thomas Smith

    @Travis B,

    In all honesty you were probably closer with the original 9k… but it is nice to get a heads-up BEFORE that backdoor trojan gets on your computer, unlike AVG where they tell you afterwards. In fact, I’m going to start trusting Google a bit more as an antivirus program!

  • Chris


    Not in my case, zero notification from Google via Webmaster Tools – we (both the client & myself) actually found out because their Adwords account got suspended. Total fail on our server company’s part (as mentioned above), which then Google acted on (preemptively) with zero notification.

    Lesson learned on the hosting, but for Google to take action suspending accts & tanking rankings with zero notification (or anything more than lip service after admitting the mistake – in writing) is unacceptable…but not really, because we just have to swallow it and accept it, and move forward.

  • Ronee

    My husband’s site was hacked twice about two years ago, within a month. The web server explained that it may take someone several days to hack a site. He also explained that if he developed a habit of changing all of his passwords, to the control panel, and his WordPress dashboards, that this will cause a hacker to lose several days of work and therefore, cause him to have to start over. The end result, he will go on to some one else’s site. Is this true?

  • Thomas Smith


    It depends on the method the hackers used to get into the website. In the case you described it sounds as though the web server are saying it’s a brute force attack – an attack that targets every possible combination of letters and numbers it can, often taking hours, days and even weeks to complete – in this case changing your password on a regular basis would help, seeing as the brute force attack would have to start again to go over the passwords it has already tried.

    However, if another method was used, for this example we’ll use SQL Injection as the method (unsure if this works on WordPress sites though, this is just an example), then password changes won’t really help at all. This is because in this method your sites database(s) is/are targeted, not the physical site itself.

    As I have tried to portray (very badly), it depends on the type of attack aimed towards your site. Although, frequent password changes are always a sensible thing anyway.

  • Jason

    I never knew that this was even possible. I really like your blogs about theoretical topics. Please keep them coming. I look forward to reading more. Have a great Friday.

  • Yusri Big

    So very very dangerous when this happen.