Google Moving in The Wrong Direction When It Comes to Information Provided on Hacked Websites

We clean up a lot of hacked websites, which means we often are dealing with website that flagged as serving malware by Google. In Google’s Search Console you can get whatever details they are providing on the issue they detected and request a review to have their warning removed after the website has been cleaned up. We often find that all they provide with is sample URLs where they have found the issue, but no details of the issue due to them being unable to isolate the malicious code being served. For us that usually isn’t a problem, but for those less experienced providing more information on what they are detecting in more cases would likely to improve cleanups. But now it seems things are going further in the wrong direction, as this week we dealt with a website where Google provided no details whatsoever on Security Issues page of the Search Console:


They also left a message where they did list a URL, so it seems the various pieces of their system are not working well together:


Hopefully Google will improve this, as in this case (and probably in plenty of others), the website only got properly cleaned up after Google started flagging it, so what they are doing is important, but could be better.

Google Needs to Improve the Review Process for Websites Labeled “This site may be hacked”

Early last year Google changed some of the underlying technology used in their process of of handling websites they suspect of being hacked (which leads to a “This site may be hacked” message being added to listings for the websites on Google’s search results). More than a year later we are still finding that the review process for getting the”This site may be hacked” message removed after cleaning up such a website is in poor shape and likely lead leading to a lot of confusion for people trying to navigate it if they don’t deal with it’s problems on regular basis (like we do). While we think that what Google is doing by warning about these situations is a good thing, the current state of the review process is not acceptable.

To give you an idea of what are people are dealing with lets take a look at what we just dealt with while getting Google to clear a website we had cleaned up.

Once you have cleaned a website with the “This site may be hacked” message, you need to add the website to Google’s Search Console and then you can request a review in the Security Issues section of that. That section will also give you information on what Google detected:



In this case Google detected that spam pages were being added to the website, which they refer to as an URL injection.

Before requesting a review last Monday, we doubled checked that the spam pages no longer existed using the Fetch as Google tool in the Search Console, which allows you to see that what is served when a page is requested by Google. The URL they listed on the Security Issues page was “Not found” when we used the tool, indicating that the spam page was no longer being served to Google.

On Tuesday a message was left in Google’s Search Console for the non-www version of the website’s domain indicating that hacked content had been detected:


Considering that Google was already listing the website as having a security issue for several days you might think this was a new detection, but it wasn’t. In the security issues section it still listed the old last detected date:


Using the Fetch as Google tool in the Search Console we requested the URL again and it was still “Not found”:


Then on Wednesday the same message was left for the www version of the domain:


Again the last detected date in the Security Issues section hadn’t been changed and the using the Fetch as Google too the URL was still “Not found”:


Then on Saturday the Security Issues page indicated that URL injection had been detected as of that day:


We again used the Fetch as Google tool and it was still “Not found”:


At this point we also checked the website over to make sure the malicious code hadn’t returned and it hadn’t.

Then this morning the warning was gone from the search results and the Security Issues page was clear:


Considering that nothing changed between Saturday and today, that detection on Saturday would seem to be some kind of a mistake. Seeing at the page wasn’t even being found this doesn’t seem like an understandable false positive, but something seriously wrong with their system. If you weren’t aware of that how problematic the process is, you might have been very concerned upon seeing the new false detection.

The fact that it took them a week to finally clear the website also doesn’t seem to be an acceptable in this case.


Google’s Bad Answers

Recently we wrote a post on how Google was placing bad instruction for upgrading Zen Cart directly in the search results. We have run across another example of where Google isn’t providing a good answer. If you do a search for “Magento PHP 5.5” currently you get the following answer above the normal search results:

This link says that Magento is compatible with PHP 5.2.13 - 5.3.24, but when you run the PHP script to check server requirements, it says that is okay to run on 5.4 and even 5.5. But I've seen some issues with 5.4 over the internet.Aug 23, 2013

Unlike the Zen Cart upgrade example, the information isn’t wrong, it just out of date. If you following the link referenced in that answer you are taken to the Magento System Requirements page which now lists the latest version of Magento, 1.9.1, as being compatible PHP 5.4 and 5.5 (as we mentioned in a previous post, as of Magento 1.9.1 the bare minimum it will allow being run on is 5.3.0).

The Magento System Requirements page was the first result when we did the search:


So excluding a direct answer would have produced a better result in this case (by comparison the page Google took their answer from was ranked 7th).

Google Adds “This site may be compromised.” Warnings To Search Results

In the last several weeks Google has begun to show “This site may be compromised.” warnings, for websites they “believe may have been hacked or otherwise compromised”, in their search results. According to Google’s article about of the warning they have been added “To protect the safety of our users” and they recommend users “should be careful about providing personal information to the site” being flagged.

In the past when Google has detected websites they believe to be hacked and violate their Webmaster Guidelines, they have removed the websites from their index and placed a “Notice of Suspected Hacking” message in their Webmaster Tools to let the webmaster know. It’s unclear at this point if Google has replaced doing that with the new warning or if the warning is only for websites that have been hacked in such a way that does not warrant being removed for their search index. Unlike the malware warning (“This site may harm your computer.”) Google places in their search results, which sends users to an interstitial page when they click search result for an affected website, users are still able to directly access the website.

For websites which display the warning, after the hack has been removed reconsideration needs to be requested from Google to have the warning message removed. According to a post by Google employee John Mueller “These requests are processed fairly quickly (usually within a day, though it’s not possible to give an exact timeframe). “

Google Sites Hosts Files Used In Attempted Hackings

Since June, Google has provided hosting for files used in attempted hackings of websites through an account with their Google Sites services. A listing of all the files hosted is available at Some of those files are used in remote files inclusion (RFI) attacks which seek exploit vulnerabilities in software that allow remotely hosted files to be be executed. If the attacks are successful modifications are made to website that place spam or malware on the website, or allows the hacker remote access to the website. Attempting hackings utilizing these files have occurred at least as recently as three days ago. We have reported this to Google using the “Report Abuse” link multiple times but the files have continued to remain up.

Google Increases Search Query Data in Webmaster Tools

Google has significantly increased the amount and depth of the data they provide for in the Top Search Queries feature in their Webmaster Tools. The data was previously limited to the top 100 queries, it now displays a much larger sampling of queries.  The data previously only provided the percentage of impressions and clicks that each query had. The data now includes the number of impressions and clicks broken down by the position of the query in the search results. The data shown can now be restricted to specified periods of time instead of set intervals set by Google. Finally, they have also added a chart that displays impressions and click for the currently active data set.

Google Begins Factoring Site Speed into Rankings

Google today announced that several weeks ago they began factor the speed that a website responds to web requests into search rankings. Site speed is not currently a significant factor with “fewer than 1% of search queries are affected by the site speed signal” according to Google. Site speed is also only currently factored in searches preformed on in English. Google did not say exactly how they determine page speed, only saying that they use a “variety of sources to determine the speed of a site relative to other sites.”

Bing Gains US Market Share In February

According to Nielsen’s US search share data for February, Microsoft’s Bing search engine gained 1.6 point of search share during the month. Bing gained a point of market share in the previous and their market share reached 12.5 percent this month. Google’s share was 65.2 percent, 1.1 points of search share less than the previous month. Yahoo’s share was 14.1 percent, a decrease of .4 points from the previous month.

Google Adding Hacking Notification to Webmaster Tools

Google has announced that they will begin displaying “Notice of Suspected Hacking” messages in their Webmaster Tools when they detect that a website has potentially been hacked. The messages will provide example URLs of the hacked pages, next steps for fixing the issue, instructions on getting back into Google’s search results after the issue has been fixed. Google will also being added notifications of spammy or abused user-generated content and abused forum pages or egregious amounts of comment spam. Once you have signed up for Google’s Webmaster Tools you can instruct Google to forward these messages and other messages, including malware notifications, to an email address you select.