I picked up a new project recently and was shocked and appalled to become embroiled in an ‘SEO Sabotage’ conducted by the previous SEO service provider – clearly an organisation with no professional ethics.
The client’s site was blocked from Google and instantly plummeted out of ranking. Site Users were deleted and worse a hacked file was installed into the site. With Simon Perrin’s valuable assistance we discovered code buried in the site that enabled the SEO service provider to remotely control the site’s Google performance as they pleased.
In the beginning
It all started shortly after commencing a new SEO project when my WordPress user ID suddenly disappeared. I restored access using the client’s hosting details to access the MySQL database. Then a horror story of blatant sabotage started to unfold.
Site compromised but what did they do?
Simple History – an activity logger plugin I had fortunately installed captured a activity log reflecting a frightening story of professional deceit. Someone located in Melbourne accessed the site; deleted all other users then installed WP-FileManager then 24 minutes later deactivated it.
My concern about what happened in that 24 minutes was vindicated when I found the site spirally out of ranking.
The original robots.txt had been overwritten with one configured to ‘block all’ crawlers – ie remove the site from Google. On further investigation I found two robots noindex metatags buried in the site’s code which did the same thing. Someone was serious about killing this site!
Remote control on the Site’s SEO performance
One blocking meta tag was removed from the site’s header template but I had to resort to expert WordPress help from Simon over at Duografiks to locate the second meta tag – This was very concerning as the meta tag was controlled remotely from a non-public area in the SEO service providers website; i.e. the SEO Service Provider could turn the site’s Google performance on and off remotely as they wished – I wonder how many other client sites they remote control like this ?
I’m still trying to come to terms with the ethics of a business that would do this. A debt management strategy perhaps? My new client claims he didn’t owe money.
What should you do to avoid this ?
Nobody wants the get tangled up in these situations, but clearly they do happen so what should you do to manage risk in these situations ?
Keep up-to-date off-line backups of your website – my personal favourite is BackWpUp a free backup plugin for WordPress. It allows backups to be automatically pushed out to DropBox which will in turn copy the backups onto your local PC. Importantly BackWPUp copies Wordpress files as well as the database.
Simple History helped me identify what this person did, including time and date, activity and even IP and network details – somewhat naively the hacker used a fixed Telstra IP address in Melbourne – easily identifiable to authorities should my client decide to escalate the matter. Keeping track on what people are doing in your site is important.
Find a Reputable SEO Agency
Its abundantly clear this hack originated from the previous SEO Service Provider – there’s multiple layers of evidence including a direct tie to their website, but maybe this action was a disenchanted staff member and hopefully not company policy…
You’d hope its not a strategy they use to snare or blackmail clients – go else where and your ranking will fall – the embedded code to remote control Google ranking concerns me greatly….
Where’s the SEO Industry going?
Either way it’s a disappointing comment on my SEO industry. Client experiences reported to me suggest the SEO/SEM industry is increasingly plagued by dubious operators – local and off-shore.
Now we see evidence of blatantly unprofessional activity from an Australian multi-state SEO company. I’m very disappointed!