SEO Sabotage – Can you trust your SEO Provider ?

I picked up a new project recently and was shocked and appalled to become embroiled in an ‘SEO Sabotage’ conducted by the previous SEO service provider – clearly an organisation with no professional ethics.

The client’s site was blocked from Google and instantly plummeted out of ranking. Site Users were deleted and worse a hacked file was installed into the site. With Simon Perrin’s valuable assistance we discovered code buried in the site that enabled the SEO service provider to remotely control the site’s Google performance as they pleased.

In the beginning

It all started shortly after commencing a new SEO project when my WordPress user ID suddenly disappeared. I restored access using the client’s hosting details to access the MySQL database.  Then a horror story of blatant sabotage started to unfold.

Site compromised but what did they do?

Simple History – an activity logger plugin I had fortunately installed captured a activity log reflecting a frightening story of professional deceit. Someone located in Melbourne accessed the site; deleted all other users then installed WP-FileManager then 24 minutes later deactivated it.

My concern about what happened in that 24 minutes was vindicated when I found the site spirally out of ranking.

The original robots.txt had been overwritten with one configured to ‘block all’ crawlers – ie remove the site from Google. On further investigation I found two robots noindex metatags buried in the site’s code which did the same thing. Someone was serious about killing this site!

Remote control on the Site’s SEO performance

One blocking meta tag was removed from the site’s header template but I had to resort to expert WordPress help from Simon over at Duografiks to locate the second meta tag – This was very concerning as the meta tag was controlled remotely from a non-public area in the SEO service providers website; i.e. the SEO Service Provider could turn the site’s Google performance on and off remotely as they wished – I wonder how many other client sites they remote control like this ?

I’m still trying to come to terms with the ethics of a business that would do this. A debt management strategy perhaps? My new client claims he didn’t owe money.

What should you do to avoid this ?

Nobody wants the get tangled up in these situations, but clearly they do happen so what should you do to manage risk in these situations ?


Keep up-to-date off-line backups of your website – my personal favourite is BackWpUp a free backup plugin for WordPress. It allows backups to be automatically pushed out to DropBox which will in turn copy the backups onto your local PC. Importantly BackWPUp copies WordPress files as well as the database.

Audit Trails

Simple History helped me identify what this person did, including time and date, activity and even IP and network details – somewhat naively the hacker used a fixed Telstra IP address in Melbourne – easily identifiable to authorities should my client decide to escalate the matter. Keeping track on what people are doing in your site is important.

Find a Reputable SEO Agency

Its abundantly clear this hack originated from the previous SEO Service Provider – there’s multiple layers of evidence including a direct tie to their website, but maybe this action was a disenchanted staff member and hopefully not company policy…

You’d hope its not a strategy they use to snare or blackmail clients – go else where and your ranking will fall – the embedded code to remote control Google ranking concerns me greatly….

Where’s the SEO Industry going?

Either way it’s a disappointing comment on my SEO industry. Client experiences reported to me suggest the SEO/SEM industry is increasingly plagued by dubious operators – local and off-shore.

Now we see evidence of blatantly unprofessional activity from an Australian multi-state SEO company. I’m very disappointed!

Wordpress is a hacker target

WordPress XSS Exploit|Update or risk being hacked

Wordpress is a hacker target

WordPress is a hacker target

Another exploit revealed today, reinforces the fact that keeping your WordPress, theme and plugins updated reduces your site’s exposure to being hacked.
Securi blog sent out alerts today regarding a Cross-site Scripting (XSS) exploit which may impact a range of popular plugins including:

WordPress 4.2.1 is a ‘critical update’  in response to this exploit and you should immediately, if not sooner apply this update.


Will Google Knowledge Vault undermine or help your Online Marketing?

Google Accommodation search elementIf you are in the accommodation industry you’ll be VERY INTERESTED to see a new Google search result element for accommodation related searches.

While I haven’t stumbled over this one until now, it may have been around for a while – or not – who knows. It looks much like a reformatted Google Plus search result – however I suspect this is a Google Knowledge Vault ‘element’ – at least until someone shows me it isnt.

This follows the trend of Google’s ongoing introduction of their own search results which Im assuming is part of Google’s ‘knowledge vault project’.

Examples of these include:

movie search results showing movies ‘now showing’ – been shown for years now.

google knowledge vault movies

Spelling search results

You dont need a spell checker any more

google knowledge vault spelling

ip address search results (one for the geeks out there 😉

google direct answer ip address

How does this impact your business ?

So if your online marketing strategy – like many businesses – is to provide content that features in Google searches to attract prospective clients, how do you deal with Google suddenly bypassing your website’s search results – maybe even using data that it sourced from your site – and showing that information directly in the search results ? I have seen some of these search result elements that do attribute the data source.

If it happens in your market segment do you have any options other than using Google paid advertising ?

Interesting times indeed…

 Additional reading:

Wikipedia on Google Knowledge Vault

Google Plus commentary on Knowledge Vault:




More detail from Google on Mobile Usability Update

Google have provided some additional information on their upcoming Mobile Usability release April 21 that may take some pressure off for business owners who have websites that currently fail Google’s Mobile Usability tests.

Mobile assessment is ‘real time’

Google’s Gary Illyes confirmed that the penalty is ‘real time’. We assume this means your website’s individual pages are assessed each time Google’s crawler ‘GoogleBot’ visits them. So if you have corrected any mobile usability issues, then the next time Google’s crawler visits your site you’ll automatically recovered from the penalty. Of course this also means that if a mobile issue creeps into your site or Google changes their testing criteria, your site will promptly & silently disappear from mobile rank…

..and Page by Page

Further, Gary confirmed that the mobile usability algorithm runs on a page by page basis – the inference being that a page that fails the mobile test will be penalised, but not the entire site.  Whew!

Mobile Usability Fine Points

These items where identified in a Q&A session for mobile-friendly ranking change hangout

mobile friendly SERPETA: The Mobile Usability algorithm will start rolling out on April 21st and will take a few days to a week to completely and globally.

A little bit mobile friendly? You are either mobile-friendly or not, there are no degrees of mobile-friendliness in this algorithm.

Simple test: Check your site’s search results on a mobile device. If the Google SERP says Mobile-friendly relax – you pass the mobile usability test.
These details are a major relief for business owners scrambling to mobilise their websites before April 21. Some Google penalties take time to get removed while you continue to loose money with a site not generating sales leads/sales, so knowing there’s a prompt and automated recovery is a major relief.  Of course it will be interesting to see what happens once the rollout has settled in.

How big is Google’s Mobile Update ? BIG!

Google’s  Zineb Ait Bahajji has been quoted as saying:

 the upcoming mobile-friendly ranking algorithm that will launch on April 21st will have more of an impact on Google’s search results than the Google Panda update and the Google Penguin update did.

Use the remaining time to get your site mobile friendly.

Google is crushing Keyword Networks with Doorway Page Update

SEO Doorway is now shutJust to keep you on your toes while you are sorting out Google’s upcoming Mobile Usability update, they’ve also announced an impending update to target ‘Doorway pages‘ – Its been a busy month at Google that’s for sure!

Doorway Pages/Site is an ageing SEO strategy where your site was at the centre of a network of keyword focussed websites each feeding visitors for a particular search term into the central ‘mothership’ site.  Worked a treat in its day, but apparently not for much longer…

Read more:

Yoast exploit impacts 17 Million WordPress websites

Unfortunately an exploit has been discovered in Yoast – a WordPress SEO plugin (and my personal favourite SEO plugin!)

Update your site immediately to Yoast version 7.4 or later  – as all prior versions are vulnerable. If your WordPress site is configured to allow auto-updates then the patch may have already been applied – but check now – better to be safe than sorry! Our Website Concierge clients can be assured their sites have already been updated.

Act now to be safe.

The reason you should act promptly is that the hacker community (bless their little black hearts) now know the details of this exploit and will be feverishly setting up their hacking software to take advantage of it to vandalise at least some of the 17 Million websites that have downloaded Yoast.

Read more:

Slider Revolution exploit | Update or get hacked

Slider Revolution exploit

Back in September 2014 Slider Revolution – a slider plugin for WordPress – was found to have an exploit. Slider Revolution was widely used as it has been bundled with a number of popular WordPress themes. According to the Securi blog the slider authors issued an update, but the hack details somehow found its way into the hacker underground network, so thousands of websites were exposed to potential hacking – but only if they didn’t update the slider plugin.

Battling the Exploit

I was recently introduced first-hand to the Slider Revolution hack through an associate who noticed Google displaying ‘This site may harm your computer‘ in search results for their site. Not exactly an enticing invitation to lure prospective clients to visit your website.

SERP with hacked warning

After initially removing the obvious hacked files, the hack re-appeared – we hadn’t removed the exploit. Then coincidentally Google WebMasters helped solve the issue with an alert – it detected the exploitable version of Slider Revolution in the site and emailed an alert.

The Learnings

There’s a couple of lessons in this for all of us:

WordPress needs to be diligently updated, which includes:

  • Core software (ie WordPress code)
  • Themes
  • All plugins

This exploit was uncovered over 6 months ago, yet this site was hacked by it, and probably many more will too. If sites where updated, these online vandals would not have such a high success rate and might get discouraged and find something useful to do with their time.

Ensure there is a current backup for your site. In many situations there’s no alternative but to roll the site back to a previous update. If that’s from a year ago, then your recovered website will not feature any recent updates/posts etc.

Use Webmasters Tools
While Google Webmasters Tools (WMT) was traditionally an resource for geeks and SEO-types like myself, increasingly Google is providing timely, ‘health check’ style info, some of which is delivered in alert emails.

I recommend you connect WMT to your site and ensure someone receives the alert emails

Get it done – even if you don’t want to do it

If you don’t want to/know how to do updates, backups and WMT registration then ensure someone is doing this for you. If its not part of your web dev’s business model then consider our WebSite Concierge Services which are designed specifically to help clients improve the integrity of their websites to avoid this type of disaster.




Don’t naively fall into a Google Penalty

A Client asked: Is it a good idea to try to get links from other sites and directories to help make my site more powerful? 

This question pops up regularly from folks who want to build their website’s exposure in Google searches. Before the Penguin 5 release in October 2103 the answer was definitely YES, now the answer is it DEPENDS ON LINK QUALITY.

The whole area of backlinks i.e. links from other sites is now extremely fragile/potentially dangerous and I strongly recommend involving SEO professionals or risk destroying your website’s organic performance.

What is a Backlink ?

A Backlink a connection from another website (or web resource) back to your site.  If someone on the other site ‘clicks’ the link, they arrive at your site.

Backlinks and Google

Penguin 5 (later renamed Penguin 3.0 ) was a major turning point in Google’s critical examination of backlinks to your site. If  the Penguin software decided you were trying to scam Google with bad or ‘unnatural’ backlinks, the site was punished by reducing its ranking by 20-30 positions – across all keywords – i.e. pushing your site into obscurity.

Why Does Google punish websites with unnatural links ?

While the cynic inside me says ‘…because they can’, I have to admit it was overdue. Up to 2013 it was common knowledge in SEO circles that the more links, the better search exposure a website would get. SEO programs were essentially about getting as many backlinks as possible. An entire industry emerged that specialised in producing links for anyone who would pay. These flourished in countries where labour costs made this a viable service offering.

Then the brains trust at Google said ‘No More’ – this is scamming the system. They created a subsystem (called Penguin) to inspect back links to try to neutralise the positive influence of ‘unnaturally created’ backlinks in Google searches. Almost instantly, millions of websites were impacted. Globally, many businesses found their websites didn’t attract sales leads any longer because they disappeared from search results.

Who knows how many businesses who specialised in link building collapsed – and I imagine that 100’s of thousands of people (many in 3rd world countries) lost their employment. Let’s not get into a discussion about the ethics of Google’s decision(s) or their largely unfettered  influence on the global economy.

Notably spending on Google ads increased as business owners scrambled for online exposure, when SEO was less certain.

What is Link Quality?

The Penguin software assesses if the links to your site are principally ‘real’ or if they are ‘unnatural’ in which case applies an automatic or  ‘algorithmic penalty’ on the site. As you might expect making this judgement is a complex process, which occasionally makes mistakes so from time to time Google updates its Penguin system to presumably refine it.

Note that Google also uses human backlink assessors in some situations who can impose a manual penalty on sites. Presumably they are alerted by software (probably Penguin) if a site has a suspicious backlink profile that can’t be automatically assigned a penalty.

This FAQ on What is a Low quality Backlink documents factors Google uses to determine Link Quality

How do I know which are the good backlinks?

It’s not easy, but I find that these two toolsets provide the most reliable assessment of backlink profiles:

  • Cognitive SEO
    My favourite link profile toolset as it provides:

    • The ability to import links that are reported in Google Webmasters Tools
    • ‘Auto-Classifies’ links into Un-natural, Suspect and OK
  • AHRefs
    uick and convenient

Each of these SEO Toolsets provides some ability to provide link profile assessments without having to buy the product, so you can certainly have a bash at self-assessing your site, but if you need a detailed link profile report contact me and I’ll prepare and interpret it for you.

How many bad links can I have before a penalty?

Great question but unfortunately the answer is only speculative, and like many things Google, it’s a moving target. There are a small number of unnatural links in most site’s link profile – often these are inadvertently or innocently ‘unnatural’.
As a broad rule of thumb I suggest keep the ratio of unnatural links well under 10% of all links. NB This could change without notice!

How do I get rid of bad backlinks?

Essentially you need to get them removed, and as they exist on another website you need to get the person who controls that site to do it.  This article covers the process of removing unnatural backlinks.

Your fall-back position is to ask Google to disavow your site of these links.

I’ve removed the back backlinks. What now ?

Sit tight and wait for the next Penguin crawl. When is the next Penguin update you ask? Great question. I wish I knew the answer. You can visit resources like Algoroo that track Google updates, and wait with bated breath.

…and now the character building comment: It’s unlikely your website will bounce back to its pre-penalty ranking. Yep. That is a fact. The path to full recovery from a penalty is indeed long and tortuous

I hope I’ve persuaded you that it’s really important to not get penalised in the first place.

How exposed is your site to a Penguin penalty ?

Just this week I examined a website’s link profile to discover that some idiot has just added 300+ clearly unnatural links over the last 2 months. It’s a penalty time bomb, and the site will surely collapse into search obscurity after the next Penguin spin cycle.

I’m horrified to see an allegedly ‘professional SEO provider’ is still performing unnatural back linking. I’m also concerned for the client who has been paying good money for this naive and dangerous ‘SEO Service’. They’ve got some short-term results but at any moment their site is going to fall into a Penguin penalty.

Make no mistake. It’s still going on right now.

Take Aways:

  1. Get your website’s backlink profile checked
  2. Get bad backlinks removed
  3. Breathe
  4. Go to 1.


April 21 is Mobile D-Day

Further to our recent post about Google increasing its emphasis on ‘mobile compatible websites, they have now announced major mobile-specific changes that will have a “significant impact in search results.”

Mobile Friendliness is an even bigger rank signal

Starting April 21 Google are “…expanding our use of mobile-friendliness as a ranking signal.
The announcement goes onto say this will have a “significant impact in search results.”

Do yourself a favour

As far as I’m concerned that’s Google-speak for earth shattering so this is an excellent time to

  1. Check if your current site is ‘mobile compatible’
    This compatibility tool will help you
  2. If it isn’t do something about it ASAP
    The best approach is to contact your web developer to discuss options with them