If your website was hacked and you’ve successfully cleaned it up, it’s crucial to remove the hacked URLs from Google’s index to prevent them from appearing in search results and possibly harming your site’s reputation. Here’s a step-by-step guide to deindex old hacked URLs:
- Verify Your Site with Google Search Console (GSC):
- If you haven’t already, verify your website ownership with GSC. This provides you with access to tools and data that can help manage your site’s presence in Google Search.
- Identify Hacked URLs:
- Within GSC, check the ‘Security & Manual Actions’ section to see if there are any security issues identified. Google often detects hacked content and notifies site owners.
- Check the ‘Coverage’ report (called ‘Page indexing’ in newer versions of GSC) to spot unexpected URLs or sudden spikes in indexed pages that could be a result of the hack. You can export this report as a CSV and diff it against your sitemap, as sketched after this step.
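If that export is long, a short script can surface the suspects for you. Here’s a minimal sketch that diffs a GSC CSV export against your sitemap; the filenames (sitemap.xml, gsc_coverage_export.csv) and the “URL” column name are assumptions, so adjust them to match your actual files:

```python
import csv
import xml.etree.ElementTree as ET

# Known-good URLs come from your own sitemap.
NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
tree = ET.parse("sitemap.xml")
good_urls = {loc.text.strip() for loc in tree.findall(".//sm:loc", NS)}

# Indexed URLs come from the CSV exported out of GSC.
# The "URL" column name is an assumption -- match it to your export.
with open("gsc_coverage_export.csv", newline="") as f:
    indexed_urls = {row["URL"] for row in csv.DictReader(f)}

# Anything Google has indexed that isn't in your sitemap deserves a look.
for url in sorted(indexed_urls - good_urls):
    print(url)
```

Not every URL this flags is hacked (pagination, tag archives, and other legitimate pages often live outside the sitemap), but it narrows the haystack considerably.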
- Remove URLs Using the Removals Tool:
- In GSC, go to the ‘Removals’ section.
- Click on the ‘New Request’ button (it might be labeled as ‘Temporary Removals’).
- You’ll have a few options:
- Temporarily Remove URL: Hides the URL from Google Search results for about six months and clears the cached copy, but doesn’t remove it from the index.
- Clear Cached URL: Wipes the cached copy and the search snippet until the page is recrawled; the URL itself stays in search results.
- Outdated Content: This is for content that’s already been removed from the site but still shows in Google Search results.
- For hacked content, you’ll typically want “Temporarily Remove URL”. Remember, this tool is powerful; only remove URLs you’re sure about.
- If, for example, the hacker used a single subdomain or a common file path for all the hacked URLs, you can “nuke” that whole subdomain (hacked.yourdomain.com) or path (yourdomain.com/commonhackedpath/spam1, spam2, spam3, etc.) with one prefix-based request in the Temporary Removals tool without affecting your other URLs. If the hacker scattered the spam across a wide variety of paths, however, identifying and removing them all will simply take longer; the sketch after this list shows one way to check for a common prefix.
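Given a list of the hacked URLs (from the GSC export, your server logs, or site: searches), a quick tally of their prefixes tells you whether a single prefix request will cover most of them. A rough sketch; the example URLs are placeholders:

```python
from collections import Counter
from urllib.parse import urlparse

# Placeholder list -- feed in the hacked URLs you actually found.
hacked_urls = [
    "https://yourdomain.com/commonhackedpath/spam1",
    "https://yourdomain.com/commonhackedpath/spam2",
    "https://hacked.yourdomain.com/spam3",
]

# Tally hacked URLs per (host, first path segment) to see whether one
# subdomain or directory accounts for most of them.
prefixes = Counter()
for url in hacked_urls:
    parts = urlparse(url)
    segments = parts.path.strip("/").split("/")
    prefixes[(parts.netloc, segments[0])] += 1

for (host, segment), count in prefixes.most_common():
    print(f"{host}/{segment}/ -> {count} hacked URL(s)")
```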
- Utilize robots.txt:
- If there’s a pattern to the hacked URLs (e.g., a specific directory), you can use the robots.txt file to block search engines from accessing those URLs.
User-agent: *
Disallow: /hacked-directory/
- Note: This method prevents crawling but doesn’t remove already-indexed URLs; in fact, once a URL is blocked, Google can no longer crawl it to see that the page is gone. Treat it as a preventative measure, not a removal method. A quick way to sanity-check your rule is sketched below.
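Before deploying the rule, it’s worth confirming it blocks what you think it blocks. Python’s standard-library robots.txt parser can test it locally (the URLs below are placeholders):

```python
import urllib.robotparser

rules = """
User-agent: *
Disallow: /hacked-directory/
"""

rp = urllib.robotparser.RobotFileParser()
rp.parse(rules.splitlines())

# The hacked directory should be blocked; normal pages should not be.
print(rp.can_fetch("*", "https://yourdomain.com/hacked-directory/spam1"))  # False
print(rp.can_fetch("*", "https://yourdomain.com/legitimate-page"))         # True
```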
- Resubmit Your Sitemap:
- After cleaning your website, resubmit your sitemap in GSC. This prompts Google to recrawl your site and can help speed up the removal of hacked URLs. Make sure the sitemap contains only your legitimate URLs; a minimal way to regenerate one is sketched below.
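If your CMS doesn’t regenerate the sitemap for you, it’s straightforward to build a clean one from a list of URLs you’ve verified yourself. A minimal sketch (the URL list is a placeholder):

```python
import xml.etree.ElementTree as ET

# Only URLs you have personally verified as clean belong here.
clean_urls = [
    "https://yourdomain.com/",
    "https://yourdomain.com/about/",
    "https://yourdomain.com/contact/",
]

urlset = ET.Element("urlset", xmlns="http://www.sitemaps.org/schemas/sitemap/0.9")
for url in clean_urls:
    ET.SubElement(ET.SubElement(urlset, "url"), "loc").text = url

ET.ElementTree(urlset).write("sitemap.xml", encoding="utf-8", xml_declaration=True)
```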
- Address Manual Actions:
- If Google detected the hack and applied a manual action to your site, you’d need to address this separately. After cleaning your site, submit a reconsideration request through GSC. This informs Google that you’ve resolved the issues.
- Monitor and Repeat if Necessary:
- Regularly monitor your site’s performance and indexed pages in GSC. If hacked URLs appear again, repeat the cleanup and removal process.
- Take Preventative Measures:
- To prevent future hacks, ensure all software, plugins, and themes are updated.
- Use strong, unique passwords (one way to generate them is sketched after this list).
- Implement a security plugin or service.
- Regularly back up your website.
- Consider using a Web Application Firewall (WAF).
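For the password point above, any reputable password manager will do; if you’d rather script it, Python’s secrets module is built for exactly this kind of credential generation:

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 24) -> str:
    """Return a cryptographically random password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

print(generate_password())
```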
If those hacked URLs are still showing up after the temporary removal in Google Search Console lapses, you can file another temporary removal. As long as the hacked URLs either return a 404 (or 410) or 301 redirect to your homepage, Google will eventually drop them from the SERPs/index. That happened to me once, and it took almost two months for the URLs to finally disappear for good. The sketch below is a quick way to confirm your cleaned-up URLs are returning the right status codes.
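This sketch (placeholder URLs, and the third-party requests library) flags anything that isn’t a 404/410 or a 301 to the homepage, so you can re-run it periodically while you wait Google out:

```python
import requests

HOMEPAGE = "https://yourdomain.com/"

# Placeholder list -- substitute the hacked URLs you're tracking.
hacked_urls = [
    "https://yourdomain.com/commonhackedpath/spam1",
    "https://yourdomain.com/commonhackedpath/spam2",
]

for url in hacked_urls:
    # Don't follow redirects; we want the raw status and Location header.
    resp = requests.get(url, allow_redirects=False, timeout=10)
    if resp.status_code in (404, 410):
        verdict = "OK (gone)"
    elif resp.status_code == 301 and resp.headers.get("Location") == HOMEPAGE:
        # Note: some servers send relative Location values -- adjust as needed.
        verdict = "OK (redirects to homepage)"
    else:
        verdict = f"CHECK (status {resp.status_code})"
    print(f"{url}: {verdict}")
```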
In the aftermath of a hack, it’s essential to act promptly to remove malicious content, protect your site’s users, and preserve your reputation in search results. After addressing the immediate issues, invest in preventative measures to reduce the risk of future attacks.