New Website 301 Redirect Question

What did you do wrong on URL 2?

If it carries a penalty 301 redirecting to a new site could recover the penalty or pass it on to the new site.

This has been tested by some (me included) and they have had mixed results: I've recovered rankings this way (only tried a couple of times for unnatural links penalty, but not spammed links so not much data on it), but others have and haven't recovered, so you may or may not be risking your other URLs.

What are you trying to achieve? Recover content from URL 2 or recover backlinks?

David

Hey David,

So! My WordPress website was on page 1 since the dawn of time, had traffic coming in for years etc and I was #1 for years too. It was hacked around about 2 months ago and the homepage was replaced with a virus.

The hacker created 2 subfolders on my hosting: 'Creams' and 'Stretch'.

These pages were removed and the hack was fixed within 4 days, during these 4 days, my website was blacklisted by all major anti-virus companies and by Google. I eventually managed to remove this listing, but at a heavy cost, I was on Page 2 since then.

A week passed and I noticed that 3,000 backlinks (450 domains) were pointing to the folders the hacker created. I have had 3,000 links (approx 300. domains) built to these pages per day for the past 2 months. So totaling around 180k links.

I have disavowed every new domain pointing to those pages on my website since this day but my ranking have been falling and falling. I'm on Page 1 for a few terms, but around the bottom somewhere. This website has not been penalized however.

I was going to make a new website, 301 redirect this spammed site (with power) to my old website and 301 redirect my old site to the new one. Hopefully, pulling across the power but also buffering it. Make sense?

Hello Dave,

Thanks for the advice, brilliant really! But I do have a concern, I usually don't have a problem with waiting for recovery. But these links are not slowing up, 7k per day without fail and they have been coming in for two months now. My ahrefs is now flooded with anchors on Eye cream, trust/ citation flow is destroyed and so is my WMT relevance. I'm even starting to rank for some eye make up creams.

I don't see this working in the long run, do you still stand by your statement?

Actually, would a re-direct to a web 2.0 help? The PA of my site and the DA of the web 2.0 should work quite nicely together. Apologies if I seem to be going a bit grey/ black hat, but i've lost all my business and I don't see Google jumping in to help me

You also need to be 100% sure you have removed the hack and vulnerability to your site. These kind of hacks can be nasty and will often return. I had a client with a similar issue. Lawyer that got injected with about 400 Payday loan pages on their site. Tons of links started popping up. If you do not completely remove the offending code, the pages will keep being generated.

A friend traced the code back to some nasty Romanian group that was known to do this to a lot of sites.

Odds are it's a base64 hack on a Wordpress theme or plugin.

Even If you've found hacker built sub-folders it's a WP site, a webmaster installed hack (theme/plugin) is easy from a hacker POV. Cracking host passwords is usually time consuming unless you have weak/default passwords.

• How to check your site for base64 links

Agreed, first remove the hack vulnerability.

IME best solution for a hacked WordPress site is use a clean backup, it is hard to fully clean a hacked site.

I make weekly backups so as soon as I find a problem (it happens to all of us eventually if you own a lot of sites) find the last clean backup and restore.

This removes anything that was changed by the hacker, but the site will be vulnerable to the same attack as before.

Change all password, and I do mean all, FTP, MySQL, WordPress login... Make sure all themes and plugins are up to date, make sure the server is up to date. Delete all plugins and themes you aren't using, an inactive theme with a vulnerability is an entry point. Only keep active plugins, active theme and the default WordPress theme (currently TwentyFourteen). Everybody should go do this now, don't have plugins and themes on your site that you aren't using, why take the risk they have vulnerable code.

Take into account even themes/plugins in the WP repository aren't checked for vulnerable code when they are updated, the repository has themes/plugins with vulnerable code right now.

Recover content that wasn't in the backup: keep an offline copy of all content. In WordPress the only thing I'd loose is comments and even then I can recover them.

I had half a servers sites hacked, couldn't find an entry point via the server, think (not 100% sure) it was a combination of an out of date Internet Explorer Adobe plugin and the way Filezilla stores FTP passwords.

Filezilla has an option to save your passwords and the list is unencrypted, if someone can get hold of the Filezilla XML file they have all your login details!!!

I don't use Internent Explorer very often, just for testing and hadn't updated the Adobe plugin which had a vulnerability.

I think someone used the Adobe vulnerability to access my PC, download my Filezilla XML file which gave them all my FTP login details. They hacked all the domains that had a home page PR4+, at the time half the domains on the server was hacked!!! At the time my PC had antivirus software and malware protection and I know how to be careful when installing new programs etc...

I no longer let Filezilla save passwords and when downloading server backups also update all my work PCs software.

You have to be vigilant with everything connected to the Internet.

David

The best advice I cam give you is to start with a clean slate. Don't redirect those automated spam links to your site. A redirect will redirect every single thing including penalties and issues.

It's better don't implement redirection and start with a fresh. Try not to do the mistakes you have done before and don't leave a single loop hole by which you can get hacking attack again. Also, upload a robots.txt file into your sites root directory.

My passwords were very secure and this must have been a targeted attack given the pure amount of spam. I'm no newbie to internet security, if a hacker wants to get into a website, he will, eventually.

301'ng spammed domains will only pass along the problem. Remove the links or ditch the domains completely. Disavowing is a waste of your time and will not work.

You really don't have many options at this point, either build out a new domain entirely and keep the others around in the event they aren't penalized or proactively work on getting the spam removed.