A client had a random, forgotten-about WordPress install get hacked this past week. I have personally worked with hacked sites 10 times so far this year. The hacks come from weak passwords or, more often, outdated WordPress installs or vulnerable plugins. WordPress is kind of like Windows. It works great, but you have to update it and keep it secure.
Anyway, if you receive a message from Google that says “Hacked Content Detected”, you need to clean it up as quickly as possible. The message Google sends out looks like this:
Hacked Content detected on http://**********.com
To: Webmaster of http://***********.com/,
Google has detected that your site has been hacked by a third party who created malicious content on some of your pages. This critical issue utilizes your site’s reputation to show potential visitors unexpected or harmful content on your site or in search results. It also lowers the quality of results for Google Search users. Therefore, we have applied a manual action to your site that will warn users of hacked content when your site appears in search results. To remove this warning, clean up the hacked content, and file a reconsideration request. After we determine that your site no longer has hacked content, we will remove this manual action.
Following are one or more example URLs where we found pages that have been compromised. Review them to gain a better sense of where this hacked content appears. The list is not exhaustive.
Removing hacked content
To get WordPress fixed, it is easiest to hire a pro. I’ve done this a few times, but these days I just reach out to someone who does it all day long. If you need a reference, email me and I’ll connect you with someone who can fix up your site for around $300.
Will this hurt SEO?
Google and even Bing and the others understand that you’re the victim here. If you quickly get the site repaired, you can easily tell the search engines that it is fixed. In every instance I’ve seen, rankings returned to where they were previously.