Hackers don't announce their presence. You may not know they have invaded your site until it's infested with spammy links. Guess what Google does when they see that? Penalty. That's what happened to this university.
Ignorance is no excuse. Though this educational site was oblivious to the hackers, Google penalized them anyway. It could have been avoided with regular link risk management, especially using link alerts.
But happy endings do exist, even post Penguin. After just one reconsideration request, Google removed the manual penalty, and this website has begun crawling back up in SERPs.
You can do it, too! Follow the advice in this case study, copy their link removal outreach email and reconsideration request, and download their blacklist. It will save you a lot of time and headaches.
Enjoy & Learn
Christoph C. Cemper
Table of contents
- 1.0 Introduction
- 2.0 Background
- 2.1 Impact of Partial Action on Organic Search Visibility
- 3.0 Manual Action Removal Process
- 3.1 Step 1 – Link Audit
- 3.1.1 Anchor Text
- 3.1.2 Links Built by Hackers
- 3.1.3 Fake Profile Links
- 3.1.4 Blog Comment Spam
- 3.1.5 Article Directories
- 3.2 Step 2 – Link Removal Outreach
- 3.3 Step 3 – Disavow File and Reconsideration
- 4.0 Success – Penalty Revoked First Time!
You may still see CEMPER Power*Trust™, CEMPER Power™ and CEMPER Trust™ on some screenshots in this case study.
In 2015, we renamed these metrics to LRT Power*Trust, LRT Power and LRT Trust to reflect the shortname of LinkResearchTools - which is LRT.
CLU approached our team at Backlink Surgeon at the start of April to take advantage of our manual action removal service.
VP of Marketing, Josh Virkler informed us that he had only undertaken limited link building and that the site had been hacked over the previous year to which they credited CLUonline receiving a penalty and causing a decline in SEO search visibility.
Checking Google Webmaster Tools confirmed that the site was subject to a “partial” manual action:
2.1 Impact of Partial Action on Organic Search Visibility
Using Searchmetrics’ visibility index, we can gauge the impact of the partial action on CLUonline:
You can see that the visibility of the site had been declining for some time with consecutive Penguin updates hitting the site until, finally, Penguin 2.1 finished off the site by flat-lining rankings. The partial action played a part in the site’s demise, but it appears the damage was already done way before the action hit with the site dropping from as early as 2012.
Unfortunately, CLUonline did not have Google Analytics installed and configured prior to the audit being conducted but we can still get an idea of how traffic to the site changed over time by looking at third party traffic data provided by SEMRush.
The traffic trend mirrors CLU’s search visibility graph with the site has experienced a gradual decline since late 2012, way before the partial action.
Now, here’s where it starts to get interesting… CLUonline was hacked in March 2013.
You can see from the traffic trend chart that there was a brief spike in April 2013, which we now believe to be the result of an initial boost received from an increased volume of incoming links being built by the hackers. Penguin 2.0 then slapped the site.
Our link audit has since confirmed that the hackers had not only broken into the site and created bogus pages that they used to promote counterfeit goods but they had also been very proactive in building spam links to these new pages in order to rank the pages for keywords related to their target products. These spam links are sure to have been a contributing factor to the drop in visibility in the SERPS at Penguin 2.0. However, the site started to drop at Penguin 1.2, so clearly there were already problems with the link graph before the hack took place.
Given that traffic has pretty much flat-lined, it was imperative for us to get to grips with the link profile. We also had to understand what links the hackers built and get the partial action revoked by cleaning up and disavowing all spam links.
3.0 Manual Action Removal Process
We perform a three stage cyclical process for removing manual actions for clients. This process has ensured that we have a 100% success rate.
Stage 1: We conduct a deep-dive manual review of every single link using a mixture of Link Detox in combination with our own in-house tools. The objective is to identify all link schemes and decide on a course of action to fix them.
Stage 2: We perform link outreach for all links that are in violation of Google’s Webmaster guidelines to request changes or removal. Each Webmaster is contacted three times and all outreach is tracked for evidence in a Google Doc.
Stage 3: Disavow all links that are unnatural and in violation of the Google Webmaster guidelines and submit a reconsideration request supported by our link outreach documentation.
For a more detailed account of how we recovered a US telecoms site from a double manual action penalty, be sure to check out Derek’s last case study if you missed it!
Using Link Detox, we were able to get a snapshot of the toxicity of CLUonline’s backlink profile.
I imported all of CLUonline’s links from Google Webmaster Tools, Moz, Majestic, Sistrix Links, Searchmetrics and SEM Rush to give the most accurate representation of their backlink profile as possible.
In total, 240,265 links were found pointing to CLUonline.com, although this number was reduced to 5,054 when we restricted site wide links to 5 per site.
A crude way to assess CLUonline.com’s link profile as a whole is first to look at the new “Domain detox risk.” This provides one definitive metric within which to judge the toxicity of the site’s whole link profile.
Unsurprisingly, the “Domain wide Link Detox Risk” for CLUonline was calculated at 2154:
In our experience, a DTOXRISK score over 2000 is extremely likely to be penalized by Google.
With a score of 2154, it was clear that CLUonline’s backlink profile contained a lot of spam links that required a manual review.
3.1.1 Anchor Text
One of the best places to start any link review is to look at the anchor text of incoming links. Having seen sites that have been hacked in the past, there are usually many clues that would indicate some unnatural linking activity.
Using DTOX, we were able to see an overview of the site’s anchor text:
Straight away we have our first clue that something highly suspicious is going on with incoming links.
Two of the most visible anchor texts are “Louis Vuitton Outlet” and “Coach Outlet Online.” Clearly, for a site offering Christian courses this anchor text is very suspect and totally off-topic.
Let’s look at the breakdown to see if there are any other anomalies that can be identified:
The breakdown of CLUonline’s anchor text clearly highlights that the site has been the victim of a hack.
This is a common problem that we are seeing a lot in sites that we audit, especially if they have historically had weak security protocols.
Here’s how it works…
The hackers break into the target site. They create many deep nested pages promoting their own products, usually counterfeit products from well-known fashion brands or some type of pharmaceutical product.
The hackers are able to hijack and take advantage of the PageRank of the site to rank the new sales pages on the hacked site. Alternatively, they embed links on the hacked site that then use to power other sites in their network of hacked sites, creating a vast spider-web of cross-linked sites all boosting each other.
The end game is to get visitors to find their sales pages and to click through to their own ecommerce sites where they can sell dodgy merchandise. It’s all very illegal but highly sophisticated and very effective. Often site owners don’t even realize they have been hacked because the new pages are not linked to from obvious locations.
The high concentration of unrelated, highly commercial anchor texts such as “coach outlet online,” “Louis Vuitton outlet” and “coach outlet online” is a dead giveaway - these are terms totally unrelated to CLUonline.
The second suspicious anchor text jumping out to us was the high concentration of anchors that appear to be a person’s name, such as “Ellen Burkowitz,” “Alfred Morris,” and “Charles Thompson.” Perhaps these were people associated with CLUonline, or this could also have been an indication of blog comment and form profile spam, which usually uses people’s names as the anchor text.
3.1.2 Links Built by Hackers
A high portion of text links had been built to pages on CLU that clearly promoted the sale of counterfeit goods and designer accessories. These pages were created by the hackers after they successfully breached the security of CLUonline’s CMS.
The counterfeit pages for this hack targeted well-known brands, such as:
The hackers had also cross linked existing internal pages within CLU back to the hacked pages, as well as building links from sites with a poor LRT Power*Trust back to the target pages.
This hack exploited CLUonline’s authority and passed sufficient link juice through the use of highly competitive Money keywords that would give the counterfeit site perceived legitimacy to consumers and help the site rank on Google.
The footprints for the hacked network were easy to find and included:
- Oakley Sunglasses
- Louis Vuitton
- Mulberry Bags
- Jeremy Scott
The team at CLUonline were quick to delete any pages created by the hackers, one example that no longer exists is: www.CLUonline.com/louis-vuitton/
Links were also created to legitimate CLUonline pages, presumably to boost the overall PageRank of the site. Unfortunately, this compromised the whole site.
A manual review of CLUonline’s 5,054 links revealed that there were just over 600 links from hacked sources making up 12% of CLUonline’s total backlink profile.
I believe these links were one of the reasons that CLUonline received a partial manual action from Google. This case shows that negative SEO is possible.
Though it has to be said that the hacked links were not the only bad links pointing at the site, they did exacerbate the issues that already existed.
Let’s now look at some examples of links that the hackers built to pages on CLUonline – you can see the pages all contain spun text content, highly targeted Money keywords from Comments, Forums and Web 2.0 articles / blogs:
CLUonline was hacked around March 2013 and actions were taken in May to start deleting. This lines up perfectly with the link velocity chart:
The Competitive Link Velocity shows the spike in internal links coming into the site, illustrated by the darker colored boxes.
It also shows that the number of links being created decreased quickly after the team took action on the hacked pages.
3.1.3 Fake Profile Links
A recurring footprint we uncovered while reviewing the hacked links to CLUonline were forum profiles with the name “tnairpress.”
These forum profiles were usually incomplete with very little content, except for a single link back to CLUonline. Another approach was to create a single post on the forum with commercial anchor text.
Forum profile links with no content on them (apart from a homepage link) are usually associated with auto-posting software like Xrumer, which was most likely used to help create links back to hacked pages.
A quick Google search for “tnairpress” in inverted commas reveals 8,050 forum profile pages created with the profile name of “tnairpress”:
Examples of Tnairpress forum profile links promoting a highly suspicious “brochure page” on CLUonline include:
Now follows examples of the types of forum posts from Tnairpress obviously utilizing an automatic forum creation and posting tool such as Xrummer.
(Notice that these links were still being made to legitimate CLUonline pages in June, even after the CLU team took action on the pages created by the hackers.)
3.1.4 Blog Comment Spam
There was a high concentration of anchor texts using random names.
We initially suspected this was blog comment spam built by the hackers, but with further investigation we discovered these links had been built by an SEO company hired by CLUonline themselves….D’oh!
CLUonline outsourced their link building from January to March 2013 to a less than reputable SEO company, which resulted in a large number of random DoFollow comments being left on blogs loosely related to Christianity.
These random posts were often on sites that also featured other random topics such as “solar panels” or “pay day loans,” creating an obviously spammy footprint.
Our manual review found random posts by many fabricated authors:
- Daniel Webster
- Charles Thompson
- Alfred Morris
- Felicity Zimmerman
Blog spam is an obvious footprint that can be detected by search engines; it should be avoided.
Matt Cutts commented on the subject:
“If your primary link building strategy is to leave comments all over the web, to the degree that you have a huge fraction of your link portfolio comments, and no real people linking to you, then at some point that can be considered a link scheme. At a very high level we reserve the right to take action on any sort of deceptive or manipulative link schemes that we consider to be distorting or rankings.”
Examples of some blog comment spam, which were pointing at CLUonline’s homepage, include:
What is notable about these comments is that they are obviously half-hearted but there’s some attempt to make them look natural.
A recurring theme with these posts was the author was often called Backlink04 and the title was usually the same. It’s obvious these blog comment posts are spam and part of a link scheme designed to pass PageRank.
3.1.5 Article Directories
We manually checked each link of CLUonline’s backlink profile.
In addition to the hacked links and the blog comment spam, we uncovered a number of other tactics that were in violation of the Google’s Webmaster Guidelines on Link Schemes.
A tactic adopted by the CLUonline team was submitting articles to article directories. These articles were then syndicated to other sites with poor LRT Power*Trust.
All of the articles identified follow a similar footprint:
- Contains a bio author link stating it was written by Mark Virkler or Joshua Virkler.
- Contains a number of highly commercial DoFollow footer links.
We traced some articles back to 2011 when this approach was commonplace so it would not be fair to point the finger at the guys from CLU. In 2011, this tactic worked! These days, though, these types of links need to be disavowed.
Matt Cutts advised not to use article directories as a SEO tactic in this video. He states that Google is filtering and even penalizing articles following the footprint identified above and distributed en masse to article directories:
“We certainly have some algorithmic things that would mean it is probably a little less likely to be successful now compared to a few years ago, for example. So my personal recommendation would be probably to not upload an article like that.”
Examples of articles submitted by CLUonline to article directories include:
Examples of articles that were originally submitted to article directories, which were then syndicated to weak, low LRT Power*Trust sites include:
Once we completed my deep-dive audit of CLUonline’s backlinks and identified all links that violated the Google Webmaster Guidelines, we undertook a link removal campaign.
At this point we were using Rmoov for link removal outreach. However, we are now using Pitchbox for all link removal, since it is more tightly integrated with DTOX.
Here’s the email we used for CLUonline link removal outreach:
We contacted each Webmaster three times with each email documented in a separate Google Doc.
If we fail to hear back from the webmasters after the third attempt, or they demand a fee for removal, then we just disavow at domain or URL level depending on the overall trust of the site linking.
50% of the links were successfully cleaned up:
3.3 Step 3 – Disavow File and Reconsideration
Having identified all of the bad links, the final step to revoking CLUonline’s penalty was to submit the disavow file and reconsideration request to Google.
We have successfully removed penalties since the first unnatural link warnings were sent out. Since then, we have created a blacklist of spam domains and URLs that we add to the site’s disavow file. These are sites we have checked by hand and know to be complete spam.
Here’s a snapshot of our blacklist:
Want a copy of our blacklist?
Please feel free to link to this case study from your blog/website – anyone who does so can contact us for a copy of our blacklist built up over the last two years. ☺
After uploading the disavow file to Google Webmaster Tools, we use DTOX Boost to get all the disavowed domains re-crawled and to ensure Google knows we have taken action on the unnatural links pointing at the site.
When it comes to the reconsideration request, we have found the best way to have a penalty revoked is to explain:
- That you understand why you have received the penalty and accept the decision;
- Why you received the penalty (highlight that it was external SEO companies that you used, and you were ignorant to their exact tactics of link building and the rules in place, or that it was your own ignorance when link building);
- Document any violations you have found (Google Document 1);
- Document steps you have taken to rectify the situation with link outreach (Google Document 2) and disavowing domains;
- Clearly state the steps you have taken to make sure this never happens again.
Here is the reconsideration request we used for CLUonline:
4.0 Success – Penalty Revoked First Time!
After we submitted the reconsideration request at the end of June 2014, we heard back from the Google Webmaster team on the 8th of July informing us that the reconsideration request was successful:
When originally commissioned to conduct a penalty removal for CLUonline, we were working under the premise that the partial action had been caused by hackers building a significant volume of dubious Money anchor text links. However, it appears it was the accumulation of legacy link building techniques combined with the hackers’ links that tipped the site over the edge. Rankings and SERP visibility started to drop well before the hacking occurred.
The links built by hackers undoubtedly contributed to CLU’s partial action, but it’s unlikely they were solely to blame. The link profile revealed many common old school link building tactics that in 2014 are clearly against the Google Webmaster guidelines.
Blog comment spam and article directories made up a vast proportion of CLUonline’s backlink profile, and although CLUonline ceased these tactics some time ago, they did not take appropriate action to manage the risk of their link profile over time.
It now makes perfect sense to be proactive in your link auditing and carry out regular link risk management in order to monitor your link graph and pre-emptively disavow any unnatural links before they impact the integrity of your site.
Our advice to all webmasters is to implement Link Alerts on your site. This simple measure will serve as a watchdog keeping guard over your site. You are able to review new links that LRT finds weekly, which makes spotting new suspicious incoming links very easy. We suggest building this into your weekly routine and looking out for anchor texts that you don’t recognize; you might just have been hacked and not even realize it!
We are pleased to report that lifting the partial action has seen a positive increase in the site’s impressions:
Keyword rankings are also up:
Some keywords that CLUonline previously had ranked for - but had dropped - also returned to the SERPS:
These results are all encouraging. However, there is still a lot of work to be done. The site is undoubtedly still being algorithmically suppressed by Penguin, which means we need another Penguin update in order to get out of full suppression. It’s clear to us there are also some issues onsite that need to be fixed.
We are sure the CLU team will keep this momentum going. Their focus is now to try and leverage their loyal fan base to earn new high Power*Trust natural links to replace the poor quality links that were removed and disavowed.
All in all, this case study highlights the importance of carrying out regular link risk management in order to keep a close eye on what is happening with your link profile. The hackers here showed no mercy and were able to compromise the integrity of the site, resulting in a manual action from Google unbeknownst to the site owners.
Weekly monitoring of your link profile is a great way of ensuring that any suspicious linking activity and hacking is identified and can be dealt with quickly. So, if you haven’t already, go and set up link alerts now.
We hope you have found this case study insightful and look forward to any comments from the community.