
Google Recovery after Hacked Link Negative SEO Attack.

Happy endings exist. Though this university site was manually penalized because of hacking, Google removed it after one reconsideration request. See how they did it, and use their excellent link removal outreach email, reconsideration request, and blacklist of bad domains and URLs for your recovery.


Hacking Causes Manual Penalty – Link Detox and Just one reconsideration request fixed it.


Hackers don't announce their presence. You may not know they have invaded your site until it's infested with spammy links. Guess what Google does when they see that? Penalty. That's what happened to this university.

Ignorance is no excuse. Though this educational site was oblivious to the hackers, Google penalized them anyway. It could have been avoided with regular link risk management, especially using link alerts.

But happy endings do exist, even post Penguin. After just one reconsideration request, Google removed the manual penalty, and this website has begun crawling back up in SERPs.

You can do it, too! Follow the advice in this case study, copy their link removal outreach email and reconsideration request, and download their blacklist. It will save you a lot of time and headaches.

Enjoy & Learn
Christoph C. Cemper


CEMPER Power*Trust is now LRT Power*Trust

You may still see CEMPER Power*Trust™, CEMPER Power™ and CEMPER Trust™ on some screenshots in this case study.

In 2015, we renamed these metrics to LRT Power*Trust, LRT Power and LRT Trust to reflect the shortname of LinkResearchTools - which is LRT.


1.0 Introduction

Christian Leadership University Online is the number one ‘Lamad’ Christian Education site among Christian colleges and theological seminaries. Offering a wide syllabus of Christian classes to college age students and adults, CLUonline aims to instil the teachings of the Bible to help its students to clearly and consistently hear the voice of God.

This case study tells the story of how the site was hacked in order to promote counterfeit products. Hackers built thousands of spam backlinks, which resulted in the site being penalized by Google.

CLUOnline Homepage

2.0 Background

CLU approached our team at Backlink Surgeon at the start of April to take advantage of our manual action removal service.

VP of Marketing Josh Virkler informed us that he had undertaken only limited link building and that the site had been hacked over the previous year, to which they attributed CLUonline's penalty and the decline in SEO search visibility.

Checking Google Webmaster Tools confirmed that the site was subject to a “partial” manual action:

Webmaster Tools

2.1 Impact of Partial Action on Organic Search Visibility

Using Searchmetrics’ visibility index, we can gauge the impact of the partial action on CLUonline:

Search Visibility

You can see that the visibility of the site had been declining for some time with consecutive Penguin updates hitting the site until, finally, Penguin 2.1 finished off the site by flat-lining rankings. The partial action played a part in the site’s demise, but it appears the damage was already done way before the action hit with the site dropping from as early as 2012.

Unfortunately, CLUonline did not have Google Analytics installed and configured prior to the audit being conducted but we can still get an idea of how traffic to the site changed over time by looking at third party traffic data provided by SEMRush.

SEMRush Traffic

The traffic trend mirrors CLU’s search visibility graph: the site has experienced a gradual decline since late 2012, way before the partial action.

Now, here’s where it starts to get interesting… CLUonline was hacked in March 2013.

You can see from the traffic trend chart that there was a brief spike in April 2013, which we now believe to be the result of an initial boost received from an increased volume of incoming links being built by the hackers. Penguin 2.0 then slapped the site.

Our link audit has since confirmed that the hackers had not only broken into the site and created bogus pages that they used to promote counterfeit goods but they had also been very proactive in building spam links to these new pages in order to rank the pages for keywords related to their target products. These spam links are sure to have been a contributing factor to the drop in visibility in the SERPS at Penguin 2.0. However, the site started to drop at Penguin 1.2, so clearly there were already problems with the link graph before the hack took place.

Given that traffic has pretty much flat-lined, it was imperative for us to get to grips with the link profile. We also had to understand what links the hackers built and get the partial action revoked by cleaning up and disavowing all spam links.

3.0 Manual Action Removal Process

We perform a three stage cyclical process for removing manual actions for clients. This process has ensured that we have a 100% success rate.

Stage 1: We conduct a deep-dive manual review of every single link using a mixture of Link Detox in combination with our own in-house tools. The objective is to identify all link schemes and decide on a course of action to fix them.

Stage 2: We perform link outreach for all links that are in violation of Google’s Webmaster guidelines to request changes or removal. Each Webmaster is contacted three times and all outreach is tracked for evidence in a Google Doc.

Stage 3: Disavow all links that are unnatural and in violation of the Google Webmaster guidelines and submit a reconsideration request supported by our link outreach documentation.

For a more detailed account of how we recovered a US telecoms site from a double manual action penalty, be sure to check out Derek’s last case study if you missed it!

3.1 Step 1 – Link Audit

Using Link Detox, we were able to get a snapshot of the toxicity of CLUonline’s backlink profile.

I imported all of CLUonline’s links from Google Webmaster Tools, Moz, Majestic, Sistrix Links, Searchmetrics and SEM Rush to give the most accurate representation of their backlink profile as possible.

In total, 240,265 links were found pointing to CLUonline, although this number was reduced to 5,054 when we restricted site wide links to 5 per site.

A crude way to assess CLUonline’s link profile as a whole is first to look at the new “Domain detox risk.” This provides one definitive metric by which to judge the toxicity of the site’s whole link profile.

Unsurprisingly, the “Domain wide Link Detox Risk” for CLUonline was calculated at 2154:

Average DTOX Risk

In our experience, a site with a DTOXRISK score over 2000 is extremely likely to be penalized by Google.

With a score of 2154, it was clear that CLUonline’s backlink profile contained a lot of spam links that required a manual review.

3.1.1 Anchor Text

One of the best places to start any link review is to look at the anchor text of incoming links. Having seen sites that have been hacked in the past, there are usually many clues that would indicate some unnatural linking activity.

Using DTOX, we were able to see an overview of the site’s anchor text:

Anchor Text Cloud

Straight away we have our first clue that something highly suspicious is going on with incoming links.

Two of the most visible anchor texts are “Louis Vuitton Outlet” and “Coach Outlet Online.” Clearly, for a site offering Christian courses this anchor text is very suspect and totally off-topic.

Let’s look at the breakdown to see if there are any other anomalies that can be identified:

Anchor Text Breakdown

The breakdown of CLUonline’s anchor text clearly highlights that the site has been the victim of a hack.

This is a common problem that we are seeing a lot in sites that we audit, especially if they have historically had weak security protocols.

Here’s how it works…

The hackers break into the target site. They create many deep nested pages promoting their own products, usually counterfeit products from well-known fashion brands or some type of pharmaceutical product.

The hackers are able to hijack and take advantage of the PageRank of the site to rank the new sales pages on the hacked site. Alternatively, they embed links on the hacked site that they then use to power other sites in their network of hacked sites, creating a vast spider-web of cross-linked sites all boosting each other.

The end game is to get visitors to find their sales pages and to click through to their own ecommerce sites where they can sell dodgy merchandise. It’s all very illegal but highly sophisticated and very effective. Often site owners don’t even realize they have been hacked because the new pages are not linked to from obvious locations.

The high concentration of unrelated, highly commercial anchor texts such as “coach outlet online” and “Louis Vuitton outlet” is a dead giveaway - these are terms totally unrelated to CLUonline.

The second suspicious anchor text jumping out to us was the high concentration of anchors that appear to be a person’s name, such as “Ellen Burkowitz,” “Alfred Morris,” and “Charles Thompson.” Perhaps these were people associated with CLUonline, or this could also have been an indication of blog comment and forum profile spam, which usually uses people’s names as the anchor text.
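The anchor-text review described above can be automated as a first-pass triage of a backlink export. The following is an added example, not code from the case study or from Link Detox; the hosts, the `SITE_TOPICS`, `SPAM_TERMS` and `KNOWN_PATHS` sets and the 10% alert threshold are assumptions, and only the anchor phrases are taken from the text.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of a backlink export: (linking page, anchor text, target URL).
# All hosts and paths are placeholders; only the anchor phrases come from the case study.
BACKLINKS = [
    ("http://forum1.example/profile/9", "Louis Vuitton Outlet", "http://university.example/media/lv-outlet.html"),
    ("http://forum2.example/profile/3", "Coach Outlet Online", "http://university.example/media/coach.html"),
    ("http://forum3.example/thread/77", "coach outlet online", "http://university.example/media/coach.html"),
    ("http://blog1.example/post-12", "Ellen Burkowitz", "http://university.example/"),
    ("http://blog2.example/post-40", "Alfred Morris", "http://university.example/"),
    ("http://church.example/resources", "Christian Leadership University", "http://university.example/"),
    ("http://ministry.example/links", "online bible courses", "http://university.example/courses/"),
    ("http://forum4.example/thread/2", "Louis Vuitton outlet", "http://university.example/courses/"),
]

# Assumptions: the site's own vocabulary, terms typical of counterfeit-goods
# spam, and the page inventory exported from the CMS or sitemap.
SITE_TOPICS = {"christian", "bible", "university", "leadership", "courses", "seminary"}
SPAM_TERMS = {"outlet", "cheap", "discount", "bags", "sunglasses", "replica"}
KNOWN_PATHS = {"/", "/courses/", "/about/"}

# Two or three capitalised words: the "person's name" anchors typical of
# comment and forum-profile spam.
NAME_RE = re.compile(r"^[A-Z][a-z]+(?: [A-Z][a-z]+){1,2}$")


def classify_anchor(anchor):
    """Label one anchor text; on-topic wins, then spam terms, then names."""
    words = set(re.findall(r"[a-z]+", anchor.lower()))
    if words & SITE_TOPICS:
        return "on_topic"
    if words & SPAM_TERMS:
        return "off_topic_commercial"
    if NAME_RE.match(anchor.strip()):
        return "person_name"
    return "other"


def audit(backlinks, alert_share=0.10):
    """Summarise anchor classes and find link targets the site never published."""
    classes = Counter()
    unknown_targets = Counter()
    review = []
    for source, anchor, target in backlinks:
        label = classify_anchor(anchor)
        classes[label] += 1
        path = urlparse(target).path or "/"
        known = path in KNOWN_PATHS
        if not known:
            # A linked page that is not in the inventory may have been planted.
            unknown_targets[path] += 1
        if label != "on_topic" or not known:
            review.append((source, label, path))
    total = len(backlinks)
    shares = {label: count / total for label, count in classes.items()}
    return {
        "shares": shares,
        "unknown_targets": dict(unknown_targets),
        "review": review,
        # Off-topic commercial anchors plus unknown pages: check the CMS.
        "possible_compromise": bool(unknown_targets)
        and shares.get("off_topic_commercial", 0) >= alert_share,
    }


if __name__ == "__main__":
    report = audit(BACKLINKS)
    for key, value in report.items():
        print(key, value)
```

Unknown target paths are the stronger signal of the two: off-topic anchors alone can come from outside spam, while inbound links to pages the site never published point at content planted on the server.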

3.1.2 Links Built by Hackers

A high portion of text links had been built to pages on CLU that clearly promoted the sale of counterfeit goods and designer accessories. These pages were created by the hackers after they successfully breached the security of CLUonline’s CMS.

The counterfeit pages for this hack targeted well-known brands, such as:

  • Coach
  • Celine
  • Fitflop

The hackers had also cross linked existing internal pages within CLU back to the hacked pages, as well as building links from sites with a poor LRT Power*Trust back to the target pages.

This hack exploited CLUonline’s authority and passed sufficient link juice through the use of highly competitive Money keywords that would give the counterfeit site perceived legitimacy to consumers and help the site rank on Google.

The footprints for the hacked network were easy to find and included:

  • Oakley Sunglasses
  • Louis Vuitton
  • Mulberry Bags
  • Jeremy Scott

The team at CLUonline were quick to delete any pages created by the hackers, one example that no longer exists is:

Links were also created to legitimate CLUonline pages, presumably to boost the overall PageRank of the site. Unfortunately, this compromised the whole site.

A manual review of CLUonline’s 5,054 links revealed that there were just over 600 links from hacked sources making up 12% of CLUonline’s total backlink profile.

I believe these links were one of the reasons that CLUonline received a partial manual action from Google. This case shows that negative SEO is possible.

Though it has to be said that the hacked links were not the only bad links pointing at the site, they did exacerbate the issues that already existed.

Let’s now look at some examples of links that the hackers built to pages on CLUonline. You can see that the pages all contain spun text content and highly targeted Money keywords, in comments, forums and Web 2.0 articles / blogs:

Hacked Keyword Example 1

Hacked Keyword Example 2

Hacked Keyword Example 3

Hacked Keyword Example 4

Looking at the Competitive Link Velocity report shows the period when link growth increased significantly.

CLUonline was hacked around March 2013 and actions were taken in May to start deleting. This lines up perfectly with the link velocity chart:

Competitive link velocity hacked links

The Competitive Link Velocity shows the spike in internal links coming into the site, illustrated by the darker colored boxes.

It also shows that the number of links being created decreased quickly after the team took action on the hacked pages.

3.1.3 Fake Profile Links

A recurring footprint we uncovered while reviewing the hacked links to CLUonline was forum profiles with the name “tnairpress.”

These forum profiles were usually incomplete with very little content, except for a single link back to CLUonline. Another approach was to create a single post on the forum with commercial anchor text.

Forum profile links with no content on them (apart from a homepage link) are usually associated with auto-posting software like Xrumer, which was most likely used to help create links back to hacked pages.

A quick Google search for “tnairpress” in inverted commas reveals 8,050 forum profile pages created with the profile name of “tnairpress”:

Google Search of tnairpress showing profiles

Examples of Tnairpress forum profile links promoting a highly suspicious “brochure page” on CLUonline include:

Tnairpress Forum Profile Link Brochure Page 1

Tnairpress Forum Profile Link Brochure Page 2

Tnairpress Forum Profile Link Brochure Page 3

Now follow examples of the types of forum posts from Tnairpress, obviously utilizing an automatic forum creation and posting tool such as Xrumer.

(Notice that these links were still being made to legitimate CLUonline pages in June, even after the CLU team took action on the pages created by the hackers.)

Tnairpress Forum Profile Link Brochure Page 4

Hacked Link In Forum Post

3.1.4 Blog Comment Spam

There was a high concentration of anchor texts using random names.

We initially suspected this was blog comment spam built by the hackers, but with further investigation we discovered these links had been built by an SEO company hired by CLUonline themselves….D’oh!

CLUonline outsourced their link building from January to March 2013 to a less than reputable SEO company, which resulted in a large number of random DoFollow comments being left on blogs loosely related to Christianity.

These random posts were often on sites that also featured other random topics such as “solar panels” or “pay day loans,” creating an obviously spammy footprint.

Our manual review found random posts by many fabricated authors:

  • Daniel Webster
  • Charles Thompson
  • Alfred Morris
  • Felicity Zimmerman

Blog spam is an obvious footprint that can be detected by search engines; it should be avoided.

Matt Cutts commented on the subject:

“If your primary link building strategy is to leave comments all over the web, to the degree that you have a huge fraction of your link portfolio comments, and no real people linking to you, then at some point that can be considered a link scheme. At a very high level we reserve the right to take action on any sort of deceptive or manipulative link schemes that we consider to be distorting our rankings.”

Examples of some blog comment spam, which were pointing at CLUonline’s homepage, include:

Blog Comment Spam Example 1

Blog Comment Spam Example 2

Blog Comment Spam Example 3

What is notable about these comments is that they are obviously half-hearted but there’s some attempt to make them look natural.

A recurring theme with these posts was the author was often called Backlink04 and the title was usually the same. It’s obvious these blog comment posts are spam and part of a link scheme designed to pass PageRank.

3.1.5 Article Directories

We manually checked each link of CLUonline’s backlink profile.

In addition to the hacked links and the blog comment spam, we uncovered a number of other tactics that were in violation of Google’s Webmaster Guidelines on Link Schemes.

A tactic adopted by the CLUonline team was submitting articles to article directories. These articles were then syndicated to other sites with poor LRT Power*Trust.

All of the articles identified follow a similar footprint:

  • Contains a bio author link stating it was written by Mark Virkler or Joshua Virkler.
  • Contains a number of highly commercial DoFollow footer links.

We traced some articles back to 2011 when this approach was commonplace so it would not be fair to point the finger at the guys from CLU. In 2011, this tactic worked! These days, though, these types of links need to be disavowed.

Matt Cutts advised not to use article directories as an SEO tactic in this video. He states that Google is filtering and even penalizing articles following the footprint identified above and distributed en masse to article directories:

“We certainly have some algorithmic things that would mean it is probably a little less likely to be successful now compared to a few years ago, for example. So my personal recommendation would be probably to not upload an article like that.”

Examples of articles submitted by CLUonline to article directories include:

Press Release Website Example 1

Press Release Website Example 2

Press Release Website Example 3

Examples of articles that were originally submitted to article directories, which were then syndicated to weak, low LRT Power*Trust sites include:

Syndicated Article Example 1

Syndicated Article Example 2

3.2 Step 2 – Link Removal Outreach

Once we completed our deep-dive audit of CLUonline’s backlinks and identified all links that violated the Google Webmaster Guidelines, we undertook a link removal campaign.

At this point we were using Rmoov for link removal outreach. However, we are now using Pitchbox for all link removal, since it is more tightly integrated with DTOX.

Here’s the email we used for CLUonline link removal outreach:

Link Outreach Email Template

We contacted each Webmaster three times with each email documented in a separate Google Doc.

If we fail to hear back from the webmasters after the third attempt, or they demand a fee for removal, then we just disavow at domain or URL level depending on the overall trust of the site linking.

50% of the links were successfully cleaned up:

Rmoov Clean Up

3.3 Step 3 – Disavow File and Reconsideration

Having identified all of the bad links, the final step to revoking CLUonline’s penalty was to submit the disavow file and reconsideration request to Google.

We have successfully removed penalties since the first unnatural link warnings were sent out. Since then, we have created a blacklist of spam domains and URLs that we add to the site’s disavow file. These are sites we have checked by hand and know to be complete spam.

Here’s a snapshot of our blacklist:

Search Engine Spam


Want a copy of our blacklist?

Please feel free to link to this case study from your blog/website – anyone who does so can contact us for a copy of our blacklist built up over the last two years. ☺


After uploading the disavow file to Google Webmaster Tools, we use DTOX Boost to get all the disavowed domains re-crawled and to ensure Google knows we have taken action on the unnatural links pointing at the site.
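The outreach and disavow rules from Steps 2 and 3 (three contact attempts, disavow on no reply or a fee demand, domain or URL level depending on trust, plus the blacklist) can be turned into a small generator for the disavow file. This is an added example, not the authors' tooling; the outreach log, the hosts, the `trust` field and `TRUST_THRESHOLD` are assumptions, and the output uses Google's disavow text format (`domain:` lines, full URLs, `#` comments).

```python
from urllib.parse import urlparse

MAX_CONTACTS = 3       # the case study contacts each webmaster three times
TRUST_THRESHOLD = 3    # assumption: below this, disavow the whole domain

# Constructed outreach log; "trust" stands in for a per-domain trust metric.
OUTREACH = [
    {"url": "http://forum1.example/profile/9", "contacts": 3, "outcome": "no_reply", "trust": 1},
    {"url": "http://blog1.example/post-12", "contacts": 1, "outcome": "removed", "trust": 2},
    {"url": "http://articles.example/clu-article", "contacts": 2, "outcome": "fee_demanded", "trust": 0},
    {"url": "http://news.example/syndicated/123", "contacts": 3, "outcome": "no_reply", "trust": 6},
    {"url": "http://blog2.example/post", "contacts": 2, "outcome": "no_reply", "trust": 1},
    {"url": "http://spamdir.example/listing/4", "contacts": 3, "outcome": "no_reply", "trust": 5},
]

# Constructed stand-in for the hand-checked blacklist of spam domains.
BLACKLIST = ["spamdir.example"]


def build_disavow(outreach, blacklist):
    """Return (disavow file text, URLs whose outreach is still in progress)."""
    domains, urls, pending = set(blacklist), set(), []
    for row in outreach:
        if row["outcome"] == "removed":
            continue  # link is gone, nothing to disavow
        gave_up = row["outcome"] == "fee_demanded" or (
            row["outcome"] == "no_reply" and row["contacts"] >= MAX_CONTACTS
        )
        if not gave_up:
            pending.append(row["url"])  # keep contacting before disavowing
            continue
        if row["trust"] < TRUST_THRESHOLD:
            domains.add(urlparse(row["url"]).hostname)
        else:
            urls.add(row["url"])
    # A URL entry is redundant once its whole domain is disavowed.
    urls = {u for u in urls if urlparse(u).hostname not in domains}
    lines = ["# Outreach exhausted, fee demanded, or blacklisted domain"]
    lines += [f"domain:{d}" for d in sorted(domains)]
    lines += sorted(urls)
    return "\n".join(lines) + "\n", pending


if __name__ == "__main__":
    text, pending = build_disavow(OUTREACH, BLACKLIST)
    print(text)
    print("still in outreach:", pending)
```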

When it comes to the reconsideration request, we have found the best way to have a penalty revoked is to explain:

  • That you understand why you have received the penalty and accept the decision;
  • Why you received the penalty (highlight that it was external SEO companies that you used, and you were ignorant to their exact tactics of link building and the rules in place, or that it was your own ignorance when link building);
  • Document any violations you have found (Google Document 1);
  • Document steps you have taken to rectify the situation with link outreach (Google Document 2) and disavowing domains;
  • Clearly state the steps you have taken to make sure this never happens again.

Here is the reconsideration request we used for CLUonline:

Reconsideration Request 1

Reconsideration Request 2

4.0 Success – Penalty Revoked First Time!

After we submitted the reconsideration request at the end of June 2014, we heard back from the Google Webmaster team on the 8th of July informing us that the reconsideration request was successful:

Webmaster Tools Success

When originally commissioned to conduct a penalty removal for CLUonline, we were working under the premise that the partial action had been caused by hackers building a significant volume of dubious Money anchor text links. However, it appears it was the accumulation of legacy link building techniques combined with the hackers’ links that tipped the site over the edge. Rankings and SERP visibility started to drop well before the hacking occurred.

The links built by hackers undoubtedly contributed to CLU’s partial action, but it’s unlikely they were solely to blame. The link profile revealed many common old school link building tactics that in 2014 are clearly against the Google Webmaster guidelines.

Blog comment spam and article directories made up a vast proportion of CLUonline’s backlink profile, and although CLUonline ceased these tactics some time ago, they did not take appropriate action to manage the risk of their link profile over time.

It now makes perfect sense to be proactive in your link auditing and carry out regular link risk management in order to monitor your link graph and pre-emptively disavow any unnatural links before they impact the integrity of your site.

Our advice to all webmasters is to implement Link Alerts on your site. This simple measure will serve as a watchdog keeping guard over your site. You are able to review new links that LRT finds weekly, which makes spotting new suspicious incoming links very easy. We suggest building this into your weekly routine and looking out for anchor texts that you don’t recognize; you might just have been hacked and not even realize it!

We are pleased to report that lifting the partial action has seen a positive increase in the site’s impressions:

Impression Increase Webmaster Tools

Keyword rankings are also up:

Impression Increase 2

Some keywords that CLUonline previously had ranked for - but had dropped - also returned to the SERPS:

Keyword Increase

These results are all encouraging. However, there is still a lot of work to be done. The site is undoubtedly still being algorithmically suppressed by Penguin, which means we need another Penguin update in order to get out of full suppression. It’s clear to us there are also some issues onsite that need to be fixed.

We are sure the CLU team will keep this momentum going. Their focus is now to try and leverage their loyal fan base to earn new high Power*Trust natural links to replace the poor quality links that were removed and disavowed.

All in all, this case study highlights the importance of carrying out regular link risk management in order to keep a close eye on what is happening with your link profile. The hackers here showed no mercy and were able to compromise the integrity of the site, resulting in a manual action from Google unbeknownst to the site owners.

Weekly monitoring of your link profile is a great way of ensuring that any suspicious linking activity and hacking is identified and can be dealt with quickly. So, if you haven’t already, go and set up link alerts now.

We hope you have found this case study insightful and look forward to any comments from the community.



Christoph C. Cemper

Christoph C. Cemper is the CEO and Founder of LinkResearchTools and Link Detox. He is a well-known and distinguished expert in SEO who started link building for clients in 2003, has been building LinkResearchTools since 2006 and has marketed it as a SaaS product since 2009. When the famous Google Penguin update changed the rules of SEO in 2012, Christoph started Link Detox, software for finding and disavowing toxic links.

