How to recover from link injection attack triggering penguin



9:58 am on Jun 9, 2013 (gmt 0)

Hi guys, since we were hit by Penguin 2.0 I've been doing some serious digging.

Seems a plugin we use was compromised. It showed only to search engines links to an adult site. We have been using this plugin for a year at least.

We have never had any messages in WMT but now with Penguin 2.0 looking at all pages I believe this was the reason we were hit.

My question is, has anyone had any experience of recovering from this? All traces are now 100% gone and a reconsideration request has gone in.

I'm concerned that Google will only run Penguin once a year or every 6 months so it may take a while for it to notice.

Any advice would be great.



Robert Charlton

7:05 pm on Jun 9, 2013 (gmt 0)

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Hi chalkywhite - The reconsideration request might do it. It sounds like the "compromised" plug-in (I assume you mean it was hacked) could be an example of a kind of link spam which could be hard for search engines to keep on top of without reports.

Though it sounds like you've already done so, you should also check your site carefully using view as Googlebot to look for anything else that might look spammy.

Sorry, I can't comment on the time frame for you. Please report back about how this turns out. Good luck.


7:19 pm on Jun 9, 2013 (gmt 0)

Hi Robert, actually it was not hacked, it simply had some code in a PHP file that hid links from users and not search bots. I checked over a year's monthly backups and the code was always there :(.

Research into the plugin found that it was indeed well known for it. Silly me.

Google fetch looks good, 500 pages have been spidered today and the cache looks clean :).

I'll update the thread accordingly, as if I recover this could mean Penguin 2.0 looks at outbound links. I was running this plugin during Penguin 1.0 updates.


7:28 pm on Jun 9, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

If it is the recent Wordpress social media plugin/widget, then approximately 900K Wordpress installations could, potentially, be compromised. The majority of compromised Wordpress sites in the latest web usage/classification surveys I run on the Irish webscape (>330K websites in each monthly survey) had loan type links injected. The older Joomla compromises tend to be the classic warez/drugs/pron link injections. Google, for all its much vaunted spam fighting, hasn't been able to deal with these compromises in any way that could be considered efficient. I checked a sample of compromised sites (they've been compromised since at least April 2013) on Google and they all show problem SERPS. Many of the compromised Joomla sites were using an older version (1.5).

If you've cleared the problem, then the most immediate issue would be to remove the cached pages from Google (if it is caching pages) and get Google to reindex the site. One possible way would be to build a clean sitemap and then use WMT to force Google to read the sitemap and then respider the site. I don't know about the efficiency of using a no-cache directive in each page's metadata but the sitemap approach might be the best thing to prioritise.



7:36 pm on Jun 9, 2013 (gmt 0)

Not naming but it's a plugin that auto links posts, Seo xxxxxxxxx. For instance if you have a post on widgets it will auto link to a widget category in the post if you enter the keyword.

Thanks, I'll look into the sitemap. GMT indicates they spider around 800 pages per day so, if they are as efficient as I hope they are, then in a week I should be good. Then it's a case of waiting and hopefully not for a Penguin update.

Note: the main hit was 9th May, before Penguin 2's "official" announcement.


8:01 pm on Jun 9, 2013 (gmt 0)

Jmc, how do you check if your site is compromised by that plugin? I use it on my site and I didn't know it did this?!


8:15 pm on Jun 9, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

If you are keeping it updated, n00b1, there should be no problem.
The simplest way is to look at the source code of the index page of the site in a browser (with Javascript turned off). If you see loan terms and loan site links, then there is a problem. The injected links are not visible to people just browsing the website (they are positioned off page using CSS) but the search engines do pick them up. Checking the site name and the keyword 'loan' in Google might show if any compromised pages were indexed.

The details of the compromise are here:

This is the discussion on the Wordpress forum:
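
Added example, not part of the original thread or any poster's code: a Python sketch of the check described in the posts above (links shown only to search bots, and links pushed off page with CSS). It compares the page source as a visitor receives it with the source as a crawler view receives it; the host names, sample pages and the `audit` helper are constructed for illustration, and the hidden-style patterns are a heuristic assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that take content out of view (heuristic list, not exhaustive).
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:left|top|text-indent|margin-left)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}

class LinkAudit(HTMLParser):
    """Collect off-site links and whether each sits inside a hidden element."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []     # (tag, hidden) for every open element
        self.external = {}  # href -> True if inside a hidden container

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN.search(a.get("style") or ""))
        host = urlparse(a.get("href") or "").hostname if tag == "a" else None
        if host and host != self.site_host:
            self.external[a["href"]] = hidden or any(h for _, h in self.stack)
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p> or <li>.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(site_host, html_browser, html_crawler):
    """Compare the page as a visitor gets it with the page as a crawler gets it."""
    seen = {}
    for name, html in (("browser", html_browser), ("crawler", html_crawler)):
        seen[name] = LinkAudit(site_host)
        seen[name].feed(html)
    b, c = seen["browser"].external, seen["crawler"].external
    return {"crawler_only": sorted(set(c) - set(b)),
            "hidden": sorted({h for d in (b, c) for h, hid in d.items() if hid})}

# Constructed sample pages; in practice save the source from a browser and from a crawler-view fetch.
BROWSER = ('<html><body><p>Post about <a href="/category/widgets">widgets</a>, via '
           '<a href="http://partner.example.org/">partner</a></p></body></html>')
CRAWLER = BROWSER.replace("</body>", '<div style="position:absolute; left:-9999px">'
          '<a href="http://loans.example.net/">loans</a></div></body>')

if __name__ == "__main__":
    print(audit("www.example.com", BROWSER, CRAWLER))
```

Any URL under `crawler_only` is an off-site link the visitor copy never contained; anything under `hidden` is present in the markup but styled out of view, so it needs a manual look at the template or plugin that emitted it.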



8:49 pm on Jun 9, 2013 (gmt 0)

Thanks for the information. I have kept the plugin updated and this issue doesn't seem to have affected my site (phew).
