Unfortunately too many business owners ignore their websites to the point that they do not even realize when their sites are hacked. That level of ignorance and/or apathy is hard to address.

Some hacks are very subtle; I've seen single words and short phrases sparingly inserted into body text on large, busy sites, and on these occasions it only stood out because the links were off-topic.

How many of the links we see every day on sites could be hacked but just is highly sophisticated - enough to pass for normal?

It is a bit happy-clappyish and misses an important point. Many hacked sites tend to have links inserted that are only visible to search engines (not human visitors) to ramp up the PR of the spammer's sites. Most website owners use a web developer to build their sites and the site might even have remained hacked for over a year because the owner considers the site just brochureware. And based on working on monthly websurveys that detect this kind of thing, the spammers sometimes update the links they use. Perhaps the people behind Google's webmaster blog should really talk to the people in Google's spam department.

Regards...jmcc

How many of the links we see every day on sites could be hacked but just is highly sophisticated - enough to pass for normal?

But you don't see the injected links - they are hidden "off page" with CSS. Some of the out of place spam/hacked keywords I've seen in pages tend to be possible evidence of a failed hack or a crude attempt at clickbait SEO. The iffy links might be IDN versions of legitimate sites but most of the injected links tend to use the luxury product name or designer in the domain name. Then there are the injected links to problem ccTLDs that should not exist in most sites outside those countries.

Regards...jmcc

I'm gonna test these new forum rules and point out (as I have repeatedly pointed out to Google/Matt) that all you have to do is search for "fast shipping" and you'll find a boatload of hacked sites - page after page of them.

netmeg - IMO, that's an excellent example. I don't think we should dwell on example searches here, but, yes, this one is OK. It makes a strong point.

In the serps I see, after about the first three results, the results become very spotty, as you say, for page after page.

It's sad that poorly funded and not very sophisticated non-profits seem to get hacked most often. I've contacted a few hacked sites just to alert them, and many of them don't have staff or resources to address the problem... probably don't have a clue what Webmaster Tools is... and it's very hard to explain that these are hacks that Google sees but the webmasters won't, unless they come in via Google.

It's also very unlikely that they'd look for their sites via the hacked target phrases. FWIW, in the example search above, I'm not seeing the "This site may be hacked" message on some very obviously hacked sites.

Exactly.

It's also very unlikely that they'd look for their sites via the hacked target phrases. FWIW, in the example search above, I'm not seeing the "This site may be hacked" message on some very obviously hacked sites.

The problem is that Google cannot tell a good link from a bad one.

Regards...jmcc

all you have to do is search for "fast shipping" and you'll find a boatload of hacked sites

That's the mystery with G. Any fool can see "boatloads" of hacked sites but G seems intent on using complicated methods to find them. Possibly the sheer volume means that it has to be an automated process but automated processes will only find a tiny fraction of them.

But you don't see the injected links - they are hidden "off page" with CSS.

But they still stand out like a sore thumb when you view source. I'm talking about hack links that might pass a manual review - and on big sites with more than one person responsible for content management, no-one knows who put them there.

The problem is that Google cannot tell a good link from a bad one.

Yup. But can you blame them when some might fool humans too?

The point is, not only are they obviously hacked, and not marked as hacked, but that they actually *rank* for hack-related stuff.

Google needs to do better. Not because it is their responsibility. IMHO I place most of the responsibility on the business owner to monitor & protect their own website or outsource this vital process.

Google needs to do a better job to protect their search results to keep their users happy. Of course it is much easier to blame Google then actually implement a change that can screen through billions of pages while quickly serving billions of search results that are as relevant as possible to a worldwide audience while there is a small army of hackers that have networks of spambots exploiting the non-stop flow of newly discovered security holes.

A few times I have contacted small business owners that had their sites hacked to tell them about it so they could clean it up and secure their site. Hackers had used these off-topic sites with strong trust & quality signals to rank in profitable serps that I was working in. Most of the time the business owner was clueless and thought I was part of the problem and not someone trying to educate them about their hacked site.

There is no easy solution to this. IMHO there will always be business owners that do not fix their security holes. There will also be smart hackers that will keep evolving and staying one step ahead of Google. Thus making it very hard for to erase the hackers without high levels of innocent casualties.

The education aspect for all the webmasters out there is immense. But who reads it other than a few (like us here at WW)? And because of this the hackers will continue to find fertile opportunities. G, on the other hand, has millions, if not billions, of examples of such harm being done that it would not be that dang difficult for them to send a notice of same to these clueless "webmasters".

That will NOT happen, however. G (or any other search engine) cannot be the "hacker police", though they can, and do, indicate in the serps "this site may be dangerous"... and that's after the fact... and the site owner may not even know it.

So, thanks for the article. Of course. No thanks for not stemming the tide of ugly. And what hubris to think that ALL the webmasters will even know this article exists?

A rant with no solution, freely admitted. Just needed to get it off my chest.