Hacked type: Content injection
What does it mean to have pages marked with the hacked site type “Content injection” in Search Console?
This means that a hacker has added spammy links or text to your site’s pages. The injected content may contain pharmaceutical terms or other spam unrelated to the site’s content.
Typically, hackers modify your site in one of these ways:
- By gaining access to an insecure directory on your server. For example, you may have inadvertently left a directory with open permissions.
- By exploiting a vulnerability in software running on your site, such as a content management system. For example, you might be running an older, insecure version of WordPress.
- By hacking third-party plugins that you use on your site, such as visitor counters.
For more general information on sites compromised with spam, see Step 5: Assess the damage (spam) in the Help for Hacked Sites recovery process.
How can I confirm that my pages were modified to contain spam by a hacker?
Begin your investigation with the hacking examples shown in the message you received or the listing on the Security Issues page of Search Console. Keep detailed notes about what you find for each URL.
Unfortunately, what you see in a browser often doesn’t reveal what Google and/or users see, since hackers can hide the spammy content using cloaking techniques.
Instead of using the browser, you can confirm that the spam has been added to your site’s pages by using one of the following methods:
- Use “Fetch as Google” in Webmaster Tools:
Google’s free Search Console provides a feature called “Fetch as Google” that you can use to see a page on your site as Google machines see it. This is useful since many hackers make changes that are visible only to Google machines. For example, they might add links to their site from yours that are only rendered when the referrer is Google.
- Use cURL or Wget to fetch a page:
These freely available tools let you view the source of the page as seen by a search engine, and have the flexibility to include referrer or user-agent information. By serving spammy content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and anti-hacking algorithms used by search engines. (Your site will need to be online to use these tools.) For example:
$curl -v --referer "http://www.google.com/search?q=page" --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://www.example.com/page.html
In the output from Wget or cURL, check for any suspicious content and links that you did not intend to be there. For examples, words like “viagra”, “cialis” etc.
How can I clean my site of “Content Injection” hacked type?
When you’re ready to clean up your site (Step 7 of the Help for Hacked Site recovery process), you can either replace affected files with the last good backup or you can remove the spammy content and links from each page. Make sure to fix all the hacking examples shown on the Security Issues page of Search Console. In addition, search for other pages on your site that may have been hacked by using “site:” search on Google (covered in the article Step 5: Assess the damage (spam)). You can also use the “Fetch as Google” feature again, this time to verify that your changes indeed fix the hacking
Please be aware that removing the spammy content doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be hacked again in the future. One useful thing, for instance, is to update any software running your site, such as an old WordPress installation. For more information on cleaning your entire site, not just this hacked type, see "Filesystem damage assessment" in Step 5: Assess the damage (spam) of the Help for Hacked Sites recovery process.