You'll need
- The ability to verify ownership of your site using a technique such as adding a file in the root directory, authoring meta tags, or owning a Google Analytics administrative account for the site.
What you'll do
In this section, you'll perform the following actions:
- Check that the hacker didn't already verify ownership in Search Console and make unwanted settings changes.
- Determine the nature of the attack.
Check that the hacker didn't already verify ownership
Once you have verified ownership of your site, check that the hacker didn't already verify ownership in Search Console and make unwanted settings changes.
- Open the Users and permissions setting in Search Console.
- Be sure that all users and owners listed are authorized.
- Document the email address of any unauthorized user (in case it's helpful in the future), then delete the user from your site. For unauthorized owners, you'll need to delete both the owner and any possible verification tokens, such as a verification meta tag on your homepage or an HTML file on your server. (More information.)
- Look for any unwanted settings changes in Search Console. Open the Settings page and check for possible undesirable changes by the hacker, such as a lower Crawl rate (perhaps with the goal of avoiding search engine spiders). Also, check that nothing unusual is listed in the removals tool or the Change of Address tool.
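To support the token cleanup step above, the following added example (not part of the original page) lists `google-site-verification` meta tags in a homepage and verification HTML files in a web root, and reports any that are not on the owner's allowlist. The function names, sample tokens, and the `google<hex>.html` file-name pattern are assumptions made for illustration.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Assumption: verification files are named google<hex string>.html in the web root.
VERIFICATION_FILE_RE = re.compile(r"^google[0-9a-f]+\.html$", re.IGNORECASE)

class MetaTokenParser(HTMLParser):
    """Collects the content of every <meta name="google-site-verification"> tag."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "meta" and attrs.get("name", "").lower() == "google-site-verification":
            self.tokens.append(attrs.get("content", ""))

def find_meta_tokens(homepage_html):
    parser = MetaTokenParser()
    parser.feed(homepage_html)
    return parser.tokens

def find_verification_files(web_root):
    return sorted(p.name for p in Path(web_root).iterdir()
                  if p.is_file() and VERIFICATION_FILE_RE.match(p.name))

def unauthorized_tokens(homepage_html, web_root, known_meta, known_files):
    """Return tokens found on the site that are missing from the owner's allowlists."""
    return {
        "meta": [t for t in find_meta_tokens(homepage_html) if t not in known_meta],
        "files": [f for f in find_verification_files(web_root) if f not in known_files],
    }

# Constructed sample data: homepage and web root each hold one known, one unknown token.
SAMPLE_HOME = """<html><head>
<meta name="google-site-verification" content="OWNER-TOKEN-EXAMPLE">
<meta name="Google-Site-Verification" content="UNKNOWN-TOKEN-EXAMPLE" />
</head><body></body></html>"""

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name in ("google1a2b3c4d5e6f7a8b.html", "googledeadbeef00000000.html", "index.html"):
            Path(root, name).write_text("placeholder")
        return unauthorized_tokens(SAMPLE_HOME, root, {"OWNER-TOKEN-EXAMPLE"},
                                   {"google1a2b3c4d5e6f7a8b.html"})

if __name__ == "__main__":
    print(demo())
```

Anything reported should be removed from the page or server in the same pass as deleting the unauthorized owner, so the token cannot be used to re-verify.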
Determine the nature of the attack
The information in the Message panel and Security Issues report in Search Console can help you determine whether your site was compromised in any of the following ways:
- With spammy content that could reduce the quality and relevance of search results.
- For phishing purposes.
- To distribute malware.
To investigate hacking or malware using Search Console, complete the following steps:
- Open the Message panel in Search Console.
- Check if there are any critical messages from Google regarding whether your site was used for 1) serving spammy pages, text or links, 2) phishing, 3) distributing malware. If you have a phishing notification, don't delete this message until you have completed the entire recovery process.
- Navigate to Security Issues in Search Console.
- Sites affected with malware will show a top-level heading of "Malware," and then categories of malware types, such as "Modified server configuration" or "Error template injection." In these cases, the hacker may be using your site to infect your visitors with software designed to access confidential information or harm their computers. To find out how to fix this, continue to Hacked with malware.
- Sites that were hacked to serve spam may display a top-level heading of "Hacked" and then categories of hack types, such as "Content injection." It's likely the hacker has placed spammy pages, text, or links on your site. To find out how to fix this, continue to Assess spam damage.
- Sites with a "phishing notification" in Search Console Message Center may not show any information within Security Issues. By creating phishing pages on your site, the hacker is using your site to obtain users' login, password, or financial details, often by masquerading as a trustworthy site. Because the cleanup for phishing is similar to spam, continue to Assess spam damage.