As you can probably tell from the statement, this news is unsurprising. With millions of websites already in existence and new ones popping up every day, the internet is an endless feeding ground for hackers. Even as website security continues to advance, malware and hacking strategies also shapeshift and evolve to exploit weak spots.

This presents a number of problems for both users and webmasters. First and foremost, the potential leaking, theft, and abuse of user information puts online consumers at risk. But what’s also concerning, namely for webmasters, is that when website security is compromised it can result in hefty penalties, which can significantly set back search engine rankings. In response to this problem, this is what Google wants you to know.

Top Ways Websites Get Hacked by Spammers

While specific malware and hacking spam varies, there is some consistency in how websites are typically hacked. They are:

1. Compromised Passwords: Hackers have different techniques for guessing passwords until they guess correctly, like trying common passwords or rapidly testing random combinations of letters and numbers. Google recommends creating a strong password, never reusing passwords across services, and taking advantage of two-factor authentication (2FA) to make it as difficult as possible for hackers to compromise passwords.

2. Missing Security Updates: Put simply, old software has vulnerabilities that new software doesn’t, so webmasters should periodically check for and run updates on their web server software, content management system, and any plugins or add-ons your website uses.

3. Insecure Themes & Plugins: While themes and plugins can enhance the functionality of a website, they’re not always maintained by their developers. If a theme or plugin is in use but isn’t actively maintained, it opens a door for hackers to add malicious code. Check to see that your themes and plugins are secure, and if you remove a plugin, make sure you remove all files completely from the server as opposed to just disabling it.

4. Social Engineering: This method is about exploiting human nature to bypass sophisticated security infrastructure. Phishing is a common example of this; an attacker will send an email posing as a legitimate organization and request security information. Websites that are managed by multiple people are more susceptible to this kind of attack, so Google recommends security training to educate webmasters on basic phishing protection tips.

5. Security Policy Holes: General security weak spots can put an entire website at risk. If you’re a website administrator, try to avoid: allowing users to create weak passwords; giving administrative access to users who don’t require it; not enabling HTTPS on your site; allowing file uploads from unauthenticated users, or with no type checking.

6. Data Leaks: This happens when confidential data is uploaded and a misconfiguration makes it publicly available. You can avoid this by periodically checking and restricting confidential data to trusted entities through security policies.


Despite the damaging effects that hacking can have on a website, webmasters do have an avenue for recovery. If a website has been penalized for problems resulting from hacking, webmasters can apply for reconsideration and potentially remedy the consequences. According to Google, 84% of webmasters who apply are successful in cleaning up their sites, so there’s no reason a hacking incident has to tank your site forever.


What’s important to remember is that prevention is easier than correction. Taking the extra steps necessary to protect your website can and will ultimately save you the hassle and the headache of having to deal with a breach in security later and dip in rankings later on.

To practice adequate prevention methods, all webmasters should be registered for Google Search Console. Google found that 61% of webmasters who were hacked never received a notification from Google that their site was infected because their sites weren’t verified in Search Console. If your website is being attacked or experiencing issues from hacking and/or spamming, Search Console is the first place you’ll be notified about it. If your website isn’t registered and verified in Search Console not only will you not receive that notification, but your website will continue to suffer and be penalized.

In addition to Google Search Console, there are steps you can take to secure your content management system. The majority of websites are powered by WordPress, Joomla, Magento, or Drupal, all of which have their own security recommendations and resources specific to their system. If your website is powered by one of these, you can learn more about the best practices for securing your CMS and keep your site protected from hackers.

Source: Small Biz Trends