Hacked Sites Suffer Long Term Search Ranking Penalties

During our research into what the WordPress community knows about hacked websites, we discovered that there is very little data available on the subject. We decided to conduct a survey, inviting a portion of our community to participate.

We received responses from 1,605 people who reported having a website they manage hacked in the last year. We learned a lot. Thank you to everyone who participated!

In a related effort, we also added an article to our Learning Center focused on recovering SEO after a hack.

How does a hacked website impact SEO

We approached this question from a number of angles. The first thing we asked was whether the website was flagged by Google as hacked or containing malicious content. Of the respondents who knew, 46.5% reported being flagged. We were surprised at how low this number was. With over half of the sites not being flagged by Google, we can’t rely on Google to alert us to a hack.

It also means that if you move quickly, you have a good chance of cleaning your site before Google discovers it, potentially avoiding a search engine traffic impact. This is a strong indicator of the value of having your own malware scanner like Wordfence installed that is checking your site regularly.

The next thing we looked at was the impact of a hacked website on traffic. The chart below shows good news and bad. The good news is that 55% of you said that a hack had no impact on search traffic.

The bad news is that 45% saw search traffic impacted by a hack and 9% saw a traffic drop of over 75%.


One thing that occurred to us as we analyzed the data was that websites that Google flagged as hacked might see a greater drop in search traffic. To test that hypothesis we looked at the same question, but just for people who reported being flagged by Google.

As expected, if your site is hacked and Google notices, you will see a much greater drop in search engine traffic: For people flagged by Google, 77% of them saw a drop in traffic compared to the average of 45%.

Based on this we can conclude that the impact on traffic is greater if Google flags your site as hacked. The lesson: Don’t get hacked and if you do, scramble to fix it before Google notices.


One of the unfortunate things we noticed is that 45% of respondents report that their traffic never returned to normal, even after cleaning.


We were curious to see whether search engine traffic improves over time after a site is cleaned. To do this we compared sites that were hacked longer ago and their search traffic now vs sites that were hacked more recently and their search traffic now.

What we was a little shocking: Sites that have had more time to recover their rankings did not show an improvement compared to sites that have had less time. This is really worrying because it indicates that sites that are hacked and penalized by Google suffer a long term penalty on their rankings.

How long does it take to recover from a hack?

In the survey we asked respondents to tell us how many days it took them to restore their websites to normal following a hack. 40.9% were able to restore their site to normal within a day. We’re guessing those lucky site owners had a recent backup available that the attacker had not compromised.

On the other end of the spectrum, 16.6% of respondents reported taking more than a week to recover. The average time to recover from a hacked site is 7.49 days.

We also asked what steps were taken to clean respondents’ websites. 85.6% were able to clean the site themselves. Only 3.7% turned to friends for help, while 14.4% paid a professional to do it for them. We hope that our page on how to clean a hacked site has helped contribute to the high percentage of people who are successfully cleaning their own sites.

We urge you to review your website backup approach. Ideally you should be taking automated backups frequently, storing them off site and retaining them for as long as is feasible. Nothing makes recovering from a hack easier than having a recent site backup available.

How much does a hacked website cost?

We knew going in that we would receive responses from a very diverse group of website owners, so we knew that the cost of hacked website would vary dramatically across sites.

For your reference, the question we asked was: “What was the total cost of your hacked site including downtime, lost revenue and any other costs incurred?”

To calculate this number we disqualified estimates that were clearly out of range. We also kept all the responses that said the hack cost them nothing and allowed those responses to bring down the average number. We determined that the average cost of a hacked website is $2,518. 

Every site is different, but our universal take-away from this is that hacked websites are expensive. They can cost you a lot of money in downtime, lost revenue due to adverse SEO impact and repair costs. They can also impact your reputation with your customers. And cleaning a hacked website takes you away from what you would rather be doing.

Your best course of action is to do everything you can to avoid getting hacked in the first place, something we are very passionate about here at Wordfence.


We hope you found the data in this article as interesting as we did. The data provides a strong incentive to get serious about website security, doing everything you can to prevent attackers from compromising your site in the first place. The survey contained a lot more interesting data. Look for a related blog post where we share some of that data next week.

Did you enjoy this post? Share it!


  • A factor you haven't referred to, that may be a consideration, is that the sites that were hacked may have been seeing "higher than average" traffic prior to the hack, due to numerous distributed brute-force attempts to comprimise the site.

    Having been hacked and then (presumably) patched/updated the WordPress during the clean-up, those vulnerabilities that were being targetted would have no longer been present, meaning that at least some of the "bad actors" would have turned their attention elsewhere.

    Solution? - install WordFence and update the core, plugin code and themes as soon as new versions become available !

    Thanks for your efforts to make WordPress a safer CMS!


    • Hi John. Most people use Google Analytics to track their traffic which doesn't count bots - so they would not have been counting brute force attack traffic or any other kind of attack traffic. That's one of the benefits of Wordfence live traffic - you can actually see bot traffic that javascript based logging systems like Google Analytics doesn't log.

    • Yes and I actually saw a Youtube of someone who was very proud of the growing traffic to her site until she discovered that most visits had to do with spam located on the website. So you always need detailed traffic information to start with. Actually that's how I discovered my site was hacked because from the outside all looked fine.

  • Great article! Having Wordfence installed saved me. I saw an email alert from Wordfence (administrator login) within minutes of being hacked and so was able to react and minimize damage. I do daily backups, so was able to delete the hacked site and restore to a fresh installation of WordPress from the previous day's backup.

  • I've been really enjoying your blog the last few months. So much good information!

    Thanks for sharing the results of the survey. That number, $2,518, is a rude awakening to a lot of people.

  • I believe the most damming thing is the lost of confidence in WordPress as a viable platform to publish your web page on. Products like Wordfence are so important to the long term value of using Wordpress. I had stopped using wordpress because of the constant attacks and hack attempts and I always hold my breath when new Updates/ Plugin are needed, because more often than not, my pages crash for one reason or another and it take time to find out why.

    I must admit since turning over all my current sites to Wordfence I have now not experienced further hacked pages and I am more actively involved in daily monitoring of traffic and bulk force attacks. Good Job and thank you for giving me confidence in the future.

  • Long after I fixed my Wordpress site after it was hacked, I noticed that Google was still sending the malware message. So I'm not surprised that this has been an issue for search.

  • I love WordFence and was about to share this post, but I'm seeing a disconnect with the first chart. You lead in by saying "The bad news is that 66% saw search traffic impacted by a hack and 14% saw a traffic drop of over 75%." Yet the chart suggests that 55% saw no impact - wouldn't that leave 45% who did? Further, the bar for down more than 75% in the chart is showing less than 10%, not 14%.

    • Thanks Randy, nice catch. Working to a deadline has that effect - we actually decided to present the numbers differently at the last minute and it tripped us up. Fixed it in the post.

  • A hacked site is such a pain, not knowing who to go to and who is trying to pull a fast one on you. Site lock those guys have crazy prices for stuff wordfence does as a free version. I believe you when you say it could cost between 2-3 thousand dollars. They wanted a few hundred a month and keep that subscription plan while using scare tactics to sign you up. Thanks wordfence.

  • Hi Mark, great article!

    Do you have any numbers on the cost to fix a hacked site excluding the free and lost revenue?

  • What should be pointed up is that if your website was hacked and flagged by Google, just cleaning/restoring the webisite is nof sufficient. After the cleaning is done, you must let Google know that the website is clean. You do so from Google Webmasters console. If you don't do this, Google will continue to presume your website is still hacked.

    • Full description how to do this in our Learning Center: https://www.wordfence.com/learn/recovering-website-seo-after-a-hack/

  • Great article!