Original post by Dan Moen on Wordfence.com.
During our research into what the WordPress community knows about hacked websites, we discovered that there is very little data available on the subject. We decided to conduct a survey, inviting a portion of our community to participate.
We received responses from 1,605 people who reported having a website they manage hacked in the last year. We learned a lot. Thank you to everyone who participated!
In a related effort, we also added an article to our Learning Center focused on recovering SEO after a hack.
How does a hacked website impact SEO?
We approached this question from a number of angles. The first thing we asked was whether the website was flagged by Google as hacked or containing malicious content. Of the respondents who knew, 46.5% reported being flagged. We were surprised at how low this number was. With over half of the sites not being flagged by Google, we can’t rely on Google to alert us to a hack.
It also means that if you move quickly, you have a good chance of cleaning your site before Google discovers it, potentially avoiding a search engine traffic impact. This is a strong indicator of the value of having your own malware scanner like Wordfence installed that is checking your site regularly.
The next thing we looked at was the impact of a hacked website on traffic. The chart below shows good news and bad. The good news is that 55% of you said that a hack had no impact on search traffic.
The bad news is that 45% saw search traffic impacted by a hack and 9% saw a traffic drop of over 75%.
One thing that occurred to us as we analyzed the data was that websites that Google flagged as hacked might see a greater drop in search traffic. To test that hypothesis we looked at the same question, but just for people who reported being flagged by Google.
As expected, if your site is hacked and Google notices, you will see a much greater drop in search engine traffic: For people flagged by Google, 77% of them saw a drop in traffic compared to the average of 45%.
Based on this we can conclude that the impact on traffic is greater if Google flags your site as hacked. The lesson: Don’t get hacked and if you do, scramble to fix it before Google notices.
One of the unfortunate things we noticed is that 45% of respondents report that their traffic never returned to normal, even after cleaning.
We were curious to see whether search engine traffic improves over time after a site is cleaned. To do this we compared sites that were hacked longer ago and their search traffic now vs sites that were hacked more recently and their search traffic now.
What we found was a little shocking: Sites that have had more time to recover their rankings did not show an improvement compared to sites that have had less time. This is really worrying because it indicates that sites that are hacked and penalized by Google suffer a long-term penalty on their rankings.
How long does it take to recover from a hack?
In the survey we asked respondents to tell us how many days it took them to restore their websites to normal following a hack. 40.9% were able to restore their site to normal within a day. We’re guessing those lucky site owners had a recent backup available that the attacker had not compromised.
On the other end of the spectrum, 16.6% of respondents reported taking more than a week to recover. The average time to recover from a hacked site is 7.49 days.
We also asked what steps were taken to clean respondents’ websites. 85.6% were able to clean the site themselves. Only 3.7% turned to friends for help, while 14.4% paid a professional to do it for them. We hope that our page on how to clean a hacked site has helped contribute to the high percentage of people who are successfully cleaning their own sites.
We urge you to review your website backup approach. Ideally you should be taking automated backups frequently, storing them off site and retaining them for as long as is feasible. Nothing makes recovering from a hack easier than having a recent site backup available.
How much does a hacked website cost?
We knew going in that we would receive responses from a very diverse group of website owners, so we knew that the cost of a hacked website would vary dramatically across sites.
For your reference, the question we asked was: “What was the total cost of your hacked site including downtime, lost revenue and any other costs incurred?”
To calculate this number we disqualified estimates that were clearly out of range. We also kept all the responses that said the hack cost them nothing and allowed those responses to bring down the average number. We determined that the average cost of a hacked website is $2,518.
Every site is different, but our universal take-away from this is that hacked websites are expensive. They can cost you a lot of money in downtime, lost revenue due to adverse SEO impact and repair costs. They can also impact your reputation with your customers. And cleaning a hacked website takes you away from what you would rather be doing.
Your best course of action is to do everything you can to avoid getting hacked in the first place, something we are very passionate about here at Wordfence.
We hope you found the data in this article as interesting as we did. The data provides a strong incentive to get serious about website security, doing everything you can to prevent attackers from compromising your site in the first place. The survey contained a lot more interesting data. Look for a related blog post where we share some of that data next week.
MyWordPress recommends WordFence Premium for every website. We assist with pre-installation testing, virus and trojan cleanup, WordFence installation and configuration setting for optimum security and live monitoring, plus we give your systems and processes a health check to ensure you’re following best practice as much as possible to keep your website protected.