In 2017, TM Blast got hit by spam bot attacks that caused a significant loss in organic traffic. As an SEO, I began diagnosing the site after a few months trying to figure out what the issue was. After calling up GoDaddy (my hosting provider), I became aware that my site was under a bot attack. In this blog post, I want to share how to identify and block spam attacks that are hitting your domain.
Identifying WordPress Spam
Below are the steps that I took when I began seeing a decline in the organic traffic for my WordPress website. If you would like to follow along with a video, I recorded my steps in the video below.
Check Your Analytics
A continuous drop in organic traffic is your first sign something fishy is happening. The best-case scenario is that it’s a simple technical fix that will drive more organic traffic once you implement it. Maybe it’s your current strategy that needs a refresh because Google Trends says that the topic has lost search interest. Finally, your site could be under attack, which is what was happening with my domain.
In this picture above, TM Blast had two years of consistent growth with organic traffic. When my site got hit hard with spam bot attacks in 2017, my website traffic in red began declining each month for the rest of the year. I diagnosed the issue around late May, but this problem lasted one year in total.
You Can’t Log Into Your Site, and Your Site Goes Down
With the slide of organic traffic on TM Blast, I knew things were becoming an issue. When I could not log into my WP admin page, I knew something was wrong. Navigating to my homepage on Google Chrome kept showing a down message, so I had to take immediate action.
I called up GoDaddy to explain the issue, and they walked me through my awstats to see if I was under attack. It turns out bot networks were attacking my entire domain by infusing content to promote their products on my domain. It’s not on GoDaddy to alert webmasters about these problems, but they can offer solutions which I will get into later on in the post.
Review Your Stats
Reviewing your website health is an overlooked aspect of SEO in my opinion. As a New York SEO Expert, I spend my time performing keyword research, auditing client sites for errors, and writing new content. Checking the health of my site was not on my radar, but I learned the hard way.
When I was in my stats section (I use awstats), I saw some odd behavior. Russia was showing a lot of interest in my login page, which raised two red flags. First, why is Russia trying to get into my site when I am a U.S. business? Second, why is Russia hitting my login page thousands of times each month? The answer is pretty clear that it is spam, so I had to find a solution to this problem.
If you need help finding your web logs, you can contact your hosting provider.
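If your host gives you the raw access log rather than a stats dashboard, the same check can be scripted. The following is an added example, not part of the original post: it counts requests per IP to the WordPress login and admin paths and flags addresses that POST to them repeatedly. The Combined Log Format, the threshold of 20, and the sample lines (documentation-range IPs) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/wp-admin")  # WordPress login and admin entry points

def login_hits_by_ip(lines):
    """Return {ip: {"total": n, "posts": n}} for requests aimed at the login/admin paths."""
    hits = defaultdict(lambda: {"total": 0, "posts": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of crashing
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path.startswith(LOGIN_PATHS):
            hits[m.group("ip")]["total"] += 1
            hits[m.group("ip")]["posts"] += m.group("method") == "POST"
    return dict(hits)

def flag_suspects(hits, post_threshold=20):
    """IPs whose login POST count meets the (assumed) threshold, sorted for stable output."""
    return sorted(ip for ip, c in hits.items() if c["posts"] >= post_threshold)

def build_sample_log():
    """Constructed sample lines for the demo; not real traffic."""
    lines = [
        f'203.0.113.7 - - [21/May/2017:03:14:{i:02d} +0000] '
        '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'
        for i in range(25)
    ]
    lines += [
        '198.51.100.20 - - [21/May/2017:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [21/May/2017:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '192.0.2.5 - - [21/May/2017:10:00:00 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
        'garbled line that is not a log entry',
    ]
    return lines

if __name__ == "__main__":
    hits = login_hits_by_ip(build_sample_log())
    for ip in flag_suspects(hits):
        print(ip, hits[ip])
```

An owner logging in once shows up as one GET and one POST, so only the address that keeps posting credentials crosses the threshold.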
Solution to Fix Spam Bots and Block Spammers
Here are the four steps that I took to fix this bot attack on TM Blast. First, I had to identify where the bots were trying to get into my site. Since my website is WordPress, my admin page was the target. A screenshot like this below that shows bots hitting an admin page is a sign you are under a bot attack.
Second, I had to reverse look up all of the IP addresses that were hitting my site. You can use any tool on the web to look up these addresses. As an easy rule of thumb, I knew Russian bots were going to be blacklisted on my site. Bot networks are sophisticated, so they might hide their true path from your view. A redirect path from an IP address tells me it’s spam and it’s actively trying to protect its location.
Third, I made the switch from HTTP to HTTPS. My site is encrypted on every page today. As a note, I did not make this change for Google, but it became a bonus when Google said they would show a warning message to users if a site does not have HTTPS. Considering that Google Chrome is the most popular web browser in the United States, I was able to kill two birds with one stone.
The final step was paying for security for three years via a firewall. Paying for a security system is critical to being successful on the web. I spent over $800 for an SSL certificate, website security, and using GoDaddy to migrate all the HTTP content to HTTPS. Paying for all of these services has kept my website protected from future bot attacks.
Having a firewall that protects my domain from future spam attacks is necessary for 2018 and beyond. A sophisticated hacker could still get into my site, but regular attacks that took down my site are not getting through anymore. By having my site protected today, I was able to focus on my site again and grow it from the attack.
My advice to any webmaster reading this is to get website security and HTTPS. Paying a few hundred dollars today to save the headache of a site being down for hours is a no-brainer. The stress of not being able to get into my site was hard for me. Not to mention how far I fell in organic traffic within Google and Bing for an entire year was awful.
My second piece of advice is to check the health of your site routinely. Even with a security system in place, you should always review your stats to look for attacks. Reviewing your log files can allow you to spot any spoofed bots with their IP address too.
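One way to check a log entry for a spoofed search bot, shown as an added example that is not part of the original post: a visitor whose user agent claims to be Googlebot or Bingbot is verified with forward-confirmed reverse DNS. The function names are hypothetical, the check is IPv4-only, and the resolvers are injectable so it can be exercised offline.

```python
import socket

# Hostname suffixes that Google and Bing publish for their crawlers.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

def claimed_crawler(user_agent):
    """Return the crawler name the user agent claims to be, or None."""
    ua = user_agent.lower()
    for name in CRAWLER_SUFFIXES:
        if name in ua:
            return name
    return None

def is_spoofed_bot(ip, user_agent, reverse=None, forward=None):
    """True if the user agent claims a known crawler but the IP fails
    forward-confirmed reverse DNS (PTR lookup, then A lookup back to the IP)."""
    name = claimed_crawler(user_agent)
    if name is None:
        return False  # no crawler claim, so there is nothing to verify
    # Default to real DNS; callers may pass stand-in resolvers for testing.
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda host: socket.gethostbyname_ex(host)[2])
    try:
        host = reverse(ip).rstrip(".").lower()
        if not host.endswith(CRAWLER_SUFFIXES[name]):
            return True  # PTR name is outside the crawler's published domains
        # Anyone can set a PTR record on their own IP range, so the
        # hostname must also resolve back to the same address.
        return ip not in forward(host)
    except OSError:
        return True  # no PTR record or lookup failure: the claim is unconfirmed
```

With no resolvers passed in, the function performs live DNS lookups, so run it over the handful of distinct IPs that claim to be crawlers rather than over every log line.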