Recently I set up my WordPress site as a “property” in Google Search Console. It was fun (and informative!) to watch the “position” feature in search analytics, listing what search terms found my page and what position each hit was in the search results (for a few results, the position of one of my posts was 10 or lower – first page of results, woohoo!).
But one day when I logged in to Google Search Console, none of my search statistics would display. Instead, there was this error message at the top of the analytics screen:
Verification failed for https://curiousprog.com/ using the HTML file method (8 days ago). Website verification has failed in a way that indicates that your site might have been hacked. You should examine and repair your site and then reverify it.
I have been keeping a close eye on web hits logged on my site since I first started it three months ago, watching for possible hacks. I chronicled some of the exploits hackers tried on my site in recent posts here and here. I saw a lot of attempts, but no clear indication that anyone had succeeded in compromising the security of the site.
What’s Causing the Problem?
So what problem did the Google web crawler or its associated tools identify as being a possible hack? By outward appearance, the site was in good shape, no spam in any of the posts, no extraneous text inserted or links to malware-laden sites. The Google Search Console didn’t give any more detail about what exactly was wrong, just some generic advice on how to search for malware and other possible issues.
History in the Search Console showed that verification problems started occurring about 10 days before I discovered them. But I had been in the Search Console 3 days earlier and saw no issues – I could still see the search analytics data with the position information.
So I started looking for issues on my site. I did a general security audit of the site with GravityScan (from Wordfence – no longer available, May, 2018) and also Sucuri – nothing found.
I ran some quick MySQL queries to look for “<script>” or “<img>” tags (things that hackers might insert into content in order to spread malware) – nothing was found, no rows returned.
I browsed to some of the blog posts on my site in both the Google Chrome and Firefox browsers. Either of these should have flagged a page as a security risk if there was any issue – nothing, the pages displayed without problems.
The Fix: Delete and Recreate
In the end, I really didn’t find any issues with the site. So I decided to start over, removing the properties in Search Console and recreating them. I then set up a UA (“Unique Account”) number in Google Analytics and used this to verify each of the properties rather than relying on the default uploaded HTML file method. After I finished this, Google Search Console indicated that the properties were verified again, and I even got back the click and position data from the last two weeks that I thought would be lost when I removed the old properties.
Not sure what caused this issue in the first place. The hosting company did regenerate a new SSL certificate for my site – the old one expired the same day that Google started complaining about verification problems. Perhaps Google found the change in certificate to be suspicious?
Update: May, 2018
In May 2018 I lost access to the Google Search Console statistics for my site with a different error message than before:
No search stats are available
Instead of removing and rebuilding the search console “property” for my site as I did the first time, I simply reverified the site using the same HTML verification file that I used when first creating the property. There was an option available to verify the property in the Search console (once the site has been verified, this option to reverify is no longer there).
As you may recall, the HTML verification file is the one that is named like “google6bfae0b8c1c8799d.html” (“google” followed by 16 alphanumeric characters and a “.html” extension). Upload this to the root of your website then verify in the Search console. A copy of this can be downloaded from the Search Console verification page if you don’t have it.
After successfully verifying the property again, a message like this should be displayed in the Search Console window:
Congratulations, you have successfully verified your ownership of https://yoursite.com/
After reverifying the site, I had access again to my current search statistics. This was far better than recreating the property, losing all previous data and waiting days for data to be accumulated again.
A mysterious “verification failed” error in the Google Search Console prevented viewing search analytics there. The error message suggested that the site might have been hacked, but no sign of a hack was found. Removing and recreating the properties for the site made the data viewable again.
A less destructive alternative would be to reverify the site with the HTML verification file (looks like “google6bfae0b8c1c8799d.html”) that’s downloadable from the Site Verification page in the Google Search Console. This retains data accumulated for the site’s property in the Search Console, while deleting and recreating the property discards all existing data.
Seeing search position: log in to Google Webmasters tools and browse to the Google Search Console. Click on a property; Search Traffic > Search Analytics. By default “Clicks” is checked; check “Position” to see a list of queries and their page position (scroll down below the chart to see the table). Click on the “Position” column heading sort the entries by position values (lowest positions on top).
MySQL queries to find posts with “<script>” or “<img>” tags:
SELECT id, post_name, post_title
FROM wp_posts WHERE post_type='post' AND post_content LIKE '%<script %'
ORDER BY id;
SELECT id, post_name, post_title
FROM wp_posts WHERE post_type='post' AND post_content LIKE '%<img %'
ORDER BY id;
I also searched for tags using HTML entity variants of the angle brackets (like ‘%<script %’ or ‘%\%3cscript %’).
Gravity Scan (no longer available – May, 2018)
Using Google Search Console to Diagnose Hacks
WordPress Version 4.8.3 (also 4.9.6, May 2018)
Google Chrome Version 62.0.3202.94
Firefox Version 57.0