Recovering from a Major Traffic Drop: Reflections on SSL Redirects and Hacked Content Issues

— April 11, 2017

Being in the SEO world, you’re bound to run into a traffic drop at some point in your career. We’re in a volatile industry with differing opinions and, unfortunately, lots of misinformation. There are disagreements ranging from what defines “duplicate content” to what the latest update was all about, and Google tends to let the community duke it out rather than providing concrete guidelines. When an organic traffic drop occurs, you need to wade through all the crap put out by Google and SEOs alike to determine the root cause and correct it.

While I’d love to say there’s a definitive process you need to follow to correct organic traffic drops, a cookie cutter answer doesn’t exist. You need to use your knowledge and experience (or hire someone with that knowledge and experience) and assess your particular problem. Luckily, the answer to your problem exists out there; you just need to look in the right places to find it.

The drop

traffic drop

The only way you’ll notice a drop in traffic without a notification from Google is by monitoring your site’s traffic semi-religiously, or by setting up tracking tools to help you monitor changes in traffic. I obsessively check our rankings and set up rank tracking in Moz Analytics to monitor rankings. Moz also sends a handy rankings report each week that shows any fluctuations that occurred. I noticed drop-offs in a few major keywords, but I didn’t think much of it at first – ranking fluctuation happens all the time. However, after digging into Google Analytics, I realized something was very wrong.

Looking at the graph above, you might not realize how serious the drop was. Month over month, we lost over 50% of our organic traffic, and all of our non-branded, money keywords had fallen off the charts. Key pages, like our blog, were nowhere to be found. My initial reaction, of course, was to freak out.

Was the new SSL set up improperly? New update? Thin/duplicate content? *Gulp,* bad links?

Before I could formulate exact theories for what had happened I needed to dig deeper into the data and audit the situation.

The SEO audit

We’re often inclined to think Google is penalizing us for some nefarious SEO work when we see an initial drop in traffic. But that’s not always the case: bad technical SEO can be just as damaging as harmful external links. First things first, I needed data.

You can grab traffic and ranking data from a plethora of tools, but I find Google Analytics to be a tried and true source for learning about specific pages on your site. I grabbed the top 25 organic landing pages and compared the first 15 days after the initial drop with the previous 15 days. Then I exported the data to Excel, looking for the percent change between dates. Here’s what that process looks like:

  1. Log into Google Analytics
  2. Click on the Behavior tab, then Landing Pages
  3. Change the All Users segment to the Organic Traffic segment
  4. Compare your date ranges
  5. Export to Excel
  6. Move the sessions of your two date ranges side by side (copy and paste or use VLOOKUP to pull sessions from date range B next to date range A)
  7. Create a percent change formula in the cells next to your two sets of data (post-drop sessions – pre-drop sessions / pre-drop sessions)
  8. Throw a conditional filter on the percent change column to easily visualize the data

google analytics data

Using this data, I was able to identify what pages had seen the most serious drops in traffic. Unfortunately, it looked like almost every page, particularly our high traffic, keyword-targeted pages, had seen some significant drops.

This indicated that there was something wrong with the site on the whole, rather than a key page or two losing rankings.

The next step was to do a simple “” search in Google to see whether our site was being indexed properly. I wish I had a screenshot, because this was the moment that confirmed Google had deindexed a large portion of our site. The homepage (which should almost always be the first link) was nowhere to be found. Our core pages, the ones linked to throughout the site via our main navigation and externally, were nowhere to be found. The only thing that was showing were old Tumblr blog posts that had been converted into blog posts back in 2014 when Gorilla had revamped the site.

This was a bad moment in the investigation. There’s something personal about your own company’s website dropping off the face of the earth, and being the appointed “SEO guy” in your office results in a lot of sleepless nights.

Assessing the cause

Identifying what type of traffic drop (site-wide, deindexation) had occurred was the first step. The next step involved theorizing what could have caused the drop. This required me to look at what had happened around the time of the drop, both in terms of Google’s algorithmic updates and changes to our site. This is where storing major website updates in Google Analytics, keeping track of links you’ve built and staying up to date on Google’s algorithmic changes comes in handy. Moz has an incredibly useful list of Google’s major algorithmic updates that you should bookmark now if you haven’t already. More than anything, you need to keep track of what’s going on with your site to try to look for correlations.

After looking through our Google Analytics annotations, I noticed two distinct events happening around the time of the drop: 1. We’d purchased and moved the site over to an SSL 2. Hacked content had been URL injected into our site.


I spoke with our developer, ran a Screaming Frog crawl, looked for broken links, but couldn’t come up with anything wrong with how the SSL had been set up. We’d 301-redirected every non-SSL page to its corresponding SSL page and submitted a new SSL sitemap to Google.

Regardless, the SSL going live correlated perfectly with the traffic drop, so we decided to undo the hard 301s, and instead set up a canonical link from the non-SSL to the SSL pages. The idea was that since our old pages were ranking before the move, maybe Google needed to recrawl the HTTP version of our site to associate those rankings with the identical HTTPS version.

I’d read about other webmasters seeing drops after the initial redirects, and it was a simple fix, so worth trying before looking elsewhere. Moz had a similar issue where they lost around 10% of their traffic after launching the SSL, but this seemed more severe and an almost complete deindexation of the site.

The next move was to revisit the hacked content.

URL-injected content

If you’ve made it this far you might be hitting your head against your keyboard and wondering why I hadn’t dipped into Google Search Console yet. This should almost always be your first stop in assessing a penalty, but usually you’ll receive a notification from Google if they’ve levied a manual action against your site. The truth is I’d been there several times, but I hadn’t found anything that would indicate a site-wide issue. Our site had been hacked earlier in the year, but we quickly addressed the hack (404’d all hacked URLs) and didn’t receive any notification from Google that we’d receive a manual penalty.

URL injection essays

However, I did discover a lingering partial match penalty, but, per Google’s guidelines, partial match penalties should only affect the individual pages or sections that have been hacked. In other words, the injected URLs above (anyone want essay writing tips from an industrial marketing agency?) within the /wp-content/ subfolder should be the only ones deindexed or penalized. This didn’t match with the site-wide penalty that I’d confirmed above, but I decided to submit a reconsideration request and request that Google remove all of the 404’d pages from their index. Looking back, I should have done this much sooner.

The recovery

Shortly after undoing the 301 redirects to the SSL version of the site and submitting our reconsideration request for the partial match penalty, we saw positive fluctuations in our sites indexation. Checking in Google Search Console, the HTTPS version of the site was almost completely indexed by mid-December, just in time for me to actually enjoy my winter break instead of agonizing over the sour state of our poor site.


You’ll notice no indexation before November 15th, a result of the SSL going live that day. It took another month before our site was being fully indexed. The question is—and I’m still not sure of the answer—did the slow indexation occur because of the hacked content or the SSL being immediately redirected? Other webmasters encountered similar issues when moving their sites to SSL, and it’s possible Google is still working on the kinks in reindexing sites redirected to their SSL counterpart. It’s also possible that partial match penalty caused a full deindexation of the HTTP site and the HTTPS version suffered as a result. It’s tough to say because we were throwing spaghetti against the wall in a frenzy to reindex our site and recover our rankings. Regardless, I think there are a few key takeaways here:

  • When moving your site over to SSL, canonical from the non-SSL to the SSL before doing a hard redirect. Register your SSL site with Google Webmaster Tools, set it as the preferred version and submit a sitemap. Check your indexation frequently, and only hard redirect once you’ve seen most of your SSL pages indexed.
  • Take, don’t ignore, partial match manual action penalties. It’s possible they can have a greater impact on your site than Google implies in their guidelines, so go the extra mile to scrub your site clean and report back to Google. Google won’t always send you notifications that there’s still an active penalty (and they didn’t even send me a notification that the penalty had been removed), so be vigilant.
  • When assessing the damage, look for correlation and tackle the most obvious issues first. I could have ended up damaging my site’s rankings if I’d gone straight to disavowing links or removed the SSL all together. Make a list of the potential issues, and prioritize the easy fixes and obvious issues first. Don’t overreact.
  • Ask for help. I’m lucky to have consulted with a few friends and my former mentor during this ordeal. They provided sound advice and helped me identify problems.

Organic traffic drops are not-so-fun rollercoasters of anxiety, but it’s important that you keep a level head throughout the ride! For more reading on auditing your site when a drop occurs, read Geoff Kenyon’s technical site audit checklist. Even though it was written in 2015, this was a guiding light for me during this process.

Let me know in the comments below if you’ve encountered similar issues with partial match hacked content penalties or SSL redirects.

Digital & Social Articles on Business 2 Community

Author: Thomas O’Shaughnessy

View full profile ›