If your website has been hacked, you may find that strange or malicious pages have been indexed by Google. Once the site is cleaned up, one of your next steps should be to get those pages removed from search results.
One of the quickest and clearest ways to do this is by using your .htaccess file to return a 410 Gone status for any URLs that shouldn’t exist anymore.
Here’s how it works and why it’s better than simply returning a 404.
What is a 410 Gone Status?
A ‘410 Gone’ is a type of HTTP response code. It tells search engines and browsers that a page used to exist, but it has now been permanently removed and it’s not coming back.
This is different from a ‘404 Not Found’, which just says “we can’t find this page right now” without making it clear whether the page is gone for good or just missing temporarily.
Why Use a 410 Instead of a 404?
In the context of cleaning up after a hack, a 410 is the better choice for a few reasons:
- It speeds up deindexing: Google is more likely to remove a URL from its search results quickly when it sees a 410.
- It’s an intentional signal: A 410 clearly says, “This page is gone on purpose,” whereas a 404 is more ambiguous.
- It helps your SEO recovery: Getting rid of bad or spammy URLs from search results faster helps restore your site’s reputation with Google.
How to Return a 410 Status Using .htaccess
Follow these steps to edit your .htaccess file on your DomainsFoundry web hosting to return a 410 response for specific URLs.
Step 1: Open your .htaccess File
See How-to edit your .htaccess file to open your site’s .htaccess file in File Manager or via FTP.
Step 2: Add 410 Rules
To mark specific URLs as ‘gone’, add lines like these below to your .htaccess file:
Redirect 410 /old-hacked-page.html Redirect 410 /spam-folder/ Redirect 410 /malicious-script.php
Each line tells the server to respond with a 410 status for that URL. The paths are relative to your domain so /old-hacked-page.html would apply to https://yourdomain.com/old-hacked-page.html.
If you’ve got a long list of hacked or unwanted URLs, adding them one by one with individual Redirect 410 lines can get messy fast. Fortunately, you can also set bulk 410 ‘gones’ using .htaccess.
Use a RedirectMatch Rule with Patterns
If the hacked URLs follow a pattern,for example, they’re all in a specific folder or share a naming convention, you can use a RedirectMatch rule with a regular expression:
RedirectMatch 410 ^/spam-folder/ RedirectMatch 410 ^/wp-content/uploads/2023/06/.*\.php$ RedirectMatch 410 ^/hacked-[0-9]+\.html$
Explanation of the rules:
- ^/spam-folder/ — removes everything inside /spam-folder/
- ^/wp-content/uploads/2023/06/.*.php$ — removes all PHP files uploaded in June 2023
- ^/hacked-[0-9]+.html$ — removes any page with names like hacked-1.html, hacked-123.html, etc.
Step 3: Save the File and Upload
If you edited your .htaccess file via FTP, upload it back to your DomainsFoundry web hosting. Otherwise, if you’re using File Manager, just save the changes.
Step 4: Check It’s Working
You can confirm that a page is returning a 410 by opening the link in your web browser. You should see a 410 Gone response.
Extra Tips
- Use Google Search Console: You can also request temporary removal of URLs through the Removals tool in Search Console. This is useful for getting results taken down even faster.
- Double-check your clean-up: Make sure the rest of your site is free of malware and that no malicious files have been missed.
- Monitor crawl errors: Keep an eye on your Search Console reports to make sure nothing new pops up
Final Advice
- Test your rules to make sure they’re working properly. A small typo in a RedirectMatch rule can accidentally block valid pages.
- If you’re unsure about the patterns, start with a few lines and expand once confirmed.
- If you’re a DomainsFoundry web hosting customer, contact our support team and we can provide further help and advice.
