How would I know if my client`s site has been penalized?

Selected answers from the Dumb SEO Questions Facebook & G+ community.

• 
  Rotimi Orimoloye: Hi everyone.
  I very recently got a client who has a website that was developed/designed sometime in 2012 using Dotnetnuke by some American company who seem to claim to have done some seo with the site. (a few title & description tags here and there)
  
  However, I suddenly discovered that there are 2 pages buried somewhere within the site that are talking about payday loans (the site has absolutely nothing to do with loans in America because it is about training in Africa). Anyway, I discovered those pages through Google Webmasters Tools so I am concerned that Google could penalize the site for that reason.
  
  But I discovered something even more bizarre: The website has an xml sitemap alright, but the sitemap is for a completely different website. ;
  
  I have chosen to give the benefit of the doubt and assume that these guys uploaded the wrong sitemap by mistake. But my question to the experts is, assuming such a thing were to be deliberate, what would you say they were trying to achieve by submitting another site's sitemap to Googlebot? And how would I know if my client's site has been penalized for either the Loan pages or this bizarre sitemap?
  
  It doesn't rank for any of its industry keywords yet. But it ranks fine for its branded keywords. So should I assume there is no penalty?
  
  Thanks in advance +Jim Munro ;and the panel. :)
• 
  Jim Munro: I would check the site via the free scan at ;http://sucuri.net/ , Rotimi. I'm not sure how good they are with .NET but on most sites they are able to return a list of the pages that have been hacked and the type of hack it was. If you are not into security, usually this is a good time to seek outside help.
  
  If it turns out that this is not a hack, then it is likely that someone there has gone into business for themselves. Either way, the site will be penalised for it.
• 
  Lisa Parmley: Checking is great. Usually if it ranks in the top spot for it's branded keywords then it's not penalized. I'm not sure this would be noticed by an algorithm, but definitely from a manual review. Since it wasn't ever ranking high for anything it probably never had a manual review. I think if you fix things and then move forward you'll be OK. ; Someone else was using the site to build links back to these other websites. It may not have been the previous developers, but there may have been a hack into the site. Either way, change all the passwords (FTP, CMS, etc...). Cleaning it up and moving forward would be my advice.
• 
  Rotimi Orimoloye: Yes. I'll definitely do that.
  
  I've used the Sucuri.net scan, and everything seems to be ok. It doesn't look like the site has been hacked, and there are no outbound links in those pages.
  
  Nevertheless, I am thinking of some form of security, and I am considering Cloudflare. Do you have any suggestions? 
• 
  Dave Elliott: I use dnn a lot. Securinet works fine. The only times I have had security problems is with people on cheap hosting usually due to script injections into the database tables that store the content. If you have decent hosting and decent passwords on everything dnn 6/7 is secure. If it is an old site then upgrade now! We don't run cloud flare on any of oursites but we own our own dnn server so know exactly what is going on at all times!
• 
  Jim Munro: Sucuri does not get them all although it finds most. I would not rely on their statement as a clean bill of health particularly with the presence of the PayDay Loans pages.
  
  For example these two links show a pharma-hacked site with a tick from Sucuri.
  http://sitecheck.sucuri.net/results/darrenwoodson.com/
  http://web-sniffer.net/?url=http://www.darrenwoodson.com/&submit=Submit&http=1.1&gzip=yes&type=GET&uak=9
  
  The absence of outbound links should not convince you that you are safe, either. I've seen them doing that on their own sites too lately. I don't know why they do that but maybe the aim is to rank first and strike later.
  
  If you cannot get to the bottom of it, I would recommend that you hire in a specialist.
• 
  Rotimi Orimoloye: Thanks +Jim Munro ;and +Dave Elliott ;
  I've found the links. They were very well hidden, but I finally found them. They are pointing to a site in the UK which a google search showed me was a blacklisted site.
  I even discovered there are more than 8 of these payday loans pages.
  
  I tried to delete them from the DNN Edit Page interface, but I can't seem to edit or delete them.
  Whereas the REAL pages of the website can be deleted. Imagine that?
  
  Internet Security is not something that is big in my country, and my client is extremely unfamiliar with any of the things I say when I start talking about their site.
  They are soo uninterested that I am a little bit tempted to leave everything as I found it. But I know that that won't be possible for me to do anymore because I have already dug up this problem.
  
  Anyway I don't know how I'm going to get them to commit to paying for a security expert (especially if he has to be someone in the US or UK) to fix this problem. But I would really love to hear what +Dave Elliott ;knows about deleting webpages on DNN sites.
  
  If i manage somehow to delete those pages, upload a new sitemap, change the website's admin login, and then register with Cloudflare (or someother security outfit) shouldn't that be enough?
  
  Thank you again.
   ;
• 
  Dave Elliott: i would have thought the page links have been added via a javascript or iframe into the skin(.ascx) files on the website. Tends to be how it normally happens anyway. These will probably be in ;/Portals/0/Skins (best to access via ftp)
  
  If not you go in via  ;/admin/pages (might be page management depending on which version of DNN you are using) to delete pages normally.
  
  one thing you might want to consider is blocking the pages via your robots.txt file and get them delisted using webmaster tools as an interim measure until you find a way of deleting them properly
  
  If you have database access you can normally also find all the generated code in the ;HtmlText table and might be able to delete the links/iframe/js from there., but this is bit of a pain and it is easy to break things! (and with .net a little break tends to take down the entire site, it isn't the most forgiving of languages, so make sure you have a .bak file of the site so you can restore if needs be!)
  
  Seriously though, move hosting! It is always down to cheap hosting companies being crap on security that we have had any problems with this kind of thing in the past. If they are on our server we have only had sites hacked because the client changed their admin password to something like password123 and they have brute forced it.
• 
  Rotimi Orimoloye: Thanks for your suggestion Dave.
  The only problem is that, just like with Wordpress, I have not yet discovered how to get to the robots.txt files with this DNN format.
  I am used to easily accessing such files using the website Cpanel login in older, non-CMS websites.
  
  With this DNN, I only seem to have access to the CMS Admin login, not the real backend Cpanel. ;
  
  Would I have to contact the original web developer for that kind of access?
  I am being extra careful not to "break" anything as you've said.
  
  By the way, for what it's worth, those fake pages with the spam links all have URIs that look something like this: ;/UserProfile/tabid/637/userId/2895/pageno/1/Default.aspx
• 
  Dave Elliott: ahh okay. This is spammers heaven and something we do get from time to time.  ;Basically, people are creating user profiles and spamming those.
  
  This is easy to sort and is not really a security issue!
  
  First of all go into. ;/admin/site-settings  ;and find the 'user accounts' section and set 'User Registration' to none. ;
  
  This will prevent anyone else signing up as a user on the site. (unless the site needs people to sign up in which case set it to verified so an admin has to approve the account, which should ward off potential spammers). ;You could also set up a captcha in this section if you wanted to.
  
  If this doesn't work for the client(cause they need people to instantly register) then another little trick is to create an exact replica of the registration page(its just a standard module) but call it something a bit weird (eg sign.aspx rather than register.aspx) and then set the registration page to this page in ;/admin/site-settings 'advanced' tab. Doing this will prevent spammers from finding the page using a programme/script which just uses a Google search query to find the sign up page and auto populates the fields, with their spammy links.
  
  Then go into ;/admin/user-accounts and delete any account  ;that looks dodgy by hitting the bin icon, you can have a quick look at the profile to make sure it is silly by clicking the pencil icon.
  
  As for the robots.txt we alsways do this via ftp but if they haven't placed it in the root, then you might be able to find it through either the admin/host menus in 'file management'.
• 
  Rotimi Orimoloye: I am being denied access to any things that has /admin after the domain.
  :(
  
  By the way, I still don't know how to get to the ftp files or anything in the backend for that matter. All I currently have access to with the "Admin password" I was given is access to change tags and update headers. So would you say I should contact the web developers directly ;+Dave Elliott? Since the clients don't seem the least bit concerned.
• 
  Dave Elliott: yeah, you will need proper admin or super user access to sort out the fake profile stuff, sounds like you have page editor permissions rather than full access. Either request full access or get the devs to do it(it is a 5 minute job, so dont let them charge you any real ammount of money!!). 
• 
  Rotimi Orimoloye: thanks a lot. ;