Magento & WordPress Search Function Hijacking for Link Spam

Introduction

Over the last couple of days, we noticed a new trend across a couple of client sites running WordPress and Magento.

Either in the Crawl Stats section of Google Search Console or using a site: command, we’ve seen results like this:

I’ve substituted our client’s site with a fake site called demosite.co.uk, which doesn’t exist.

[Screenshot: hacked site results in Google]

The link then goes to something like this:

https://demosite.net/catalogsearch/result/index/?q=%E6%B4%A5%E5%B7%B4%E5%B8%83%E9%9F%A6%E5%93%88%E6%8B%89%E9%9B%B7%E5%AE%9A%E5%88%B6%E9%A9%BE%E7%85%A7-(%E2%98%80%EF%B8%8F%E5%88%B6%E4%BD%9C%E7%BD%91%E7%AB%99bbjjzz.com%E2%98%80%EF%B8%8F)-%E5%8D%B0%E5%BA%A6%E5%AD%9F%E4%B9%B0%E5%88%B6%E4%BD%9C%E9%A9%BE%E7%85%A7-%E5%8C%97%E9%A9%AC%E5%85%B6%E9%A1%BF%E6%96%AF%E7%A7%91%E6%99%AE%E9%87%8C-%E5%8A%9E%E5%81%87%E7%9A%84%E8%B6%8A%E5%8D%97%E9%A9%BE%E7%85%A7-(%E2%98%80%EF%B8%8F%E5%88%B6%E4%BD%9C%E7%BD%91%E5%9D%80%E2%9C%94%EF%B8%8Fbbjjzz.com%E2%98%80%EF%B8%8F)-%E6%96%B0%E8%A5%BF%E5%85%B0%E5%85%8B%E8%B5%96%E6%96%AF%E7%89%B9%E5%BD%BB%E5%A5%87%E9%A9%BE%E7%85%A7%E5%81%9A%E5%81%87-%E6%99%BA%E5%88%A9%E9%A9%BE%E7%85%A7%E5%88%B6%E4%BD%9C

This command will show you all the pages indexed in the last 7 days. Simply replace domainname.com with yours:

https://www.google.co.uk/search?q=site:domainname.com&tbs=qdr:d7

How Are They Doing This?

The spammers are taking advantage of two things:

  1. A lot of sites don’t disable the search functionality in WordPress or Magento even if they are not using it.
  2. Depending on the setup, the search results page may echo back the original query that was entered.
    1. This will depend on how customised your WordPress or Magento setup is.

You’ll then get a page that looks something like this:

[Screenshot: hijacked search result]

The spammers then create a list of links on their site to your site that look something like this:

  • https://www.demositexzy.com/catalogsearch/result/?q=this%20is%20my%20spammy%20content (Magento)
  • https://www.demositexzy.com/?s=this%20is%20my%20spammy%20content (WordPress)

We discovered the links via the URL Inspection tool in Google Search Console.

[Screenshot: results from the Google URL Inspection tool]

Google and Bing follow these links to the site, crawl the pages and in some cases have indexed them.

Why Are They Doing This?

We assume they are doing this to piggyback on Magento and WordPress sites that are already indexed in Google or Bing.

No doubt they are hoping that Google will then pick up the spam content on the page, and that the mentions on the page will push their site up the rankings.

Steps You Can Take

While you can’t stop people from linking to the site, there are three practical steps you can take.

1) Add a Disallow in the robots.txt
This tells the search engines to ignore the search results, and it should probably be in there anyway unless you have a very good reason to want your site search results indexed.

Magento:   Disallow: /*/catalogsearch/result/?q=
WordPress: Disallow: /*s=
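To check which of the spam URL shapes described above each Disallow line actually matches, here is an added Python example (not from the original post) that implements Google-style robots.txt wildcard matching and runs the post’s two rules over constructed sample URLs; the sample URLs and the broader /catalogsearch/result/ rule are assumptions added for comparison.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Disallow patterns exactly as quoted in the post (Magento, then WordPress).
POST_RULES = ["/*/catalogsearch/result/?q=", "/*s="]
# Broader Magento rule added here as an assumption, for comparison only.
BROAD_MAGENTO_RULE = "/catalogsearch/result/"

def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Compile a robots.txt path pattern as Google documents it: '*' matches
    any run of characters (including none), a trailing '$' anchors the end,
    everything else is literal, and matching starts at the beginning of the
    path. Only Disallow is modelled; Allow precedence is left out."""
    anchored = rule.endswith("$")
    if anchored:
        rule = rule[:-1]
    body = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))

def request_path(url: str) -> str:
    """Path plus query string, which is what robots rules are matched on."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def blocking_rule(url: str, rules: List[str]) -> Optional[str]:
    """Return the first Disallow rule that matches the URL, or None."""
    path = request_path(url)
    for rule in rules:
        if rule_to_regex(rule).search(path):
            return rule
    return None

# Constructed sample URLs in the shapes the post describes (hosts are fake).
SAMPLE_URLS = {
    "magento_plain": "https://www.demositexzy.com/catalogsearch/result/?q=spam%20text",
    "magento_index": "https://demosite.net/catalogsearch/result/index/?q=spam%20text",
    "magento_store": "https://demosite.net/en/catalogsearch/result/?q=spam%20text",
    "wordpress": "https://www.demositexzy.com/?s=spam%20text",
    "wp_collateral": "https://www.demositexzy.com/?posts=10",  # not a search at all
    "normal_page": "https://www.demositexzy.com/blog/hello-world/",
}

def report(rules: List[str]) -> Dict[str, Optional[str]]:
    """Map each sample name to the rule that blocks it (None = crawlable)."""
    return {name: blocking_rule(url, rules) for name, url in SAMPLE_URLS.items()}

if __name__ == "__main__":
    for name, rule in report(POST_RULES).items():
        print(f"{name:14} -> {rule or 'ALLOWED'}")
```

Running it shows that the Magento rule as written only matches URLs with a path segment before /catalogsearch/ (such as /en/catalogsearch/) and no /index/ before ?q=, while /*s= also catches unrelated URLs such as /?posts=10. A URL blocked in robots.txt is not crawled, so a noindex tag on the search page is only seen by the crawler on URLs the Disallow does not cover.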

2) Add a noindex tag to the search results page
Adding the noindex meta tag to the search results page sends a pretty clear message that you don’t want the page indexed:
<meta name="robots" content="noindex">

3) Use the Google Search Console Removal Tool

Google Search Console allows you to submit a request to remove all results if they follow a pattern.

[Screenshot: Google Search Console removals]

When adding a new request, use the “remove all URLs with this prefix” option and then enter the URL of your site’s search results page.

[Screenshot: Google Search Console removal pattern]