Tracking Down Rogue Spam Links
-
In Feb, 2015 www.mommyupgrade.com site received the following notification in GWT:
http://www.mommyupgrade.com/: Suspected hackingFeb 4, 2015
Google has detected that some of your pages may contain hidden text or cloaking, techniques that are outside our Webmaster Guidelines.
Specifically, we detected that your site may have been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
Sample URLs:At that time, the site was checked by the host and site owner and any suspicious links removed. We thought the problem was resolved until a MOZ crawl on March 22 which highlighted a number of hack links again.This is the link format: http://www.mommyupgrade.com/?p=online-slots
All are related to gambling, casinos and slots.
To find the links, we downloaded the MOZ crawl report and found that all the links were referred from this page: http://www.mommyupgrade.com/how-to-make-rainbow-lollipop-cookies/
Searching that post shows no sign of links to the rogue pages.
I would really appreciate some advice on how to find the source of these links and delete them from this site once and for all. Also, please explain how it is possible for a post or page to refer to another page without that link showing up in the code? (Is this some black hat technique that I need to know about in order to protect my sites?)
Also... at the moment Google Webmaster Tools are not reporting any security issues for this site.
Any help appreciated.
-
You're welcome. I'm always amazed at the diversity of people that read and comment here. A lot of talented eyes are considering the questions for sure. Cheers!
-
@Ryan, that link is very useful and once we have the site clean we can use it regularly to check that no new issues presnt themselves.
@Richard, thank you for this information. It helps a lot.
Great community support. I wish I had asked this question days ago.Thank you MOZ.
-
There are some base 64 encoded URLs on the page. They show in the source code like below. That would be my guess as to what is creating the links, which are obfuscated for users. These types of attacks are usually called in your functions.php file or within a hacked plugin, or could actually be inserted into the css as well.
background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGgAAABoCAYAAAAdHLWhAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAACGRJREFUeNrsnb9rVEsUxyfrQ7AO+AOzAaPGqJhCTKFNSsXCvyBapRDhaZNCbR7pXvE6wcoqRFRiIqQIRlSIRRpBMMEkb/1RKGpUonZqRH3nu+9eifHu3jlzztydDXNgWAi5e89nPndu9s7OnLT8+PHDxAg3SrELoqAYUVAUFCMKihEFRUExtOMPzTd79uzZeno5RK2HWje1Tmplaq3JryxRe0GtQm2G2n1q0x0dHcuhdUwoLC0aD6oE00Uvx6gdpdbLPHyK2gS1cYJbCEBMUCwiQQSzmV5OUOujtk+Yyyy1YWpDBLfYADFBsjgLIqDD9HIqudo0Y5zaRQKbLFBOsCxOggion14GqO3y1Gf/UvuHwC4VICdoFrYgAvqTXv5a8cfSV+CP8CCBXfAoJ3gWlqCnT5/iavu7AKCVYGe3b9+uPpKahaXEADqc3ApEQO/evTPj4+O2v45zDSTn1pTDZkHOyF0QTixWgp48ebKZRtoparsw4lzb27dvzcjICPc4nPMUctCQI2FB7mAQ9AGbxUoQvekJasc05Hz+/Dl9T07DuU9oCHJlQSB3BUksllxBlUqli96wTyrn+vXr5suXLys7itv6kItEjoQlDTCARSjJmqVkccXB+D6JnNHR0V/kOApCDseEo8eZZWWABUwCSdYsdQUtLCyspzc6KpEzNjb2mxxHQWhHkZOLHCnL6gAT2ASSrFjyRtAhh/moaszPz5sbN25kyjlw4IDrIOhNcnIJZ5ZaOYMNjGD1xVLKuSX0uFwdc3Nz5vbt25lyjh8/bnbs2CG5f/c43t56JH9HkTNyz5IEVjD7YMkT1M09Ka6mO3fuZL4fANvb283Hjx8lgrodBXVLBCFn5J4lCQFmsGuz5N3iOpn3eSs5wugs+LifYSMJfaCZU94IKmuNnHK5bD58+CAZOWkrO46gssK5qwxgURpJZekIarUdOXfv3q0rR2HksHJSPC5zJNWThL6wHEmtUkFWMT09nfnznTt3assJJlJJYOT0CTfyBC3ZvMmZM2fMhg0bfvv548ePq88KHmaFizyuZoANjKsDfYE+0cgpT9ALm7N8/frVnD59OlNSvdufY7wo+DjWbQx9gL5An2jklCeoYnMWTCKmklpbW31LqhR8nLUcsKdy0klhaU55gmZsk04lDQwMmLa2Np+SZgo+zkoOmMHOkGOVU56g+5zkkdirV6/MyZMnfUq6X/BxVnLADHaGHKuc8gTho8gU54zfvn0zb9688SVpKsnJ6cMml4UjB8xg12apK2jv3r1YJTnBhcmTlDVHZxkTSU7scGWpl7NAjjWLzXMQFhDMakoqlZwev2aTXCThxJKVs1CONUvJ4srDuB52gcobScwYTnJxDgmLohwWi+2lPOR69SpJGk9y0IghyUhUkMNiKVleeVhffNH8v0qyaEk458UkB3FIWBTksFlYCxcfPXokWuy3bt06s2nTJjM1NVVzDitjKuQsAakvXOSyYEqnt7dXIseJhb30l8BEy2UhCU/c+C7fAmiQgLwt/eWwbNy40SwtLUnkOLE4LZ5Prj7vC859jJxmY3HefkJgXrdsEFBh209CZhFt4CIwL5uetD4QrAUWlS2QBKeybVD6nKMkKiiWFs1iSgTntPHWdfrGs6ggWFpitauwI9ZJiIJiREFRUIwoKEYUFAXFiIKioBhRUIwoaM2EasXFZNcye4Kxq6sruMnSUFhUJksJRmWKnuAWAhATFItIEMF4+ZKL4BYbICZIFmdBBOT1a2ICmyxQTrAsToIIqJCFFgR2qQA5QbOwBRFQoVUKCeyCRznBs7AEzc/PN6RK4e7du9VHUrOwlBhAKhUXFxcXzbVr12x/vVqlMDm3phw2C3JG7oJwYrESNDc3p1Jx8fXr12Z4eNipSiFy0JAjYUHuYJBWXOSwFFZxMZXT7BUXFSTpVlycnZ3t+v79ex8149qwd/Py5cu/7FJzeJ8+5CJ6OBGwpAEGsIBJ0CfWLN4rLuJqu3LlypqruAgmwUjSqbj48OFDUZVCAFy9elW14iJycpEjZVkdYAKbQJIVi7eKizMzM9VPPllyDh486DoIGlZxMStnsIERrL5YvFRcpCvD3Lx5M1NOf3+/oWeBpqu4iJyRe5YksIK5KSou4mqanMyeegJgR0eHef/+fdNVXETOyD1LEgLMYA+64iJ9MrGSI4yGVVy0kYQ+0MxJreJi3sjZtm1bdQths1dcBANYlEZSMRUXcdXcunWrrhyFkcPKSfG4zJFUTxL6wnIkFVNx8d69e9njt7NTW04wkUoCI6dPuKFScfH8+fOZxfwqlUp1asTDrHCRx9UMsIFxdaAv0CcaOalUXFxeXjbnzp3LlIQKuBMTE5r9EkTFRTBlVZxHH6Av0CcaOalUXPz06dNPSVkVF5UlNbziYi05YE/loE80clKruJhKGhwcrFbD9SipoRUXa8kBM9gZcqxyUq24iMSeP39eLQ3pUVLDKi7WkwNmsDPkWOXkpeLiy5cvfUlqWMXFPDlgLrzi4v79+50rLtaTJKm4mOTEDleWejkL5FizeK24WEvSWqi4KJSjV3GRLIsqLtYbSdzHjiQX55CwKMphsRRScVFBUjAVFxXk6FdcJNviiosCSdUqhUkO4pCwKMhhs7AWLj548EBccXHr1q3VL7j27NljOxVyloDUFy5yWfAv0I4cOSKR48TCXvpLYOKKi6heiO/yLYAGCcjb0l8Oy5YtW6pVIiUVF11YnBbPJ1ef9wXnPkZOs7E4bz8hMK9bNgiosO0nIbOINnARmJdNT1ofCNYCi8oWSIJT2TYofc5REhUUi2pBP4Jz2njrOn3jWVQQLLHiYuAR6yREQTGioCgoRhQUIwqKgmKox38CDACL7v6JnTZ+vgAAAABJRU5ErkJggg==)
-
You can also run a search like this to get at these pages: https://encrypted.google.com/search?hl=en&q=site%3Amommyupgrade.com inurl%3A%3F%3Dp
The root cause is a hack of your Wordpress installation, most likely a plugin. Here's a good discussion around how this takes place: https://wordpress.org/support/topic/someone-has-hacked-the-site-and-inserted-a-link
Recently a vulnerability was found in the Yoast plugin (see: http://thehackernews.com/2015/03/wordpress-seo-by-yoast-plugin.html ), so you'll certainly want to upgrade that and preferably set your updates to automatic.
Good luck!
Got a burning SEO question?
Subscribe to Moz Pro to gain full access to Q&A, answer questions, and ask your own.
Browse Questions
Explore more categories
-
Moz Tools
Chat with the community about the Moz tools.
-
SEO Tactics
Discuss the SEO process with fellow marketers
-
Community
Discuss industry events, jobs, and news!
-
Digital Marketing
Chat about tactics outside of SEO
-
Research & Trends
Dive into research and trends in the search industry.
-
Support
Connect on product support and feature requests.
Related Questions
-
How to reduce Spam score
hello guys recently i buy a expire domain rowlyrics but i dont know the spam score of this domain. now its spam score is 46. how m reduce the spam score pls help me guys
Content Development | | msingh90401 -
Paid Guest Post Links - Value?
Hey guys, Just wanted to put the question out there about guest blogging opportunities that are paid for. It's not something we ever go for but a client has the resources to get a few quality paid backlinks. What are people's general thoughts on guest blogging - for a nominal fee - to do so? Pros and cons of the whole process? Cheers!
Content Development | | wearehappymedia0 -
Are press releases that could end up being published with duplicate content links point back to you bad for your site ?
With all the changes to the seo landscape in the resent years im a little unsure as to how a press release work looks in the eyes of Google (and others). For instance, you write up a 500 word press release and it gets featured on the following sites : Forbes Techcrunch BBC CNN NY Times etc ... If each of these cover your story but only rewrite 50% of the article (not saying these sites wouldn't re write the entire artcile, but for this purpose lets presume only 50% is rewritten) could it be negative to your backlink profile, ? Im thinking not, as these sites will have high authority, but what if once your press release is published on these sites 10 other smaller sites re publish the stories with almost no re writing, either straight from the press release or straight from the article in the mainstream news sites. (For clarification this Press release would be done in the fashion of a article suggestion to relevant journalists, rather than a blanket press release, via PR Newswire, mass mail out etc. Although i guess the effect with duplicate content backlinks is the same.) You now have c. 50 articles online all with very similar content with links pointing back at you, would this have a negative effect or would each link just not carry as much value as it normally would. By now we all understand publishing duplicate content on our own sites is a terrible idea, but dose have links pointing back to your self from duplicate (or similar) content hosted on other sites (some being highly authoritative) effect your site 's seo ?
Content Development | | Sam-P1 -
Spam reviews
We would like to see any tips or experience with filtering out spam reviews. We operate a website where consumers can post their reviews on / experience with certain companies. We do receive a fair share of fake reviews (the "to good be true reviews" about certain companies and also sometimes negative review about their competitors).We filter these as good as we can. For some companies, we receive a large number of reviews which individually seem to be ok (text-wise but also when checking IP addresses and e-mail addresses), but if you read all these reviews in sequence then there is something off, i.e. they seem to lack the linguistic variance that is normally present in consumer written reviews. We feel someone is trying to manipulate here but this someone is covering his tracks. Do you have experience in this regard or can you provide us with additional data points to look at?
Content Development | | NewBuilder0 -
Keep or remove a link directory with 700 entries?
Hi, I've a site which has a link directory included. About 700 entries. Each entry has an own page with a title, description and of course a link to the extern site. The link is not marked as "nofollow". The site is only linking to similar / relevent other sites. Now the seo question: Keep the link directory as is? Add a nofollow to the links? Remove the link directory? (and about 700 pages) Best wishes, Georg.
Content Development | | GeorgFranz0 -
What are the advantages/disadvantages of a blog residing on a website as opposed to free-standing and linked to site
I have a cleint with a web site and with 3 freestanding wordpress blogs - should we be housing those blogs on the site? should we combine them (its an insurance compnay with several business units). thanks
Content Development | | thirsty30 -
Deleting a Wordpress Blog Page with no inbound links?
What are the concerns I should have in deleting a WordPress Page that is no longer relevant or a duplicate? Note: This would be a page that does not have any inbound links to it.
Content Development | | CMCD0 -
Blogging competition - risky link acquiring method?
We are planning to launch a competition where bloggers can blog about our products and about our company. One winner will be selected to win a gift card to our web shop. In order to participate the blogger has to put a link to the blog post that points to our front page or into one of our product pages. Does Google have a guideline against such "link acquiring" methods?
Content Development | | EuropeanSEOguy0