Granted, there was a spike in WordPress installation SEO “poisoning” attacks in 2014, but should website owners be concerned? These attacks have targeted a number of content management systems, not just WordPress, but of course WordPress is the most popular CRM in the US (and pretty much any other country). Hackers were grabbing a bunch of headlines last year, and there’s no sign of that slowing down this year. However, one multi-IP hosting company (ASEOHosting) is taking a proactive approach by posting advisories to increase SEO poisoning awareness.
So, how does it work? CMS vulnerabilities are exploited via malicious codes that change what’s lurking on your web pages. They can post just about anything and make it look like the website owner did it—including illegal content! However, there’s a common approach hackers seem to love: Jamming a bunch of links into sites in order to up the search ranking of those hacker-preferred site. Proper link building, when done well and legally, is a great part of search engine optimization (SEO).
In the hands of hackers, it’s black hat trickery at its worst.
Hackers Up Their Game
This kind of link jamming is just the start—if a hacker is especially savvy or dedicated, they’ll pepper in “doorway pages” that send your visitors to affiliate marketing sites, malware pages, advertising that isn’t anywhere near relevant, or just about any site that has potential to make money. However, here’s the catch: You and your website visitors might not see anything wrong at all.
These links are tucked deep into your website so only search engine bots (like Google’s) can “see” it. It’ll flag your website as a subpar one, ruining your SEO rankings and maybe even getting you kicked off a search engine entirely. Once you get a penalty from the likes of Google, it’s really difficult to get back in their good graces.
New Dogs, New Tricks?
According to the VP of Customer Relations for ASEOHosting, “SEO poisoning is an old black hat SEO technique that has seen something of a resurgence in recent months. We’re aware that thousands of sites that have been victim to SEO poisoning attacks, and we feel that it’s important the web community is educated about the technique and its implications.” If not caught and addressed quickly, it lets other hackers know that a third-party with malicious intentions has secured admin access. Of course, it’ll also ding your ranking and ultimately trickle down to destroy your reputation.
At the tail end of 2015, Jay Wine (webmaster) found 174 websites in under 15 minutes that were victims of SEO poisoning. He reported the problems to each website owner, noting every single one of them had no clue about the issue. However, even as he was taking care of a smidge of the issue, he estimates that more URLs were being added to other sites, attacking them, and there were probably around 10,000 sites that are dying of SEO poisoning.
In order to decrease your risk of becoming a victim, follow your CMS’ best security practices. This means keeping up with password management and upgrades are always implemented.