There are many reasons a hacker might want to gain access to a WordPress site, but one that seems particularly topical at the moment is the SEO poisoning attack — a black hat SEO technique to improve the search ranking of sites associated with the attacker or to use a site’s existing search engine optimization to introduce false results into search engine result pages.
A number of high-profile SEO poisoning attacks have been discovered over the last few months, involving thousands of WordPress sites, so it’s a good time to familiarize yourself with what an SEO poisoning attack is, what it looks like to webmasters, and what you can do to reduce the risk.
What Is An SEO Poisoning Attack?
The more links a site has pointing to it, higher its search engine ranking will be. That’s a massive generalization, but for our purposes it’s accurate enough. One of the aims of SEO is to get as many incoming links to a site as possible, which can be achieved by creating and promoting great content, or it can be done in a more underhanded way.
A basic SEO poisoning attack involves infecting sites with code that will create dozens or hundreds of links to the attacker’s site with relevant anchor text. When Googlebot comes visiting, it will see the links and follow them. They will cause Google to consider the site in question to be much more popular than it really is and give it a higher position in the search rankings.
A more complex attack involves injecting code into a site that will create doorway pages that contain content the attacker wants to appear in search engine results, but which when clicked will redirect the visitor to another page altogether — one that often contains malware or other undesirable material.
Both of these attacks are harmful to your site’s SEO, its reputation, and its revenue. Your site will start to rank for irrelevant search terms, and in the most successful attacks, the sitelinks of a popular site will contain content that benefits the attacker, rather than the site owner. They also indicate that your site is vulnerable to other forms of attack.
What’s worse, your site can be full of SEO poisoning links and pages and you and legitimate visitors will be totally unaware. The attackers include code in the scripts they inject that will only display their content to search engine crawlers like Googlebot: to ordinary visitors it will look perfectly normal.
How Are SEO Poisoning Attacks Carried Out?
To initiate an SEO poisoning attack, the attacker has to be able to add code to your site, which usually means exploiting an existing vulnerability.
Common causes of vulnerability include:
- Not updating your site. Updates remove bugs and security vulnerabilities.
- Installing free or pirated themes and plugins. Online criminals love nothing more than site owners infecting themselves. They include malicious code in free themes and plugins and wait for users to install them. Avoid getting free themes and plugins from anywhere but reputable repositories, and avoid installing pirated premium themes altogether.
- Brute force attacks. If your site has insecure, easily guessed passwords then a bot can brute force it to gain administrative access.
Following basic security precautions such as updating your WordPress installation and adhering to password best practices will remove most security vulnerabilities.
Are You The Victim Of An SEO Poisoning Attack?
You won’t be able to tell if you have been targeted by simply loading your site in a browser: hackers are sneaky. If you are worried that your site may have been compromised, take a look at this Sucuri post that explains how to discover if you’ve been targeted.