Ever had an uninvited guest crash your party, resulting in chaos, confusion, and some unhappy visitors? Well, SEO spam is that party crasher — just for websites.
Why should you care, you ask? Well, just imagine your meticulously crafted website content being replaced with unsolicited ads for services and products that would make your grandma blush. Or even worse, your loyal site visitors being redirected to shady third party websites. Not the picture of ideal user experience, right?
But that’s not all. Spamdexing can also wreak havoc with your search engine rankings. And we all know how that story ends: with your website sinking faster than the Titanic in search results, along with blocklisting warning by Google and other search authorities.
In this post, we’ll lift the veil on SEO spam, exploring its dark corners, revealing its impact on your website’s SEO and visitors, and most importantly, arming you with the knowledge to fight back against spammers.
Contents:
- What is SEO spam?
- What’s the purpose of SEO spam?
- What are the types of SEO spam?
- How to find and fix SEO spam
- How to protect your site from SEO spam
What is SEO spam?
If you’re wondering what SEO spam is, a good way to gain an understanding is finding this wily beast in the wild. In your favorite browser, search with the terms buy viagra cialis. (You might want to check over your shoulder first.)
Now, without clicking anything, scroll through the results. What you might encounter after the first couple of pages are a number of non-pharmaceutical websites advertising these medications.
You’ve just spotted a few likely examples of spamdexing, where innocent websites have been hacked and injected with keywords intended to lure traffic to bad actors’ domains and redirect to their web pages. These innocent sites aren’t actually in the male enhancement business, they’re infected websites and unwilling participants in the hackers’ dirty SEO scheme.
What’s the purpose of search engine spam?
Search engine spam is an attempt to manipulate search engine rankings, so traffic is lured to a bad actor’s domain. To do this, hackers gain access to a normal, healthy website, and then inject keywords and links to another web property they’ve set up for affiliate marketing, to monetize search traffic, or other malicious behavior.
This practice is known as spamdexing. Bad actors aim to manipulate search engine results to rank their web properties higher, providing zero value to searchers in the process. Spamdexing can include keyword or meta-tag stuffing, injected links, and even doorway pages.
So, why don’t hackers just create their own websites? Well, they don’t always have much success with this. Search engine algorithms are designed to ignore scammy websites to protect search visitors and website traffic. That’s why hackers manipulate search engines through spamdexing.
By gaining access to legitimate websites and injecting links and keywords, bad actors create a path to their scammy web properties. Rather than getting ranked the way most legit websites do, bad actors piggyback off a normal site’s credibility in the eyes of search engines.
What types of SEO spam are out there?
Turns out, search engine spam can appear even in the last places you’d imagine. We’ve even seen hackers get pretty creative with infecting WordPress websites. But let’s ignore the edge cases for now and instead focus on the most common places you might see spamdexing.
Spammy keywords
Keywords are central to spamdexing. When shady keywords appear in the content of a credible website, search engines assume it’s safe to index the site for those terms. And when people search online — say for male enhancement or other meds, sports gear, essay writing, loan services, (the list gets long…) — results often include scams where they’ll pay for something but never receive it.
Spammy links
Links are super important to scammers. Otherwise, there wouldn’t be a way to drive legitimate traffic to their shady web properties.
One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website. This way, humans won’t see the spam links, but crawling bots that read the HTML of the website will — and these SEO spam links will be attributed to your website.
You’d think Viagra shoppers would know better than trying to buy meds from a museum or floral shop, but our own research shows SEO spam remains the number-one type of website infection — and can seriously harm your website visitors (and rankings).
Spammy ads
If a hacked website displays banner ads or calls to action (CTAs), hackers can easily replace the content or create new elements in order to drive traffic to their scams. This can be particularly effective, often because these clicks happen once a shopper’s mind is made up. They might not even question why a CTA is displaying where it is.
Spammy posts & pages
For the nuclear option in spamdexing, hackers can create and optimize entire web pages or blog posts dedicated to getting ranked for a spammy search term. This is especially effective when a legit site already has a good search engine ranking, as much of a hacker’s work is already done.
How to fix SEO spam
If your site has been infected with search engine spam, it’s critical to act quickly. This isn’t something that’ll eventually fix itself. It isn’t a task you can put off until the time for handling it magically appears.
Every second your website remains infected with SEO spam, you risk serious penalties. You could get blacklisted by search engines, so you don’t show up in their results. Or visitors could go to your site to do business, see the SEO spam, and then leave never to return.
Removing SEO spam can take time, so be proactive with it. Follow these instructions to find and fix SEO spam on your site.
1 – Make a website backup
Having a functional backup that you can restore from can be a lifesaver. Before you make any changes to your website, backup your website files and database.
If you have WP-CLI installed on your server, you can connect to your website’s root via SSH and easily backup your WordPress database and files for free.
2 – Run SQL commands to remove unwanted spam posts
After backups have been made for your posts table and other website files, survey your website files and pinpoint the date of the infection. Then, run these SQL commands to remove spam posts found after a certain date.
- Log in to WordPress and view your posts.
- Determine the common spam content theme.
- Open Adminer or phpMyAdmin and take note of your database prefix. (It’s often wp_ unless you have a custom prefix.)
- Enter the following SQL command to move spam posts to the trash after a certain date:
UPDATE `wp_posts` SET `post_status` = 'trash' WHERE `post_status` = 'publish' AND `post_type` = 'post' AND `post_date` > '2022/03/08';
Be sure to edit the date so that it corresponds to when the spam posts first started appearing on your website, otherwise you risk deleting legitimate content!
3 – Run SQL commands to tidy up postmeta and commentmeta
Now that you’ve gotten rid of the spam posts, you’ll want to clean up your meta tables. Use the following SQL command to remove any post_meta where post_id has been removed.
DELETE FROM `wp_postmeta` WHERE `post_id` NOT IN ( SELECT ID FROM `wp_posts` );
4 – Remove spam comments
If your site has no use for comments or has been littered with spam comments and you want to delete all the comments from your database, this simple query will do the trick:
TRUNCATE TABLE `wp_comments`; TRUNCATE TABLE `wp_commentmeta`;
You can also opt for our professionals to clean up SEO spam for you. Either way, don’t endure downtime or blocklisting because of hackers. Help make the internet a safer place for everyone.
How can I protect my site from SEO spam?
Spamdexing is always a threat for website owners, but, fortunately, fending off these hackers is mostly a matter of adhering to a few best practices:
- Run updates: Your website software, plugins, and themes need updates to protect from known vulnerabilities. Don’t ignore them. Updates often include security patches to keep hackers out. If you fail to patch an important vulnerability for your website, you may be providing attackers with a wide-open backdoor for an SEO spam infection.
- Create strong passwords: A password like admin123 might be really easy to remember, but, unfortunately, it’s also pretty easy to guess. Make sure you’re using strong passwords, especially when they’re protecting access to sensitive areas of your site.
- Scan regularly for malware: Fixing an SEO spam infection starts with being aware of it. Too often, website owners have no idea they’ve been hacked until penalties happen, such as search engine blacklisting or lost credibility. Just like a medical checkup, it’s smart to run scans on a regular basis.
- Secure your admin panels: Secure your wp-admin panel by performing basic website hardening. This makes it harder for an attacker to gain access to your dashboard.
- Get behind a firewall: If you’re serious about preventing a search engine spam infection, a web application firewall (WAF) is an absolute must-have. It protects you by constantly updating definitions of known threats, kind of like a bouncer turning away neighborhood creepers. A WAF will even significantly speed up load times for your site.
If you believe your website has already fallen victim to spamdexing, we can help! Our analysts have extensive experience removing seo spam from hacked websites.
For more information on SEO Spam, check out our webinar by Krasimir Konov:
Luke Leal
Jeff Channell
Krasimir Konov
John Castro
Ben Martin
Eli Lopez
Cesar Anjos
Northon Torga
Marc Kranat