Tracking Down Rogue Spam Links
-
In Feb, 2015 www.mommyupgrade.com site received the following notification in GWT:
http://www.mommyupgrade.com/: Suspected hackingFeb 4, 2015
Google has detected that some of your pages may contain hidden text or cloaking, techniques that are outside our Webmaster Guidelines.
Specifically, we detected that your site may have been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
Sample URLs:At that time, the site was checked by the host and site owner and any suspicious links removed. We thought the problem was resolved until a MOZ crawl on March 22 which highlighted a number of hack links again.This is the link format: http://www.mommyupgrade.com/?p=online-slots
All are related to gambling, casinos and slots.
To find the links, we downloaded the MOZ crawl report and found that all the links were referred from this page: http://www.mommyupgrade.com/how-to-make-rainbow-lollipop-cookies/
Searching that post shows no sign of links to the rogue pages.
I would really appreciate some advice on how to find the source of these links and delete them from this site once and for all. Also, please explain how it is possible for a post or page to refer to another page without that link showing up in the code? (Is this some black hat technique that I need to know about in order to protect my sites?)
Also... at the moment Google Webmaster Tools are not reporting any security issues for this site.
Any help appreciated.
-
You're welcome. I'm always amazed at the diversity of people that read and comment here. A lot of talented eyes are considering the questions for sure. Cheers!
-
@Ryan, that link is very useful and once we have the site clean we can use it regularly to check that no new issues presnt themselves.
@Richard, thank you for this information. It helps a lot.
Great community support. I wish I had asked this question days ago.Thank you MOZ.
-
There are some base 64 encoded URLs on the page. They show in the source code like below. That would be my guess as to what is creating the links, which are obfuscated for users. These types of attacks are usually called in your functions.php file or within a hacked plugin, or could actually be inserted into the css as well.
background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGgAAABoCAYAAAAdHLWhAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAACGRJREFUeNrsnb9rVEsUxyfrQ7AO+AOzAaPGqJhCTKFNSsXCvyBapRDhaZNCbR7pXvE6wcoqRFRiIqQIRlSIRRpBMMEkb/1RKGpUonZqRH3nu+9eifHu3jlzztydDXNgWAi5e89nPndu9s7OnLT8+PHDxAg3SrELoqAYUVAUFCMKihEFRUExtOMPzTd79uzZeno5RK2HWje1Tmplaq3JryxRe0GtQm2G2n1q0x0dHcuhdUwoLC0aD6oE00Uvx6gdpdbLPHyK2gS1cYJbCEBMUCwiQQSzmV5OUOujtk+Yyyy1YWpDBLfYADFBsjgLIqDD9HIqudo0Y5zaRQKbLFBOsCxOggion14GqO3y1Gf/UvuHwC4VICdoFrYgAvqTXv5a8cfSV+CP8CCBXfAoJ3gWlqCnT5/iavu7AKCVYGe3b9+uPpKahaXEADqc3ApEQO/evTPj4+O2v45zDSTn1pTDZkHOyF0QTixWgp48ebKZRtoparsw4lzb27dvzcjICPc4nPMUctCQI2FB7mAQ9AGbxUoQvekJasc05Hz+/Dl9T07DuU9oCHJlQSB3BUksllxBlUqli96wTyrn+vXr5suXLys7itv6kItEjoQlDTCARSjJmqVkccXB+D6JnNHR0V/kOApCDseEo8eZZWWABUwCSdYsdQUtLCyspzc6KpEzNjb2mxxHQWhHkZOLHCnL6gAT2ASSrFjyRtAhh/moaszPz5sbN25kyjlw4IDrIOhNcnIJZ5ZaOYMNjGD1xVLKuSX0uFwdc3Nz5vbt25lyjh8/bnbs2CG5f/c43t56JH9HkTNyz5IEVjD7YMkT1M09Ka6mO3fuZL4fANvb283Hjx8lgrodBXVLBCFn5J4lCQFmsGuz5N3iOpn3eSs5wugs+LifYSMJfaCZU94IKmuNnHK5bD58+CAZOWkrO46gssK5qwxgURpJZekIarUdOXfv3q0rR2HksHJSPC5zJNWThL6wHEmtUkFWMT09nfnznTt3assJJlJJYOT0CTfyBC3ZvMmZM2fMhg0bfvv548ePq88KHmaFizyuZoANjKsDfYE+0cgpT9ALm7N8/frVnD59OlNSvdufY7wo+DjWbQx9gL5An2jklCeoYnMWTCKmklpbW31LqhR8nLUcsKdy0klhaU55gmZsk04lDQwMmLa2Np+SZgo+zkoOmMHOkGOVU56g+5zkkdirV6/MyZMnfUq6X/BxVnLADHaGHKuc8gTho8gU54zfvn0zb9688SVpKsnJ6cMml4UjB8xg12apK2jv3r1YJTnBhcmTlDVHZxkTSU7scGWpl7NAjjWLzXMQFhDMakoqlZwev2aTXCThxJKVs1CONUvJ4srDuB52gcobScwYTnJxDgmLohwWi+2lPOR69SpJGk9y0IghyUhUkMNiKVleeVhffNH8v0qyaEk458UkB3FIWBTksFlYCxcfPXokWuy3bt06s2nTJjM1NVVzDitjKuQsAakvXOSyYEqnt7dXIseJhb30l8BEy2UhCU/c+C7fAmiQgLwt/eWwbNy40SwtLUnkOLE4LZ5Prj7vC859jJxmY3HefkJgXrdsEFBh209CZhFt4CIwL5uetD4QrAUWlS2QBKeybVD6nKMkKiiWFs1iSgTntPHWdfrGs6ggWFpitauwI9ZJiIJiREFRUIwoKEYUFAXFiIKioBhRUIwoaM2EasXFZNcye4Kxq6sruMnSUFhUJksJRmWKnuAWAhATFItIEMF4+ZKL4BYbICZIFmdBBOT1a2ICmyxQTrAsToIIqJCFFgR2qQA5QbOwBRFQoVUKCeyCRznBs7AEzc/PN6RK4e7du9VHUrOwlBhAKhUXFxcXzbVr12x/vVqlMDm3phw2C3JG7oJwYrESNDc3p1Jx8fXr12Z4eNipSiFy0JAjYUHuYJBWXOSwFFZxMZXT7BUXFSTpVlycnZ3t+v79ex8149qwd/Py5cu/7FJzeJ8+5CJ6OBGwpAEGsIBJ0CfWLN4rLuJqu3LlypqruAgmwUjSqbj48OFDUZVCAFy9elW14iJycpEjZVkdYAKbQJIVi7eKizMzM9VPPllyDh486DoIGlZxMStnsIERrL5YvFRcpCvD3Lx5M1NOf3+/oWeBpqu4iJyRe5YksIK5KSou4mqanMyeegJgR0eHef/+fdNVXETOyD1LEgLMYA+64iJ9MrGSI4yGVVy0kYQ+0MxJreJi3sjZtm1bdQths1dcBANYlEZSMRUXcdXcunWrrhyFkcPKSfG4zJFUTxL6wnIkFVNx8d69e9njt7NTW04wkUoCI6dPuKFScfH8+fOZxfwqlUp1asTDrHCRx9UMsIFxdaAv0CcaOalUXFxeXjbnzp3LlIQKuBMTE5r9EkTFRTBlVZxHH6Av0CcaOalUXPz06dNPSVkVF5UlNbziYi05YE/loE80clKruJhKGhwcrFbD9SipoRUXa8kBM9gZcqxyUq24iMSeP39eLQ3pUVLDKi7WkwNmsDPkWOXkpeLiy5cvfUlqWMXFPDlgLrzi4v79+50rLtaTJKm4mOTEDleWejkL5FizeK24WEvSWqi4KJSjV3GRLIsqLtYbSdzHjiQX55CwKMphsRRScVFBUjAVFxXk6FdcJNviiosCSdUqhUkO4pCwKMhhs7AWLj548EBccXHr1q3VL7j27NljOxVyloDUFy5yWfAv0I4cOSKR48TCXvpLYOKKi6heiO/yLYAGCcjb0l8Oy5YtW6pVIiUVF11YnBbPJ1ef9wXnPkZOs7E4bz8hMK9bNgiosO0nIbOINnARmJdNT1ofCNYCi8oWSIJT2TYofc5REhUUi2pBP4Jz2njrOn3jWVQQLLHiYuAR6yREQTGioCgoRhQUIwqKgmKox38CDACL7v6JnTZ+vgAAAABJRU5ErkJggg==)
-
You can also run a search like this to get at these pages: https://encrypted.google.com/search?hl=en&q=site%3Amommyupgrade.com inurl%3A%3F%3Dp
The root cause is a hack of your Wordpress installation, most likely a plugin. Here's a good discussion around how this takes place: https://wordpress.org/support/topic/someone-has-hacked-the-site-and-inserted-a-link
Recently a vulnerability was found in the Yoast plugin (see: http://thehackernews.com/2015/03/wordpress-seo-by-yoast-plugin.html ), so you'll certainly want to upgrade that and preferably set your updates to automatic.
Good luck!
Got a burning SEO question?
Subscribe to Moz Pro to gain full access to Q&A, answer questions, and ask your own.
Browse Questions
Explore more categories
-
Moz Tools
Chat with the community about the Moz tools.
-
SEO Tactics
Discuss the SEO process with fellow marketers
-
Community
Discuss industry events, jobs, and news!
-
Digital Marketing
Chat about tactics outside of SEO
-
Research & Trends
Dive into research and trends in the search industry.
-
Support
Connect on product support and feature requests.
Related Questions
-
Is there an upper bound on the number of links an url might get in a day?
There are link spammers and programs like GSA and others, that automate linkbuilding, and I was wondering if anybody ever had a penalty because a page on his site is getting too many references (links). I am not talking about spamming here. So provided that the links are coming from relevant, unique sources, but you do an over excessive campaign, and you seem to be getting too many backlinks, can it negatively affect SEO? Alternatively: is there an upper bound on the number of links you try to build in a day when you are doing linkbuilding?
Content Development | | snetface0 -
We used to sell links ...
We used to sell text links on our site WebDesign.org , I told about that via Twitter in public, Google penalized us and here’s the history of the issue in more detail. I write it here to ask if you guys know how to sort out this issue coz I’m not exactly sure at this point. Before I tackle the issue itself, here's some background. OUTBOUND LINKS ISSUE Jun 22, 2013 We received an Unnatural outbound links penalty (Manual spam action message in our Google Webmaster Tools account) from Google July 1, 2013 We nofollowed all homepage links and submitted a reconsideration request July 10, 2013 Google replied that we still violate their quality guidelines July 15, 2013 We removed links to low quality and irrelevant sites (such as Chinese stores, etc) and submitted another reconsideration request July 22, 2013 Manual Spam Action revoked INBOUND LINKS ISSUE November 8, 2013 We got a message from Google about Unnatural links to your site - impacts links (Message in our Google Webmaster Tools account) November 27, 2013 We Submitted a Disavow file with Deadly Risky links (found via generating a LinkDetox report) and submitted a reconsideration request December 15, 2013 Manual Action revoked (main keyword ranking got from 41 to 4) February 6, 014 And here's the actual issue: OUTBOUND LINKS ISSUE (Again) I told via Twitter in public that our site sells links. Matt Cutts noticed that and we got another Unnatural outbound links penalty (Manual action). Main keyword ranking decreased from 9 to 65. We removed all outbound links on the homepage and submitted a reconsideration request. April 15, 2014 Google replied that we still violate their quality guidelines. We nofollowd all outbound links with JavaScript (wrong move because Google did not take it as nofollowed) and submitted another reconsideration request. April 19, 2014 Google rejected our reconsideration request and said that we still violate their quality guidelines. April 23, 2014 We nofollowed properly this time (with PHP) and submitted another reconsideration request. May 4, 2014 Google replies that we still violate their quality guidelines. So, at this point I’m kinda lost in terms of what to do next because we've nofollowed all our outbound links (both paid and natural ones). What would you recommend?
Content Development | | VinceWicks0 -
How can I make a clickable header on Tumblr (with several links to click)
I would like to make a clickable header with several links to click, for example the possibility to click Facebook & Twitter icons to get redirected to my twitter and Facebook page. I know how to make the clickable image and get the html for it. But where in the HTML on tumblr should I insert it? Can I override the custom header with my HTML header somehow? Appreciate all the help I can get, Thanks.
Content Development | | Fisken0 -
My Guest Blog: Still A Good Link Building Resource?
In an effort to build some links, we want to really work on improving our blog content and exposure. We want to write two quality posts per week, and submit 1 quality guest post every 1-2 weeks. However, we're not sure how to go about submitting guest posts or who to submit them to? I found an all article from SEOmoz http://moz.com/blog/4-valuable-link-building-services but it's from 2010. Is myguestblog still a good source? Are there better ways of doing it? Also, is ever advisable to pay to submit a post? Some of the legal blogs (we're a law firm) have this option, but that strikes me as spammy or low quality links. Just to reiterate, we are striving to write high-quality useful content audiences will find beneficial, not just junk or salesmanship. If it takes longer than a week to write posts like that, that's fine. We just really need some specific advise on who we should be submitting our guest posts to and who we should avoid. Thank you all so much for any advice or suggestions, Ruben
Content Development | | KempRugeLawGroup0 -
Translated text: should I use canonical link?
Hello everybody, I'm writing an article in Danish, which I have translated into English on a Danish blog. But I'm not sure if I have to use the canonical link from the English version to the Danish, or whether I should just publish both without using canonical link. What is your recommendation for this? Looking forward to hearing from you. Thanks & regards, Jonathan
Content Development | | JoLinda910 -
Too many links on page?
Hello, Can my rankings suffer if some of my inner pages have too many links/anchor text? Or would link juice just stop being passed after X amount of links? I have content on these inner pages, and it all flows. Thanks!
Content Development | | TP_Marketing0 -
Does content have a shelf life for link building efforts?
Do you think that content (that doesn't have a date attached) has a shelf life? Especially content that is effectively timeless such as a quiz? I've noticed in my link building efforts that most links are achieved within the first couple of weeks, and that there seems to be a point of diminishing returns. Why do you think that may be?
Content Development | | nicole.healthline0 -
Blogging competition - risky link acquiring method?
We are planning to launch a competition where bloggers can blog about our products and about our company. One winner will be selected to win a gift card to our web shop. In order to participate the blogger has to put a link to the blog post that points to our front page or into one of our product pages. Does Google have a guideline against such "link acquiring" methods?
Content Development | | EuropeanSEOguy0