Tracking Down Rogue Spam Links
-
In Feb, 2015 www.mommyupgrade.com site received the following notification in GWT:
http://www.mommyupgrade.com/: Suspected hackingFeb 4, 2015
Google has detected that some of your pages may contain hidden text or cloaking, techniques that are outside our Webmaster Guidelines.
Specifically, we detected that your site may have been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
Sample URLs:At that time, the site was checked by the host and site owner and any suspicious links removed. We thought the problem was resolved until a MOZ crawl on March 22 which highlighted a number of hack links again.This is the link format: http://www.mommyupgrade.com/?p=online-slots
All are related to gambling, casinos and slots.
To find the links, we downloaded the MOZ crawl report and found that all the links were referred from this page: http://www.mommyupgrade.com/how-to-make-rainbow-lollipop-cookies/
Searching that post shows no sign of links to the rogue pages.
I would really appreciate some advice on how to find the source of these links and delete them from this site once and for all. Also, please explain how it is possible for a post or page to refer to another page without that link showing up in the code? (Is this some black hat technique that I need to know about in order to protect my sites?)
Also... at the moment Google Webmaster Tools are not reporting any security issues for this site.
Any help appreciated.
-
You're welcome. I'm always amazed at the diversity of people that read and comment here. A lot of talented eyes are considering the questions for sure. Cheers!
-
@Ryan, that link is very useful and once we have the site clean we can use it regularly to check that no new issues presnt themselves.
@Richard, thank you for this information. It helps a lot.
Great community support. I wish I had asked this question days ago.Thank you MOZ.
-
There are some base 64 encoded URLs on the page. They show in the source code like below. That would be my guess as to what is creating the links, which are obfuscated for users. These types of attacks are usually called in your functions.php file or within a hacked plugin, or could actually be inserted into the css as well.
background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGgAAABoCAYAAAAdHLWhAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAACGRJREFUeNrsnb9rVEsUxyfrQ7AO+AOzAaPGqJhCTKFNSsXCvyBapRDhaZNCbR7pXvE6wcoqRFRiIqQIRlSIRRpBMMEkb/1RKGpUonZqRH3nu+9eifHu3jlzztydDXNgWAi5e89nPndu9s7OnLT8+PHDxAg3SrELoqAYUVAUFCMKihEFRUExtOMPzTd79uzZeno5RK2HWje1Tmplaq3JryxRe0GtQm2G2n1q0x0dHcuhdUwoLC0aD6oE00Uvx6gdpdbLPHyK2gS1cYJbCEBMUCwiQQSzmV5OUOujtk+Yyyy1YWpDBLfYADFBsjgLIqDD9HIqudo0Y5zaRQKbLFBOsCxOggion14GqO3y1Gf/UvuHwC4VICdoFrYgAvqTXv5a8cfSV+CP8CCBXfAoJ3gWlqCnT5/iavu7AKCVYGe3b9+uPpKahaXEADqc3ApEQO/evTPj4+O2v45zDSTn1pTDZkHOyF0QTixWgp48ebKZRtoparsw4lzb27dvzcjICPc4nPMUctCQI2FB7mAQ9AGbxUoQvekJasc05Hz+/Dl9T07DuU9oCHJlQSB3BUksllxBlUqli96wTyrn+vXr5suXLys7itv6kItEjoQlDTCARSjJmqVkccXB+D6JnNHR0V/kOApCDseEo8eZZWWABUwCSdYsdQUtLCyspzc6KpEzNjb2mxxHQWhHkZOLHCnL6gAT2ASSrFjyRtAhh/moaszPz5sbN25kyjlw4IDrIOhNcnIJZ5ZaOYMNjGD1xVLKuSX0uFwdc3Nz5vbt25lyjh8/bnbs2CG5f/c43t56JH9HkTNyz5IEVjD7YMkT1M09Ka6mO3fuZL4fANvb283Hjx8lgrodBXVLBCFn5J4lCQFmsGuz5N3iOpn3eSs5wugs+LifYSMJfaCZU94IKmuNnHK5bD58+CAZOWkrO46gssK5qwxgURpJZekIarUdOXfv3q0rR2HksHJSPC5zJNWThL6wHEmtUkFWMT09nfnznTt3assJJlJJYOT0CTfyBC3ZvMmZM2fMhg0bfvv548ePq88KHmaFizyuZoANjKsDfYE+0cgpT9ALm7N8/frVnD59OlNSvdufY7wo+DjWbQx9gL5An2jklCeoYnMWTCKmklpbW31LqhR8nLUcsKdy0klhaU55gmZsk04lDQwMmLa2Np+SZgo+zkoOmMHOkGOVU56g+5zkkdirV6/MyZMnfUq6X/BxVnLADHaGHKuc8gTho8gU54zfvn0zb9688SVpKsnJ6cMml4UjB8xg12apK2jv3r1YJTnBhcmTlDVHZxkTSU7scGWpl7NAjjWLzXMQFhDMakoqlZwev2aTXCThxJKVs1CONUvJ4srDuB52gcobScwYTnJxDgmLohwWi+2lPOR69SpJGk9y0IghyUhUkMNiKVleeVhffNH8v0qyaEk458UkB3FIWBTksFlYCxcfPXokWuy3bt06s2nTJjM1NVVzDitjKuQsAakvXOSyYEqnt7dXIseJhb30l8BEy2UhCU/c+C7fAmiQgLwt/eWwbNy40SwtLUnkOLE4LZ5Prj7vC859jJxmY3HefkJgXrdsEFBh209CZhFt4CIwL5uetD4QrAUWlS2QBKeybVD6nKMkKiiWFs1iSgTntPHWdfrGs6ggWFpitauwI9ZJiIJiREFRUIwoKEYUFAXFiIKioBhRUIwoaM2EasXFZNcye4Kxq6sruMnSUFhUJksJRmWKnuAWAhATFItIEMF4+ZKL4BYbICZIFmdBBOT1a2ICmyxQTrAsToIIqJCFFgR2qQA5QbOwBRFQoVUKCeyCRznBs7AEzc/PN6RK4e7du9VHUrOwlBhAKhUXFxcXzbVr12x/vVqlMDm3phw2C3JG7oJwYrESNDc3p1Jx8fXr12Z4eNipSiFy0JAjYUHuYJBWXOSwFFZxMZXT7BUXFSTpVlycnZ3t+v79ex8149qwd/Py5cu/7FJzeJ8+5CJ6OBGwpAEGsIBJ0CfWLN4rLuJqu3LlypqruAgmwUjSqbj48OFDUZVCAFy9elW14iJycpEjZVkdYAKbQJIVi7eKizMzM9VPPllyDh486DoIGlZxMStnsIERrL5YvFRcpCvD3Lx5M1NOf3+/oWeBpqu4iJyRe5YksIK5KSou4mqanMyeegJgR0eHef/+fdNVXETOyD1LEgLMYA+64iJ9MrGSI4yGVVy0kYQ+0MxJreJi3sjZtm1bdQths1dcBANYlEZSMRUXcdXcunWrrhyFkcPKSfG4zJFUTxL6wnIkFVNx8d69e9njt7NTW04wkUoCI6dPuKFScfH8+fOZxfwqlUp1asTDrHCRx9UMsIFxdaAv0CcaOalUXFxeXjbnzp3LlIQKuBMTE5r9EkTFRTBlVZxHH6Av0CcaOalUXPz06dNPSVkVF5UlNbziYi05YE/loE80clKruJhKGhwcrFbD9SipoRUXa8kBM9gZcqxyUq24iMSeP39eLQ3pUVLDKi7WkwNmsDPkWOXkpeLiy5cvfUlqWMXFPDlgLrzi4v79+50rLtaTJKm4mOTEDleWejkL5FizeK24WEvSWqi4KJSjV3GRLIsqLtYbSdzHjiQX55CwKMphsRRScVFBUjAVFxXk6FdcJNviiosCSdUqhUkO4pCwKMhhs7AWLj548EBccXHr1q3VL7j27NljOxVyloDUFy5yWfAv0I4cOSKR48TCXvpLYOKKi6heiO/yLYAGCcjb0l8Oy5YtW6pVIiUVF11YnBbPJ1ef9wXnPkZOs7E4bz8hMK9bNgiosO0nIbOINnARmJdNT1ofCNYCi8oWSIJT2TYofc5REhUUi2pBP4Jz2njrOn3jWVQQLLHiYuAR6yREQTGioCgoRhQUIwqKgmKox38CDACL7v6JnTZ+vgAAAABJRU5ErkJggg==)
-
You can also run a search like this to get at these pages: https://encrypted.google.com/search?hl=en&q=site%3Amommyupgrade.com inurl%3A%3F%3Dp
The root cause is a hack of your Wordpress installation, most likely a plugin. Here's a good discussion around how this takes place: https://wordpress.org/support/topic/someone-has-hacked-the-site-and-inserted-a-link
Recently a vulnerability was found in the Yoast plugin (see: http://thehackernews.com/2015/03/wordpress-seo-by-yoast-plugin.html ), so you'll certainly want to upgrade that and preferably set your updates to automatic.
Good luck!
Got a burning SEO question?
Subscribe to Moz Pro to gain full access to Q&A, answer questions, and ask your own.
Browse Questions
Explore more categories
-
Moz Tools
Chat with the community about the Moz tools.
-
SEO Tactics
Discuss the SEO process with fellow marketers
-
Community
Discuss industry events, jobs, and news!
-
Digital Marketing
Chat about tactics outside of SEO
-
Research & Trends
Dive into research and trends in the search industry.
-
Support
Connect on product support and feature requests.
Related Questions
-
Need advice on internal links
I run a couple of gadget/technology based blogs, which essentially has news based articles and long form articles such as reviews, tutorials, and tips. Looking for some advice on the strategy for internal links: We have been using internal links in the following ways in articles so far: Links to the category pages at the end of the article (we call it related topics) Links to category pages wherever relevant preferably in the first paragraph. The logic here was that if we can add the link to a category in the first paragraph, which appears on the home page and category page, it will pass the link juice to the category page. Link to relevant articles, mostly by using the full title of the post as we thought that it stands out. Issues with the current strategy: In the case of the 1st strategy, it doesn't seem that natural, so we are not sure if people actually end up clicking them. In case of the 2nd, we have couple of concerns: it could result in linking to a category page twice. One within the article, and the second at the end of the article because of strategy 1. Because the first paragraph also appears on the category pages, it would mean that in some cases we will be linking to the same category page (recursive). In the case of the 3rd strategy, the problem is it does not appear natural so we are sure if it increases the value of the content. I was wondering if we should adopt the following strategy: Get rid of category links at the end of the article. Avoid linking to the category pages in the first paragraph, instead link to the category pages after the first paragraph, so we don't end up with the issue mentioned in b. i. Alternatively, we could remove the excerpts from the category pages so we don't hit the issue of linking to the category page from the category page. Add links more naturally. So have a sentence which talks about the related article and link to it using partial match (keyword phrase) or exact match. Any advice would be greatly appreciated.
Content Development | | Gautam0 -
Paid Guest Post Links - Value?
Hey guys, Just wanted to put the question out there about guest blogging opportunities that are paid for. It's not something we ever go for but a client has the resources to get a few quality paid backlinks. What are people's general thoughts on guest blogging - for a nominal fee - to do so? Pros and cons of the whole process? Cheers!
Content Development | | wearehappymedia0 -
Is there a quick and easy way to check a website to see which outbound links open in the browser window and not in a new window?
I have just come across a few blogs on a website that have outbound links that open in the browser window (and therefore direct people off site to these links) (there are also other outbound links that open in a new window)- is there a quick and easy way to check which outbounds links open in a new window and which open in the browser window? Much obliged Liam
Content Development | | ZaddleMarketing0 -
Is there an upper bound on the number of links an url might get in a day?
There are link spammers and programs like GSA and others, that automate linkbuilding, and I was wondering if anybody ever had a penalty because a page on his site is getting too many references (links). I am not talking about spamming here. So provided that the links are coming from relevant, unique sources, but you do an over excessive campaign, and you seem to be getting too many backlinks, can it negatively affect SEO? Alternatively: is there an upper bound on the number of links you try to build in a day when you are doing linkbuilding?
Content Development | | snetface0 -
We used to sell links ...
We used to sell text links on our site WebDesign.org , I told about that via Twitter in public, Google penalized us and here’s the history of the issue in more detail. I write it here to ask if you guys know how to sort out this issue coz I’m not exactly sure at this point. Before I tackle the issue itself, here's some background. OUTBOUND LINKS ISSUE Jun 22, 2013 We received an Unnatural outbound links penalty (Manual spam action message in our Google Webmaster Tools account) from Google July 1, 2013 We nofollowed all homepage links and submitted a reconsideration request July 10, 2013 Google replied that we still violate their quality guidelines July 15, 2013 We removed links to low quality and irrelevant sites (such as Chinese stores, etc) and submitted another reconsideration request July 22, 2013 Manual Spam Action revoked INBOUND LINKS ISSUE November 8, 2013 We got a message from Google about Unnatural links to your site - impacts links (Message in our Google Webmaster Tools account) November 27, 2013 We Submitted a Disavow file with Deadly Risky links (found via generating a LinkDetox report) and submitted a reconsideration request December 15, 2013 Manual Action revoked (main keyword ranking got from 41 to 4) February 6, 014 And here's the actual issue: OUTBOUND LINKS ISSUE (Again) I told via Twitter in public that our site sells links. Matt Cutts noticed that and we got another Unnatural outbound links penalty (Manual action). Main keyword ranking decreased from 9 to 65. We removed all outbound links on the homepage and submitted a reconsideration request. April 15, 2014 Google replied that we still violate their quality guidelines. We nofollowd all outbound links with JavaScript (wrong move because Google did not take it as nofollowed) and submitted another reconsideration request. April 19, 2014 Google rejected our reconsideration request and said that we still violate their quality guidelines. April 23, 2014 We nofollowed properly this time (with PHP) and submitted another reconsideration request. May 4, 2014 Google replies that we still violate their quality guidelines. So, at this point I’m kinda lost in terms of what to do next because we've nofollowed all our outbound links (both paid and natural ones). What would you recommend?
Content Development | | VinceWicks0 -
What is the Best Practice for External Links?
We are currently in the process of reviewing our site on a number of fronts, and part of that involves adding quality content to our product category pages where necessary. Our practice so far has been to add relevant content, and in this content externally link to a couple of relevant, related sites for that category (avoiding the use of keywords we are trying to rank for). Should we be doing this (externally linking)? And, if so, should these external links be NoFollow? So far, we have seen mixed results for our efforts.
Content Development | | Robdps0 -
Does content have a shelf life for link building efforts?
Do you think that content (that doesn't have a date attached) has a shelf life? Especially content that is effectively timeless such as a quiz? I've noticed in my link building efforts that most links are achieved within the first couple of weeks, and that there seems to be a point of diminishing returns. Why do you think that may be?
Content Development | | nicole.healthline0 -
Blogging competition - risky link acquiring method?
We are planning to launch a competition where bloggers can blog about our products and about our company. One winner will be selected to win a gift card to our web shop. In order to participate the blogger has to put a link to the blog post that points to our front page or into one of our product pages. Does Google have a guideline against such "link acquiring" methods?
Content Development | | EuropeanSEOguy0
