Ever had an uninvited guest crash your party, resulting in chaos, confusion, and some unhappy visitors? Well, SEO spam is that party crasher — just for websites.
Why should you care, you ask? Well, just imagine your meticulously crafted website content being replaced with unsolicited ads for services and products that would make your grandma blush. Or even worse, your loyal site visitors being redirected to shady third party websites. Not the picture of ideal user experience, right?
But that’s not all. Spamdexing can also wreak havoc with your search engine rankings. And we all know how that story ends: with your website sinking faster than the Titanic in search results, along with blocklisting warning by Google and other search authorities.
In this post, we’ll lift the veil on SEO spam, exploring its dark corners, revealing its impact on your website’s SEO and visitors, and most importantly, arming you with the knowledge to fight back against spammers.
Contents:
If you’re wondering what SEO spam is, a good way to gain an understanding is finding this wily beast in the wild. In your favorite browser, search with the terms buy viagra cialis. (You might want to check over your shoulder first.)
Now, without clicking anything, scroll through the results. What you might encounter after the first couple of pages are a number of non-pharmaceutical websites advertising these medications.
You’ve just spotted a few likely examples of spamdexing, where innocent websites have been hacked and injected with keywords intended to lure traffic to bad actors’ domains and redirect to their web pages. These innocent sites aren’t actually in the male enhancement business, they’re infected websites and unwilling participants in the hackers’ dirty SEO scheme.
Search engine spam is an attempt to manipulate search engine rankings, so traffic is lured to a bad actor’s domain. To do this, hackers gain access to a normal, healthy website, and then inject keywords and links to another web property they’ve set up for affiliate marketing, to monetize search traffic, or other malicious behavior.
This practice is known as spamdexing. Bad actors aim to manipulate search engine results to rank their web properties higher, providing zero value to searchers in the process. Spamdexing can include keyword or meta-tag stuffing, injected links, and even doorway pages.
So, why don’t hackers just create their own websites? Well, they don’t always have much success with this. Search engine algorithms are designed to ignore scammy websites to protect search visitors and website traffic. That’s why hackers manipulate search engines through spamdexing.
By gaining access to legitimate websites and injecting links and keywords, bad actors create a path to their scammy web properties. Rather than getting ranked the way most legit websites do, bad actors piggyback off a normal site’s credibility in the eyes of search engines.
Turns out, search engine spam can appear even in the last places you’d imagine. We’ve even seen hackers get pretty creative with infecting WordPress websites. But let’s ignore the edge cases for now and instead focus on the most common places you might see spamdexing.
Keywords are central to spamdexing. When shady keywords appear in the content of a credible website, search engines assume it’s safe to index the site for those terms. And when people search online — say for male enhancement or other meds, sports gear, essay writing, loan services, (the list gets long…) — results often include scams where they’ll pay for something but never receive it.
Links are super important to scammers. Otherwise, there wouldn’t be a way to drive legitimate traffic to their shady web properties.
One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website. This way, humans won’t see the spam links, but crawling bots that read the HTML of the website will — and these SEO spam links will be attributed to your website.
You’d think Viagra shoppers would know better than trying to buy meds from a museum or floral shop, but our own research shows SEO spam remains the number-one type of website infection — and can seriously harm your website visitors (and rankings).
If a hacked website displays banner ads or calls to action (CTAs), hackers can easily replace the content or create new elements in order to drive traffic to their scams. This can be particularly effective, often because these clicks happen once a shopper’s mind is made up. They might not even question why a CTA is displaying where it is.
For the nuclear option in spamdexing, hackers can create and optimize entire web pages or blog posts dedicated to getting ranked for a spammy search term. This is especially effective when a legit site already has a good search engine ranking, as much of a hacker’s work is already done.
If your site has been infected with search engine spam, it’s critical to act quickly. This isn’t something that’ll eventually fix itself. It isn’t a task you can put off until the time for handling it magically appears.
Every second your website remains infected with SEO spam, you risk serious penalties. You could get blacklisted by search engines, so you don’t show up in their results. Or visitors could go to your site to do business, see the SEO spam, and then leave never to return.
Removing SEO spam can take time, so be proactive with it. Follow these instructions to find and fix SEO spam on your site.
Having a functional backup that you can restore from can be a lifesaver. Before you make any changes to your website, backup your website files and database.
If you have WP-CLI installed on your server, you can connect to your website’s root via SSH and easily backup your WordPress database and files for free.
After backups have been made for your posts table and other website files, survey your website files and pinpoint the date of the infection. Then, run these SQL commands to remove spam posts found after a certain date.
UPDATE `wp_posts` SET `post_status` = 'trash' WHERE `post_status` = 'publish' AND `post_type` = 'post' AND `post_date` > '2022/03/08';
Be sure to edit the date so that it corresponds to when the spam posts first started appearing on your website, otherwise you risk deleting legitimate content!
Now that you’ve gotten rid of the spam posts, you’ll want to clean up your meta tables. Use the following SQL command to remove any post_meta where post_id has been removed.
DELETE FROM `wp_postmeta` WHERE `post_id` NOT IN ( SELECT ID FROM `wp_posts` );
If your site has no use for comments or has been littered with spam comments and you want to delete all the comments from your database, this simple query will do the trick:
TRUNCATE TABLE `wp_comments`; TRUNCATE TABLE `wp_commentmeta`;
You can also opt for our professionals to clean up SEO spam for you. Either way, don’t endure downtime or blocklisting because of hackers. Help make the internet a safer place for everyone.
Spamdexing is always a threat for website owners, but, fortunately, fending off these hackers is mostly a matter of adhering to a few best practices:
If you believe your website has already fallen victim to spamdexing, we can help! Our analysts have extensive experience removing seo spam from hacked websites.
For more information on SEO Spam, check out our webinar by Krasimir Konov: