News · SEO

Hackers Forcing Sites to Cloak Search Engines with Link Spam

David Jones from PR Works is probably wondering why he gets no love from Google. Maybe he even did a site: search on the Big G and discovered that his site has been banned. If so, he’s probably wondering why.

I don’t know Mr. Jones. He seems like a nice enough guy with some smart things to say about PR in Canada. I hope he finds this article and sorts out this rather nasty situation he has. If not, at least we can use it as a learning tool later on in this article.

Let’s pretend I do SEO for Twitter and am trying to talk management into letting me nofollow the profile links. Management says “NO, we’ve checked hundreds of profile links and none of them were spammy” so I do what any logical SEO would do and perform a linkfromdomain search on MSN so I can prove that, indeed, there are over 2,000 links FROM Twitter pointing TO pages about Viagra.

viagra 1 Hackers Forcing Sites to Cloak Search Engines with Link Spam

But then management comes back to me and says that the information is wrong.

They checked the results and didn’t see anything about Viagra those pages.

I then do the next logical thing, which would be looking in the source code for hidden text, such as off-page positioning with CSS, hidden divs, or the classic white text on a white background trick. Perhaps I find my proof: http://www.mattselznick.com . Poor Matt Selznick. Maybe his site got hacked months ago and he still doesn’t know about it. Either way, someone is doing the dirty on Mr. Selznick.

viagra 2 Hackers Forcing Sites to Cloak Search Engines with Link Spam

But let’s say you check the source code and DON’T find anything about Viagra. What next? Go back to that MSN search. Now click on the result that says PRWorks.ca. You know, the one with the description that has Viagra in bold a half-dozen times. View source. Search for Viagra. Don’t see anything?

Ahh, now we’re getting somewhere. Maybe this is where Mr. Jones stopped when trying to find out why he was banned on Google. He should have kept going…

What do you think is going on here?

If you said “cloaking” give yourself a pat on the back. How do you know this? Simply click on the “Cached page” link in that search result and view the source code there.

Although you won’t see the text on the page, you can clearly see in the source of the cached result that MSN has indexed a whole slew of invisible Viagra links.

viagra 3 Hackers Forcing Sites to Cloak Search Engines with Link Spam

If you’re name is David Jones and you are reading this, congratulations – now you know why your site is banned on Google. Get rid of the offending links and cloaking, update your wordpress to the current version, use best-practices to protect your WP installation, verify your site in Google Webmaster Tools – if you haven’t already – and apply for a reinclusion request. Let them know what has happened and how you’ve fixed it.

What if the page doesn’t have a cached link in the search results? In that case, check your source code on the actual site. Do you have a nochache meta tag? If so, take it off. If not, maybe the cloaked version of the page does. In fact, I’d say that it is very likely.

OK, so you don’t own a site like Twitter and you don’t have any social media profiles from which people can link. Well neither did poor old Mr. Jones or Mr. Selznick. But maybe you were paying attention to your Adsense box and noticed that Viagra or Porn ads keep showing up. Or maybe you were paying attention to your Analytics and noticed some referrals for searches on ‘swollen erect nipples’.

Either way, you can learn three very important lessons here:

  1. Always be on the lookout for something fishy. As SEO gets more competitive, these tactics will be used for more than just Viagra. A strange search result; an odd referral keyword; off-topic adsense ads; being banned… these are all things that may tip you off.
  2. Even if you trust the sites that you are linking to; can you trust that they haven’t been hacked? Better safe than sorry… check first.
  3. WordPress is one of the best things that has happened to the internet since Google, IMHO, but it is also vulnerable to attack if you do not protect yourself by keeping the version up to date, locking your wp-admin directory, and renaming wp-login.php, wp-comments-post.php and wp-trackback.php.

Just to drive that last point home, remember those spammy viagra links that were cloaked and hidden on PR Works? They all go to WordPress include files on a .edu domain.

Everett Sizemore works for several large ecommerce and community sites, and runs a few donzen of his own websites on the side. He prefers not to share his domains with the public, but hopes the information above has been helpful. Everett on Twitter: http://twitter.com/balibones .

750fc60c5851bd00b5199b4d45ace207 64 Hackers Forcing Sites to Cloak Search Engines with Link Spam

Everett Sizemore

750fc60c5851bd00b5199b4d45ace207 64 Hackers Forcing Sites to Cloak Search Engines with Link Spam

Latest posts by Everett Sizemore (see all)

You Might Also Like

Comments are closed.

16 thoughts on “Hackers Forcing Sites to Cloak Search Engines with Link Spam

  1. That is still no reason to ban him.

    If the information on his site is valid- it can still be helpful to many others.

    Google can simply program away the link juice and thus taking away his ability to offer link love

    Banning is never the answer. That is censorship.

    When one REALLY thinks about it – what difference does it make whether you show or hide your links??????

    It does not really change the usefulness of the important information on your site

  2. Ken,

    Thanks for the compliment. This stuff is not going to be news to anyone who has been following spam tactics over the last year or two. I mainly just wanted the average webmaster and blog owner to be aware that just because they don’t SEE any spam on a page that their site links to, doesn’t mean the search engines don’t see any.

    To be clear, I doubt you’re going to get banned for just linking to a couple sites with hidden or cloaked links. But it probably does put a ding in your reputation, and if it happens often enough… who knows.

  3. “Gee, is my face red.”

    Thanks for the blog post, and thanks to your reader Kray who was kind enough to e-mail me. This was apparently the result of a WordPress vulnerability that has been (they tell me) rectified. I cut out the nastiness from the footer.php file; bye bye piggyback spam!

    Thanks again.

  4. Hey Mathew,

    Glad to see you’ve got of under control now. I was planning to email both sites that I used as examples but wanted to give it 24 hours so readers could still see the examples as they were. I hope you understand my delay; and I’m glad it all got sorted out for you.

    Better late than never!

  5. Great example for others to ensure its not happening to them. And im sure Mr. Selznick is very grateful for your post.. It could happen to anyone using an older wordpress instillation.

  6. ineedhits – you’re absolutely correct. It could happen to anyone. I have a few blogs myself with outdated WP installations that I’ve been too busy to update. I’ll be updating them today, but sometimes we play that game of chance where we know it needs to be done but hope nothing happens while we’re trying to find the time to do it.

    In the meantime, let’s all look out for each other and let the site owner know if you find anything. I have contacted Mr. Jones, and Mr. Selznick has already taken care of his site.

  7. Everett,

    Thanks for the info…I’ll be sure and put it to good use!! You’re smarter than you look and as usual, I’m luckier to be surrounded by those that do than I realize…

  8. Thanks for this. I noticed this issue a while back and thought I had deleted it all. I even had my host upgrade my WordPress installation at the time.

    I’ve since removed what I hope is the last of the cloaked links and asked Google for reinstatement.

    I appreciate the tips and the head’s up from you and your reader Kyle.