What is SEO Spam and How to Fight It

Date aired: February 12, 2019

How does SEO spam get into a website and why? This webinar will discuss what attackers gain from it and how to deal with an attack effectively.

Krasimir Konov - Webinar Profile

Krasimir Konov

Security Analyst – Lead

Krasimir is a Remediation Team Lead at Sucuri. He enjoys researching malware and helping customers secure their websites. He spends most of his time reading and educating himself about security and new vulnerabilities. He was born in Bulgaria but currently lives in the US. Follow him on Twitter at @KrasimirSec.

Questions & Answers

Question #1: When I’m SEO spammed does that mean that I am hacked?

Answer: Yes, usually this means that the website was compromised/hacked unless the SEO spam exists only in the website comments. In that case, your website was most likely just abused and spammed. In order for SEO spam to get into your blog posts or other parts of your website, the website was compromised and files were modified to make those changes and inject the SEO spam.

Question #2: What do you think is the best protection against SEO spam?

Answer: Having a web application firewall is the best way to prevent your website from being compromised in the first place, especially one with virtual patching so that when new vulnerabilities are found in your software, the firewall can patch them before you have time to apply the software patch on the actual site. Keeping your site and any plugins and modules updated is also very important.

Question #3: Does my industry matter to an SEO spammer that tries to come after my domain?

Answer: I don’t think it matters what industry you are in or what your website is about. In most cases, attackers are after low-hanging fruit, they target vulnerable websites that are easy to exploit, no matter the domain or the industry it’s in.

Question #4: Is there a specific CMS more prone to SEO Spam?

Answer: Not really. Any CMS could be a target, but most attackers would go after what is popular. WordPress is one of the most popular content management systems out there so it gets targeted a lot more than others–not because it’s more susceptible to attacks but because it’s more widespread and more users are using it. So there is a higher chance for an attacker to find a vulnerable website and compromise it.

Question #5: From your daily activity cleaning sites, can you speak to which WordPress plugin is a common target for malware that generates SEO spam?

Answer: There is no common plugin or one that’s targeted specifically, it just depends on the most recent vulnerability found. New vulnerabilities are found all the time and attackers use those to compromise website. Obviously, if there is one in a super popular plugin then they will focus on it as it gives them a larger attack surface, more websites to compromise.

Question #6: Does Google always know when SEO spam attacks your site and what to do if not?

Answer: Google does not always know. If they are not aware of it then that’s good, you have time to clean the website, submit a sitemap to Google, and ask them to index the pages from the sitemap. Hopefully you did that before the attackers had a chance to submit their SEO spam pages to Google and by the time Google checks for those pages they would be already gone and will never get indexed by Google.

Question #7: Can you guys talk to Google after cleaning a site to have the SEO rankings restored?

Answer: We have no direct contact with Google in order to ask them to restore rankings or anything like that. We use the webmaster’s console just like a website owner would. We don’t have any special access or line of communication with Google.

Question #8: Thanks for this webinar. When I try to access my WordPress blog, it redirects to a Viagra website. I checked the .htaccess and plugins but could not find where the redirection is hidden. I used the unmaskparasites site you gave. It reported the 301 and 302 redirects but I can’t find them. Can you help me with this?

Answer: We can definitely help with that! It’s hard to say without being able to analyze the website but it’s possible that some core files were modified. This is easy to check and there are plenty of plugins that can help. If it’s not a core file then it’s either a plugin or a theme. I would recommend renaming the plugins directory which would disable all plugins. Then change your theme, or even uploading a new theme, and switch to it in order to determine if it’s a plugin/theme issue or perhaps something else.

Question #9: We recently added firewall through Sucuri to our WordPress website and were unable to make edits to our site within WordPress since the IP Address was changed. Is there a way to work around this so we can have the firewall and the ability to edit our site via WordPress CMS?

Answer: Yes, I would recommend creating a support ticket and one of our analysts will check what is causing this issue. Normally we are able to allowlist the path/file being blocked and this resolves everything. Alternatively, you can get a special URL from our API and bookmark it. This will allow you to allowlist your IP instantly without having to log in every time–you just click the bookmark and the IP is allowlisted.

See all Questions & Answers



Tony Perez – Sucuri Co-Founder

Name: Krasimir Konov – Title: Security Analyst – Lead

Krasimir Konov: All right. Hello everybody. My name is Krasimir. I’ve been working in security for a while now. I really enjoy vulnerabilities, exploits, just reading about and testing them. Anything about security really, is a passion of mine. I also like playing with hardware. I like playing with Raspberry Pi, other small computers, micro controllers, I have a lot of hobbies and projects. Another thing I love is traveling. I love to visit different countries. But, today we’re here to talk about SEO spam.

Krasimir Konov: In this webinar, you’ll learn about SEO spa and what attackers gain from SEO spam and how to deal with attacks effectively. We’ll go into more details about SEO spam, the different variations, and why your website might be targeted. How these attacks are facilitated and how you can determine if your website contains any SEO spam. Obviously, sometimes it’s not so easy. A lot of times, you just see it on the website when you visit one day, and it’s like oh, there’s a lot of spam. In some cases, it’s not so easy. So, we’ll discuss that, and we’ll see how we can determine … yeah. We also will obviously discuss some ways you can protect your website and how to prevent it from being compromised in the first place.

Krasimir Konov: Let’s start with SEO spam and what is SEO spam? SEO spam is usually a combination of links, keywords, and other phrases that are inserted into the website. It could be anything really. In many cases, it would include a link to another website. It could be … they could be doing it just to get people to visit their website, or it could be non-related. But, it most cases, they could include a link to their website, which contains more spam. They’re trying just to get visitors away from your website and into the website they want to promote. From there, it could be anything. It could be they just want traffic. It could be they have malware on their website, and they just want to compromise computers on there. It could be that they’re selling something. It could be some kind of scam or something, pertaining to their selling some product, or inputting their credit card and then it gets stolen or supposedly they bought something, but the product never gets shipped. Yeah, there’s so many.

Krasimir Konov: All right, so I refer to it as SEO spam, because it’s usually crafted in a way that targets specific keywords. These keywords are usually around the link they are promoting, which are attackers trying to push the search engines or sometimes they might not target a search engine and might just be for visitors going to your website. They might not really count on search engines in to index the site, or they may not care that the sight is visible in any search engines. It might not be indexed at all, but as long as they get visitors from compromised websites, they don’t really care, it still accomplishes their goal.

Krasimir Konov: In some cases they want their site to rank in Google, and want it to rank for specific keywords. That’s why they’ll push these specific keywords around the link. It depends on each case. Sometimes they do, sometimes they don’t care. Obviously, a lot of these sites don’t stay long in search engines. So, they might get indexed for a week or a day or something like that and gain a lot of rank. Then, eventually Google will notice that this site is not really legitimate, and some of these back links that they had start disappearing when website owners figure out their website is compromised and start removing them. Eventually, the site will just get de-indexed completely from the search engine, but I’m guessing they don’t care. They’ll just register another domain and just keep going. Just keep compromising more site. Just replace all the links with the ones that are still compromised.

Krasimir Konov: Here, you can see some examples. These are all from Google, but they all look the same. If you look at it through a different search engine. You can see at the top, which is search for site, then the domain, then we can search for a keyword. This is a way you can try and see if you can detect any spam on your website. But, you will have to try different keywords. It can be any key word really, that they’re targeting.

Krasimir Konov: You can see, at the top, this one is more like a Japanese spam advertising Louis Vuitton. You can see, on this one, the domain after the name, you can see that there’s a false/need.php. That need.php file is probably the one that was uploaded there by the attacker, and it’s the one responsible for generating all the spam content. So, they just use that file to just generate random content. That one is probably the file that gets also pushed to Google to index it, and Google starts calling in and that’s how the search results get on there.

Krasimir Konov: On the bottom left, you can see this one is targeting Nike shoes. You can see this one is a little bit different. There’s still spam, but you can see they just targeted random keywords. Sometimes, it will be a whole sentence. Sometimes it will just be like random keywords that don’t make really any sense. But, you can see even though we removed the eventual URL, you can see after that, where it has the I-R-I-K, that’ll be the actual URL on the website. You can see that it was just randomly generated. In that case, you’re not really looking for a particular URL, you might not see it.

Krasimir Konov: On the right side, you can see this one is more carefully crafted. You can see that this one is most likely a work first site. It was targeting Cialis and Viagra and just medical in general. You can see that all of the links there actually make sense, and they’re targeting the content from the article. Like, the Cialis alternatives, these are actually talking about Cialis alternatives. This one is most likely a work first site that was compromised, and literally blog posts were created, and they actually used the specific URL for each blog post, so they can generate these. This is all done automatic, but still, you can see that sometimes they go through a lot of trouble just to compromise a site and make sure that their content gets indexed.

Krasimir Konov: We’ll talk a little bit about how does SEO spam get on your website and why? This is really important. In many cases, it’s just then gets on the website through vulnerability. It could be a lot of things like it depends on your website, but in general, let’s take work first for example, it could be a vulnerability in one of the reportings, or it could be team that you had. You didn’t update it or maybe you didn’t update your workplace in general and there is a core vulnerability that the attacker was using, but you never updated.

Krasimir Konov: A lot of the attackers usually are looking for a low hanging fruit, so they’re not looking for big sites or anything like that. They’re just looking for sites that haven’t been updated in a while. They’ll just scam thousands of them. Yeah, they’ll just look for through like, let’s say you have a list of a million websites that they just got from a search engine or something, or maybe online somewhere, they found a list of word fair sites, and they’ll just go through the whole list with the bot, and the bot will just look for websites and look for does this website have this plugin? Okay, is it vulnerable? Okay. Is if it’s vulnerable, exploit it, if it’s not let’s check the next one. Does it also have this other plug in that’s also vulnerable? Can we exploit it? No. Okay, let’s check the next one. If it finds something, exploits it, moves on to the next website.

Krasimir Konov: There are many ways. Many reasons why attackers might want to distribute SEO spam. Like I said before, they could be trying to get a large number of users to their own website, which would be a scam or sell some kind of product. You know, just traffic. They could also be looking for vulnerable computers that might visit their own website that could say … let’s say you visit the computer, or access the website with your own computer, like your home computer, without knowing that this one is a compromised website. You can then be redirected to another website. It’s their own website, and all of a sudden, this website is scanning your computer, looking if you have an outdated version of windows, or maybe your flash plugin is outdated, or maybe you have some other software that’s running on your computer that’s might be vulnerable to attacks. They’ll look for that. They’ll do a quick scan. You probably won’t notice anything. There won’t be any prompt or anything, oh, do you want to scan your computer? Or something like that, it will just be doing it in the background.

Krasimir Konov: Then, it depends on the attack. Some might be silent. Others might be more obvious. They’ll just flash a window and be like, oh, you need to update your flash player. It’ll be convincing. It’ll look like the real window. You’ll click on it, and suddenly you’re infected. It depends on the attack.

Krasimir Konov: I’m sure everybody’s heard of ransomware. It might be that the attack is targeting your computer just for ransom. It will encrypt all your files and they’ll send you an email or changed your wallpaper or something. Just be like we want $600, let’s say. You just need to send 2 Bitcoins to this address, or we’re just not going to encrypt your file so that you can’t use any of your files. Some people have important things on their computer. Important files that they just can’t get away with not having. They don’t have any backups. So, they don’t really have an option. Some of them actually pay the ransom. Or it could be something else. They might just want your computer just to erase everything for their own.

Krasimir Konov: In some cases, they might just want to turn it into a part of a botnet. A botnet is usually a network of computers that are all compromised. In most cases, users don’t know that their computer is compromised or part of a botnet. There will be a commanding control center that controls all of the bots in the network. Their all the computers that are compromised in the botnet. They can do all kinds of attacks. For example, if your computer is part of a botnet, it can be used along with all the other computers to attack one website. Let’s say there’s a really popular website that makes a lot of sales and sells certain products, and the attacker knows that they’re making a lot of money, so they will contact the owner of the website and they will be like I want you to pay me $1000, otherwise, I’ll take your website down.

Krasimir Konov: Obviously the owner of the website won’t pay them. At least, at first, so they’ll just attack the website. They’ll make so many requests to their website using all of these computers, that the server won’t be able to handle it and the website will just die, just hang, and just nobody will be able to access it. Then, they’ll just keep sending emails and be like, “We want this amount of money, otherwise we will continue attacking the website.” Some users have no choice but to pay the ransom just so they’ll stop attacking their website and leave them alone so they can make sales and sell their product. Yeah, there is a lot of reasons … there’s a lot more reasons. It’s hard to say exactly why they do it. But yeah, it’s never a good reason.

Krasimir Konov: A lot of people are like, “Well, I have a small website. Why would I care of my website is …,” or, “Why would somebody care about my website. It’s so small. I don’t really have a lot of traffic,” or, “I don’t make any money off of it.” Like a personal blog or something. “It’s only my family that visits my site or something. There’s no reason for them to comprise my website. I shouldn’t worry about security and stuff like that.”

Krasimir Konov: But that’s not true. Mostly these attacks are done automatic, so it will be some kind of software. We call it a bot. So they’re not really targeting specific sites. It’s not like your website is more valuable, it might be, but for the most part they don’t really look at that. They’re not going to look into your page ranks or how many visitors you get a month. They’ll just get a list of new websites, and they’ll just keep going and in a matter of a few hours the bot will probably be able to go through all the sites on that list.

Krasimir Konov: If you’re vulnerable, don’t compromise. It doesn’t matter what kind of site it is, it doesn’t matter what kind of content, you have a lot of visitors, not a lot of visitors. Yeah, they’ll just look for something to compromise. Yeah, if it’s vulnerable the bot can exploit it then it will be infected.

Krasimir Konov: So let’s talk a little bit about detecting SEO Spam. This one is a little more tricky. Let’s say you’re not sure if your website was infected. A lot of the times you might see it. It might be related to something else. Let’s say your website was compromised and then it was sending spam emails. Or maybe pages got [inaudible 00:14:45], it was more severe and then one of the symptoms of the compromise was the SEO Spam you noticed, that they also injected SEO Spam into your website.

Krasimir Konov: But in some case you might not see that at all. The website might have been compromised, but the attacker doesn’t want you to know that they compromised the site. Otherwise, you’ll erase the content, right? Or you restore backup or something.

Krasimir Konov: Some of these cases they might just keep silent and just create new pages, like completely new pages that you might not even be able to see in your WordPress. That’s for if you’re using WordPress. Or they’ll just hide them in some subdirectory, just like creating a HTML file and some hidden subdirectory or maybe a directory inside a directory inside a directory. And then they’ll just fill it with spam and links and what not and they’ll just keep it there. Then there’s not going to be any sign on the actual website. If you go to your main website, there’s not going to be a link to that specific page that has the spam. But they still give the link to Google, so Google starts indexing these pages and well, technically they’re still on your website. You might not know that they’re there, but they’re still indexing as part of your website.

Krasimir Konov: And we see that a lot with online essay sites. They do that a lot. I guess trying to get more visitors and trying to rank these essay sites that apparently create real essays for people that don’t want to write them in college and what not. But we see that a lot.

Krasimir Konov: Especially recently there’s been an ongoing trend with online essay sites. Apparently they hire people to just spread their website everywhere. And a lot of the times they’ll just create random pages and just put links to their own site, and you won’t know it unless you search for something specifically like an online essay in then your domain or something then you’ll find it.

Krasimir Konov: So what I recommend is checking this website called Unmask Parasites. It’s a really good website to detect things like that. It can detect a lot of things, but in this case we’re looking for finding hidden links. And you can go to their main website and you can look into their security tools and you’ll find the hidden links to find hidden links. It’s a really nice tool and basically what it does is … I’ll show you.

Krasimir Konov: This is what it looks like when you go to the page. Then you can see it will search for like “Powered by WordPress” and then you’ll search for like “cheap Viagra”, “cheap visas”, or search for like “secret to increase your credit score” or “Viagra strip poker”. All kinds of spam words and any kind of keywords that might be targeted.

Krasimir Konov: Obviously you don’t have to use the same exact ones. You can always click on one that can open in a new window and then move the keywords, insert your own keywords if you want. Don’t use “powered by WordPress” if you have a different site. You can use the technique that you saw before where you do a site and then call in your domain in that space. Then you can put some keywords in there and see if anything pops up if you suspect that something might be injected into your site.

Krasimir Konov: If you have a WordPress obviously, I believe there’s some for Joomla as well, but there’s a lot of plugins that can monitor for file changes and changes to blog posts and things like that. So that’s obviously one way you can monitor.

Krasimir Konov: I mean, these plugins are not bulletproof. They’re not going to detect everything all the time. If a smart attacker goes in, they might disable that particular plugin before it can report to you and tell you that there’s some something, some changes made.

Krasimir Konov: I mean, these are obviously not running constantly, they’re not loading all the time. Let’s say a plugin is on a 15-minute schedule, every 15 minutes it will check for file changes. Well, if your website was attacked and the attacker disabled that plugin within that 15-minute timeframe, the plugin is never going to scan again. So you just won’t receive any alerts or nothing. Yeah, by the time you noticed that the plugin was actually disabled and your website was compromised, then it’s too late.

Krasimir Konov: So I wouldn’t rely on that as a bulletproof way to protect your website, but it’s good to have one just in case something goes in and changes your blog post or plugs into your file. That’s really nice to have that. When it works it’ll alert you right away and then you can then make some changes. Yeah, if you’re in front of the computer or something you can access your website, you can try to suspend the site or limit access to it right away so the malware doesn’t spread and Google doesn’t detect it and it doesn’t get even worse than it already is.

Krasimir Konov: All right. And we should also talk about protecting your website. Obviously keeping your website up to date is the best way. If you have vulnerable plugins or even your WordPress you didn’t update it or you have some other software maybe that’s not related to your WordPress but some third party software that you put on there. A lot of the times we see people they have an old version of their website. They will keep a backup of their old version, maybe they updated to Manual WordPress, or maybe they migrated from Joomla to WordPress, or something like that. Then they just keep this old installation in a folder called backup or something. Then that’s really easy to guess.

Krasimir Konov: Some of these bots will do that. They will look for directories that might be like backup, or maybe like admin, or old, or something like that. You know, different directories that might contain another website and try to compromise it through there.

Krasimir Konov: So we always recommend if you’re not using something, just get rid of it. You can have a plugin that you never use you just disabled it, there’s always threat if it just sits there. Remove it. If you have an old installation that you have in there, if you want to keep it, zip it, use your hosting file manager, zip the directory and then keep the zip file but remove the actual directory with all the files.

Krasimir Konov: Obviously backup is always great to have. It depends on the infection. You can have a backup, but if your website has been infected for months and months, you might have a backup to restore from. So then in that case you might have to clean it and try to salvage as much as possible.

Krasimir Konov: But yeah, having a backup is always a good idea, especially if your database gets infected and things like that, and there’s like thousands and thousands of keywords injected everywhere, it could be almost impossible to replace all of them and to find them. So having the backups just restored into that database is a lot easier than trying to just randomly go through articles and look for any kind of keyword that might be spammed to remove it.

Krasimir Konov: Another thing is obviously having a web application firewall. We recommend having one that does virtual patching. A firewall is always going to be a really good idea. You can protect your website obviously by blocking different attack methods, different exploits. It will scan traffic, so when this traffic passes through it will scan it and it will look for what requests people are doing and things like that, so it can prevent some attacks before they even happen. Like let’s say plugins were updated and if you have a web application firewall, the firewall hopefully will block that attack before it even gets there. Somebody will try to access like a file directly in the plugins directory and give it some random query or something like that, the firewall will detect it and be like, “Why are they trying to access this plugin file directly? I will block it.”

Krasimir Konov: Virtual patching is also really good. For example, our firewall has virtual patching so if we detect any new exploit or maybe a vulnerability in a plugin that was made public, we’ll create a virtual patch for that vulnerability and we’ll put it on the firewall. So even if you weren’t able to update your plugin right away, let’s say you have a big site, and the site was attacked or the site is vulnerable, but you can’t really push a new update because you’re not sure what’s going to happen. What if the site goes down or maybe you have this big plugin that you’re depending on, but you’re not sure what’s going to happen when you push this new update. Maybe it’s not compatible with your version of your PHP, or your server or something, or [inaudible 00:23:47], or you’ve got to make more changes.

Krasimir Konov: A lot of people use a staging environment where they stage the update, test it to see if everything works fine, and then push it through the live website. And that’s a really good strategy that works really well. But it depends on how fast you can do that. I mean, what if you just learned about a vulnerability in one of your plugins, but it was released ten days ago and it’s going to take you a few days maybe to contact your developer, have them go through update it on the staging site and then push it in a few days after some testing. By the time you do that your website might already be compromised.

Krasimir Konov: Yeah, attackers are really fast to pick up on these things. Especially if it’s a vulnerability that was released to the public and even worse if there’s a proof of concept like something that can go on. A lot of times when the new vulnerability is found and released to the public, the person that found it will do a proof of concept. So there will be a simple script that shows the vulnerability. It might not do anything like inject malware, but it will show how the vulnerability works and what not and then super easy for attackers to just pick up on that, just change it a little bit for like half an hour. Make it so it injects some kind of malware or something and just incorporate it into their arsenal they used to compromise websites.

Krasimir Konov: So yeah, by the time you get it updated, your website might already have been scammed and hacked. So yeah, that’s why we always recommend keeping everything up to date, having a backup, and hopefully having a firewall is all that can keep you protected if you can’t act fast enough.

Krasimir Konov: You can see this is a little graphic, the firewall and how it actually works. But yeah, you can see injections, spam, hackers, even Brute-force attacks and bad bots. They go through the firewall which we made in the middle, that will be the network or the firewall, not notes, and then traffic gets discarded. Good traffic goes to the website, so that’s the best way really to protect a website.

Krasimir Konov: So this is the end of the webinar. Yeah, we’ll take some questions.

Valentin Vesa: So, with that said, thank you so much Krasimir, I’m gonna go through some of the questions now. Apparently SEO and specifically SEO spam is a big pain in the we know where, so a lot of the people have questions.

Valentin Vesa: First off, when I’m SEO spammed, does that mean that I’m also hacked or can we say that there’s an equal sign between being hacked and having SEO spam on the site?

Krasimir Konov: Yeah, in most cases, yeah, if you see SEO spam on your website, it’s most likely you’ve been compromised as well. For the SEO spam to get on the website they must have found a vulnerability somewhere. It’s very rare that we see SEO spam that gets through like from the comments. Like let’s say your website accepts comments and somebody just keeps spamming comments on your blog or something like that. Yeah, that’s one way that you can see SEO spam when it’s on your comments, but they’ll be only on particular articles and only in the comment section, so that’s easy. You can just get a plug-in to clean up the comments.

Krasimir Konov: But yeah, if you see like new pages created, or like the spam that gets injected in between your articles words and whatnot, like on the bottom of your articles, not just in the comments, then yes, the website was compromised at some point and yeah, these contacts were injected.

Valentin Vesa: Thank you Krasimir. That’s good to know. What do you think- the next question coming up here, what do you think is the best protection if any, against SEO spam?

Krasimir Konov: I mean the best protection obviously, it’s great to have data read plug-ins, that’s the best way to keep everything secure, but like I said, if you can’t really keep up with that or it takes you a few days, the best protection will be to get a website firewall. But there’s so many out there, you’ll have to evaluate which one works best for you. I recommend one that also does virtual patching, so that when your vulnerabilities get released, these can be patched through the firewall and then you don’t have to worry about them specifically. I mean obviously the firewall blocks attacks, but in most cases it’s generic attacks that they target certain behavior and things like that, so having virtual patching, that’s a lot more targeted so you don’t have to do a firewall database.

Valentin Vesa: And it’s worth mentioning that Sucuri Firewall does virtual patching as well.

Krasimir Konov: Right, right.

Valentin Vesa: Next question, this is actually a very interesting one, does my industry matter to an SEO spammer who tries to come off the micro main?

Krasimir Konov: Yeah, I don’t think the industry really matters. I mean, maybe at some point there might be attackers that targeted a specific industry, or maybe because the website or the product they’re promoting, or let’s say if they’re promoting like essays and they’re trying to convince college students to get free essays from this website or paid essays for somebody else to write an essay for them, then it might target like college websites or something like that or websites that students might go to, but for the most part these bots, these attacks are automated and bots are doing all the work or scripts. It’s all automated, so no, they don’t really care what industry you’re in or anything like that, they just take a large list of sites and just go through them and try to compromise as many as possible.

Valentin Vesa: Yeah, Ruben is asking a question right now that he actually just sent us. I’m gonna skip to it. Apparently, he says thanks for the webinar, so thank you Krasimir.

Krasimir Konov: Yeah.

Valentin Vesa: When I tried to access my WordPress blog, it redirects to a Viagra website. I check the HD axis and plug-ins, but could not find where the redirection was hidden. I used the MS Fireside site you just presented, and it reported a 301 and 302 redirects but I can’t find them.

Krasimir Konov: Right. It can be also a mixed file, some of the core files might have been changed, it doesn’t have to be HD axis file, it can be just the index of HP, or it could be something else hidden. I mean you can see that it’s redirecting, but is it redirecting right away before it loads any content? Or maybe it’s trying to load some kind of maybe let’s say it’s floating the headers section of your team, and as soon as it tries to load it, then there’s a random redirecting there. It’s hard to say exactly what it is.

Valentin Vesa: Well this is something we can definitely fix for him, right?

Krasimir Konov: Right, right. Yeah we can do it.

Valentin Vesa: He can either reach out directly to us via chat or just buy any of the plans and maybe even Krasimir will get to it on the forum on the site, right?

Krasimir Konov: Yeah.

Valentin Vesa: Talking about WordPress, actually Ruben just kind of made the lead in here, and the next question that I have is, is there a specific CMS more prone to SEO spam?

Krasimir Konov: There isn’t really one that’s more prone, like a lot of people mistake… like let’s say they’re looking at statistics and they’re like oh my God, look WordPress has been compromised by this vulnerability or look how many times WordPress has been compromised. But when you look at the whole picture and it’s like well how many sites actually use WordPress? And it will be like some huge number like millions of sites that use WordPress and how many use like Drupal or something? It’s like, well there aren’t that many, so obviously WordPress will be a bigger target because it’s more broadly used. So yeah, for the most part, you see WordPress a lot, but that’s not because it’s more prone. It’s more because it’s so popular and people are using it. There’s always gonna be third party plugins that somebody else wrote, not the core WordPress team. I mean there’s obviously some people that go through them and they try to make them secure, but it’s never like bulletproof. You know you’re installing a third party plug-in on your WordPress site and you hope that it’s secure, but it’s not always possible.

Valentin Vesa: Another question regarding plug-ins, so we’re still in the, let’s say, WordPress universe. From your daily activity cleaning sites, can you speak to which WordPress plug-in is a common target for malware to generate SEO spam?

Krasimir Konov: I don’t think there’s a common plug-in. At one point we had some like a Red Slider that was really popular, and there was a big vulnerability, and then we saw a large rate of websites getting compromised. A few years back we had Tim Thumb that was also being targeted. I wouldn’t say it was specifically for SEO spam. It was more like a really popular plug-in that a lot of people were using and a huge vulnerability was found on it and so we had thousands of websites that were just compromised. Yeah, we were dealing with that for months and months just cleaning thousands of websites. So I can’t say there’s a specific plane that’s targeted right now. We’re doing on this one that’s like a wave right now off of one specific plug-in that’s causing problems. I mean there’s so many sites that publish vulnerabilities and different plug-ins. A lot of them get patched really fast, so no, it’s not really one particular plug-in or anything like that. It’s usually a range of different plug-ins that are just easy to exploit and there’s already a vulnerability public.

Valentin Vesa: Another question regarding plug-ins, so we’re still in the, let’s say, WordPress universe. From your daily activity cleaning sites, can you speak to which WordPress plug-in is a common target for malware to generate SEO spam?

Krasimir Konov: I would recommend yeah, make a ticket and I’m sure one of our guys can figure out what’s blocking, what’s being blocked on the site so you can make regular edits. There’s also another solution, you can use the API that’s integrated into the firewall, so you can literally get a link and then put it on your browser like a bookmark, that link, and every time you click the link it will check your IP, wipe list your IP and then you can make all the edits you want.

Valentin Vesa: I have another one question, there’s too many questions coming in, so we’re really sorry, we’re kind of out of time, but I still want to go through one. It says, does Google always know when SEO spam attacks your site? And what to do if my ranking is still dropped after an attack? So I’m assuming this gentleman’s website is already under attack. So their SEO ranking are down now.

Krasimir Konov: Yeah, Google doesn’t always know, or at least not initially, sometimes it will take some time. Sometimes the attackers will intentionally not want the content to be fixed by Google and they’ll try to block bots. A lot of times Google will find a way to use- they have so many IPs and so many services in different regions that eventually they’ll index the content. But it can take them weeks, it can take them months, you never know. So, no, Google doesn’t always know if there is a SEO spam. Once the problem is fixed, there’s multiple methods that you can try, it depends on how many pages were actually indexed that would have the spam. If it’s only a few, then you can always go through the Google webmaster’s console and try to just de-list those pages. There’s a tool there that you can use to like tell it to remove those pages from the index.

Krasimir Konov: And then you can also submit a site map. The site map, you have to generate it somewhere else, and there’s plug-ins that you can use to generate a site map if you have WordPress. But a site map is just like a map of all your links, that they’ll actually go to pages that are part of your website so then when you submit the site map, you’re telling Google that these are all my pages and outside of that is not on my website. So that also helps, but there is no way to like instantly recover the ranking or something like that. It will still take Google some time to remove some of the links and index the ones that valid and then your rank will go up eventually.

Valentin Vesa: Awesome, that’s good to know. Thank you so much Krasimir. Thank you to everyone who registered, participated today, sent questions in. If you think of questions that you didn’t have time to ask now, or you think you have more advanced or complicated questions, feel free to Tweet us. You see our Twitter handle on the screen right now. Use the hashtag, #AskSucuri, it will get to us. We’ll make sure you get your answers. Again, this recording will be available on our website within a few days and you’ll get an email with slides and everything you followed here. We’ll make sure to have all the links, especially to Greg and everybody that asked how they can access their sites even if they are on the all firewall. Thank you again Krasimir. For those of you who didn’t know, this was Krasimir’s first webinar and I would just want to say, thank you that was really well done. And most likely we’re gonna be back with Krasimir, so stay tuned. Thank you everyone, I’m gonna let Krasimir say goodbye to you and then we’ll see you in about two weeks for another webinar. Thank you.

Krasimir Konov: All right. Bye guys, I can’t wait to see you on the next webinar.

I want to thank everyone for joining us. This is a really exciting period for us to sit down and chat with you on a number of security topics. I want to specifically start on what happens once an attacker is successful, and I think this is an important way to start. I think often we focus too much energy on what are the things we should be doing, but we don’t necessarily know what it is we’re trying to achieve. So a common theme you hear in my conversation – it’s all about mindset.

See Full Transcript


Similar Past Webinars

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.


Picture of presenter of 2022 Website Threat Report Webinar

Webinar – 2022 Website Threat Report Webinar

Join us on April 5th as we cover the latest findings from our 2022 Hacked Website Threat Report. We’ll shed light on some of the most common tactics and techniques we saw within compromised website environments.

Picture of presenter of Virtual Patching Webinar

Webinar – Virtual Patching Webinar

All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.

Picture of presenter of Hacked Website Threat Report 2021

Webinar – Hacked Website Threat Report 2021

The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.

Picture of presenter of Logs: Understanding Them to Better Manage Your  WordPress Site

Webinar – Logs: Understanding Them to Better Manage Your WordPress Site

In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.

Picture of presenter of Personal Online Privacy

Webinar – Personal Online Privacy

In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.

Picture of presenter of Why Do Hackers Hack?

Webinar – Why Do Hackers Hack?

Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.

Picture of presenter of WAF (Firewall) and CDN Feature Benefit Guide

Webinar – WAF (Firewall) and CDN Feature Benefit Guide

A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..

Picture of presenter of Preventing Cross-Site Contamination for Beginners

Webinar – Preventing Cross-Site Contamination for Beginners

Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..

Picture of presenter of Getting Started with Sucuri!

Webinar – Getting Started with Sucuri!

If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..

Picture of presenter of How to Account for Security with Customer Projects

Webinar – How to Account for Security with Customer Projects

Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..