Every website on the Internet, no matter how small or large, is under some form of attack by a user-generated content spammer or a spambot.
Increasingly, many of the attacks are focused on hiding links because links are a high-value commodity, fetching hundreds of dollars each. The following solutions will help stop these attacks and keep your site safe from hidden links.
According to internet security company Barracuda, nearly 40% of all internet traffic is generated by bad bots.
If those bad bots are successful, they can negatively impact the search visibility of a website through hidden links to malware and spam.
Many in the SEO community don’t think of website security as an SEO issue.
Consequently, many SEOs working in agencies and in-house don’t make security scanning a priority because it’s not traditionally thought of as part of SEO.
But security quickly becomes an SEO priority the moment a site loses ranking. So, it’s best to be proactive and not reactive.
The best SEOs integrate security into their process, even if it’s only to make sure that the developer team is keeping on top of it.
Here are three ways hidden links make it onto a site and the ways to keep it from happening.
1. Old And Out-Of-Date Plugins And Themes
SEO spammers purchase popular plugins and themes that have been abandoned or are not regularly updated.
The commerce in links is lucrative so it makes financial sense to purchase semi-abandoned themes and plugins in order to add backdoor access for the purpose of adding spam links to the sites.
Wordfence published an article about plugin spammers a few years ago that detailed how the spammers paid $15,000 for just one plugin.
While that sounds like a decent amount of money, it has to be put into context: links can be sold for $500 each.
So, gaining access to 20,000 sites through a single plugin creates a huge opportunity to illicitly sell scores of links on every site that uses that one plugin.
In that scenario, a spammer only needs to sell 30 links to recoup their investment, and the rest is pure profit.
In the attack documented by Wordfence, after purchasing the plugin the new owners updated it to gain access to over 200,000 websites that used it.
Wordfence reported:
“On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included the malicious code… this code allowed the new plugin author… to publish spam content on any site running Display Widgets.
There were approximately 200,000 sites using Display Widgets at the time.”
How To Protect Yourself From Plugin And Theme Spam
Always conduct an audit of plugins and themes that are used on a site. Make sure that the plugin is regularly updated and has not been abandoned.
If the plugin or theme appears to have been abandoned then the safest course of action is to seek out another plugin that is still being actively updated and improved.
Additionally, many plugins need to be updated because the WordPress core, PHP (the software that WordPress runs on), and many popular JavaScript libraries that power themes and plugins are all constantly updated, which means that plugins and themes also need to be updated in order to preserve their functionality.
Most plugins are constantly evolving and improving their usefulness. It’s normal for plugins and themes to be regularly updated, so it can be a warning signal if a plugin has stopped being updated.
The most obvious way to protect yourself from becoming a victim to plugin and theme spam is to audit your themes and plugins at least once a year (twice a year is even better).
Check each plugin and your theme to see when it was last updated.
I know this might sound harsh but another warning sign to look out for is if a theme or plugin isn’t particularly popular. A lack of popularity can sometimes mean that there’s a better software product out there that most people use.
Take some time to investigate if there are better options out there.
Tools To Use To Protect Against WordPress Plugin Spam
Wordfence is a leading security plugin.
One of the main differences between the free and the premium versions is that the premium version is constantly updated for new threats as they happen. The free version is updated for new threats every 30 days.
Both Wordfence free and premium are effective tools to protect against out-of-date or otherwise vulnerable plugins.
Wordfence features a security scanner that helps keep your WordPress site protected.
Wordfence describes the benefits of its security scanner:
“The security scanner included with Wordfence free alerts you when your site is running vulnerable or outdated plugins, themes, or core files.
Additionally, our scanner compares your core files, themes, and plugins with known clean versions in the WordPress.org repository, checking their integrity and allowing you to repair files that have changed by reverting them to a pristine, original version.
The Wordfence scanner also scans file contents for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections, and allows you to delete malicious files.”
Another excellent WordPress security plugin is Sucuri.
Sucuri has a malware scanner that can identify out-of-date software, as well as identify signatures of a compromised WordPress website.
Sucuri lists the benefits of its free plugin:
- Security Activity Auditing.
- File Integrity Monitoring.
- Remote Malware Scanning.
- Blocklist Monitoring.
- Effective Security Hardening.
- Post-Hack Security Actions.
- Security Notifications.
2. User-Generated Content Spam
There are multiple strategies employed by spammers to get their links onto websites, forums, and even on Facebook groups.
Blatant Promotion on Guest Posts, Comments, and Forums
There are multiple forms of user-generated content spam, but one of the most obvious ones is the Win-Win spam technique.
The way this method works is this: a spammer will submit a useful guest post to a website, add a useful post to a forum or Facebook group, or add a comment to a blog.
The spam part of this kind of technique is that they refer users back to their website for a more in-depth answer or they cite their site within the article.
Google frowns on using guest posts for link building. John Mueller is on record stating that guest posting for links results in unnatural links.
Marketers call that a win-win because they say they’re adding a quality link where readers can get an answer.
But one should be very careful to not allow outbound links to any site that uses these tactics to build links.
These kinds of user-generated link building tactics are generally used to promote low-quality websites. Publishers should in general be highly skeptical of publishing guest posts from any unknown individuals.
The way to protect yourself from this kind of spam is to simply ignore unsolicited emails from individuals who are unknown to you.
There’s nothing wrong with guest posting, but when it is done as part of a link building tactic then it crosses the line.
At the very least, if you’re going to publish a guest post, be sure to put a nofollow link attribute on all outgoing links and never give publishing credentials to anyone you do not know well and trust.
Tools To Use To Spot Bad Links
Screaming Frog is a downloadable software program that crawls a website and extracts a variety of useful information.
It is an excellent tool for crawling a website and identifying all outbound links.
Using the tool one can inspect all outbound links on a website and verify if the link is one that you feel comfortable with and whether or not it has a nofollow attribute.
There is a free version that has a limit of 500 URLs and a reasonably priced premium version that will provide countless hours of SEO data to investigate.
Crawling Tip: Whichever version of Screaming Frog you use, be sure to set the User Agent to emulate Googlebot. Sometimes hidden links (from hacked sites) are hidden from everyone except Googlebot.
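The same comparison can be scripted for a single page of your own site. The sketch below is an added example, not part of the original article or of Screaming Frog; the function names and the sample markup are hypothetical, and `check_page` needs network access while the comparison itself works on any two HTML strings.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"

def fetch(url, user_agent):
    # Request one of your own pages while presenting the given User-Agent.
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

class HostCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        try:
            host = urlsplit(dict(attrs).get("href") or "").hostname
        except ValueError:  # malformed href, nothing to record
            return
        if host:
            self.hosts.add(host.lower())

def external_hosts(html, own_host):
    parser = HostCollector()
    parser.feed(html)
    return {h for h in parser.hosts if h != own_host and not h.endswith("." + own_host)}

def googlebot_only_hosts(browser_html, bot_html, own_host):
    # Hosts linked only in the copy served to the Googlebot User-Agent.
    return sorted(external_hosts(bot_html, own_host) - external_hosts(browser_html, own_host))

def check_page(url):
    own_host = urlsplit(url).hostname
    return googlebot_only_hosts(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), own_host)

# Constructed sample: the same page as served to a browser and to Googlebot.
BROWSER_COPY = '<a href="/about">About</a> <a href="https://partner.example/">Partner</a>'
BOT_COPY = BROWSER_COPY + '<div><a href="https://pills.example/buy">cheap</a></div>'
```

An empty result only covers injections keyed on the User-Agent header; code that checks the requesting IP address will serve the clean copy to this script, so Google Search Console's view of the page is still worth checking.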
The WP External Links plugin was produced by the popular Web Factory plugin and theme developer that has been developing free and paid plugins for over 10 years.
Their relatively new external links WordPress plugin was published in June 2021 and was quickly embraced by over 100,000 WordPress publishers.
The WP External Links plugin checks all outbound links and produces a report of where they link to and whether each one has a nofollow. It also provides the ability to add different kinds of nofollow link attributes to various links, like the specialized UGC nofollow link attribute.
This is a useful plugin for auditing all external links.
3. Sneaky Links
Some spammers operate with the assumption that new members are under scrutiny. So, their approach is to hide their links in order to keep the links from being removed.
Here are a few techniques used by sneaky link spammers.
Links Hidden In A Quote
This kind of spam can be hard to notice. What the spammer does is quote a previous post by a member in good standing and then answer that member with a link-free post.
However, what they are doing is altering the quoted post and adding a link to it so that it looks like the trusted member added the link.
A moderator will look at the post and overlook the link in the quoted post, see that the new member didn’t spam, and allow the link to remain since the link was embedded in the post quoted by a trusted member.
Link Hidden In A Punctuation Mark
Some spammers will post a huge comment and somewhere inside that post they will bury a link to the site they’re promoting within a punctuation mark or in one letter.
Link Hidden By Matching Text To Page Color
This technique is literally hiding a link, and it happens on user-generated content posts where the members can change the font colors.
So, if the page background is white, they will add style codes to their post to make the spam link white.
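The three techniques above (a link added to a quoted post, a link on a punctuation mark or single letter, and link text coloured to match the page) can all be checked mechanically on the rendered HTML of a post. The following is an added example, not code from the article or from any forum software; the class and function names, the white-background assumption and the sample posts are all hypothetical.

```python
import re
from html.parser import HTMLParser

COLOR_RE = re.compile(r"(?:^|;)\s*color\s*:\s*([^;]+)", re.I)
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}  # assumed page background
VOID = {"br", "img", "hr", "input", "wbr"}  # tags that never get an end tag

class LinkCollector(HTMLParser):  # each <a href>: text, inherited colour, quote state
    def __init__(self, html):
        super().__init__()
        self.links, self._open, self._cur = [], [], None  # _open: (tag, colour)
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        m = COLOR_RE.search(a.get("style") or "")
        inherited = self._open[-1][1] if self._open else None
        color = re.sub(r"\s+", "", m.group(1).lower()) if m else inherited
        if tag not in VOID:
            self._open.append((tag, color))
        if tag == "a" and a.get("href"):
            quoted = any(t == "blockquote" for t, _ in self._open)
            self._cur = {"href": a["href"], "text": "", "color": color, "quoted": quoted}
            self.links.append(self._cur)

    def handle_endtag(self, tag):
        if tag not in VOID and self._open:
            self._open.pop()
        if tag == "a":
            self._cur = None

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

def audit(reply_html, original_html, background=WHITE):
    trusted = {link["href"] for link in LinkCollector(original_html).links}
    findings = []
    for link in LinkCollector(reply_html).links:
        text = link["text"].strip()
        checks = [("tiny-anchor", len(text) <= 1 or not any(map(str.isalnum, text))),
                  ("matches-background", link["color"] in background),
                  ("added-to-quote", link["quoted"] and link["href"] not in trusted)]
        findings += [(link["href"], why) for why, hit in checks if hit]
    return findings

# Constructed sample: a trusted member's post and a reply that alters the quote.
ORIGINAL = '<p>See the <a href="https://docs.example/faq">FAQ</a>.</p>'
REPLY = ('<blockquote>See the <a href="https://docs.example/faq">FAQ</a><a href="https://spam.example/a">.</a></blockquote>'
         '<p>Thanks!<span style="color: #FFF"><a href="https://spam.example/b">deals</a></span></p>')
```

`audit(REPLY, ORIGINAL)` returns `(href, reason)` pairs for a moderation queue; image-only links also trip the `tiny-anchor` check, so treat the output as a review list rather than an automatic block.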
How To Protect Against Sneaky Links
Akismet Antispam is known as a WordPress spam management plugin.
However, Akismet can also be used for other content management systems, too.
In addition to WordPress, Akismet can protect sites built on:
- Joomla.
- Drupal.
- Perch.
- MediaWiki.
- Moodle.
- phpBB.
- SMF.
- vBulletin.
- Discourse.
- Elixir.
- Piwigo.
Akismet can be used to block spam user signups, protect email forms, and block spam from comments. The Akismet module for MediaWiki can block spam edits to sites built with the MediaWiki CMS.
Cloudflare Web Application Firewall
The Pro, Business, and Enterprise levels of Cloudflare feature a web application firewall (WAF) that protects websites from many of the top intrusion techniques.
Cloudflare’s WAF will protect a site from a variety of attacks that can lead to a full site takeover where a malicious hacker can add hidden links throughout a website.
Use Better Security Challenge Questions
A popular built-in option for stopping spam links is security challenge questions.
One issue is that many spambots are able to answer most questions. The trick to a successful security challenge question is to craft questions that cannot be answered by Google or Bing.
Math questions like what is 1 + 1 are easily defeated.
Similarly, questions like who is the president of the United States are also easily defeated.
Think of questions that can’t be Googled for an answer.
For example, ask new registrations to spell a word but to spell it with the last letter capitalized. Use questions with a twist to fool automated spam software.
If a question can’t be answered by Google, then it’s likely to be impossible for a bot to defeat.
All Sites Are Under Attack
The bigger a site is, the harder it is to spot spam and the easier it is to hide it.
But even small sites are under heavy probing and attack at virtually any moment of the day.
It’s important to set up defenses to block spammers before they have a chance to hide their links on your webpages and quite possibly ruin your rankings.
It’s also important to be aware of the sneaky ways spammers try to add hidden links to a website.
Lastly, it is always a good idea to automatically apply the rel=nofollow link attribute to all user-generated content links which will signal to search engines that those links are not trustworthy and should not be considered.
That way, in the event a spam link does get in through user-generated content, the link itself will not be able to poison your rankings.
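One way to apply the attribute automatically is to rewrite every anchor in a submitted post before it is stored or rendered. The sketch below is an added example, not code from the article or from any CMS; `RelEnforcer` and `enforce_rel` are hypothetical names, and it adds the `ugc` token alongside `nofollow` while keeping any other `rel` tokens already present.

```python
from html import escape
from html.parser import HTMLParser

REQUIRED = ("nofollow", "ugc")  # tokens enforced on every user-submitted link

class RelEnforcer(HTMLParser):
    # Re-emits the markup unchanged except for <a> tags, whose rel is rebuilt.
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            self.out.append(self.get_starttag_text())
            return
        kept = [(k, v) for k, v in attrs if k != "rel"]
        rel = (dict(attrs).get("rel") or "").lower().split()
        rel += [t for t in REQUIRED if t not in rel]
        kept.append(("rel", " ".join(rel)))
        self.out.append("<a " + " ".join(
            k if v is None else f'{k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_startendtag(self, tag, attrs):
        if tag == "a":  # browsers ignore the "/" on <a>, so treat it as a start tag
            self.handle_starttag(tag, attrs)
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def enforce_rel(ugc_html):
    parser = RelEnforcer()
    parser.feed(ugc_html)
    parser.close()
    return "".join(parser.out)

# Constructed sample comment with one link lacking nofollow and one mixed-case rel.
COMMENT = ('<p>Nice post! <a href="https://example.com/?a=1&amp;b=2" rel="noopener">site</a>'
           '<br><a href="/x" REL="NoFollow">y</a></p>')
```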