Webspam in WordPress Search Results


It was recently discovered that spammers have found a new way to link to their sites using search results on WordPress sites. This has affected many EDU sites.

The good news is that it has been patched in WordPress 5.7. If you haven’t updated yet, this is a great reason to do so. Thankfully, the affected sites were not hacked. This form of spamvertising was only in the search results but can affect your site and organization’s reputation.

How It Worked

By default, the search results page of any WordPress site could be indexed by Google and other search engines. Spammers took advantage of this by crafting search URLs on legitimate sites whose search term was their own spam text and links, and posting those URLs wherever they could. When Google crawled the URLs, the resulting search pages were indexed under the legitimate site's domain, so the spam appeared to come from that site. Those sites were then advertising spam in their own Google search results.

The Solution

The solution was to block search engines from indexing the search results page. It was reported to WordPress in February and a patch was created and implemented with version 5.7 which was released in March.

Details

If you’re interested in seeing how many education websites are affected, you can try the following Google search. It’s alarming.

site:edu inurl:s “buy”

[Image: Example of EDU sites affected by spamvertising]

How it was reported and fixed

You can also view the ticket that was opened with WordPress to see the details of the issue and the solution in action. It’s great to see the open-source community coming up with solutions.

WordPress Ticket #52457

How can you check to see if your site is vulnerable?

You can verify if your site is blocking search engines from indexing your search results page by using the native search feature on your website.

  1. Search for any term using the native search widget.
  2. On the results page, View Source in your web browser. Make sure you are on the search results page, whose URL contains ?s=
  3. Look for the following meta tag. This will show that your site is not allowing search engines to index your search results.
<meta name='robots' content='noindex,follow' />
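The same check can be automated. This is an added example, not code from the original post or from WordPress itself: it fetches the site's native search results page (WordPress uses the ?s= query parameter) and reports whether a robots meta tag with the noindex directive is present, handling both single- and double-quoted attributes. The two embedded HTML samples are constructed for illustration.

```python
import re
import sys
import urllib.parse
import urllib.request

# Any <meta ...> tag; its attributes are inspected separately below.
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
# name=value pairs with double, single, or no quotes.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def robots_directives(html):
    """Return the lower-cased directives from every <meta name="robots"> tag."""
    directives = set()
    for tag in META_TAG_RE.findall(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        if attrs.get("name", "").strip().lower() == "robots":
            for token in attrs.get("content", "").split(","):
                token = token.strip().lower()
                if token:
                    directives.add(token)
    return directives


def search_page_is_noindexed(html):
    """True when the page carries a robots meta tag containing noindex."""
    return "noindex" in robots_directives(html)


def search_results_url(site, term="test"):
    """Build the WordPress native search URL (/?s=term) for a site."""
    return site.rstrip("/") + "/?" + urllib.parse.urlencode({"s": term})


def check_site(site):
    """Fetch the site's search results page and report whether it is noindexed."""
    req = urllib.request.Request(search_results_url(site), headers={"User-Agent": "noindex-check/1.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        html = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return search_page_is_noindexed(html)


# Constructed sample: the tag a patched (WordPress 5.7+) search results page emits.
PATCHED_HTML = "<html><head><meta name='robots' content='noindex,follow' /></head><body>results</body></html>"
# Constructed sample: an unpatched page with no robots directive at all.
UNPATCHED_HTML = '<html><head><meta name="viewport" content="width=device-width"></head><body>results</body></html>'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("noindex on search results:", check_site(sys.argv[1]))  # e.g. https://example.edu
    else:
        print("patched sample:", search_page_is_noindexed(PATCHED_HTML))      # True
        print("unpatched sample:", search_page_is_noindexed(UNPATCHED_HTML))  # False
```

Run it with your site's base URL as the only argument; a result of False means search engines are still free to index your search results page.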

The easiest way to make sure you are protected is to upgrade to WordPress 5.7.

2 thoughts on “Webspam in WordPress Search Results”

  1. We experienced this issue recently.

    One extra step we did was to request removal of the spammy results on Google.

    Google allows webmasters to request temporary removal of pages from its index using the Search Console.
    https://search.google.com/search-console

    About an hour after I submitted the request, we started to see the spammy results disappear. That gave us some breathing room until we could update to WP 5.7.1.