Search engine optimization is a long game. It takes time to build up your content, do your keyword research and win quality backlinks so you can rank organically for those keywords. But then you find your site falling victim to SEO spam, and all your hard work is undone.
Just like that…
So what is SEO spam? How can you tell if it’s happened to your site, and what can you do about it?
What is SEO Spam?
SEO spam is a black hat SEO technique, often carried out as a form of automated cyber attack. By accessing your website through various vulnerabilities, an SEO spam attack can be used to fill your site with strange content, malicious links and even spam malware.
The purpose of SEO spam is usually for the fraudulent party to inflate the search rankings on a website by building backlinks, in bulk, from compromised sites.
Anyone who has worked with SEO will be aware of the importance of backlinks to improve organic rankings. For hackers and spammers, taking a shortcut by creating spammy backlinks means they can see a huge improvement in their organic search engine rankings in a short period of time.
Again, anyone who has worked with SEO will also be aware that this is a very shady black hat SEO technique which will likely incur a number of penalties for the fraudster.
But these spammers are most likely selling their services as search engine marketers, and so all they need is to show quick results and they can get paid. Black hat tactics aren’t important to them in the short term (or at all).
Interestingly, a report from 2018 found that 51% of website hacks are used for, or related to, SEO spam.
Of these SEO hacking attacks, the vast majority affected WordPress sites. In fact, WordPress SEO spam is very much ‘a thing’, as evidenced by the amount of security plugins available on the platform to prevent and clean the aftermath of hacked websites.
How can you spot SEO spam?
In some cases, the effects of SEO spam can be quite subtle. Often a spammer will simply insert a few links into an existing article, or at worst, spoof a page (i.e; create a new page on your site copied from somewhere else) to create a contextual backlink to their target site.
As the website owner, you might not even notice these small infiltrations at first.
However, there are also more aggressive forms of SEO spam such as creating multiple pages and links to sites, ‘cloaking’ and hiding backlinks within the source code of a site.
Some common signs of SEO spam include:
- Links to sites that you don’t recall inserting
- New categories, pages and content that you didn’t post
- Redirects from your site
- Unusual ranking metrics in your research tools
- Content on your site in a different language
Often you will notice the signs of SEO spam if you use keyword research tools such as SEMRush or Ahrefs.
If you use a plugin like Akismet on WordPress (and if you don’t you should), then you’ll probably notice a lot of spam gets picked up.
Check out our article about how spambots damage your marketing and your website.
Common forms of SEO Spam
Although SEO spam tends to be performed for the same reason, by posting spam links and content on your site, there are different practices associated with it.
Cloaking
One of the main practices associated with SEO spam is cloaking. This is where the information presented to the search engine is different to that hosted on the site.
So the page might be about hotel bookings, but the search engine is presented with content about pharmaceutical products.
Cloaking is usually done by creating a new page and creating a redirect so that the search engines scan the hidden page instead of the original. As well as misleading the site visitor, who lands on a page different to the one they might have been expecting, cloaking can also result in Google penalties.
Banner spam
Another sneaky way of stealing some backlinks is by manipulating banners hosted on your site. Ad banners, such as those delivered by Google Adsense, can have code inserted so that the backlink points to the fraudulent site.
This form of banner spam can also be used by affiliate marketing fraudsters to inflate their referral traffic and subsequent payout.
Spammers can even hijack CTA buttons, download buttons and other non-advertising related features on your site for spam SEO purposes.
The Japanese keyword hack
An unusual but common method of SEO spam is to inject Japanese characters and content into a site using brute force. This is usually a method of generating backlinks to scam based sites and can be a bit of a shock when it happens to you.
The giveaway is usually when you notice that your site is ranking for Japanese search terms.
Fixing the Japanese keyword hack is a fiddly task, and usually requires the use of a software product.
Link injection and redirects
Using link injection or spam redirects, a hacker can insert a hidden link or mask a URL within an existing webpage.
A scary aspect of link injection is that there is usually an element of malware on your site. The code used for this malware element is usually embedded in the web page. This means that when a user clicks a link, the malware will insert a spammy link and redirect the user to a scam site.
Google Search Console often flags this up as a threat and messages the administrator. But, with the progression in cyber fraud technologies, you can’t take this for granted.
The damage: Negative SEO
For marketers who have spent their time building up organic search results, the impact of SEO spam can be incredibly damaging.
One of the most obvious results is the problem of negative SEO. This is when black hat techniques are applied to your site which damage your search engine rankings. In short, if you were ranking well for some search terms before, you may find yourself falling quickly off the first page.
And, as you probably already know, getting your organic results back onto page one can be a hard struggle.
The damage: Google penalties
With all this shady SEO on your website, another obvious problem is penalties from Google. If your respectable ecommerce site is suddenly linking to a porn site, scammy casino page or newly set up scam retail shop, you might find Google takes a dim view.
And, of course, Google aren’t weighing this up on a case by case basis. They simply see that your site is full of bugs and links to crappy sites, and… Oh dear. Penalties.
These types of penalties can take time (and a lot of effort) to recover from.
How does SEO spam work?
Like many forms of cyber attack, SEO spam exploits weaknesses and vulnerabilities on your site. This might be a weak password, outdated plugin, or lack of security on your site – for example no SSP.
By using bots to scan your site, hackers can highlight a weakness and compromise the database or CMS. Popular site builders such as WordPress or Shopify can be particularly vulnerable as they use many plugins and the users are often not technically minded.
By not updating security patches when they’re available, or failing to remove old or outdated plugins, website users are leaving an open back door for SEO spam and other types of hacking attack.
Methods to avoid SEO spam on your site
The best way to avoid SEO spam is to make it hard for bots and spammers to get into your site in the first place. In general this means:
- Using a strong and complex password for all your administration logins
- Regularly updating software, plugins and external elements
- Removing any old or outdated plugins
- Using software to prevent bot attacks on your site
Cyber attacks such as brute force logins are one of the easiest ways for attackers to access your site. So strong passwords are an absolute minimum requirement.
Blocking bots with software is also an increasingly essential part of online security. ClickCease’s new Bot Zapping blocks the kinds of bots that carry out SEO spam attacks, amongst other other bot related issues.
If you use a WordPress site, you can use Bot Zapping by ClickCease with your existing subscription, or use it as a standalone service.
How to check your site for SEO spam
Spotting SEO spam on your site isn’t always the easiest thing. As we’ve mentioned, the content can often be hidden.
There are several methods you can use to scan your website for SEO spam.
The manual method
If your site is relatively small, you may be able to easily go through and check on-page elements such as links and content.
Keep an eye out for:
- URLs that shouldn’t be there
- Content that looks like it may have corrupted or been tampered with
- New elements such as iframes (content boxes often used to host videos or ads)
- Forgeign language elements
- Spam comments (usually containing links)
- New footer or header links, or content within existing footers/headers
You can also use tools such as Ahrefs and SEMRush to see if you’re ranking for anything unusual. Most keyword research tools like this have an option to check outgoing links, so take a look through and check for any that don’t look right.
Another way to check manually is to search on Google using the following method:
- Go to Google
- In the search box, type in: “site:yourwebsitename.com intext:searchterm”
Be sure to use the exact formatting as above.
Where ‘searchterm’ is used, you can input one of the many common spammy keywords such as:
- Cialis
- Viagra
- Canadian pharma
- Erectile dysfunction
- Bitcoin
- Crypto
This will display any pages on your site which are ranking in Google for these spam keywords.
As we’ve mentioned though, much of the spamdexing done by these cyber attacks is invisible to us.
So, this means you might need to use the more technical method.
Using software
There are several software packages that are designed to scan for malware, viruses and the results of SEO spam attacks in general.
They’ll usually scan your site and do their thing, much like an antivirus. The best known are:
- Sucuri
- Defender
- Ninja Scanner
Each of these offers a WordPress plugin which can clean your site of damaging SEO spam.
If you’re trying to avoid WordPress SEO spam, make sure to also use software such as Akismet as standard.
The key is bot zapping
Like many forms of damaging attacks online, it all comes down to bots. Hackers target websites with weak security or obvious vulnerabilities, and the easiest way to do this is to deploy bots to find those weak links.
What this means is that any website owner needs to take site security seriously, especially if that website handles customer data or even if it’s your livelihood.
There are plenty of tools available to block bots on your website.
With ClickCease, you can protect bad traffic on your PPC ads. And now you can monitor and block bots and malicious visitors from organic sources too.
Bot zapping by ClickCease provides protection from exactly the kinds of bots that carry out SEO spam attacks before they even happen.
Find out more about Bot Zapping.