One of the most worrying things about modern WordPress malware is that you probably don’t know it’s there. The best monetization strategies for online criminals rely on stealth. It’s in their interest that the malicious payloads they place on sites are never found. Site owners go about their business, creating and publishing great content, while in the background their infected sites dispense malware and display content about which the owners have no idea.
Your Reputation Is Valuable To Black Hats
SEO spam is content or links injected into web pages with the intention of hijacking a site’s good standing with the search engines to increase the ranking of another site, often a site peddling counterfeit good, pharmaceuticals, or pornography.
SEO spam malware will insert links to the criminal’s sites with keyword-rich anchor text, in the hope that Google will credit those links when ranking the target site. Of course, if a WordPress site owner sees that their site’s header or footer is full of these links, or that their site appears to contain pages of content that they have not created, they’ll be alerted that not all is as it should be. In fact, often it’s in the interest of the malware creators to hide their injected content from everyone except search engine crawlers, which is why much of the malware that infects WordPress sites is conditional.
A Secret Message For Googlebot
Conditional malware contains code that allows the content to be shown only under specific circumstances, the most obvious of which is when the user agent of the client in question matches that of a search engine crawler like Googlebot. Ordinary users don’t see the content, and the hackers are especially careful to make sure that no logged in user will see it.
There are lots of occasions where an attacker might use conditional payloads: perhaps they want to make sure that users only see the content once, or that online malware scanners aren’t able to see it, or that only people from specific geographic areas can see it. But in the case of SEO spam conditional malware, it’s the search engine crawlers who are the intended audience. And, once an infected site has been indexed by the crawlers, it’s going to look very different to the search engines and to searchers than it did before.
The most obvious change will be that the site may start ranking for queries that are unrelated to the genuine content. That can have a negative impact on search traffic, because anyone expecting to see a site covering butterfly migration patterns, for example, isn’t going to be encouraged when they see sitelinks related to viagra. Additionally, having potentially dozens of links to the worst parts of the Internet is going to give Google a bad impression, which will inevitably result in ranking reductions and possibly even penalties.
And, of course, if Google figures out that your site has been hacked, then it will drop it from the index altogether and display a warning to its users that your site isn’t a place they want to visit. All of which could happen before you have any idea that your site has a problem at all.
Uncloaking SEO Spam
Finding conditional malware can be tricky, but services like Sucuri’s WordPress Security increase the chances of malware being found. In the specific case of SEO spam malware, using Google’s Fetch As Googlebot, which is part of Google Webmaster Tools can also be of value.
However, prevention is better than cure, and the best way to avoid malware infection is to follow basic WordPress security best practices: use long and random passwords, make sure your site and its plugins are always up-to-date, and keep an eye on the WordPress security news.
About Graeme Caldwell: Graeme works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, http://blog.nexcess.net/.