Beware Of Canonical Redirect Hacking

May 16, 2011 - 8:54 am 3 by
Filed Under Spam

Google SEO Canonical Tags HackingA year and a half ago Google began supporting the cross domain canonical tag and some people were concerned there would be ways to abuse the system. Well, even Google was concerned, which is why they waited ten months to introduce the cross domain version of the canonical tag.

I've haven't heard much of people complaining that their site was negatively impacted by the tag.

But now, it seems like hackers who focus on SEO hacking, have been recently targeting vulnerable sites and stealing (or hijacking) their traffic with this tag.

A WebmasterWorld thread has well-known moderator, goodroi, reporting he is seeing hackers exploit this tag now.

It isn't an issue with the canonical tag specifically, but rather hackers gaining access to a server and the site's code and basically redirecting the domain name to a third-party site. goodroi said:

I came across a website with canonical tags setup on all of their pages and they were pointing to a spam site. I suspect someone hacked in and changed the canonical tags to siphon link juice. Now that cross cross-domain canonical tags are supported I would not be surprised if this becomes more common.

The canonical tag is a small line of code that is easy to overlook despite its large implications.

It is so important to stay on top of your security patches and make sure your sites are hacker-free - if there is such a thing. The canonical tag is almost as strong and setting up a 301-redirect from a domain to a different domain. So be careful!

Forum discussion at WebmasterWorld.

Update: Matt Cutts of Google wrote a blog post just now on the topic, without referencing either the thread or this post directly, saying:

Another example where we might not go with your rel=canonical preference: if we think your website has been hacked and the hacker added a malicious rel=canonical. I recently tweeted about that case. On the “bright” side, if a hacker can control your website enough to insert a rel=canonical tag, they usually do far more malicious things like insert malware, hidden or malicious links/text, etc.

How would Google know if it is hacked? Well, they are pretty good at knowing that. But also, if the rel=canonical is not in the header, i.e. rather in the body - Google won't trust it. In fact, if you want the rel=canonical to work, Matt recommends you "make sure that the rel=canonical is the first or one of the first things in the HEAD section."

Got that?


Popular Categories

The Pulse of the search community


Search Video Recaps

Video Details More Videos Subscribe to Videos

Most Recent Articles

Search Forum Recap

Daily Search Forum Recap: May 24, 2024

May 24, 2024 - 10:00 am
Search Video Recaps

Search News Buzz Video Recap: Google Ranking Volatility, Ads In Google AI Overviews, Sundar Pichai Interview, Heartfelt Helpful Content & More Ad News

May 24, 2024 - 8:01 am
Google Search Engine Optimization

Google: The Site Reputation Abuse Policy Enforcement Not Yet Algorithmic

May 24, 2024 - 7:51 am
Google Search Engine Optimization

Google Search Can Now Index Electronic Publication (EPUB)

May 24, 2024 - 7:41 am

Directory Of Embarrassing Google AI Overviews

May 24, 2024 - 7:31 am
Web Analytics

Google Analytics Real-Time Reports Adds Users In Last 5 Minutes

May 24, 2024 - 7:21 am
Previous Story: Google Panda Kick Online Forums?