Beware Of Canonical Redirect Hacking

May 16, 2011 - 8:54 am 3 by
Filed Under Spam

Google SEO Canonical Tags HackingA year and a half ago Google began supporting the cross domain canonical tag and some people were concerned there would be ways to abuse the system. Well, even Google was concerned, which is why they waited ten months to introduce the cross domain version of the canonical tag.

I've haven't heard much of people complaining that their site was negatively impacted by the tag.

But now, it seems like hackers who focus on SEO hacking, have been recently targeting vulnerable sites and stealing (or hijacking) their traffic with this tag.

A WebmasterWorld thread has well-known moderator, goodroi, reporting he is seeing hackers exploit this tag now.

It isn't an issue with the canonical tag specifically, but rather hackers gaining access to a server and the site's code and basically redirecting the domain name to a third-party site. goodroi said:

I came across a website with canonical tags setup on all of their pages and they were pointing to a spam site. I suspect someone hacked in and changed the canonical tags to siphon link juice. Now that cross cross-domain canonical tags are supported I would not be surprised if this becomes more common.

The canonical tag is a small line of code that is easy to overlook despite its large implications.

It is so important to stay on top of your security patches and make sure your sites are hacker-free - if there is such a thing. The canonical tag is almost as strong and setting up a 301-redirect from a domain to a different domain. So be careful!

Forum discussion at WebmasterWorld.

Update: Matt Cutts of Google wrote a blog post just now on the topic, without referencing either the thread or this post directly, saying:

Another example where we might not go with your rel=canonical preference: if we think your website has been hacked and the hacker added a malicious rel=canonical. I recently tweeted about that case. On the “bright” side, if a hacker can control your website enough to insert a rel=canonical tag, they usually do far more malicious things like insert malware, hidden or malicious links/text, etc.

How would Google know if it is hacked? Well, they are pretty good at knowing that. But also, if the rel=canonical is not in the header, i.e. rather in the body - Google won't trust it. In fact, if you want the rel=canonical to work, Matt recommends you "make sure that the rel=canonical is the first or one of the first things in the HEAD section."

Got that?

 

Popular Categories

The Pulse of the search community

Follow

Search Video Recaps

 
Google Core Update Rumbling, Manual Actions FAQs, Core Web Vitals Updates, AI, Bing, Ads & More - YouTube
Video Details More Videos Subscribe to Videos

Most Recent Articles

Search Forum Recap

Daily Search Forum Recap: March 18, 2024

Mar 18, 2024 - 4:00 pm
Google Updates

Google Urges Patience As The March 2024 Core Update Continues To Rollout

Mar 18, 2024 - 7:51 am
Google

Official: Google Replaces Perspective Filter With Forums Filter

Mar 18, 2024 - 7:41 am
Google Maps

Google Business Profiles Now Offers Additional Review After Appeal Is Denied

Mar 18, 2024 - 7:31 am
Google Maps

EU Searchers Complaining About Google Maps Features Changes Related To DMA

Mar 18, 2024 - 7:21 am
Google

Google Showing Fewer Sitelinks Within Search

Mar 18, 2024 - 7:11 am
Previous Story: Google Panda Kick Online Forums?