Spammers have found a new way to get high rankings on Google.
The new trick involves hacked websites and the canonical tag. Is your website at risk? What can you do to avoid this?
What exactly has happened?
In an online forum, webmasters reported a new spam method. Hackers inserted the canonical tag into other people's websites:
“I came across a website with canonical tags set up on all of their pages and they were pointing to a spam site. I suspect someone hacked in and changed the canonical tags to siphon link juice.”
The original purpose of the rel=canonical tag is to help website owners eliminate self-created duplicate content. The canonical tag tells search engine spiders the original source of a file.
For example, a search engine robot might visit the web page “www.example.com/page4.htm”. If that page contains the tag <link rel="canonical" href="http://www.originalpage.com/"> then search engines will show originalpage.com in the search results instead of example.com.
If hackers add the canonical tag to your web pages and point it to another website, your website content will help that other website get high rankings while your own website loses all of its rankings.
Matt Cutts: a rel=canonical corner case
“We take rel=canonical urls as a strong hint, but in some cases we won’t use them:
For example, if we think you’re shooting yourself in the foot by accident (pointing a rel=canonical toward a non-existent/404 page), we’d reserve the right not to use the destination url you specify with rel=canonical.
Another example where we might not go with your rel=canonical preference: if we think your website has been hacked and the hacker added a malicious rel=canonical.
On the ‘bright’ side, if a hacker can control your website enough to insert a rel=canonical tag, they usually do far more malicious things like insert malware, hidden or malicious links/text, etc. […]
Should Google trust rel=canonical if we see it in the body of the HTML? The answer is no, because some websites let people edit content or HTML on pages of the site.”
How can you check whether your website has been exploited?
Open a page of your website in your browser and select “View HTML source”. If the head section of the page contains a rel=canonical tag that points to an unknown domain, your website has been hacked.
Unfortunately, hackers might have changed your web server so that it only shows the canonical tag to Google’s indexing robot. In that case, you have to check how Google sees your web pages:
- Download and install iBusinessPromoter (IBP)
- Select “Tools > Search engine spider simulator”
- Select Google’s spider
- Check the HTML source in the spider simulator report for the canonical tag
This works with the free demo version of iBusinessPromoter. You do not have to buy IBP to check your web pages with the spider simulator.
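The head-section check described above can also be scripted. The following Python sketch is an added example, not part of the original article: it parses a page's HTML, reports every rel=canonical tag that points away from your own hosts, and also flags tags outside the head section, which the quoted remark says Google does not trust. The sample pages, the host spam.example.net and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages for illustration; spam.example.net is a made-up host.
OWN_HOSTS = {"example.com", "www.example.com"}
PAGE_URL = "http://www.example.com/page4.htm"
CLEAN = '<html><head><link rel="canonical" href="/page4.htm"></head><body></body></html>'
HACKED = ('<html><head><link rel="canonical" href="http://spam.example.net/">'
          '</head><body><p>text</p></body></html>')


class CanonicalFinder(HTMLParser):
    """Collect every <link rel=canonical> and whether it sits inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []  # (href, in_head) tuples

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # tolerate a missing </head>
        elif tag == "link":
            a = dict(attrs)
            rels = (a.get("rel") or "").lower().split()
            if "canonical" in rels and a.get("href"):
                self.found.append((a["href"].strip(), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_canonical(html, page_url, own_hosts):
    """Return (issue, href) pairs for canonical tags that need a closer look."""
    finder = CanonicalFinder()
    finder.feed(html)
    findings = []
    for href, in_head in finder.found:
        # Resolve relative and protocol-relative hrefs against the page URL.
        host = (urlsplit(urljoin(page_url, href)).hostname or "").lower()
        if host not in own_hosts:
            findings.append(("foreign-domain", href))
        elif not in_head:
            findings.append(("outside-head", href))
    return findings

if __name__ == "__main__":
    print(audit_canonical(HACKED, PAGE_URL, OWN_HOSTS))
```

Run it on the source your browser shows and on the source from the spider simulator report. If only the second one produces a foreign-domain finding, the server is showing the tag to the crawler alone.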
Google is aware of the problem. Unfortunately, it is very difficult to find out whether a webmaster intentionally inserted a canonical tag into a website or whether the tag was inserted by a hacker.