How To Stop & Fix An SEO Spambot Site Attack via @sejournal, @makhyan
Spambot attacks are on the rise, with 25.6% of all internet traffic coming from bad bots, and increasingly sophisticated methods are used to circumvent common security measures.
Enterprises and small websites alike must stop SEO spambots from derailing their optimization efforts and causing steep drops in traffic and revenue.
If you’ve been a victim of an attack, you’ll find the steps here to recover and restore your rankings.
You’ll learn about smart prevention and high-level monitoring systems, too.
What Is An SEO Spambot Attack?
SEO spambots are much like the friendly Googlebots that you want to crawl your site. However, instead of indexing your content, these bots will use vulnerabilities to infiltrate your website.
Why?
They’re engaging in spamdexing.
Essentially, these spam attacks will use your site in an attempt to rank content that can’t rank otherwise. Bots make hackers a ton of revenue, and their spam tactics cause your site to suffer a significant drop in SEO and revenue.
Additionally, black hat SEO techniques are employed to hide the attack.
A few of the many nefarious things a spambot can do are:
- Content spam.
- Content scraping.
- Credential sniffing.
- SQL injections to update portions of a site.
- Link insertions.
- Redirect generation.
- Google Analytics referral spam.
- User-generated content (UGC) spam.
Often, the main goal of spam is to insert links into your website. Hidden links will help boost the hacker’s website and revenue while damaging your site.
We’ve also seen redirects generated to create false URLs that redirect to the hacker’s website.
In each of these cases, the spambot works to leverage the site for its own gain.
Sometimes, display ads are inserted into a site using an SQL injection, but most of these infiltrations are for links or redirects to a website that, in some way, generates revenue.
Recognizing An SEO Spambot Attack
Spambots work diligently to circumvent your normal detection methods. Links are inserted or pages are created with the greatest effort taken to hide them from the site owner.
Sometimes, you’ll find that your CMS has core vulnerabilities, and you’re just another victim of an attack.
However, a few red flags that something may be amiss are:
- A drop in traffic.
- Random site pages.
- GSC warnings.
- Google Search warnings.
Enterprises and more established websites will have multiple forms of detection, such as:
- Firewalls.
- Logging systems.
- Monitoring systems.
If you’re running WordPress, there are core vulnerabilities that hackers will spot and use to their advantage.
Diagnosing attacks on your site is possible using plugins such as MalCare or Wordfence, both of which add multiple layers of security to your site.
Additionally, you can use Cloudflare to take preventative measures to stop bots in their tracks by using the bot management system.
Step-By-Step Guide To Remedying A Spambot Attack
Remedying a spambot attack requires a few steps that will help you stop the attack and restore your site.
1. Stop Bots From Doing Additional Damage
During the next two steps, your site will remain vulnerable until you determine how the spambot accessed your site and did its damage. Therefore, before scanning your site, you’ll want to put bot protection in place.
Cloudflare’s bot management system uses AI and machine learning to stop bad bots.
The tool will use a three-prong approach to provide real-time protection:
- Behavioral analysis will be used to detect any traffic anomalies.
- Machine learning will use billions of data points to accurately detect bots.
- Fingerprinting will also be utilized to classify bots that have been detected previously.
Rich analytics and logs will add to your site’s security and allow you time to clean up your site.
2. Run A Site Scan To Determine Impacted Pages
Now that your site has a high level of protection in place to stop additional spambot attacks, it’s time to run a scan on your site. We use the word “scan” very broadly because you can:
- Run an analytics report to see pages where site traffic fell drastically.
- Run a scan using Screaming Frog or something similar.
- FTP into your site and scour folders for manually created pages.
You can even go through each page on your site manually, looking at the source code for pages that may have hidden links.
Screaming Frog will also help you find hidden redirects.
If you have logs available, be sure to analyze them to see where traffic is originating and find any pages on the site that may have been created by the bot.
A lot of time will be spent determining what needs to be cleaned up on the site.
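One way to do the log analysis described above, as an added example that is not part of the original article: it lists pages your server returned successfully that are missing from your own page inventory. The inventory, paths, IP addresses and log lines are constructed, and the logs are assumed to be in Combined Log Format.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2")

def unknown_pages(log_lines, known_paths):
    """Pages served with HTTP 200 that are missing from the site's own page inventory."""
    found = defaultdict(lambda: {"hits": 0, "crawler_hits": 0, "first_seen": None})
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]          # ignore query strings
        if path in known_paths or path.lower().endswith(STATIC_EXT):
            continue
        entry = found[path]
        entry["hits"] += 1
        if "googlebot" in m["agent"].lower():      # user-agent match only, not a verified crawler
            entry["crawler_hits"] += 1
        entry["first_seen"] = entry["first_seen"] or m["time"]
    # Most-requested unknown pages first
    return dict(sorted(found.items(), key=lambda kv: -kv[1]["hits"]))

# Constructed inventory and log lines (not from a real site)
KNOWN_PATHS = {"/", "/pricing/", "/blog/seo-basics/"}
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /pricing/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:02:10 +0000] "GET /blog/deals-4821.html HTTP/1.1" 200 901 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.7 - - [12/Mar/2024:10:03:44 +0000] "GET /blog/deals-4821.html HTTP/1.1" 200 901 "https://www.example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:03:45 +0000] "GET /theme/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [12/Mar/2024:10:04:00 +0000] "GET /old-page/ HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:05:30 +0000] "GET /files/promo-17.html?ref=a HTTP/1.1" 200 850 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

if __name__ == "__main__":
    for path, info in unknown_pages(SAMPLE_LOG, KNOWN_PATHS).items():
        print(path, info)
```

Build the inventory from your sitemap or a CMS export; a page that is on neither list but is already being fetched by search crawlers is the first thing to inspect.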
3. Find How The Site Was Infiltrated
Secure sites aren’t infiltrated. For the most part, attacks from spambots look for existing vulnerabilities that you didn’t correct. Sites may have been infiltrated due to:
- Bad plugins.
- Out-of-date software.
- SQL injections.
- Easy-to-guess FTP/Admin passwords.
Your first step is to ensure that all of the software and plugins on your site are updated. Old scripts need to be updated, and if you notice scripts that you didn’t create, delete them.
Spambots may leave a script on your server to regain access to your site in the future.
Working with someone to go through your logs and uncover how the attack unfolded is recommended.
You want to patch up these vulnerabilities before going through the following steps. Cloudflare should add an extra layer of protection, too.
4. Clean Up Top Pages First
Cleaning up your site depends on what type of attack occurred. If your site has user-generated page spam or mass page creation, you’ll need to go through the arduous task of determining which pages are wanted and which aren’t.
You’ll then need to delete these spam-generated pages.
However, you also want to do a few critical things for pages that aren’t generated by spam:
- Analyze your analytics.
- Mark pages that are greatly impacted.
- Start cleaning up your top pages first.
Your revenue-generating pages must be worked on first to help restore their rankings.
When we say “work,” you’ll need to go through all of these pages thoroughly to search for:
Typically, you’ll need to manually clean up and review each page.
Even if a link were simply inserted in the footer of your site, you’d still want to check through all of your pages to ensure that there isn’t something else you’re missing on each page.
Once you’re confident that all of the spam was removed, it’s a waiting game to see what happens to your rankings.
5. Monitor The Site
Monitoring your site should become a part of your daily operations. You’ll want to monitor your site in a few ways:
- Monitor your rankings and analytics for any changes.
- Monitor site logs for suspicious activity.
You must pinpoint how the attack occurred and fix the point of entry. However, there are times when the spambot will put a backdoor on your server, go back in and mess everything up – again.
It’s crucial that you continue monitoring your site for any suspicious activity so that you can remedy issues quickly.
6. Optional: Restore From Backup
If you’re very lucky and catch the attack early on, you may be able to restore your site to its previous state using a snapshot. However, if you have new customer orders or data inserted into databases that have been impacted, this method won’t work.
Unfortunately, your backups will still contain the original vulnerabilities that led to a successful attack.
At this point, your best bet is to restore the site with Cloudflare protection in place and then correct the key vulnerabilities that enabled the attack.
If an attack goes unnoticed for weeks or months, your backups may already be compromised, rendering this solution unusable.
Final Thoughts
Spambots are dangerous because they can go undetected for long periods of time. If a bot slips by and inserts links or content into existing pages, it can quickly ruin your company’s reputation and derail your SEO efforts.
Additionally, these link insertions are often one or two words that are linked to the site, and the text is made to not look like a link.
Identifying an attack of this nature can be extremely difficult.
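To support the manual source review from step 2 and the disguised links described here, this added example (not from the original article) flags external links that are hidden, or styled to read as plain text, by inline CSS on the link or an enclosing element. The host names and HTML fragment are constructed, and the rule list is an assumed starting set rather than a complete one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
# Inline-style rules that hide an element or make a link render like plain text
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?<![-\w])(?:font-size|opacity)\s*:\s*0(?![.\d])"
    r"|(?<![-\w])(?:left|top|text-indent)\s*:\s*-\d{3,}|(?<![-\w])color\s*:\s*inherit", re.I)

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.stack = []      # (tag, matched hiding rule or None) per open element
        self.findings = []   # (href, reason) per suspicious external link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        m = HIDING.search(attrs.get("style") or "")
        reason = m.group(0) if m else None
        if tag == "a":
            host = urlparse(attrs.get("href") or "").hostname
            inherited = next((r for _, r in reversed(self.stack) if r), None)
            if host and host != self.own_host and (reason or inherited):
                self.findings.append((attrs["href"], reason or f"inside element with {inherited}"))
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html, own_host):
    finder = HiddenLinkFinder(own_host)
    finder.feed(html)
    return finder.findings

# Constructed page fragment (hosts are placeholders)
SAMPLE_HTML = """
<p>See <a href="/pricing/">pricing</a> and the <a href="https://partner.example/docs">partner docs</a>.</p>
<p>We ship <a href="https://spam.example/x" style="color:inherit;text-decoration:none">worldwide</a>.</p>
<div style="position:absolute; left:-9999px"><a href="https://spam.example/y">deals</a></div>
<footer><a href="https://www.example.com/about" style="display:none">about</a></footer>
"""
```

Only inline `style` attributes are checked, so links hidden through a stylesheet class still need a rendered-page comparison; treat each finding as a candidate to review, not a verdict.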
We’ve also seen spambots generate thousands of pages on a site, using physical files, so the new posts never appear in a CMS dashboard.
Clearing out spam at this level took two full months, so there was significant damage to the client’s website.
Stopping an SEO spambot attack requires attention to detail and intensive monitoring. Cloudflare is a good option along with multiple levels of firewalls, logging, and monitoring systems to thwart spambot attacks.
You’ll also want to consider user controls and access and work on other ways to harden your website’s server.