{"id":28564,"date":"2011-05-20T13:00:00","date_gmt":"2011-05-20T13:00:00","guid":{"rendered":"https:\/\/www.searchenginewatch.com\/2011\/05\/20\/hacked-canonical-tags-coming-soon-to-a-website-near-you\/"},"modified":"2019-04-23T09:30:05","modified_gmt":"2019-04-23T09:30:05","slug":"hacked-canonical-tags-coming-soon-to-a-website-near-you","status":"publish","type":"post","link":"https:\/\/searchenginewatch.com\/2011\/05\/20\/hacked-canonical-tags-coming-soon-to-a-website-near-you\/","title":{"rendered":"Hacked Canonical Tags: Coming Soon To A Website Near You?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"right\" title=\"Canonical Hacks\" src=\"https:\/\/searchenginewatch.com\/wp-content\/uploads\/sites\/25\/cnt-import\/sew\/IMG\/635\/177635\/canonical-hacks-270x167.jpg\" alt=\"Canonical Hacks\" width=\"270\" height=\"167\" border=\"0\" \/>Google recently warned website owners about a trend in which sites are hacked to insert a <a href=\"https:\/\/searchenginewatch.com\/article\/2066270\/The-Canonical-Tag-Can-Save-You-from-the-Duplicate-Content-Monster\" target=\"_blank\" rel=\"noopener\">canonical tag<\/a> pointing at the hacker\u2019s site. Is your site at risk? How can you protect against it?<\/p>\n<p>There&#8217;s a great <a href=\"http:\/\/www.webmasterworld.com\/google\/4311094.htm\" target=\"_blank\" rel=\"noopener\">discussion<\/a> going on over at Webmaster World about this topic. To give credit where it&#8217;s due, it&#8217;s quite a clever attack that, if undetected, stands to pass more SEO value than the vast majority of spam tactics I&#8217;ve witnessed in my decade-plus of experience.<\/p>\n<p>To make sure we&#8217;re all on the same page, let&#8217;s quickly define the canonical tag.<\/p>\n<h2><strong>What is the Canonical Tag?<\/strong><\/h2>\n<p>For years, webmasters wrestled with the issue of duplicate content. 
The majority of these cases were caused by simple product duplication across a series of listing pages.<\/p>\n<p>Let\u2019s say a website sells blue widgets. The same products are listed on one page sorted by size, on another by color, and on a third by price. That&#8217;s three URLs with fundamentally the same content.<\/p>\n<p>Google will try to determine the best page to show in the results. Before the canonical tag, webmasters could not declare that page themselves, so less desirable URLs sometimes appeared in the SERPs.<\/p>\n<p>In 2009 Google <a href=\"https:\/\/searchenginewatch.com\/article\/2052759\/Duplicated-Confusion-The-Canonical-Edict-from-the-Big-Three\" target=\"_blank\" rel=\"noopener\">announced support<\/a> for the rel=canonical tag, which lets website owners place a &lt;link rel=\"canonical\" href=\"&#8230;\"&gt; element in the page head indicating which URL is to be treated as the primary version. Later that year Google announced that the canonical tag would also <a href=\"http:\/\/googlewebmastercentral.blogspot.com\/2009\/12\/handling-legitimate-cross-domain.html\" target=\"_blank\" rel=\"noopener\">work across domains<\/a>, so a webmaster running several sites with similar content can declare that a page is fundamentally sourced from a different domain.<\/p>\n<h2><strong>The Power of the Canonical Tag<\/strong><\/h2>\n<p>For any hack to be worth doing it first must hold value. This leads us to the question of whether exploiting the canonical tag is worth doing in the first place. I found a statement from Google&#8217;s Matt Cutts on a related topic very interesting. 
It takes some reading between the lines, so watch the following video from April 2011 and then read on.<\/p>\n<p><iframe loading=\"lazy\" src=\"http:\/\/www.youtube.com\/embed\/zW5UL3lzBOA\" width=\"560\" height=\"349\" frameborder=\"0\"><\/iframe><\/p>\n<p>You&#8217;ll notice that the video is mostly about the PageRank lost through a 301 redirect and why some loss is necessary, which is interesting but only indirectly relevant. The statement that most closely matches what we&#8217;re asking here comes in the last few seconds, when he compares the strength of the canonical tag and the 301 redirect and states, \u201c&#8230; but as far as the amount of PageRank that gets passed, there&#8217;s not a lot of difference.\u201d<\/p>\n<p>That one video gives two pieces of information about how much weight the rel=canonical tag can pass, and together they lead to a single conclusion. The two pieces of information are:<\/p>\n<ol>\n<li>There is very little strength loss on a 301 redirect.<\/li>\n<li>The amount of strength passed via a 301 and via the rel=canonical tag is virtually the same.<\/li>\n<\/ol>\n<p>The conclusion, then, is that an exploit that inserts a rel=canonical tag onto a page can be a very effective strategy: on par with 301-redirecting the page itself and, from the attacker&#8217;s point of view, \u201cbetter\u201d, because the page keeps serving normally and the owner likely won&#8217;t notice.<\/p>\n<h2><strong>Is This an Issue?<\/strong><\/h2>\n<p>The next question we need to ask ourselves is, \u201cIs this an issue now or just a warning?\u201d The answer is that it is an issue right now. WebmasterWorld user goodroi claims to have seen evidence of this and I have no reason to doubt him \u2013 he knows his stuff; but even if we want to take that claim with a grain of salt, Matt Cutts sent out the following Tweet on May 13th, \u201cA recent spam trend is hacking websites to insert rel=canonical pointing to hacker&#8217;s site. 
If U suspect hacking, check 4 it.\u201d<\/p>\n<p>With that, let&#8217;s assume it&#8217;s an issue, a known issue, and now discuss who&#8217;s at risk and how to contend with it.<\/p>\n<h2><strong>The Hack<\/strong><\/h2>\n<p>Sadly, there is no one hack when we&#8217;re dealing with things like this. Every environment has its own weaknesses, some more than others.<\/p>\n<p>A WordPress blog, for example, has different weaknesses than a custom CMS, which in turn differs from a static site. To be sure, all are vulnerable, and where there are monetary incentives there are people who will look to exploit the situation.<\/p>\n<p>The hardest part is that the offending element is not visible on the rendered page, and unlike malware it will not trigger a warning next to your site in the SERPs. It just sits quietly in the head, passing your strength to another domain.<\/p>\n<p>I haven&#8217;t heard any tales yet of a cloaked hack, but the question was asked in the forum thread whether it\u2019s possible. I&#8217;m familiar enough with cloaking techniques to confirm that it wouldn&#8217;t be that difficult to cloak the tag, so that when you view your source it&#8217;s not there but it appears when <a href=\"https:\/\/searchenginewatch.com\/2019\/03\/12\/robots-txt-best-practice-guide-and-examples\/\">Googlebot<\/a> drops by.<\/p>\n<p>Your only defense is the security of your own site and hosting environment: keep your CMS fully up to date (so stop ignoring that WordPress update notice) and keep the hosting environment secure (have you changed your password since the last time you gave it to a third party?).<\/p>\n<p>These are general best practices against any exploit. 
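<\/p>\n<p>Matt Cutts&#8217; advice to \u201ccheck 4 it\u201d is easy to turn into a script. The Python below is an added example written for this article; it is not the article&#8217;s code and not a Google tool. It parses the served HTML for every link rel=canonical, resolves relative hrefs against the page URL, flags any target on a host you have not declared as your own, and, because the tag may be cloaked, compares the HTML served to a browser User-Agent with the HTML served to a Googlebot User-Agent and reports canonicals that only the crawler sees. The page URL, the sample HTML and the host hacker-site.example are constructed for illustration.<\/p>\n
```python
"""Check a page for a planted rel=canonical, including one cloaked for crawlers.

Added example, not code from the original article or from Google. It assumes you
have the page HTML as served two ways, to an ordinary browser User-Agent and to a
Googlebot User-Agent, so a tag served only to the crawler shows up as a
difference between the two views. The sample HTML, page URL and the host
hacker-site.example below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"


class _CanonicalCollector(HTMLParser):
    """Collect the href of every <link rel="canonical"> in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()  # rel is a space-separated token list
        if "canonical" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def find_canonicals(html, page_url):
    """Return the canonical targets declared in html, resolved to absolute URLs."""
    p = _CanonicalCollector()
    p.feed(html)
    return [urljoin(page_url, h) for h in p.hrefs]


def audit_canonical(html, page_url, trusted_hosts=()):
    """Flag canonical tags that hand this page's ranking to another host.

    trusted_hosts: other hostnames you control and legitimately canonicalize to;
    cross-domain canonical is a supported feature, so only an unexpected host
    is a finding. Returns (targets, findings); empty findings means nothing odd.
    """
    targets = find_canonicals(html, page_url)
    allowed = {urlsplit(page_url).hostname.lower()} | {h.lower() for h in trusted_hosts}
    findings = []
    if len(targets) > 1:
        findings.append("multiple canonical tags (%d)" % len(targets))
    for t in targets:
        host = (urlsplit(t).hostname or "").lower()
        if host not in allowed:
            findings.append("canonical points off-site to %s" % host)
    return targets, findings


def detect_cloaked_canonical(html_browser, html_bot, page_url):
    """Return canonical targets present only in the crawler's view of the page.

    A clean site serves the same <head> to both; a tag that appears only when
    the User-Agent claims to be Googlebot is cloaked and will never show up in
    a view-source check from your browser.
    """
    seen_by_browser = set(find_canonicals(html_browser, page_url))
    seen_by_bot = set(find_canonicals(html_bot, page_url))
    return sorted(seen_by_bot - seen_by_browser)


def fetch(url, user_agent, timeout=15):
    """Fetch url with a chosen User-Agent (network; not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample: the sort-by-price variant of a listing page.
PAGE_URL = "https://www.example.com/widgets/blue?sort=price"

# Browser view: a legitimate self-referencing canonical that collapses the sort
# variants onto one URL (relative href, as many CMSs emit it).
HTML_BROWSER = """<html><head><title>Blue widgets</title>
<link rel="canonical" href="/widgets/blue">
</head><body>listing</body></html>"""

# Crawler view from a compromised site: identical page, but the tag now points
# at a hypothetical attacker-controlled host.
HTML_BOT = """<html><head><title>Blue widgets</title>
<link rel="canonical" href="https://hacker-site.example/widgets/blue">
</head><body>listing</body></html>"""


def run_sample():
    """Audit both constructed views and return what a site owner would act on."""
    _, browser_findings = audit_canonical(HTML_BROWSER, PAGE_URL)
    _, bot_findings = audit_canonical(HTML_BOT, PAGE_URL)
    cloaked = detect_cloaked_canonical(HTML_BROWSER, HTML_BOT, PAGE_URL)
    return {"browser": browser_findings, "bot": bot_findings, "cloaked": cloaked}


if __name__ == "__main__":
    for view, result in run_sample().items():
        print(view, result)
```
<p>Two caveats. A check that only spoofs the User-Agent string will miss cloaking keyed on Googlebot&#8217;s IP ranges or reverse DNS, so also fetch the page through Google&#8217;s own tooling (Fetch as Googlebot in Webmaster Tools) and diff that against your browser view. And a cross-domain canonical is not proof of compromise by itself, since Google supports it for legitimate syndication; the finding is a canonical to a host you did not put there.<\/p>\n<p>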
The current situation is simply notice of another way those weaknesses can be used.<\/p>\n<p>This isn&#8217;t a new issue, and as Matt Cutts puts it: \u201cOn the \u2018bright\u2019 side, if a hacker can control your website enough to insert a rel=canonical tag, they usually do far more malicious things like insert malware, hidden or malicious links\/text, etc.\u201d<\/p>\n<p>Attackers getting in is not new \u2013 what is different is what they do once inside. You may not get a malware warning; you&#8217;ll \u201cjust\u201d notice that all the power of your page is gone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google recently warned website owners about a trend in which sites are hacked to insert a canonical tag pointing at the hacker\u2019s site. Is your site at risk? How can you protect against it?<\/p>\n","protected":false},"author":1092,"featured_media":28565,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[23207,37,2943,227,211,22,11593,1886,303,143],"content_type":[27095],"class_list":["post-28564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-development","tag-canonical","tag-google","tag-googlebot","tag-matt-cutts","tag-pagerank","tag-seo","tag-tag","tag-webmasterworld","tag-websites","tag-wordpress-blog","content_type-news"],"acf":{"tad_independentcommercial":false,"tad_content_format":false},"post_info":{"name":"idris.nagri@blenheimchalcot.com",
"title":"","thumbnail_url":"https:\/\/searchenginewatch.com\/wp-content\/uploads\/2018\/10\/canonical-hacks-370x229-120x90.jpg","category":"Development","timeago":"15y"},"_links":{"self":[{"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/posts\/28564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/users\/1092"}],"replies":[{"embeddable":true,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/comments?post=28564"}],"version-history":[{"count":0,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/posts\/28564\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/media\/28565"}],"wp:attachment":[{"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/media?parent=28564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/categories?post=28564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/tags?post=28564"},{"taxonomy":"content_type","embeddable":true,"href":"https:\/\/searchenginewatch.com\/wp-json\/wp\/v2\/content_type?post=28564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}