rel=canoncial - A new way to get hacked and lose your search engine traffic

Tue, Jun 11, 2013 at 9:00PM

A client asked me to insert a zillow canonical meta tag the other day, and apparently it hijacked her site in Google search results.  Her web site became the zillow link's content instead of her site in Google, yet has the same rankings.   I'm hoping the damage will be undone quickly now that the code has been removed.

The code looked like this:

<link rel="canonical" href="" />

I'm trying to investigate where she got this code snippet from, so I can see if it was a misunderstanding or something written up wrong on

This also made me realize how easily you could lose all your Google traffic if someone is able to accidently or intentionally insert this code on your web site.

If someone inserts this rel="canonical" code in your site, there is no way to see that it has been done, since it's just in the source code.   Perhaps, some people are having their site hijacked like this at this moment and don't even realize it.

If the attacker installs code that allows rel="canonical" to only be visible for Googlebot and other robots, then you wouldn't even notice it in the source code at all.  I've seen Wordpress get attacked with spam links that only were visible by Googlebot in the past, so this is a common practice for malware authors to employ.  They might not even do anything useful with the stolen traffic - they may do it only to destroy your business and send the traffic to some irrelevant untraceable foreign web site.

Now, in addition to all the other web security concerns, you now need to be aware of the dangers of rel="canonical".  If you use third party software like Wordpress, a seemingly innocent plug-in or a security flaw in an old version could cause you to have this happen silently.  Eventually someday, you'd figure out that all your rankings have been replaced by the other web site.  This could go on for weeks or months without realizing it resulting in substantial lost business.

Here's another article that talks about issue as well:

I hope this help someone else avoid the mistake I made and to be on the look-out for this kind of attack in the future if there are any unexplainable changes in traffic or leads.

Anyone who relies on third party software such as Wordpress,  Joomla, etc needs to really think hard about security and take proactive steps to protect themselves.  People should consider auditing the security features of the software, remove unnecessary features, add more custom security, and have a stricter / more automated upgrade process so all the latest security patches are applied to the software and operating system.  

Your company might seem to be super efficient and profitable with all that nice and easy to use third party software  and automated cloud services for most of your web sites, but consider what happens when you fail to secure the applications.  

  • Your clients may lose all their traffic
  • Your server can become a blacklisted spam/malware source
  • You may get hacked repeatedly due to brute force password scripts being run from a hacked Wordpress installation that easily get past your firewall
  • You'll feel crippled with no way to afford fixing dozens or hundreds of sites that were all independently built and all potentially broken / hackable. 

Also a lot of software is not configured for the best security by default, and relying on defaults is usually bad security.  There is so much to be worried about with web security.  You really need to have a long term business strategy that keeps you safer.  I've never had a customer who asked me how I handle security.  Sure, you can go a long time without a security incident, but sometime it just takes one to open your eyes, and re-think your strategy.

You can reduce security risks by using a single installation / single database for Wordpress (or other apps) for all domains, and maintaining it properly.  It's way too hard to maintain separate installations.   It's inevitable to have hacked sites you don't even know about.  Not all plugins will be compatible with multi-tenant versions of the software probably because they may have their own database or file structures that don't have a site id to separate the content.  My Jetendo CMS application uses a single copy of the source code and database for all sites.  Plus it's compiled and deployed as Java classes, so there is no source code for most of the application, which makes it harder to attack.  You can build or adapt an app to have security in mind, you just have to make it a priority for your business.

Bookmark & Share