The recent hacking of SEO blogs such as Wolf Howl, BoogyBonBon and Stuntdubl underlined a key point – the vulnerabilities of publishing software that we rely on.
In this incident the hacker was simply desperate for attention, but some hackers will hack sites in order to insert hidden links.
This is something seen increasingly through 2006: insecure websites are ripe for hacking for the sake of link benefits.
One of the more infamous stories came up in September when Donald Trump’s corporate site was found to be filled with hidden pages and links hacked in for pharma products.
However, the problem is much more widespread.
I’ve only seen a couple of my own older WordPress installs targeted like this – and I was usually alerted to their being hacked because the hackers inserted other files – Flash or even malware.
However, it’s well known that worms have been written for the popular phpBB platform and other popular software applications, crawling Google especially to locate potential targets. Bill Atchison has repeatedly documented automated scripts checking servers for vulnerable software installs.
The danger is that it’s going to become more widespread for commercial purposes – and that the SEO benefits of hacking sites are going to create increasing economic pressure for people to do it.
Hacking isn’t SEO
We already see mass vandalism of sites via automated form spamming – hitting blog comments, forums postings, guestbooks, and even contact forms.
Whatever the ethical dimension to this particular method, so far it’s proved difficult to make a legal case for automated spamming.
Not so for hacking.
Regardless of the motivation – whether for ego, boredom, attention, or links – it will never be SEO. It’s simply hacking.
And hacking other people’s sites has no legal grey area – it’s illegal.
Unfortunately, I predicted last year that we would see further hacking activity for SEO purposes, and it’s hard to see the process do anything but gain momentum.
And because of the serious ramifications of illegal hacking activity, it’s important that the SEO industry makes it plain that hacking into servers and hosting accounts can never be regarded as accepted SEO practice. Our industry has a shitty enough name as it is.
Security for webmasters
However, the simplest solution is to get off our lazy backsides and ensure that our own and client sites are secured in the first place.
As a Windows user my approach to security has been inherently lax – I set updates to automatic on the PC, and that’s it. Let Microsoft deal with everything else.
It’s an attitude that has permeated building my own websites. Whenever a new software release is made available, it has never seemed a priority to upload the updated files. Not so now.
I’d already realised the foolishness of this and already scheduled training for my secretary in FTP and software upgrades. The recent SEO blog hacks underline the potential for damage that can occur.
So far Michael Gray and Todd Malicoat have shown strength of character, by privately fuming, but publicly humouring us with images to catch our attention and entertain us from the ugliness of the hacking incidents.
Wolf Howl and BoogyBonBon are already up, hopefully Stuntdubl will be up soon, and WordPress have issued WordPress 2.0.7 to patch the recently exposed vulnerability.
However, unless you’re able to apply professional security solutions, as demonstrated, even installing the latest software versions isn’t always going to protect you from hackers.
Therefore protection of your site data can become a real priority.
Protection of site data
It’s commonly stated that you should have backups made of all your sites. For database driven sites, though, the real Achilles heel is the database itself.
Recovering template files is one thing, but if a hacker can access your site database they can at best mine it for private data, or at worst, simply delete it.
And if you have no recent database back-up, you could be facing a major loss of data.
A simple precaution is to ensure that you use different username/password combinations for your database. You can also automate regular backups of your databases using a cron job, and have the backup emailed to you.
Good if you have lots of small sites, but perhaps not so simple if you have to work with really large databases.
Even so, if you can apply such an option, you may want to consider downloading such backups to an external hard drive attached to your PC, for extra redundancy purposes.
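As an added example (not part of the original post), here is one way to run the cron-driven database backup described above, with the dump checked for truncation and encrypted before it is emailed. It assumes MySQL with `mysqldump`, `gpg` and `mutt` on the server; every path, address and variable name is hypothetical.

```sh
#!/bin/sh
# Added example (constructed): nightly database backup, run from cron as
#   15 3 * * * /path/to/db-backup.sh run        (hypothetical path)
# Every name below is an assumption, not taken from the post.
BACKUP_DIR="${BACKUP_DIR:-$HOME/db-backups}"
DB_NAME="${DB_NAME:-wordpress}"
CNF="${CNF:-$HOME/.db-backup.cnf}"   # chmod 600; [client] user=... password=...
GPG_RCPT="${GPG_RCPT:-backups@example.com}"   # public key imported and trusted
MAIL_TO="${MAIL_TO:-backups@example.com}"
KEEP="${KEEP:-14}"                   # number of archives kept on the server
DUMP="${DUMP:-mysqldump}"

# Dump to $1 (.sql.gz). The password comes from the option file, so it never
# appears in the process list. A dump without mysqldump's closing
# "-- Dump completed" line is treated as truncated and discarded.
dump_db() {
    umask 077
    "$DUMP" --defaults-extra-file="$CNF" --single-transaction "$DB_NAME" > "$1.sql" \
        && tail -n 1 "$1.sql" | grep -q '^-- Dump completed' \
        && gzip -9 -c "$1.sql" > "$1" \
        && gzip -t "$1"
    rc=$?
    rm -f "$1.sql"
    [ "$rc" -eq 0 ] || rm -f "$1"
    return "$rc"
}

# Delete all but the newest $KEEP encrypted archives (names sort by timestamp).
prune_old() {
    ls -1 "$BACKUP_DIR/$DB_NAME"-*.sql.gz.gpg 2>/dev/null | sort -r \
        | tail -n +"$((KEEP + 1))" | while read -r f; do rm -f "$f"; done
}

run_backup() {
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/$DB_NAME-$(date +%Y%m%d-%H%M%S).sql.gz"
    dump_db "$out" || { echo "dump of $DB_NAME failed" >&2; return 1; }
    # Encrypt before the file leaves the server: mail is stored in clear text.
    gpg --batch --yes --encrypt --recipient "$GPG_RCPT" \
        --output "$out.gpg" "$out" || return 1
    rm -f "$out"
    # mutt is an assumption; any mailer that can attach a file will do.
    mutt -s "DB backup: $DB_NAME" -a "$out.gpg" -- "$MAIL_TO" < /dev/null || return 1
    prune_old
}

if [ "${1:-}" = "run" ]; then run_backup; fi
```

Keeping the GPG private key off the web server means a compromised hosting account cannot read the archives it stores or mails.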
Overall
The past couple of days have pushed another ugly face of humanity into the SEO industry.
The important points that I’m taking from this are:
1. SEO must never be associated with hacking
2. Data security has to be an increased priority
While no doubt there are webmasters and SEOs out there who already apply a mixture of simple and complicated security procedures for protecting their data, for the rest of us it’s been a wake-up call to expedite security concerns.
SEOs tend to be problem solvers, having to take on board a whole array of skills and resources to aid themselves and their clients. It looks as though security issues are going to be yet another basic utility to prioritise, for those who haven't already.
SEO isn’t hacking - and data security tips
The author's views are entirely his or her own (excluding the unlikely event of hypnosis) and may not always reflect the views of Moz.
From the tech point of view: is that why SEOmoz is building its own publishing system (instead of using/improving something like WordPress) - to lessen the risk of being hacked?
Building our own publishing system affords us features WordPress doesn't have as well as allowing us to have a single login for all of our tools, community, and so on.
I don't think SEO is defined as being able to manipulate the search results by any means necessary!
In fact if you look up the term SEO in Wikipedia it clearly states that "Search engine optimization (SEO) seeks to improve the number and quality of visitors to a web site from "natural" ("organic" or "algorithmic") search results."
So tell me, how does hacking produce any natural or organic results? Not only that but SEO does have ethics involved. I think the original post said it best:
"hacking other people’s sites has no legal grey area – it’s illegal."
So why would it be categorized with the SEO industry then? Because some person who doesn't have anything positive to contribute to the SEO industry decided to implement certain tactics to help gain temporary results for themselves? It seems to me that it totally contradicts what the real people in the SEO industry are trying to accomplish.
Now, correct me if I'm wrong, I am new to the SEO community/industry, and still have a lot to learn. (First time poster)
Is buying links considered SEO? Those aren't "natural"
SEO is just a word used to describe an action. If you're doing SEO through illegal means or through legitimate means you're still doing SEO. We're really just arguing semantics here, not a big deal.
I will say, however, that hacking for SEO probably doesn't have a lot of long term potential, it seems more like a way to make a quick buck rather than building a solid business model.
Hacking a site for SEO for the long run can have potential. See this at blogoscoped -- it's still online, after at least two years now (and two years of trying to contact a webmaster). The Unesco site is peppered with hidden links that are recognized by the major engines.
Imagine breaking into seomoz.org and adding static links to images used on some major pages... and selling those links to the highest bidder. Even on a SEO site like here I imagine it would last for quite a while, if done properly. Just imagine how long it would last on an average non-SEO site with PR5/6.
Take a good/strong cracker or build a team of them worldwide, let them crack into sites, add a backdoor for link-drops, and sell static links in the network. Breaking in to 5-20 sites/day/person should be no problem - can you imagine the value of those links? It could be worth a lot of money.
I'm not saying blackhat techniques aren't effective in making money, I just think you'll be perpetually fighting an uphill battle. You'll have the sites you're compromising working against you (both legally and technology-wise), you'll have the search engines combatting you with new spam detection algos, and you may even have the state or government creating laws to stop what you do.
You may have a few good months or even years of solid income, but I wouldn't try to build a long term business strategy on it, it's too volatile.
You may have a few good months .... or you may -- like on the Unesco site -- have a few good years. If you check that site, you will find links all over. If you follow up other places where those links are, you'll find a very large network of sites that are already involved and have been involved for a long time now.
The laws might not allow you to hack someone else's site, but who can prove that you paid some off-shore SEO agency to push your site which just happens to employ an army of "consultants" who place these links? It's not magic, there is an exploit for just about any piece of software.
You need to get in once, adjust the templates, done. You can use known scripts to find exploitable hosts with high PR and with a known history of linking to other sites. Adjusting templates needs to be done manually to get the right files and to get a location that carries enough link-value but is not accidentally found.
Imagine if a SEO company could sell a client 100 PR6 links within a week/month - what would that be worth? There's a bit of money involved here... Sites that are willing to take risks might go first (not just porn/pills/gambling, but also affiliates and spammers), but once it is re-sold through SEOs you'll get it for everyone.
Of course far higher risks for the users of any such service - would probably be restricted to pills/porn/gambling.
But hopefully this isn't the direction things will go...
In short; what's ok for one may not be respected and considered by the SEO community itself because it contradicts what the honest people are trying to accomplish (maybe we are trying to set the new standard for "doing SEO"). Some of us are trying to maintain our ethics and honest quality service.
Oatmeal, I love ethical arguments and I'd love to engage you more deeply in this particular one, but I haven't got the time to spare at present.
The bottom line I'm stating is that whatever the motivation for hacking, it cannot be accepted nor referred to as SEO. To do so is to embrace clearly illegal activities as an accepted industry practice.
I cannot kick someone to the ground on the street, demand money from them, and then shove them a gift and call it "business" or "marketing". I think most business/marketing associations would be horrified if it were called so.
Therefore hacking is hacking and, regardless of its motivations, is not SEO.
I think the industry needs to be clear on that - not least because I really think we're going to see the Russian hackers really push on this envelope.
Hacking is not SEO. Even the black hat SEO blogs are under attack from this hacker. Hacking is not SEO, as stated, as much as we would like it to be so we'll beat our competitors, it's not SEO. It's hacking and that guy must need some attention.
Hi all, you have to see this to believe it: Matt Cutts got hacked
https://www.mattcutts.com/blog/
I guess not all SEOs are nice, or is it another April Fools from Google land,
Philski
Like everything there are "levels" to hacking. The kind we've seen over the last couple of days is likely to decrease simply because the motive (links, SEO) won't pay off. The more subtle insertion of links may increase though.
The person behind these recent attacks is clearly more interested in ego gratification.
And I agree, SEO must never appear to be linked to hackers in the mainstream. That will damage us all.
If someone was able to manipulate their search engine rankings through illegal or unethical means, it doesn't change the fact that they were performing SEO. Hacking to achieve rankings is just a means to an end, it doesn't really change the overall definition of what you're doing.
Think about it like a brick and mortar business: suppose one shopkeeper achieves financial success by providing quality service and fair prices, another shopkeeper does it by ripping off customers and cheating on his taxes. Both shopkeepers are still businessmen, they're just going about it differently. I'm not defending illegal activities, I'm just saying it doesn't really change the nature of what you're doing.
I caught another interesting case ... this could hit any of you just as well: https://groups.google.com/group/Google_Webmast...
Someone hacked the binaries of the server, redirected only the visitors with a search-engine referrer (only one time) to a spyware/anti-spyware site.
Do you click your own search results? Is your server running the current version / patched software?
I just came across a nice plugin that can help out the websites that depend on WordPress. The database backup plugin comes standard with a WordPress install, but it just needs to be configured a bit to back up all the database files. This still depends on the user actually backing it up though. Enter WP-Cron. I have not tested it at all, but it looks like it will fit the bill. It currently can be set to back up your database daily, compress it, and then email it to your choice of accounts. It probably won't work well with a large website, as it notes, but I'm sure something similar can be found, or developed quickly, to fit your liking.
This is just an example relevant to yesterday's fiascos, but a data backup protocol should always be in place. It's better to be proactive than reactive.
I know the Microsoft approach isn't really the ideal solution to improved security but for the current state of things it isn't a bad approach.
Some sort of registration process enabling automatic upgrades shouldn't be that difficult to implement and would probably use less bandwidth than your entire userbase downloading your entire package with each minor security fix.
I'm actually curious whether any project has adopted this model.
SEO in highly competitive areas is hacking. How else does one rank for viagra and ringtones?
What happened is horrible and I feel badly for everyone affected. It's also important that we do not push aside the blatant wrongness of such attacks by getting caught-up in semantic discussions like 'what is hacking' and 'what is white hat, grey hat or black hat'.
When we converse about attacks like these, especially in open venues with diverse audiences, it is important to use clear, descriptive and jargon-free language. While hacks might describe malicious and illegal activity to some and the ability to use great outside-of-the-box skills to others, for some hacks is a great series of books.
Great post! The thing that made me most upset about this recent hacking activity is that many people were acting like it was just some type of linkbait and not criminal activity.
I couldn't agree more that "hacking into servers and hosting accounts can never be regarded as accepted SEO practice".