Re: Has my site been hacked?

Hi Mark,

putting noindex into the header is not neccesary anymore, because Shopify updated these pages - 404 errors are the new output.

I don't think anything is put into the theme code. The bug could be perfectly done without any access to the backend. Anyone could create those URLs on it's own and add any type of content. The only things that were needed for an indexation were backlinks as you have mentioned in possibility 1.

I don't see any way to clear the search console - as they are 404 errors right now they might be flagged as 404 errors, which would make the GSC much cleaner. But Google would need to crawl these pages again.

Hi Jen,

this will make it more tricky. You'd need a webdeveloper for this. The search is often blocked by robots.txt, so Google is not able to read a noindex tag, which you could add to the page. As the search is important, Shopify can't put a 404 error on those pages.

What I'd do:

1. Request removal of all URLs starting with https://yourpage.com/search?q= - make sure, that you don't have indexed any search query that is important. You can do that by typing site:https://yourpage.com/search?q= into Google. This removal will expire in a few weeks/months. That's why you'd need to do further things.
2. When there are pages indexed and also blocked by robots.txt, delete the blocking statements in the robots.txt and start the troubleshooting. This will probably take a few days, depending on the amount of pages.
3. After the troubleshooting is done, add the deleted statements to the robots.txt again.

Hi Jen.

I think the following code will output noindex when there are 0 search results.
However, it is not well verified, so if you use it, please check it carefully by yourself.
If you are not sure, please consult with a Shopify partner or expert.

{% if request.path == '/search' and search.results_count == 0 %}
  <meta name="robots" content="noindex">
{% endif %}

Notes.
Shopiyf may add a process to return a 404, which may soon be unnecessary.

Details are on my blog.
But it's Japanese, not English.

https://webutubutu.com/webdesign/11116

ありがとう！

(((Thank you so much!!!!))) I'm going to dig into this now and will come back to let you all know how it went. Also, I'll Goggle Translate your blog. The other code you provided has worked like a charm, so I expect this will do the same. 

Total rock star! Also, if you are available for hire, I'd work with you in an instant. You can look me up on LinkedIn if interested (Jen Degtjarewsky / Jennifer) - Jen@MediaLabOne.com

Hi Everyone - Have spoken to Shopify, who spoke with their dev team and they say this is the preferred solution. I'll post both below for anyone having these issues:

NOTE: Both go in the theme area (theme.liquid) - Line 4, after the  <head> tag.

#1 - Solution for attack on VENDORS page:

{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%} <metaname="robots"content="noindex">{%- endif -%}

#2 - Solution for attack on SEARCH RESULTS PAGES that return zero results:

{% if request.path == '/search' and search.results_count == 0 %}

{% endif %}

CREDIT: Both solutions were created by Jizo_Inagaki who is a rock star in my humble opinion. 💪

Hi JenDeg.

There was a problem with my answer and I thought it would be better to put the code together, so I created the following code.

Problems with my solutions:

• Shopify's robots.txt has the entire search result set to Disallow
• Search engines cannot recognize a noindex on the search results page

Necessary Action:

• Remove Disallow for search results from robots.txt
• Output noindex to necessary pages

■ Caution!

I am not good at writing English, so there may be some writing errors.
Here is how to do it, but failure to do so can cause serious problems.
It is also possible that my code is incorrect.
So if you are not confident in your judgment or skills, please consult a Shopify partner or expert.

■ How to remove Disallow for search results from robots.txt

Be sure to check the following:

• https://help.shopify.com/en/manual/promoting-marketing/seo/editing-robots-txt
• https://shopify.dev/themes/seo/robots-txt?shpxid=c28a2c7d-F5D2-4CC2-E558-8F0B35E3611B#remove-a-defau...

Create robots.txt.liquid and add two lines to the original code as follows.

# we use Shopify as our ecommerce platform
{%- comment -%}
# Caution! Please read https://help.shopify.com/en/manual/promoting-marketing/seo/editing-robots-txt before proceeding to make changes to this file.
{% endcomment %}
{% for group in robots.default_groups %}
  {{- group.user_agent -}}

  {% for rule in group.rules %}
    {%- unless rule.directive == 'Disallow' and rule.value == '/search' -%}
      {{- rule -}}
    {%- endunless -%}
  {% endfor %}

  {%- if group.sitemap != blank -%}
    {{ group.sitemap }}
  {%- endif -%}
{% endfor %}

Code part added:

• {%- unless rule.directive == 'Disallow' and rule.value == '/search' -%}
• {%- endunless -%}

■ How to output noindex to necessary pages

As an example, you can summarize the code for noindex in the head tag as follows

{%- liquid
  assign flag_noindex = false
  case request.path
    when '/search'
      assign flag_noindex = true
    when '/collections/vendors'
      if collection.all_products_count == 0
        assign flag_noindex = true
      endif
    endcase
-%}
{% if flag_noindex %}
  <meta name="robots" content="noindex">
{% endif %}

Operating conditions:

• Output noindex in search results (even if there are more than 1 results)
• Output noindex when there are 0 results in vendor

However, if the status code 404 is returned when there are 0 cases on the vendors page, the noindex for the vendors page is not very useful.
As a small possibility, it may serve as a precautionary measure, though.

Just to be sure, check for yourself that the code works as intended!

Hi Jizo,

Have just printed this out and will dive into this in the morning as it's after 8pm in California right now. Thank you very much for being so thoughtful and kind to help me. I appreciate it so very much. I'm learning quite a lot through working on this and it's great to know there are solutions to foil these hackers and bots! I'll reply after I get it implemented. ~Jen

地蔵さん、こんにちは。

これを印刷したところです。現在、カリフォルニアでは午後 8 時以降なので、午前中に詳しく説明します。私を助けてくれてとても思慮深く親切にしてくれてありがとう。とても感謝しています。私はこれに取り組むことで多くのことを学んでおり、これらのハッカーやボットを阻止するソリューションがあることを知ってうれしいです!実装したら返信します。 〜ジェン

I also like the solution of Jizo_Inagaki. You can go to your Google Search Console if you have already used it and go to Index -> Pages. There could be "Indexed, although blocked by robots.txt file" at the bottom. You can click on that, "Show details" and "Review" after you have done what Jizo_Inagaki suggested - this will make the process of deleting those links faster.

Adding the /search to robots.txt again might make you vulnerable for those kind of attacks to. On the other hand, if you don't disallow the search in your robots.txt, it might lead to a waste of crawl budget. If you are not sure whether to do this or not, you can go to Settings -> Crawling Statistics after you have fixed it to have further insights in what the Google Bot is Crawling.

What about using the removal tool to remove all links with the /collections/vendors prefix for 6 months? Would this mean your site would look 'cleaner' to Google?

Also, the affected site I'm dealing with did have an app installed around the time the issues began so I have deleted that. 

https://search.google.com/search-console/removals 

That would definitely clean the index however i'd consult your Google Analytics data before doing this to make sure that you don't have any vendor URLs actually bringing in traffic and/or sales to your site before you scrap all of them from the index. 

Sorry, probably a very dumb question but the colours of my "robots" and "no index" is black not red and "content" is green. Does this matter?  I'm afraid this is one thing I struggle hugely with! I'm beginning to wish I hadn't looked at my Search Console!

Hi, Many thanks for this as it really has helped me, when I did not know where to turn. I had this problem on my website and did the suggested fix. The dodgy URL's have dropped away over time, although  I am just concerned that this hack could also be used against the search bar. As I have noticed 2 weird searches from the last week in google search console, showing as indexed but blocked by robots. Could this be possible and if so would I need to add code for this also?  Elaine

However, the hack does not solve the problem, it only prevents indexing. Moreover, it is not covered if it is a request.path in another language.

@Shopify: When will you solve the problem to the Vendors Hack finite sustainable?

If anyone wants to dig deeper for the person responsible, I spotted this persons handle in spam links and it took me to this page.  Doubt he's the only one responsible - but maybe on hot lead.  I'd do something, but have no idea where to start...

https://telemetr.io/en/channels/1989706247-kunghac/publish

Unfortunately this doesn't remove them permanently, only for a few months then they get re-crawl

ed

Shopify are you sleeping? I have same problem. What is the reason? How can we fix healthy which not bad effect our Seo. 

This works - thanks! 🙂

Great, thank you. A year ago the same thing was happening to '/search?q=' URLs. Not sure if it's still the case.

That seems to work. Anyway, in our case there are some links, that are blocked by robots.txt, which leads Google not to check the blocked pages for the 404 errors. I'd still do the recommended steps by Vader_art (excluding step 4) to make sure, that everything will be deindexed quickly and correctly.

In our case, we did the following steps additionally:

1. We checked our Search Console for "blocked by robots.txt but still indexed" pages
2. We deleted the following statements in the robots.txt
   Disallow: /collections/*+*
   Disallow: /collections/*%2B*
   Disallow: /collections/*%2b*
   Disallow: /*/collections/*+*
3. We have just clicked "review" in Google Search Console for Google to Check those pages
4. After the check is done successfully, we're going to add the statements to the robots.txt again

Have also noticed that there are now different Chinese spammy url links starting with below.

These seo spammy backlinks are now being targeted to the 'search bar'. Does anyone has that as well / has noticed? ..../search?q=... Almost all of them are blocked, but a handfull went through and is being indexed. Also have reveived from some gmail name called 'Chris Parker', mentioning the site has errors. But as almost none of this spam is being indexed, this will be ofcourse not searchable or vissible for the people that are searching or visiting the site. So most likely it's the person that runs these BOTS.

https://yourdomain.com/search?q=2%E5%8F%B7%E7%AB%99%E5%A8%B1%E4%B9%90%E5%AE%98%E6%96%B9-%E2%9C%94%EF%B8%8F%E6%8E%92%E5%90%8D%E4%BB%A3%E5%81%9A%E8%AE%BF%E9%97%AE%E2%9E%A1%EF%B8%8Fliuhen.vip%E2%AC%85%EF%B8%8F-%E5%BD%A9%E5%AE%9Dapp%E4%B9%B0%E5%BD%A9%E7%A5%A8%E8%B5%9A%E9%92%B1%E6%98%AF%E7%9C%9F%E7%9A%84%E5%90%97-2%E5%8F%B7%E7%AB%99%E5%A8%B1%E4%B9%90%E5%AE%98%E6%96%B9-2%E5%8F%B7%E7%AB%99%E5%A8%B1%E4%B9%90%E5%AE%98%E6%96%B9-%E2%9C%94%EF%B8%8F%E6%8E%92%E5%90%8D%E4%BB%A3%E5%81%9A%E8%AE%BF%E9%97%AE%E2%9E%A1%EF%B8%8Fliuhen.vip%E2%AC%85%EF%B8%8F-%E5%BD%A9%E5%AE%9Dapp%E4%B9%B0%E5%BD%A9%E7%A5%A8%E8%B5%9A%E9%92%B1%E6%98%AF%E7%9C%9F%E7%9A%84%E5%90%97-2%E5%8F%B7%E7%AB%99%E5%A8%B1%E4%B9%90%E5%AE%98%E6%96%B9