Hello!
Today, we discovered an unused URL on our site: /collections/vendors
This URL path exists on every Shopify site, and it can be a huge security hole.
This path takes a querystring parameter (q) and allows you to override content (titles and page details). As a "feature", it allows you to create customized pages for partners and vendors. For a link hacker, it is a pathway to filling up Google with bad content under your website.
Here's how it works:
1. Hackers create links on a website
2. Google eventually picks up the links
3. The Google index eventually displays those links
Here are a few discussions about this:
So, what should YOU do? If you are not using /collections/vendors, you should zap it from your site:
1. See if your site is currently displaying something really scary on /collections/vendors... To check this out, go to https://yoursite.com/collections/vendors?q=SCARY+THING+ANYONE+CAN+DO+TO+MY+SITE
If you see that scary text, you are vulnerable...
2. In the Shopify Admin, go to Online Store > Navigation and then use the View URL Redirects link at the top of the page. Redirect /collections/vendors to /404
3. Edit your theme.liquid file. Add the following in the <head> section:
{%- if request.path == '/collections/vendors' -%}
<meta name="robots" content="noindex">
{%- endif -%}
4. Consider creating a custom robots.txt file. This is a bit more complicated. Basically, you go into the code of your theme and add a new template. Robots.txt should be one of the options. This will create a custom version in your code base. Once you have that, you can add:
{%- if group.user_agent.value == '*' -%}
{{ 'Disallow: /collections/vendors*' }}
{%- endif -%}
This should tell all search engines to ignore content within /collections/vendors.
5. Consider editing your collections.liquid and theme.liquid to protect the <title> element of the page and the body content of the page (typically anywhere where collection.title is used in the code).
6. Check to see if your website has already been a target. Go to Google and search for "site:yourstore.com/collections/vendors" (minus quotes)
If there are lots of bad URLs, taking the steps I've outlined above should help. You can also log into the Google Search Console and request immediate removal of all links that begin with https://yoursite.com/collections/vendors
Just make sure you do that last bit correctly or you'll zap your whole site from Google (bad!)
Want to know how many brands may be impacted? Here's a google search: https://www.google.com/search?q=%2Fcollections%2Fvendors+m642.com
Thank you so much for the heads-up. I had no idea this was even an issue. I will be making changes to our site; hopefully others do the same!
My pleasure, Threed! There are soooo many Shopify customers impacted by this. The exploit has been around for a long time too. There is zero reason for this. Zero!
Thanks Jamie! Shopify should be paying you for finding this hole.
Thank you! I've got 3,070,000 results. Google SC has been giving me high fives for the massive increase in traffic from the far east so I knew something was wrong. I've done everything on your list... I was wondering how I go about No. 5? Your instructions are pretty plain English and much appreciated!
Glad I could help!
For number #5, the first thing to note is that the q parameter overrides the title of the collection when the path is /collections/vendors. So, anywhere your theme uses something like collection.title you should wrap it with a conditional clause that looks for /collections/vendors and then does something else.
For my theme that meant a change to the main theme.liquid file and another in something called collection--header.liquid. My guess is that theme.liquid will apply to pretty much every site. The collection page itself though probably has a unique structure.
theme.liquid - Find your <title> section. If you already have conditions there to display different text, you'll want to expand it with an elsif statement like I did below:
{% if request.page_type == 'index' %}
<title>{{ page_title }}</title>
{% elsif request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}
<title>{{ page_title }} | {{ shop.name }}</title>
{% endif %}
For the collection page itself (collection--header.liquid in my case), I wrapped the use of collection.title with an if statement like this:
{%- if request.path != '/collections/vendors' -%}{{ collection.title }}{% endif %}
If your site is the one I think it is (I did a quick google search), you will want to look for the template that has an h1 tag with the class of "collection-hero__title".
I would also recommend just bringing up the /collections/vendors page with a q parameter that is easy to identify and then look at the resulting HTML code. For example, /collections/vendors?q=ARGHHHH Then when you view code, you can look for ARGHHHH and track down all the instances in your theme where it might appear and escape them out using the techniques above.
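The check described in step 1 of the original post and the ARGHHHH trick above (load /collections/vendors?q=<marker> and hunt for the marker in the returned HTML), together with the robots.txt rule from step 4, can be scripted so you can re-run it after every theme change. The following is an added example written for this thread, not code from the original posts or from Shopify: given the HTML your store returns for the probe URL and your robots.txt body, it reports every element that echoes the marker, whether a robots noindex meta tag is present, and whether the '*' group disallows the path. The store name, the marker and the two HTML pages are constructed samples.

```python
# Added example for this thread (not from the original post or from Shopify):
# an offline audit of the /collections/vendors?q= reflection. Feed it the HTML
# your store returns for the probe URL plus your robots.txt and it tells you
# where the marker is echoed, whether the page is noindexed, and whether
# robots.txt disallows the path. All inputs below are constructed samples.
from html.parser import HTMLParser
from urllib.parse import urlencode

MARKER = "ARGHHHH"  # easy-to-grep marker, as suggested in the thread
VOID = {"meta", "link", "br", "img", "input", "hr", "base"}  # never closed


def probe_url(store, marker=MARKER):
    """Build the probe URL for a store (store name is an assumption)."""
    return f"https://{store}/collections/vendors?" + urlencode({"q": marker})


class _ReflectionScanner(HTMLParser):
    """Record which elements contain the marker and whether a robots
    noindex meta tag is present."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.stack = []    # open element names, innermost last
        self.hits = set()  # element names (or meta[name]) echoing the marker
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            name = (a.get("name") or "").lower()
            content = a.get("content") or ""
            if name == "robots" and "noindex" in content.lower():
                self.noindex = True
            if self.marker in content:
                self.hits.add(f"meta[{name}]")
        elif tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.marker in data and self.stack:
            self.hits.add(self.stack[-1])


def find_reflections(html, marker=MARKER):
    """Return {'reflected_in': [...], 'noindex': bool} for one HTML page."""
    scanner = _ReflectionScanner(marker)
    scanner.feed(html)
    scanner.close()
    return {"reflected_in": sorted(scanner.hits), "noindex": scanner.noindex}


def robots_disallows(robots_txt, path, agent="*"):
    """True if the group for `agent` has a Disallow whose prefix matches
    `path`; a trailing '*' is treated as a wildcard, as Google reads it.
    Minimal parser: Allow precedence is not modelled."""
    applies = prev_was_agent = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not prev_was_agent:  # first user-agent line opens a new group
                applies = False
            applies = applies or value == agent
            prev_was_agent = True
            continue
        prev_was_agent = False
        if key == "disallow" and applies and value:
            if path.startswith(value.rstrip("*")):
                return True
    return False


def audit(html, robots_txt, path="/collections/vendors", marker=MARKER):
    """One verdict per page. 'exposed' means the marker is echoed and the page
    is not noindexed; a robots.txt block is reported separately because it
    only stops crawling and does not de-index pages already in Google."""
    found = find_reflections(html, marker)
    found["robots_blocked"] = robots_disallows(robots_txt, path)
    found["exposed"] = bool(found["reflected_in"]) and not found["noindex"]
    return found


# Constructed samples: a vulnerable theme, a patched theme, and a robots.txt
# carrying the rule from step 4 of the original post.
VULNERABLE_HTML = f"""<!doctype html><html><head>
<title>{MARKER} | Example Store</title>
<meta name="description" content="{MARKER}">
</head><body><h1 class="collection-hero__title">{MARKER}</h1>
<p>No products found.</p></body></html>"""

HARDENED_HTML = """<!doctype html><html><head>
<title>Example Store</title>
<meta name="robots" content="noindex">
</head><body><h1 class="collection-hero__title"></h1></body></html>"""

ROBOTS_TXT = "User-agent: *\nDisallow: /collections/vendors*\n"

if __name__ == "__main__":
    print(probe_url("example.com"))
    print(audit(VULNERABLE_HTML, ""))
    print(audit(HARDENED_HTML, ROBOTS_TXT))
```

To use it against a live store, fetch the probe URL with your HTTP client of choice and pass the response body to audit(); every entry in reflected_in is a place in your theme where the q parameter is still being printed and needs the conditional wrapper shown above.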
Thank you!
Hello! I was curious if you could help me with this code placement:
{% if request.page_type == 'index' %}
<title>{{ page_title }}</title>
{% elsif request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}
<title>{{ page_title }} | {{ shop.name }}</title>
{% endif %}
This is the only code I can see that has <title> in my site code:
<title>
{% if template contains "index" %}{{ page_title }}{% else %}{{ page_title }}{% if current_tags %} {{ 'general.meta.tagged_html' | t: tags: meta_tags }}{% endif %}{% if current_page != 1 %} {{ 'general.meta.page' | t: page_number: current_page }}{% endif %}{% unless page_title contains shop.name %} - {{ shop.name }}{% endunless %}{% endif %}
</title>
Does the elsif statement go after it?
I'm not a coder and desperately want to fix this issue on my site. I was able to successfully implement your steps at the top of the thread. Just confused about this part. Thank you so much for your help!
Hey, Tony!
You should be able to use a slightly modified version like this:
{% if request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}
<title>
{% if template contains "index" %}{{ page_title }}{% else %}{{ page_title }}{% if current_tags %} {{ 'general.meta.tagged_html' | t: tags: meta_tags }}{% endif %}{% if current_page != 1 %} {{ 'general.meta.page' | t: page_number: current_page }}{% endif %}{% unless page_title contains shop.name %} - {{ shop.name }}{% endunless %}{% endif %}
</title>
{% endif %}
@Jamie_Grove Thanks so much for this response!
One last question:
{% if request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}
Confused about "Name of Your Site".
Should this stay as is? Or do I replace it with my shop name?
Thank you!
Shopify is completely ignoring this and they're recommending "no action is the best action." Do NOT do nothing about this - it will destroy your AS and heavily impact your rankings.
The robots.txt won't be effective if the pages are already indexed, since it stops Google from crawling these pages and so from finding the 'noindex'. Robots.txt is also only a recommendation and Google will ignore it from time to time. Also, if you're using vendors, you can enter the following code and it will 'noindex' /collections/vendors pages that have no products in them, past and future. Enter it in the <head> section of your theme.liquid file - I put mine right above </head> so it's easy to find for future updates.
{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
You can verify the code is effective in Search Console by 'testing live URL'. It will take time for Google to recrawl these pages, but it should slowly remove these from being indexed and affecting your site.
Shopify is dropping the ball on this hard.
Hey, everyone.
Thank you for flagging this issue in the Community. We have raised the issue with our developers for further review. We do not have a timeline on the fix, however, I will provide an update once this has been resolved.
I would encourage you to view our top related threads on this issue that provide viable workarounds:
Trevor | Community Moderator @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
But the hack does not solve the problem! It only prevents the indexing. Moreover, it does not cover the case where request.path is in another language.
For vendors:
{%- assign targetPath = '/collections/vendors' -%}
{%- if request.path contains targetPath and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
For search:
{%- assign targetPath = '/search' -%}
{%- comment -%} On /search there is no collection object, so a test on collection.all_products_count never matches; use the search object instead. {%- endcomment -%}
{%- if request.path contains targetPath and search.results_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
Hello, again!
Our developers have recently shipped a change that will generate a 404 page if the vendor is unknown (based on query string). The change will block it from indexing on Google. These changes will only apply to vendor pages, but our teams will investigate whether other pages may be vulnerable to this abuse.
This change is rolling out platform-wide as we speak, so it may take some time for you to see these changes implemented. However, moving forward, this should help mitigate the ability spammers have to take advantage of the query print-out to advertise their spam links.
Trevor | Community Moderator @ Shopify
That's good news, Trevor. It would be really great if they just added an option in the admin to turn off the /collections/vendors page entirely since the scope is not one we can access. It was a huge surprise to find a page that was completely out of my control on the site. I'm sure other merchants are equally surprised when they find out.
We have had this appear on our sites (Google says in October).
SERPs for valid pages appearing with Google translation options, and then around a thousand of the vendor-related URLs.
At the moment, if I click them from Search Console they seem to go to a 404 page.
Is that considered fixed, as the threads that have been recommended are full of many band-aid fixes?
Also, now in Search Console as of the 18th we are getting URLs containing "[email protected]/sandbox/products/........"
There is a thread on this here:
Shopify Bug - Web Pixels Manager Sandbox
My question is, where is the best place to read a statement from Shopify addressing these bugs, assuring Shopify customers that they are being fixed and that Google search ranking etc. should not be affected further?
The web-pixels-manager bug is a new one on me. I only have a single entry now but I’ve gone ahead and blocked it in my robots.txt and in the search console as a precaution. Thanks for pointing that out!
If the other URLs on your site do go to true 404s then I would assume that the problem will resolve itself in the Google index over time.
Hi, sorry, I've just noticed this one too. Can you explain how I do this, please? This isn't my forte and Shopify seems to have too many bugs at the moment. I was on live chat for over an hour re the collections/vendors thing. They said it was nothing to do with them and to hire an expert!
Try checking the links directly on your site. I just received a message this week from Shopify that says they are rolling out a fix to block these URLs across all sites. If this update has reached your site, you should get a page not found message when you try to visit one of the links. If that happens, Google will pull them out of the index in a week or two.
I totally agree; just write a new comment on this conversation:
https://community.shopify.com/c/shopify-discussions/website-hacked-help/td-p/1748004/page/8
To summarize, we have:
- Bug with URL /search?q=
- Bug with URL /collections/vendors?q=
- and now a bug with false URLs containing "[email protected]/sandbox/products/........"
Each week we have a new attack!
What is Shopify doing to:
- prevent these issues
- give the community a clear technical answer on all of these problems?
Our Search Console is a disaster!
Thank you, Shopify, for doing what you must do: help your customers. We all face SEO difficulties because of this.
It looks like the issue hasn't been fully addressed yet, if this thread is an indicator: https://community.shopify.com/c/shopify-discussions/guidance-required-japanese-chinese-spammy-keywor...
User said that the spam page indexes went down a little at first, but are now rising. Do you have any advice?
EDIT: Sorry, meant to directly tag @Trevor
@Trevor What is the status of this issue? The spam links are still increasing on my site and support chat doesn't even want to acknowledge there is an issue? What is being done to resolve this or what is the official Shopify statement on how a user can resolve this? Very annoying
Update: Looking at Google Search Console, I found that we jumped from around 2,000 pages indexed to over 6,185,166 in the space of a week at the end of December. Yes, that's millions of fake pages created by this exploit...
4,655,957 pages are now blocked by the change I made to robots.txt and 1,119,902 are crawled but not indexed (likely due to my block).
Hey @Jamie_Grove ,
thank you so much for this post.
I reported/described this issue weeks ago, as I had discovered tens of thousands of URLs in GSC.
Shopify's response was useless, and I had no idea about the intention of these q param URLs.
UPDATE
I heard from the Shopify dev team this week… A fix is going in now and will be rolling out to every site very soon. The fix will send all requests to the vendors page to a 404. This should clean up all spam links in Google within a couple weeks (once it hits your site).
Hi
News about this?
I have 255,000 pages on GSC 😞
I'm not sure if they've rolled this out or what, but I do know that if you follow the steps I outlined you can get rid of those entries. Worked for us.
This happened to us. Our non-indexed page count is 140,000 and climbing. In SEM rush, I found over 14,000 domains backlinking to collections/vendors. Started in January and really ramped up in May. They're continuing to make new backlinks so either they haven't realized it's not working or we don't fully understand the scam. This is out of my wheelhouse, so forgive me if this is a stupid question, but is there a way to remove the pages rather than just making them invisible to the crawler? It really bugs me seeing them in GSC and at the rate they're being added, disavowing the links is going to get old fast.
Hello, @Trevor can I ask what is the status of this? From the thread, it looks like a fix was being rolled out in Feb/March but we haven't heard anything about the fix at all and our store had the very same issue with its collections/vendor page over the weekend.
Also, are Shopify working on a proactive response to this happening on any other pages, collections, products, etc?
Just to follow up on @JamieMcKay last post. @Trevor please give us an update on a fix to this vulnerability. It is affecting thousands of Shopify users. How can we trust @Shopify secure service if they can't keep our sites safe? This has affected our site since last year. We have gone through the Google disavow process, but this is a @Shopify issue and must be addressed by their dev team. Please help small businesses who rely on your service.
This has also happened to us. These phantom links showed up over the course of about 30 days, then stopped.
Shopify support has told me to contact Google and contact their security support. I'm still waiting for that email.
This code is too complicated for me to add so our small family business is sitting here losing money because of bad seo and has been for months.
Hi @CVC
Disavowing the phantom vendor links through google is not enough. We are also a small business and this code fix was the only fix that tells google to block the links as they show up. Furthermore, this is not a google problem as far as I understand it. It is a @Shopify issue. I have no idea why @Shopify has allowed this vulnerability to exist for so long without sending out a patch and seriously wonder if it affects the Shopify Plus users as well, or just us small businesses. All that said, I encourage you to try the code fix @Jamie_Grove provided at the top of this thread. It helped us immensely. You should also disavow the links in your google console, to prevent those from being indexed.
Step 1 disavow links in google console - this article will walk you through how to do it.
https://support.google.com/webmasters/answer/2648487?hl=en
Step 2 - follow the instructions at the top of this thread.
I am not terribly tech-savvy and was able to do it with a little extra help from @Jamie_Grove . Best of luck!
Checking in on this to see if any new info anyone has heard from Shopify or discovered? I am still seeing spam links get picked up by Google but do not see any bad data when searching my site. It also seems Shopify has updated the base robots.txt to block all collections and vendor pages. Is there really any benefit to updating page code or robots.txt anymore? I have updated my disavow but not sure what else to do? I have seen a drop off in traffic so I am being impacted.
Hi!
I just came across this post because I suddenly have a lot of products disapproved in Google Merchant Center due to a missing landing page. The landing pages work and display on both mobile and desktop, but Google still has the same issue with the links. I have seen that some of my product links go to collections/vendors while others go to collection/products, and I don't know what the problem is. Google can't help me, Shopify can't help me, and I am stuck here. Is there anything about this vendors list that could be giving me these problems?
It’s probably not related to this, but if you send a link to a “bad” product would be happy to take a look.
Thank you! Here is a link to one of the products that Google won't approve: https://www.hudonline.no/products/zo-firming-serum?variant=42222202126504&currency=NOK&utm_medium=pr...
Hi, Lena.
I looked at the page and thought I might find something with the product's canonical URL, but it appears to be fine. Did you check to see if the page was crawlable using the Google Search Console? Also, have you installed any apps that accelerate page rendering?