Loophole in Shopify stores (Chinese websites hacking attempts)


pierremdbp
Tourist
7 0 8

In Google Search Console, I have noticed a huge spike regarding the "indexed pages" of my website modelesdebusinessplan.com.

 

[Image: seo chinois.jpg]

 

It went from approx 3,000 pages to 2.3M and then 1.6M.

 

It’s very concerning. Moreover, all these new pages look very spammy.

 

[Image: seo chinois 2.jpg]

 

You can notice that they seem to all start with "https://modelesdebusinessplan.com/collections/vendors?"

 

Basically, I think they're running a script to fetch millions of queries in the collection search engine.

 

Each query would create a new page, that would automatically be submitted to Google for indexing.

 

I think they try to get my website de-indexed from Google, which would indeed cause my business to go bankrupt (100% of my traffic is organic).

 

Some URLs link to Chinese websites providing weird / black-hat SEO services.

 

I think it's a classic "internal site search spam issue" : https://yoast.com/internal-site-search-spam/

 

It seems like other Shopify websites have been victim of it : 

 

[Image: chinois 3.jpg]

 

 

Is someone familiar with this issue ? 

Can someone recommend a quick and easy fix ? 

 

Shopify support has not been very helpful so far.

 

Thanks

 

P.

Replies 31 (31)

Ninmario
Shopify Partner
2 0 0

Hello,

 

I have the exact same problem, suddenly over 300k sites were indexed on the same date as yours.

[Image: bug.png]

 

Is it maybe a shopify or google issue? Or maybe a plugin that injects the code?

Because I couldn't find any modification or script in my store.

 

OREILLC
Visitor
1 0 0

We have the same issue, any solution? 

pierremdbp
Tourist
7 0 8

A development team is working on disallowing crawling and indexing of the "vendor" pages. Hopefully it will resolve the matter.

tc77
Shopify Partner
7 0 2

Your development team, or one at Shopify? If at Shopify, do you have a PRB or other ticket number so I can get added to the fix resolution?

pierremdbp
Tourist
7 0 8

A team I hired through Shopify Experts

Ninmario
Shopify Partner
2 0 0

So I got an answer from the support, and they told me that "my store and this issue does not fall under Shopify and this is under Google."

 

And their suggestion is "to de-list you storefront from the Google index for site mapping. As well for reaching out to the support of Google"

Well I already did that and I also knew that much before, but ok. 


So my solution now is to put the meta tag "noindex" on all those sites, so it prevents Googlebot and other crawlers from indexing specifically those sites. I'll wait for the next crawl and Google should unindex all the sites then, hopefully.

julie42
New Member
6 0 0

When you wrote "put the meta tag "noindex" on all those sites" are you referring to the bogus URLs?

 

My Google Search Console currently shows 3.39K affected pages, but I can not see these pages or URLs on my site or in my Shopify admin.

 

How would I add the "noindex" meta tag to URLs that are not visible on my site or in Shopify admin? Can it be done in Search Console?

pierremdbp
Tourist
7 0 8

It's Shopify-related; the way the internal search engine works allows them (these websites) to do that. Unfortunately, Shopify Support has not come back to me for 48 hours.

tc77
Shopify Partner
7 0 2

We have the same issue. What theme are you on?

pierremdbp
Tourist
7 0 8

Supply version 8.9.5

BOILISÉ
Tourist
4 0 4

Hi !

I have the exact same problem and it's killing my SEO ranking...

You're the first person to talk about it I can find online.

 

I did 2 things trying to mitigate this issue:

1. Disavow bad backlinks (following these instructions : https://prowly.com/magazine/stop-spam-backlinks-ruining-google-reputation/)

2. Update robots.txt to prevent crawling 'collections/vendors?q=' pages (following these instructions : https://logeix.com/shopify-seo/robots-txt )

 

I can't tell if it's working yet.

 

Since there are several cases of this issue, support from Shopify would be highly appreciated.

 

Let me know if you find something else.

pierremdbp
Tourist
7 0 8

Thanks for your message. I'm still waiting to see whether the fix my developer has made will help. Shopify Support came back to me 8 days after (...) saying : "We do not have the appropriate resources to assist with your query further, as it falls outside of our range of support".

They also sent me the link I posted in my first message, as if they found it by themselves.

Not a great support experience.

Seosteve
Visitor
1 0 1

Why is Shopify ignoring this issue?

It is strange as we have seen on one of our sites now and it is clearly a product vulnerability that someone can create a vendor account. There must be a setting to disable vendors?

 

 

Max85
Visitor
2 0 0

Hi 

We experienced the same issue: 7 million spam backlink pages were created through the collections/vendor?q search. Then, HTML code was added on our product pages to automatically redirect traffic to spam websites.

We have done the following : 

1. Stop further indexing by adding this code into the head tag:

{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}

2. Remove existing indexed pages 

 

2.1. Launch Search Console

2.2. Select "Indexing" > "Removals"

2.3. Paste in unwanted URL or  select prefix 

2.4. Hit next

2.5. Click "Submit Request"

 

 

Has anyone tried this before, did it help? 






Mark1988
Excursionist
53 0 5

Am experiencing the same. Discovered it today, when a Google Search Console expert did some work for me. I first thought she had something to do with it, since in a moment more pages got indexed, but reading this post right now it shines a different light on the matter...

 

I got around 800-842 of these Chinese spammy pages now indexed by Google. The weird thing is that, as it looks, they are webpages of my own Shopify webshop. How they got there, or where to find them, I've got no clue. Because then I can start to get rid of them.

 

Regarding the above 2 steps: at step 1, in which template section of the theme code do you need to insert this?

 

Also issued a ticket for support with Shopify, hope they can help me get rid of it.

 

 

 

 

Mark1988
Excursionist
53 0 5

Dear all,

 

For the ones that also have problems with this: I have seen some solutions above.

Of course we can get these Chinese spammy pages 'not indicated' from our Google Search Console. But how about getting rid of the Chinese spammy pages themselves? Because they appear to have separate pages on our Shopify webshop under collections/vendors...

 

Shopify didn't advise us with an appropriate answer yet.

 

Thanks for your reply/advise.

Max85
Visitor
2 0 0

Hi Mark, 

Yes, good point! I have asked the same question to Shopify support, as for now the collections/vendors pages are the most visited pages on our webshop, which is very annoying and fakes all metrics.

[Image: Visted pages.JPG]

Shopify isn't answering for 10 days now, has anyone a solution to remove all these spammy pages from the shopify webshop ? 

 

Thanks! 

MOISCHKOWITZ
Shopify Partner
252 20 35

So I don't have the problem yet but it scares me. I think it could be fixed like this though.

 

{% comment %} If the URL has either of the words collection or vendors in it tell google not to index the page {% endcomment %}
{%- if handle contains 'collection'
  or handle contains 'vendors'
  -%}
  <meta name="robots" content="noindex">
{%- endif -%}

{% comment %} If you added a tag called no--index to any of your products tell google not to index the page {% endcomment %}
{% if product.tags contains 'no--index' %}
  <meta name="robots" content="noindex">
{% endif %}

 

This code must be placed in the theme.liquid somewhere in the head. Please allow a few days (week) for Google to delist the pages. Let me know if this works for you.

ndrishinski
Shopify Partner
7 2 0

Hi MOISCHKOWITZ,

 

I found that I had to make an alteration to your provided code above. Because the links created in Search Console for my client's site are not authentic, they navigate to the 404 page, even though the url contains "collection" or "vendor".  

 

 

{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{% elsif request.path == '/404' %}
<meta name="robots" content="noindex">
{%- endif -%}

 

 

I know it is contrary to the url, but the actual request.path returned is '/404'. 

 

If the links are landing on the 404 page DESPITE what the url says, please inspect if the "noindex" meta tag is being added. 

END Marketing & Development
Shopify Theme Dev / Optimization
theendmarketing.com
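
The check suggested above (inspect whether the "noindex" meta tag is actually being added) can be scripted. The following is an added example, not code from any poster in this thread or from Shopify: it takes page HTML you have already saved for URLs listed in Search Console and reports which /collections/vendors?q= pages still lack a robots noindex tag inside the head. The store domain, search terms and HTML snippets are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"> tags found inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            attr = {k: (v or "") for k, v in attrs}
            if attr.get("name", "").lower() in ("robots", "googlebot"):
                parts = attr.get("content", "").lower().split(",")
                self.directives.update(p.strip() for p in parts if p.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def is_vendor_query_url(url):
    """True for the URL pattern in this thread: /collections/vendors?q=..."""
    parts = urlsplit(url)
    return (parts.path.rstrip("/") == "/collections/vendors"
            and "q" in parse_qs(parts.query, keep_blank_values=True))

def has_noindex(html):
    """True if a robots/googlebot meta tag in <head> says noindex (or none)."""
    parser = RobotsMetaParser()
    parser.feed(html)
    return bool({"noindex", "none"} & parser.directives)

def still_indexable(pages):
    """pages: (url, html) pairs. Return vendor-query URLs lacking noindex."""
    return [u for u, html in pages if is_vendor_query_url(u) and not has_noindex(html)]

# Constructed samples: hypothetical store domain and made-up search terms.
HEAD_OK = '<html><head><meta name="robots" content="noindex"></head><body>404</body></html>'
HEAD_MISSING = "<html><head><title>Vendors</title></head><body></body></html>"
IN_BODY = '<html><head></head><body><meta name="robots" content="noindex"></body></html>'
SAMPLE_PAGES = [
    ("https://shop.example/collections/vendors?q=constructed-term-1", HEAD_OK),
    ("https://shop.example/collections/vendors?q=constructed-term-2", HEAD_MISSING),
    ("https://shop.example/collections/vendors?q=constructed-term-3", IN_BODY),
    ("https://shop.example/collections/shoes", HEAD_MISSING),
]
```

Calling `still_indexable(SAMPLE_PAGES)` returns the second and third sample URLs: one has no tag at all, the other has the tag outside the head, which this check deliberately does not count because the posts above place it in the head of theme.liquid.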
julie42
New Member
6 0 0

Hi Ndrishinski,

 

After adding the code from Jizo_Inagaki, Search Console reported a decrease in indexed collections/vendors pages, yet I still have many indexed collections/vendors pages, all of which are leading to my 404 page.

 

So after seeing your notes and code regarding - the request.path returned is '/404' - I updated my noindex collections/vendors code to the code you provided.

 

I'm curious to see how this will affect Search Console reports.

 

Thank you!

Hidmytro
Shopify Partner
1 0 0

Hi! What are your results after updating the code?

julie42
New Member
6 0 0

Hi Max85,

 

How did you find the HTML code that was added to your product pages? Was there a particular word or phrase I can search for to see if the same has been done on my site?

 

Also, in Step 1, where did you add the head tag?

On each affected product page or in a particular template?

Benmar09
Visitor
1 0 0

Hello,

 

Did you ever get to find an answer for this? I've been hit with the same issue and for the life of me have no idea what to do.

julie42
New Member
6 0 0

I'm curious to know, is there anyone here experiencing this issue that is using a newer Shopify ONLINE STORE 2.0 theme?

FreshMarketing
Shopify Partner
7 0 2

Yes, one of my client's 2.0 stores has this issue.

julie42
New Member
6 0 0

Hi FreshMarketing,

 

Thanks for letting me know this issue also exists with the Online Store 2.0 themes.

kittycatmeowmy
Tourist
3 0 1

Yes, I'm using 2.0 and have the problem.

julie42
New Member
6 0 0

Hi Kittycatmeowmy,

 

Thanks for the reply!

maeson-shop
Tourist
6 0 2

Yes, unfortunately!

FreshMarketing
Shopify Partner
7 0 2

This post has two accepted solutions, https://community.shopify.com/c/shopify-discussions/has-my-site-been-hacked/td-p/1680367 

 

1. adding the code provided by Shopify Expert @Jizo_Ingaki (in link)

 

2. a long explanation by a Shopify Support person who says:

 I am very happy to share with you that your store is safe and it is just a little bot running wild.

The odd-looking url and domains that you have posted on the thread are actually search terms of what some visitors to your site have actually searched.


This search term is usually distinct from typical searches on the site (such as being in Korean on an American shop, and including a domain) and may span up to thousands of these kinds of backlinks. It can be a bit scary for the merchant but there are no real security concerns here.

The technical term of what has happened is called Spam Backlinks. I get that this is not exactly the most pleasant thing to have so I have attached a link here on how you can potentially stop it from happening.

 

Whatever that is happening at the moment does not pose any form of threat to your store in any way. Taking that into consideration there are 2 courses of action here that you can take:

Option 1: Not take any action as none is actually necessary and taking steps would not do anything other than removing some search data that is not affecting you now or in the future

 

Option 2: "Code" it away
Using your SEO reporting software (Which in your case is Google Search Console) you can collect all the bad backlinks into a .txt file and report them via Google's Disavow Tool. Information on the structure can be found in their help doc here. Note that the backlinks to list will be the referral site address rather than their search term URL.

 

Please understand that option 2 is fairly complicated and in light of that I will need to share this disclaimer with you pertaining to Option 2:

This is an advanced feature and should only be used with caution. If used incorrectly, this feature can potentially harm your site's performance in Google's search results. We recommend that you only disavow backlinks if you believe that there are a considerable number of spammy, artificial, or low-quality links pointing to your site, and if you are confident that the links are causing issues for you.