Hi!
I received an alert from google search console saying they excluded a page from indexation, and when I look at the page it’s spam publicity:
How can I delete this page, I can’t find it anywhere?
Thx for your help!!
Topic summary
Shopify store owners discovered spam pages being indexed by Google through exploited URL parameters, primarily affecting /collections/vendors?q= and /search?q= endpoints. Malicious bots create fake URLs by appending spam queries (often FIFA coin advertisements) that get indexed when external sites link to them, despite robots.txt blocking.
Root Cause:
The vulnerability stems from Shopify themes displaying search queries as page titles on zero-result pages instead of returning 404 errors. Google indexes these pages when external spam sites create backlinks, ignoring robots.txt directives.
Community Solutions Implemented:
- Add noindex meta tags to vendor/search pages with zero results
- Modify theme.liquid to prevent spam text in titles
- Update collection-content.liquid to display 404 messages for empty vendor queries
- Use Google Search Console’s temporary removal tool for bulk URL removal
- Avoid Google Disavow tool (recommended only for manual penalties)
Shopify’s Response:
After community pressure, Shopify deployed fixes making /collections/vendors?q= pages return 404 status. Similar fixes were implemented for search pages and web-pixels-manager spam. However, new variants continue emerging (e.g., /collections/all/ spam).
Current Status:
The /vendors?q= issue is largely resolved. Affected stores report gradual deindexing over weeks, with SEO rankings recovering. Store owners should verify noindex implementation and ensure robots.txt doesn’t block crawlers from seeing 404/noindex responses.
1 Like
Hi @MVUILL
I can definitely understand your concern! Based on the URL you shared it looks like this might be a collection created within your admin or possible from the new Shopify Collabs service.
The “spammy” content of that page you shared is what appears to be the collection page title. If you still cannot find this page within your store admin please reach out to our live support team for additional help with this.
Please know that our theme and technical support team may be limited in what they can do depending on where/how this page was created. We generally can only support theme edits on our own in-house themes or technical issues that resolve around the Shopify platform itself. That doesn’t mean they won’t do everything they can to help you get this resolved!
To contact live support please follow this link: Contact Support - Shopify Help Center.
1 Like
I just found out i got the same issue what is going on? Only few ppl have access to the site, the rest are few collaborators, there last access was 8 month!
Any one else has this issue???
2 Likes
I’m having the same issue. I spoke with Shopify and they disregarded saying that it is most likely the themes third party and to contact them. However, when looking at other forums and doing a quick google search there are thousands of Shopify accounts affected.
This is in fact a malware.
I called my domain company and they did confirm this site was generating malware but due to Shopify’s limitations on providing file transfer privileges they could not delete or remove the malware and stated Shopify has to do it.
I’m contacting Shopify again today to see if anything can be done.
3 Likes
This is a vicious bot that has effected a lot of stores online, not just shopify . Its not in shopify code or in your theme. Its using a vulnerability in most website venders?q section to create this fake fifa url page you see , which can be done by any one, but what sucks is that this bot is also creating links on another site to this fake url it created on your site. Then google indexes that page and shows it in the search result.
shopify robot.txt is already blocking indexing this page , but google has this stupid policy that says if another website has a link to a page on your site then google will still index that page regardless if your robot.txt is asking not index .
Its all over the internet effecting most of online stores. If you do a google search of fifa 23 coins you will see what i mean.
So far shopify told me all i can do is disavow the website with link to this fake created fifa url on my site.
If you find a solution let us now.
3 Likes
What’s the process to disavow a website? I’d like to do it too!Thx
Update: I spoke with A Shopify rep yesterday and no luck.
|
Shelbee (Shopify) Nov 2, 2022, 00:02 EDT Hey Arlene, Shelbee here from Shopify Support. Just following up from our call we had today in regards to what you have seen in your Google Merchant Centre. I was able to get some more feedback from our Technical Team and they have provided me with the below information to relay over. The question mark in a URL (like in this link) signals that everything after will be a parameter (something a store visitor has entered into the site) and are not part of the base URL in the same way a product URL is displayed. Note that a base URL (A URL originating from a product, collection, page, etc) like this one from your store does not contain a ? The main concern here is about the impact this may have on your SEO. While annoying this page has little to no impact on the store and no action needs to be taken. If you do note a considerable impact on SEO or a large number of these URLs have being identified (large beings dozens or hundreds) then there are steps you can take. However, these also carry a level of risk in terms of SEO. Using you SEO reporting software you can collect all the bad backlinks into a .txt file and report them via Google’s Disavow Tool. (NOTE: the backlinks you need to list will be the referral site address rather than their search term URL.) This is an advanced feature and should only be used with caution. If used incorrectly, this feature can potentially harm your site’s performance in Google’s search results. We recommend that you only disavow backlinks if you believe that there are a considerable number of spammy, artificial, or low-quality links pointing to your site, and if you are confident that the links are causing issues for you. The team has assured me there is no solution to this issue that originates from the Shopify Platform. There are fantastic third-party guides to minimizing the impact of backlinks as well, we would recommend looking into this guide on this. Take care, Shelbee | Support Advisor | Shopify So it seems that even though I request for a Disavow the malware already installed is not going to be cleaned or removed by Shopify. This is the second time I get the same, “no solution to this issue that originates from the Shopify Platform” & “this page has little to no impact on the store and no action needs to be taken”. I’ve already added the following code to my theme in hopes that the vendors won’t be crawled by bots and indexed. {%- if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%} Doesn’t change the fact that there is malware installed that can’t be removed. If anyone has any idea on how to remove malware please let me know. Thanks! -Arlene |
1 Like
Hi everyone! Thank you for sharing the screenshots here and letting me know that this page is being created in more than one store. If you have created a ticket for this already, even if you were previously told there isn’t anything more we can do, can you please share that ticket number here with me and also share the URL for this page on your store. If you have not yet created a ticket about this, please reach out to our live support to create one. Feel free to share a link to this forum post as well when doing so.
While I am not able to directly view accounts through the community forums, I feel that we definitely have cause for a deeper investigation by our technical team as to where this page is being created from. There is a high chance that it is being injected by a third party app that hasn’t been caught yet. We absolutely want to put a stop to that.
2 Likes
I have 2 tickets created, 33975571 & 33965781.
This is not an issue with any third party app on shopify or theme.
There are over 220,000 Shopify & NON-Shopify websites affected.
This is a quick google search for the text that’s populating on our websites.
I’ve contacted my Domain and they confirmed there is in fact malware installed.
We need a sweep and removal of malware as Shopify users.
OK i m going to show you that this is a vulnerability with the vendors?q section of any website:
Any one can use this code here is a screenshot of the code used notice how the highlighted in blue section added says “thisisatestforshopify”:
Anyone can do this to any website , its not a malware in shopify servers, at least i don’t think it is since its effecting a lot of other non shopify stores. This is probably a bot going around doing this to most online stores on the net that have the vendors?q section .
I already asked shopify to see if they can turn off the vendor?q section and there reply was NO since its a vital part of platform.
As i mentioned in my earlier post, the problem is google indexing that page created by the bot and showing it in the search result. Last time i searched on google millions of online stores are effected worldwide.
I tried to modify my robot.txt so that google won’t index these pages. But i soon found out that is useless since google has this policy. If another website has a link to that page google will still index that page on ur site and ignore your robot.txt instruction not to index. Which is what the bot is doing as its creating fake a page in an online store its also creating a link to it.
Google policy is to ignore the site owners request not to index specific pages.
I honestly don’t know if this effecting our SEO , if its happening to everyone aren’t we all in the same boat?
Using my google search council i only found one site linking to this created fifa url , i m going to disavow it and see if that does anything!
Thank you @NEI-Arlene for that additional information and your open tickets about this situation. I have connected with our security team about this concern and I can share some insight and best next steps to get this resolved.
When reviewing these links, it is important to understand how they function and how they were initially created.
Example URL: https://www.yourstoreurlhere.com/collections/vendors**?q=**test
The “?q=” in the URL is sending a search query to the website in the first part of the url structure and it is searching for whatever is placed after the URL.
If you went to your own website and added “/collections/vendors?q=test” to the end of your store address and hit enter, you would see a page show up with the page title being “test” and no products found. These URLs can be made by anyone and will generally work on any website with a search function.
Malicious external websites will create these empty backlinks to store URLs to help promote their services or products by using the search query on the website to generate a page with their product details as the title. The page itself doesn’t exist independently, it only exists as part of a search result on the website being targeted.
How to disavow these backlinks from Google.
Using a SEO reporting software you can collect all the bad backlinks into a .txt file and report them via Google’s Disavow Tool. Full steps on how to do this are in the link. (NOTE: the backlinks you need to list will be the referral site address rather than the search term URL.)
Please note the following warning on Google Search Console:
This is an advanced feature and should only be used with caution. If used incorrectly, this feature can potentially harm your site’s performance in Google’s search results. We recommend that you only disavow backlinks if you believe that there are a considerable number of spammy, artificial, or low-quality links pointing to your site, and if you are confident that the links are causing issues for you.
Also, a great resource to learn more about how backlinks work: How to Stop Spam Backlinks from Ruining Your Google Reputation.
If you have any concerns about reporting these backlinks to Google or researching more information on your website’s SEO then I recommend hiring an expert from our expert marketplace that specialize in this field and can assist you further: Hire Shopify Experts, developers, designers and freelancers.
Edited to add: There is another forum thread in the community here with a possible solution for stopping these kinds of backlinks from working: Solved: Re: Has my site been hacked?
Was there a deeper investigation by the technical team and if so, what was the result?
Thanks!
3 Likes
I have no idea, unfortunately I just received the above message from Shay. I did however input the code I posted above to prevent Google Bots from crawling and indexing that page. That didn’t work due to Google policy that says if another website has a link to a page on your site then google will still index that page regardless if your robot.txt is asking not index. So I went ahead and requested the link to be removed temporarily from google console under removals then temporary removals. I also requested it to be removed under ‘Outdated Content’. I’m hesitant to use disavow option because I’ve read bad things about using that tool in terms of it affecting ranking.
Still following his thread in hopes that someone comes up with a real solution.
Best regards!
RE: Google Disavow Tool
It is my understanding that this tool is for Spammy backlinks from OTHER sites pointing to your site as opposed to Spammy links ON YOUR SITE which is the case here. In other words, you are disavowing a URL on your own site not from an outside site. Therefore, the SEO implications could be unexpected.
Since this is such a widespread problem, it seems reasonable for Shopify to get in touch directly with Google and coordinate on the issue. The spam content that store owners are seeing is pretty consistent. Therefore, it seems feasible that Google could just ignore this content being injected into Shopify stores going forward.
1 Like
Our team is aware of the concerns merchants have around these spam backlinks being flagged for their store. I wanted to clarify that these links are not being injected into your store, but are being created using the website’s search function. You can easily replicate how these spam backlinks work yourself by using the same URL query on your own store:
https://www.yourstoreurlhere.com/collections/vendors**?q=**fuzzypinkslippers
The page for the spam query only exists so long as the query URL for the page exists. The only way to stop this from happening is to remove the URL from the website that is creating it.
It’s not a hack or malware, but a limitation of whatever theme/search is being used. Category and search pages without results should be 404ing or set to noindex (can be done using liquid) and definitely not print out the query. That is the solution. See how SKIMS does it. This tactic does not work on their store: https://skims.com/collections/vendors?q=Buy%20FUT%2023%20coins%2C%20Cheap%20FIFA%2023%20coins%20for%20sale%2C%20Visit%20Cheapfifa23coins.com%2C%20PS4%2FPS5%2FXBOX%20ONE%2FPC%2030%25%20OFF%20code%3AFIFA2023%7C%20lovely%20customer%20service%20if%20you%20want%20to%20buy%20%20fifa%2023%20coins%20ps4%20in%20AUSTRIA%21..%20%208qit
4 Likes
Thanks Greg, this would seem to be the best solution - I just wish you had more details of how to implement - but assume this will be different theme by theme?
We’re currently working at updating our site to be similar to skims - so thanks for the starting point. But as an interim fix we’ve applied a catch all in the following files to at least prevent indexing in Google.
robots.txt.liquid:
{{ ‘Disallow: /?q=’ }}
theme.liquid:
{% if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%}
{% endif %}
3 Likes
Remember this won’t work due to Google policy that says if another website has a link to a page on your site then google will still index that page regardless if your robot.txt is asking not index.
There are so many people that enter the noindex code but are still experiencing the same issue.
Did Skims use the disavow tool?
1 Like
What is the solution?
The no index code? This has been proven to not work. Did Skims use the Disavow tool?
Ok, so as temp fix V2 - I wonder about , making this display when the path is equal to path == ‘/collections/vendors’ and collection.all_products_count == 0 as that rectified an issue we were having months ago regarding tags and tags appearing in google as /tag1+tag2+tag3 and all the many variations?
BTW, Shopify solution as of 11am this morning is still, “it’s a link problem” you need to disavow all the links with Google - not our problem.
Skims appear to be displaying a 404 when the product=0, which would in theory stop google displaying the link in Google as the end result would be a 404. I’ve requested our dev team to look into this and will update if this indeed is a fix - not sure if theme dependant.
3 Likes