It started again … all Google rankings went down, and now there are 22k+ indexed pages instead of 1k+.
Topic summary
Shopify store owners discovered spam pages being indexed by Google through exploited URL parameters, primarily affecting /collections/vendors?q= and /search?q= endpoints. Malicious bots create fake URLs by appending spam queries (often FIFA coin advertisements) that get indexed when external sites link to them, despite robots.txt blocking.
Root Cause:
The vulnerability stems from Shopify themes displaying search queries as page titles on zero-result pages instead of returning 404 errors. Google indexes these pages when external spam sites create backlinks, ignoring robots.txt directives.
Community Solutions Implemented:
- Add noindex meta tags to vendor/search pages with zero results
- Modify theme.liquid to prevent spam text in titles
- Update collection-content.liquid to display 404 messages for empty vendor queries
- Use Google Search Console’s temporary removal tool for bulk URL removal
- Avoid Google Disavow tool (recommended only for manual penalties)
Shopify’s Response:
After community pressure, Shopify deployed fixes making /collections/vendors?q= pages return 404 status. Similar fixes were implemented for search pages and web-pixels-manager spam. However, new variants continue emerging (e.g., /collections/all/ spam).
Current Status:
The /vendors?q= issue is largely resolved. Affected stores report gradual deindexing over weeks, with SEO rankings recovering. Store owners should verify noindex implementation and ensure robots.txt doesn’t block crawlers from seeing 404/noindex responses.
