Is my site hacked with spammy fifa coin links?

Hey all.

Months on and still no action from Shopify and still the URLs are there (and I still can’t get rid of them). Great that they’ve put our copyright on the bottom though…

hack.png3830×1332 499 KB

fifa.png3830×2368 782 KB

Hello unhappy to report my shopify site has the same rogue fifa url indexed as a collection. How many of your paying customers have to endure this before a proper fix is initiated? Referring me to take action that requires you to issue a disclaimer to me because I could destroy my google search results is not a solution at all. C’mon Shopify, you are better than this. At least you used to be.

hacked collection.JPG2158×999 86.1 KB

Please do something about this.

Angela

Will you respond to us??

Hey Dirk,

Are you even checking in on this? What is Shopify doing about this apparent hack of all of our stores? Is your team removing the rogue code and patching the vulnerability?

-Chris

Hey folks.

If I may suggest, this appears to be an SEO hack that exploits the fact that search query URLs are indexable by search engines. The hacker can easily create new pages that will appear on Google with their website and code added in the title.

It’s not a specific Shopify issue, in fact, I am auditing a Magento-based site now and found this thread while Googling the issue.

I think if your Vendor search pages weren’t indexable, this wouldn’t be an issue.

You should use Robots.txt to disallow such URLs from being crawled, e.g.:

User-agent: *
Disallow: ?q=

I am also seeing that the URLs with search parameters are self-canonicalising. i.e URLs like: [domain]/collections/vendors?q=Visit%20Cheapfifa23coins.com%2030%25%20OFF%20code%3AFIFA2023%7C%20Excellent%20company.%20Very%20trustworthy%20and%20professional%20for%20%20fifa%2023%20100k%20coins%20in%20UKRAINE%21..%20%20u2ai

The static URL /collections/vendors/ should be the canonical URL for all query URLs.

Hopefully this can help you all out and maybe Shopify will consider improving their many indexation issues.

We also have this problem. The page is live since 09-29-2022.

I hope this can be solved very soon!!

Is therer someone that now how to fix this and remove the link from your website?

Hey, folks!

If anyone is encountering a similar situation, I recommend reading through the accepted solution post in this thread for additional context and the next steps you can take regarding the search query URLs in Google Search Console.

If there is anything else I can help you with, please let me know.

I disagree.

Has there been any indication that there are spam backlinks? I don’t see this.

Stop allowing search engines to crawl search parameter URLs on your websites. There is potential for infinite URLs to be generated. This is what is being abused by spammers.

Use Robots.txt

User-agent: *

Disallow:/vendors?q=

Sorry but I don’t believe this is resolved.

Are you seriously telling us we have to manually disallow every single spam link?

Do you realise these people automate these processes and we could potentially be looking at dealing with thousands? That’s if we even manage to pick them up in the first place. And don’t you think this will have a negative impact on our SEO overall, something many store owners work extremely hard on? Why is shopify not actually doing something about this? It’s getting ridiculous.

My simple solution.

{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
  
{%- endif -%}

Details are on my blog.
But it’s Japanese, not English.

https://webutubutu.com/webdesign/11116

Perfect.

Thank you!! This is an actual solution!

I’m having the same issue. I spoke with Shopify and they disregarded saying that it is most likely the themes third party and to contact them. However, when looking at other forums and doing a quick google search there are thousands of Shopify/ Non-Shopify accounts affected.

This is in fact a malware.
I called my domain company and they did confirm this site was generating malware but due to Shopify’s limitations on providing file transfer privileges they could not delete or remove the malware and stated Shopify has to do it.

I’m contacting Shopify again today to see if anything can be done.

I understand that entering the following code:

{%- if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%}

{%- endif -%}

Will prevent bots from crawling the vendors page but what about the existing malware on everyone’s websites?

Has anyone had any luck having Shopify remove the malware or add extra security measures so this doesn’t happen?

Screenshot 2022-11-01 101216.png1239×907 68.3 KB

HI Jizo

Do you place this tag in the theme.liquid :

{%- if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%}

{%- endif -%}

i tried that and its not working , can yo give me detail plz!

HI Shadia1.

It will work if you include it in the head tag.

Meta tags with the noindex attribute are output.

For more information on the effects of noindex, please refer to Google’s documentation.
https://developers.google.com/search/docs/crawling-indexing/block-indexing

It does not mean that they will disappear from the search results immediately.

Thank you its working now. Will keep an eye on it and see if anything changes in the future.

Maybe shopify should implement this across the platform!

I wanted to check in with the group again on this one…as I’m not sure the situation has been “solved” for most of us. Our site just experienced another round of these SPAM pages being generated. Are others seeing the same?

Also, I am curious to see if anyone used the disavow function on Google. It is my understanding that this tool is for Spammy backlinks from OTHER sites pointing to your site as opposed to Spammy links ON YOUR SITE which is the case here. In other words, you are disavowing a URL on your own site not from an outside site. Did anyone try this? and if so, what were the results?

Not everyone is comfortable at inserting code into their theme so it would be good to have a solution that doesn’t involve a code change.

Shopify should indeed look into implementing a fix across the platform. It’s clear that there’s a hole that allows exploitation of the query function. There’s probably a lot of Shopify stores that don’t know this is happening.

For those who didn’t see it, there is another discussion in the Shopify Forums here: https://community.shopify.com/c/shopify-discussions/website-hacked-help/td-p/1748004

According to the posters there, this is really a WIDESPREAD problem

Is this solution still working?

Where do I add it?

This a widespread problem and Shopify appear to have no interest in helping their store owners resolve. When raised with support this morning it was made to seem that this issue was a one-off on our site and that we would have to hire a developer to help resolve. Not acceptable. Shopify should be IMMEDIATELY addressing the exploit in the search function to prevent this occurring - even if that is advising on what code can be implemented to assist in stopping the ‘writing’ of the text. For the monthly fees they charge we have a realistic expectation that Shopify would help protect us better. I am submitting a complaint and hope that others do to get some traction in getting this serious issue addressed.