Hi Jizo_Inagaki,
Which liquid file does the code go into that you mention above?
Can you be specific for us please? I am having the same issue as everyone here with spammy vendor links - hundreds of thousands of them!!
Topic summary
Issue Identified:
Shopify store owners discovered spam URLs appearing in Google Search Console, primarily related to FIFA coin sites they didn’t create. These URLs exploit search query parameters and vendor fields to generate spammy backlinks.
Root Cause:
The spam results from bots manipulating search terms and vendor query strings (e.g., /collections/vendors?q=fifa-coins). Shopify support initially characterized these as harmless “spam backlinks” from external search queries, not actual security breaches.
Community Solutions:
User Jizo_Inagaki provided code snippets to add noindex meta tags:
- For vendor pages: Check if path is
/collections/vendorswith zero products - For search pages: Check if path is
/search/with zero results
Both solutions insert <meta name="robots" content="noindex"> in theme.liquid after the <head> tag.
Official Response:
Months later, Shopify deployed a platform-wide fix generating 404 pages for unknown vendors based on query strings, blocking Google indexing. However, the rollout is gradual.
Ongoing Concerns:
Some users report recurring spam pages despite fixes. Questions remain about whether to use Google’s disavow tool (designed for external backlinks, not on-site spam) and whether the solutions fully prevent future attacks.
Hello! I had this issue as well. These pages can be removed from your site’s index via Google Search Console.
-
Launch Search Console
-
Select “Indexing” > “Removals”
-
Paste in unwanted URL
-
Hit next
-
Click “Submit Request”
After a few days the URL will be removed from Google’s index.
1 Like
I am suffering the same issue. It seems a major security breach. Shopify should act. I saw my organic traffic to decrease significantly, and discovered this in SEMrush.
Shopify are you sleeping? I have same problem. What is the reason? How can we fix healthy which not bad effect our Seo.
Hi Jizo,
I added the code in the head tag in theme.liquid but can’t see any difference when I try a query with “collections/vendors?q=test”
Is it because I haven’t published the theme where I modified the code yet?
Thank you- I tried pasting in my theme.liquid file, straight after the head tag but this spammy page is still showing- should it be placed anywhere else?
Hi Marieszz,
Check the browser’s source display to see if noindex is output within the head tag.
If you cannot confirm, I would suggest consulting with Shopify partner or expert.
- Stop Google from indexing these spam URLs by implementing a ‘noindex’ meta robots tag, as suggested in the Accepted Solution. Fyi, DO NOT disallow these URLs in the /robots.txt file because Google will never get to the ‘noindex’ meta tag AND it doesn’t stop Google from indexing just the URL anyway.
- Then request the removal of all URLs starting with ‘/collections/vendors?q=’ from Google’s index using Google Search Console.
- The above will solve the immediate issue but will still leave you with a horrific-looking ‘backlink profile’ which can get your site penalised in Google anyway. That’s why you need to analyse your whole link profile (Google Search Console > Links > Linking Domains is a good starting point), then create a disavow file with all the dodgy linking domains (just Google it to get the right format/sample file) and submit it to Google. Then repeat once a week for a few weeks to catch new offending domains.
- Finally, complain to Shopify to do something about it! They come up with all sorts of excuses. I’ve heard it’s because of the tag functionality. Or UTMs. But this should be resolved on their end really, especially when they provide service to many small businesses which don’t have a clue about this!
- Bonus: check if the offending URLs don’t include ‘+’ symbols. If they do, Shopify’s default robots.txt will disallow access to these URLs so your new ‘noindex’ meta tag will not be read/obeyed by Google on those URLs. It’s a very ‘smart’ move by these spammers, actually. So watch out for these too.
Good luck!
@wardn can you please explain exactly how we locate the referring page for our spam links so we can disavow it in Google Search Console? Thanks in advance!
@IanBoothSEO Can you please explain exactly how we implement your solution of…
Use Robots.txt to disallow such URLs from being crawled, e.g.:
User-agent: *
Disallow: ?q=
Thanks in advance!
Hey, everyone.
Thank you for flagging this issue in the Community. We have raised the issue with our developers for further review. We do not have a timeline on the fix, however, I will provide an update once this has been resolved.
I would encourage you to view our top related threads on this issue that provide viable workarounds:
Hello, again!
Our developers have recently shipped a change that will generate a 404 page if the vendor is unknown (based on query string). The change will block it from indexing on Google. These changes will only apply to vendor pages, but our teams will investigate whether other pages may be vulnerable to this abuse.
This change is rolling out platform wide as we speak, so it may take some time for you to see these changes implemented. However, moving forward, this should help mitigate the ability spammers have with taking advantage of the query print out to advertise their spam links.
3 Likes
This works - thanks! 
Great, thank you. A year ago the same thing was happening to ‘/search?q=’ URLs. Not sure if it’s still the case.
That seems to work. Anyway, in our case there are some links, that are blocked by robots.txt, which leads Google not to check the blocked pages for the 404 errors. I’d still do the recommended steps by Vader_art (excluding step 4) to make sure, that everything will be deindexed quickly and correctly.
In our case, we did the following steps additionally:
- We checked our Search Console for “blocked by robots.txt but still indexed” pages
- We deleted the following statements in the robots.txt
Disallow: /collections/+
Disallow: /collections/%2B
Disallow: /collections/%2b
Disallow: //collections/+* - We have just clicked “review” in Google Search Console for Google to Check those pages
- After the check is done successfully, we’re going to add the statements to the robots.txt again
Thank you so much for posting this code. We just added it to our site.
Hi - We used the disavow tool at the root level and removed links from Google Search, it was not a solution. Adding the no index code and then forcing Google to re-index the site via search console seems to be working.
As I understand it, Shopify added code to prevent this on January 11, 2023, however there were 10,000 of these bad links generated on our site after the fix was in. Adding the code string already seems to be knocking these results out of Google.
You simply add it on Line 4 after the tag in your themes liquid code:
{%- if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%} {%- endif -%}> > CODE CREDIT TO USER Jizo_Inagaki
1 Like
Hi Jizo - Is there a code solution for attacks on sites using “/search?q=”
Thanks ~Jen
Hi all,
This negative Chinese SEO spammy backlinks were scary (and still are a bit). Have walked this path already some weeks now, and in the meantime am able to get this url’s successfully out of the Google indexed pages (to have them not indexed). Most of them are out, only need to get some few hundred out more, since some have a slightly different url with /en/ in it.
Have followed up the steps in above, by:
- delete the beginning of the url’s in the Google Search Console:
https://…/en/collections/vendors?q=
- by adding in Theme code under theme liquid the ‘no index’ code. (Maybe i added a little to much blocking code, but better to much then to less i guess)
{%- if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%}
{%- endif -%}
{%- if request.path == ‘/collections/vendors’ and collection.all_products_count == 0 -%}
{% elsif request.path == ‘/404’ %}
{%- endif -%}
{%- if handle contains ‘collection/vendors’-%}
{%- endif -%}
Still am wondering how to get these url’s out of the Google Search Console completely, as they give these technical errors in the Google Search Console (i like to have things cleaned up). If someone have tips or tricks for that, pls let me know.
Believe the main reason Shopify owners got this problem, is by ‘cheap’ Gigs on Uppwork or Fiiverr, where you let ‘experts’ people into your theme. Have two thoughts about it:
-
or your site comes then under attention (be noticed) and you become intresting for this negative Chinese spammy negative backlinks attacks. (on the other side, for example my website is also on the product package, so it could already also come directly from China itself).
-
The things of point #1 + that the ‘bot’ that is mentioned earlier is getting installed somewhere in your theme code. Hope point #2 is not true (which means to people that you are cooperating from that platforms are not so legimate), but it could also be the case since in above there is mentioned also things about ‘apps’, which will give a html code in your theme code as well.
Hope my contribution on the topic will help some people and help Google and/or Shopify to find out the source and the permanent solution to annihilate these evil schemes.
Greetings, Mark
The Netherlands
Hi Mark,
putting noindex into the header is not neccesary anymore, because Shopify updated these pages - 404 errors are the new output.
I don’t think anything is put into the theme code. The bug could be perfectly done without any access to the backend. Anyone could create those URLs on it’s own and add any type of content. The only things that were needed for an indexation were backlinks as you have mentioned in possibility 1.
I don’t see any way to clear the search console - as they are 404 errors right now they might be flagged as 404 errors, which would make the GSC much cleaner. But Google would need to crawl these pages again.