Google Search Console threw up some URLs from my site that haven't been indexed.
They seem to be spammy links to a fifa coins site.
But I didn't create them.
Any help would be hugely appreciated.
Best
Mike
Hey, @MikeTaylor
Have you had someone do some work on your store in the past? With that said, based on the URL it looks like that link was created in part by using the 'Vendor' field to create a URL based on Fifa coins.
Go to your Admin > Products page and click on the 'Product Vendor' filter to find any vendors that mention 'Fifa Coins'. When you filter them, those products that include that vendor will appear in the products list. From there you can select those products for editing, and remove the fifa coins mention from the vendor field.
If there is anything else I can help you with, please let me know.
Dirk | Social Care @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Hi There,
August 18th -- I'm having the same issue as MikeTaylor. Google search console found a couple SPAM pages that I didn't create. It's the same spam about FIFA coins.
I don't know how to get rid of them as the pages aren't in any accessible area of Admin. Had a call into Shopify support earlier today and they were very perplexed and said they will get back to me with a resolution. (hopefully)
I tried the fix above but there were no selections for another vendor.
Any further help would be most appreciated.
MikeTaylor -- Did you see more SPAM pages appear after your post July 30th?
Thanks
Michael
To respond to Dirk's question...In my case no one outside has worked on the site and all admin has been done from the same location for years. Login is always done via two-stage.
Nonetheless, it has the appearance that someone on the outside was able to generate the SPAM pages.
Exactly. If this is the case, Shopify has a major security issue on its hands.
I agree it looks like a security issue. Curious to see how many other shop owners have the same issue since not everyone checks their indexed pages or Google Search Console all the time. For reference, I uploaded a screen shot of the SPAM urls Google found. Again, these were generated somewhere outside, not by me and there is not a way to delete the bogus pages. I have not yet heard back from Shopify Support but will contact them again today.
Hi Michael
Did you hear anything from Shopify support?
Hi. I’ll need to check Google Search Console (I’m away). But Dirk's experience is exactly mine.
Sorry Michael’s issue. Doing this on a phone. (Badly).
We have just discovered the same issue. No work done by outsiders. No vendors for Fifa found under products. It seems like some security breach.
Hey Shopify. This really seems to be a problem. It looks like a flaw in your platform is being exploited and people are able to manipulate our websites. Can you please update us on where you are with this?
Best
Mike
Hi Dirk,
I wanted to just highlight that we have all tried this but nothing shows up. I've also made all the changes to ensure it wasn't a breach; however, this is starting to look like an issue with Shopify itself. I keep getting told whenever I reach out it could be a theme issue, yet all the sites here are different templates, most of which are Shopify templates (mine is third party). We are also told it could be apps, but what is the likelihood that we all downloaded the same app? The same spam can be seen through all our sites. I am seriously concerned about customer data right now and all your team is doing is shifting the blame to us and saying we should "hire experts".
This really needs to be fixed, it's not enough to tell us to disavow on search console. If you do not solve this many more of your sites will be compromised.
We have a huge season coming up and need this fixed asap.
Hi All,
Sept 8th and our site has shown this same issue in Google Search Console.
Definitely appears that @Shopify has some sort of breach they are hopefully fixing. This threw a warning in our Search Console on Sept 4th.
-C
Hey all.
Months on and still no action from Shopify and still the URLs are there (and I still can't get rid of them). Great that they've put our copyright on the bottom though...
Hello, unhappy to report my Shopify site has the same rogue fifa URL indexed as a collection. How many of your paying customers have to endure this before a proper fix is initiated? Referring me to take action that requires you to issue a disclaimer to me because I could destroy my Google search results is not a solution at all. C'mon Shopify, you are better than this. At least you used to be.
Please do something about this.
Angela
Will you respond to us??
Hey Dirk,
Are you even checking in on this? What is Shopify doing about this apparent hack of all of our stores? Is your team removing the rogue code and patching the vulnerability?
-Chris
Hey folks.
If I may suggest, this appears to be an SEO hack that exploits the fact that search query URLs are indexable by search engines. The hacker can easily create new pages that will appear on Google with their website and code added in the title.
It's not a specific Shopify issue, in fact, I am auditing a Magento-based site now and found this thread while Googling the issue.
I think if your Vendor search pages weren't indexable, this wouldn't be an issue.
You should use Robots.txt to disallow such URLs from being crawled, e.g.:
User-agent: *
Disallow: *?q=*
I am also seeing that the URLs with search parameters are self-canonicalising, i.e. URLs like: [domain]/collections/vendors?q=Visit%20Cheapfifa23coins.com%2030%25%20OFF%20code%3AFIFA2023%7C%20Excellent%20company.%20Very%20trustworthy%20and%20professional%20for%20%20fifa%2023%20100k%20coins%20in%20UKRAINE%21..%20%20u2ai
The static URL /collections/vendors/ should be the canonical URL for all query URLs.
Hopefully this can help you all out and maybe Shopify will consider improving their many indexation issues.
@IanBoothSEO Can you please explain exactly how we implement your solution of...
Use Robots.txt to disallow such URLs from being crawled, e.g.:
User-agent: *
Disallow: *?q=*
Thanks in advance!
Same issue in my Google Search Console. Doesn't appear connected to my shop at all, nothing found in vendors or products, nobody else has done work on my shop.
Google shows the referring page to this bogus link as:
www_reviewopolis_com_slash_4r468_slash_c42rs_dot_pptx
Looks like this referring page was created back in June. Stayed up for a month before disappearing, then came back last week. It is now gone again.
@wardn can you please explain exactly how we locate the referring page for our spam links so we can disavow it in Google Search Console? Thanks in advance!
Hi Mike,
I am having the same issue. Did you happen to install the app Easy Redirects 301 & 404? Shopify keeps telling me it could be an app and perhaps we can try to narrow down which (if any) it is.
Shopify only recommended us to disavow this in search console, but did not provide a solution to remove this from the website. Apparently they can't fix this so far.
Google shows 327 000 search results with this page. This looks like a mass problem. Conversation with support ended only on second recommendation to disavow the link. This is not the backlink, this is a page created on my domain! And the screenshot shows that those pages are indexed!
This is an accepted solution.
Hey.
I just had the similar reply (see below). They're obviously aware of the issue and have decided this is how they deal with it for now. I feel that this issue is bigger than "it's just a thing you can't stop and doesn't matter - get Google to disavow them..."
Hi Mike,
Thank you for reaching out to us. My name is XXXX and I am here to assist you today.
I understand there is some unauthorised activity initiated in your store and I would be more than happy to resolve this issue for you.
I've taken a deeper look on all the information you've provided on the thread and I am very happy to share with you that your store is safe and it is just a little bot running wild.
The odd-looking url and domains that you have posted on the thread are actually search terms of what some visitors to your site have actually searched.
This search term is usually distinct from typical searches on the site (such as being in Korean on an American shop, and including a domain) and may span up to thousands of these kinds of backlinks. It can be a bit scary for the merchant but there are no real security concerns here.
The technical term of what has happened is called Spam Backlinks. I get that this is not exactly the most pleasant thing to have so I have attached a link here on how you can potentially stop it from happening.
Whatever that is happening at the moment does not pose any form of threat to your store in any way. Taking that into consideration there are 2 courses of action here that you can take:
Option 1: Not take any action as none is actually necessary and taking steps would not do anything other than removing some search data that is not affecting you now or in the future
Option 2: "Code" it away
Using your SEO reporting software (Which in your case is Google Search Console) you can collect all the bad backlinks into a .txt file and report them via Google's Disavow Tool. Information on the structure can be found in their help doc here. Note that the backlinks to list will be the referral site address rather than their search term URL.
Please understand that option 2 is fairly complicated and in light of that I will need to share this disclaimer with you pertaining to Option 2:
This is an advanced feature and should only be used with caution. If used incorrectly, this feature can potentially harm your site's performance in Google's search results. We recommend that you only disavow backlinks if you believe that there are a considerable number of spammy, artificial, or low-quality links pointing to your site, and if you are confident that the links are causing issues for you.
Hey. I didn't install this app. Sorry.
iconhookah.com - we are having the same issue. We need this to be solved please.
We also have this problem. The page is live since 09-29-2022.
I hope this can be solved very soon!!
Is there someone that knows how to fix this and remove the link from your website?
Hey, folks!
If anyone is encountering a similar situation, I recommend reading through the accepted solution post in this thread for additional context and the next steps you can take regarding the search query URLs in Google Search Console.
If there is anything else I can help you with, please let me know.
Dirk | Social Care @ Shopify
I disagree.
Has there been any indication that there are spam backlinks? I don't see this.
Stop allowing search engines to crawl search parameter URLs on your websites. There is potential for infinite URLs to be generated. This is what is being abused by spammers.
Use Robots.txt
User-agent: *
Disallow:*/vendors?q=*
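For reference, a small tester for the two Disallow rules posted in this thread (`*?q=*` and `*/vendors?q=*`). This is an added example, not code from any poster or from Shopify; the sample URLs, the `spam.example` name and the extra `*&q=*` rule are constructed, and it assumes the crawler accepts a leading `*` and applies the usual `*` / trailing `$` wildcard matching.

```python
import re

def rule_to_regex(pattern):
    """Compile a robots.txt path pattern: '*' matches any run of
    characters, a trailing '$' anchors the end of the URL."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + ("$" if anchored else ""))

def is_blocked(disallow_rules, path_and_query):
    """True if any non-empty Disallow pattern matches from the start of
    the path+query. Allow rules and precedence are out of scope here."""
    return any(
        rule_to_regex(rule).match(path_and_query) is not None
        for rule in disallow_rules
        if rule
    )

# Constructed sample URLs (path + query, as the crawler would request them).
SAMPLE_URLS = [
    "/collections/vendors?q=Visit%20spam.example%2030%25%20OFF",
    "/en/collections/vendors?q=Visit%20spam.example",   # locale-prefixed
    "/search?q=Visit%20spam.example",
    "/search?type=product&q=Visit%20spam.example",      # q is not first
    "/collections/vendors",
    "/products/blue-mug",
]

BROAD_RULE = ["*?q=*"]             # rule from the thread
VENDOR_RULE = ["*/vendors?q=*"]    # rule from the thread
WIDENED_RULES = ["*?q=*", "*&q=*"] # constructed: also catches q as a later parameter

def coverage(rules):
    """Map each sample URL to whether the rule set blocks crawling it."""
    return {url: is_blocked(rules, url) for url in SAMPLE_URLS}

if __name__ == "__main__":
    for name, rules in [("broad", BROAD_RULE), ("vendor", VENDOR_RULE),
                        ("widened", WIDENED_RULES)]:
        print(name)
        for url, blocked in coverage(rules).items():
            print("  ", "BLOCKED" if blocked else "allowed", url)
```

A URL that robots.txt blocks is never fetched, so a `noindex` meta tag on that page is never read by the crawler; Google's block-indexing documentation says the page must not be blocked by robots.txt for `noindex` to take effect.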
Sorry but I don't believe this is resolved.
Are you seriously telling us we have to manually disallow every single spam link?
Do you realise these people automate these processes and we could potentially be looking at dealing with thousands? That's if we even manage to pick them up in the first place. And don't you think this will have a negative impact on our SEO overall, something many store owners work extremely hard on? Why is Shopify not actually doing something about this? It's getting ridiculous.
This is an accepted solution.
My simple solution.
{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
Details are on my blog.
But it's Japanese, not English.
https://webutubutu.com/webdesign/11116
Perfect.
Thank you!! This is an actual solution!
Hi Jizo
Do you place this tag in the theme.liquid:
{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
I tried that and it's not working, can you give me detail plz!
Hi Shadia1.
It will work if you include it in the head tag.
Meta tags with the noindex attribute are output.
For more information on the effects of noindex, please refer to Google's documentation.
https://developers.google.com/search/docs/crawling-indexing/block-indexing
It does not mean that they will disappear from the search results immediately.
Thank you its working now. Will keep an eye on it and see if anything changes in the future.
Maybe Shopify should implement this across the platform!
I wanted to check in with the group again on this one...as I'm not sure the situation has been "solved" for most of us. Our site just experienced another round of these SPAM pages being generated. Are others seeing the same?
Also, I am curious to see if anyone used the disavow function on Google. It is my understanding that this tool is for Spammy backlinks from OTHER sites pointing to your site as opposed to Spammy links ON YOUR SITE which is the case here. In other words, you are disavowing a URL on your own site not from an outside site. Did anyone try this? and if so, what were the results?
Not everyone is comfortable at inserting code into their theme so it would be good to have a solution that doesn't involve a code change.
Shopify should indeed look into implementing a fix across the platform. It's clear that there's a hole that allows exploitation of the query function. There's probably a lot of Shopify stores that don't know this is happening.
For those who didn't see it, there is another discussion in the Shopify Forums here: https://community.shopify.com/c/shopify-discussions/website-hacked-help/td-p/1748004
According to the posters there, this is really a WIDESPREAD problem
This is a widespread problem and Shopify appear to have no interest in helping their store owners resolve. When raised with support this morning it was made to seem that this issue was a one-off on our site and that we would have to hire a developer to help resolve. Not acceptable. Shopify should be IMMEDIATELY addressing the exploit in the search function to prevent this occurring - even if that is advising on what code can be implemented to assist in stopping the 'writing' of the text. For the monthly fees they charge we have a realistic expectation that Shopify would help protect us better. I am submitting a complaint and hope that others do to get some traction in getting this serious issue addressed.
Hi - We used the disavow tool at the root level and removed links from Google Search, it was not a solution. Adding the no index code and then forcing Google to re-index the site via search console seems to be working.
As I understand it, Shopify added code to prevent this on January 11, 2023, however there were 10,000 of these bad links generated on our site after the fix was in. Adding the code string already seems to be knocking these results out of Google.
You simply add it on Line 4 after the <head> tag in your theme's liquid code:
{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%} <meta name="robots" content="noindex"> {%- endif -%}
CODE CREDIT TO USER Jizo_Inagaki
In a multi-lingual environment, the code is not working.
Here is the changed code:
{%- assign targetPath = '/collections/vendors' -%}
{%- if request.path contains targetPath and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
Is this solution still working?
Where do I add it?
Hi Jizo_Inagaki,
Which liquid file does the code go into that you mention above?
Can you be specific for us please? I am having the same issue as everyone here with spammy vendor links - hundreds of thousands of them!!
It goes in the theme area (theme.liquid) - Line 4, after the <head> tag.
Hi Jizo,
I added the code in the head tag in theme.liquid but can't see any difference when I try a query with "collections/vendors?q=test"
Is it because I haven't published the theme where I modified the code yet?
Hi Marieszz,
Check the browser's source display to see if noindex is output within the head tag.
If you cannot confirm, I would suggest consulting with Shopify partner or expert.
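The source check described above can be scripted. This is an added example, not code from the poster or from Shopify: it parses a page's HTML and reports whether a robots `noindex` meta tag is present inside `<head>`. The three HTML samples are constructed; in practice you would feed it the saved source of a `/collections/vendors?q=...` page from the published theme.

```python
from html.parser import HTMLParser

class RobotsMetaFinder(HTMLParser):
    """Collect robots directives from <meta> tags that sit inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = {k: (v or "") for k, v in attrs}
            # "robots" applies to all crawlers, "googlebot" to Google only.
            if a.get("name", "").strip().lower() in ("robots", "googlebot"):
                for d in a.get("content", "").split(","):
                    if d.strip():
                        self.directives.add(d.strip().lower())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def head_has_noindex(html):
    """True if <head> carries a robots meta with 'noindex' (or 'none')."""
    finder = RobotsMetaFinder()
    finder.feed(html)
    finder.close()
    return bool({"noindex", "none"} & finder.directives)

# Constructed samples.
SNIPPET_IN_HEAD = """<html><head>
<meta charset="utf-8">
<meta name="Robots" content="NOINDEX, nofollow">
<title>Vendor search</title></head><body>No products found</body></html>"""

SNIPPET_IN_BODY = """<html><head><title>Vendor search</title></head>
<body><meta name="robots" content="noindex">No products found</body></html>"""

NO_SNIPPET = """<html><head><meta name="viewport" content="width=device-width">
<title>Blue mug</title></head><body>Product page</body></html>"""

if __name__ == "__main__":
    for label, page in [("in head", SNIPPET_IN_HEAD),
                        ("in body", SNIPPET_IN_BODY),
                        ("absent", NO_SNIPPET)]:
        print(label, "->", head_has_noindex(page))
```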
Thank you- I tried pasting in my theme.liquid file, straight after the head tag but this spammy page is still showing- should it be placed anywhere else?
Thank you so much for posting this code. We just added it to our site.
Hi Jizo - Is there a code solution for attacks on sites using "/search?q="
Thanks ~Jen