I-Search #158: SEO meets Security

                    I-Search Discussion List
            "Social Search Marketing and Technology"
Moderator:                                          Published by:
Disa Johnson                                        Search Return
February 14, 2013                                   I-Search #158
Refer a friend:       http://www.searchreturn.com/subscribe.shtml

                   .....IN THIS DIGEST.....

// -- NEW DISCUSSION -- //

             "SEO meets Security"
             ~ I-Search


// -- NEW DISCUSSION -- //


==> Where SEO, Security Meet

From: I-Search <>

SEO meets Security: Happy Valentine's Day!

SEO skills are useful to have, and their value goes well beyond 
search marketing: good SEO demands being savvy about a great 
many things, from software and code to how information is 
handled. One thing that will show up on your radar more often, 
if it hasn't already, is SEO hacking. As mentioned previously, I 
think 2013 is the year for security and privacy. The president 
mentioned it this week too.

As many as 3% of the webmaster messages Google sends are 
notifications to the owners of hacked sites. Vulnerabilities are 
exploited to plant links on compromised sites and so boost the 
rankings of spam pages. I've been privy to the sort of 'hush 
hush' conversation that happens when brand sites have been 
compromised: they get whispered about, and probably notified by 
Google.

Compromising CMS platforms is as old an SEO trick as guestbook 
and blog-comment robots or cloaking. WordPress powers as much as 
15% of the Web. Retooling guestbook robots against the WordPress 
comment system is what led to the introduction of the nofollow 
attribute, and since then none of the robots I've monitored has 
slowed down by a single tick. It is too easy and cheap to 
exploit. The makers of the CMS platforms themselves are rarely 
to blame, though they have had their mishaps; it is the plugin 
ecosystems around them that provide the attack surface for 
compromising websites.

Spammers write their own plugins and drop links back to 
themselves, which can seem almost harmless when that is all they 
do, compared with hiding a trojan in the plugin that quietly 
injects code when you are not looking. Most CMS platforms are 
built in PHP, a server-side scripting language, and PHP code is 
distributed as plain source: anyone who installs a plugin can 
read every line of it. That openness is sold as a benefit, and 
for legitimate review it is, but it is equally a delight for 
attackers hunting for flaws.

Because of that popularity, PHP code is where the SEO battle is 
largely fought, and PHP makes it easy to fight for either side. 
Once you know enough scripting you can defend against attack 
and fix the mistakes others have made. Do not install a plugin 
when you cannot read enough PHP to judge it, and never on the 
strength of a good rating alone. Consider that installing a 
plugin on a client's behalf is a form of legal liability, and 
that a recommendation from anyone who is not wise to security 
issues can be sketchy.
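The audit the preceding two paragraphs argue for, in working form. This is an added example written for this digest, not code from I-Search or from any WordPress plugin. It walks a plugins directory and flags the source patterns discussed above: request data echoed straight into the page (the link-injection case), an eval of a decoded payload (the trojan-in-the-plugin case), a remote include, and anchors hidden from readers. The directory layout, fixture files, rule names and regexes are all constructed for the demo and are assumptions, not a vetted signature set.

```php
<?php
// Added example, not code from I-Search or from any real plugin.
// Minimal static audit of a WordPress plugins directory. Every rule,
// file name and fixture below is constructed for the demo (an
// assumption, not a vetted signature set); each hit is a lead to read
// by hand, not proof of compromise.

const SUSPICIOUS_PATTERNS = [
    // Request data written straight into output: the link-injection case.
    'request data echoed' =>
        '/\b(?:echo|print)\b[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b/i',
    // Obfuscated code executed at runtime: the "trojan in the plugin" case.
    'eval of decoded payload' =>
        '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    // Code or link lists pulled from a remote host at runtime.
    'remote include' =>
        '/\b(?:include|require)(?:_once)?\s*\(?\s*["\']https?:\/\//i',
    // Anchors hidden from readers but still visible to crawlers.
    'hidden link markup' =>
        '/<a\b[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none/i',
];

/** Scan one PHP source string. Returns a list of [line, rule, snippet]. */
function audit_source(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        foreach (SUSPICIOUS_PATTERNS as $rule => $regex) {
            if (preg_match($regex, $line)) {
                $hits[] = ['line' => $i + 1, 'rule' => $rule, 'snippet' => trim($line)];
            }
        }
    }
    return $hits;
}

/** Audit every .php file under $dir. Returns [path => hits] for files with hits. */
function audit_plugin_dir(string $dir): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $hits = audit_source(file_get_contents($file->getPathname()));
            if ($hits !== []) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    ksort($report);
    return $report;
}

// Constructed fixture: a throwaway plugins tree with one clean plugin
// and one tampered plugin. Nothing in it is ever executed.
$root = sys_get_temp_dir() . '/plugins-demo-' . getmypid();
mkdir("$root/clean-widget", 0700, true);
mkdir("$root/tampered-widget", 0700, true);

$clean = <<<'PHP'
<?php
function cw_credit() {
    return '<a href="http://plugin-author.example/">Powered by Clean Widget</a>';
}
PHP;
$tampered = <<<'PHP'
<?php
function tw_credit() {
    echo '<a href="' . $_GET['ref'] . '">' . $_GET['text'] . '</a>';
    echo '<a href="http://cheap-pills.example/" style="display:none">buy pills</a>';
}
eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));
PHP;
file_put_contents("$root/clean-widget/widget.php", $clean);
file_put_contents("$root/tampered-widget/widget.php", $tampered);

foreach (audit_plugin_dir($root) as $path => $hits) {
    echo $path, PHP_EOL;
    foreach ($hits as $h) {
        printf("  line %d  [%s]  %s\n", $h['line'], $h['rule'], $h['snippet']);
    }
}

// Remove the fixture again.
foreach (['clean-widget', 'tampered-widget'] as $d) {
    unlink("$root/$d/widget.php");
    rmdir("$root/$d");
}
rmdir($root);
```

Run it with `php audit-demo.php`: only the tampered widget is reported, with one hit per rule on the lines that echo `$_GET`, hide an anchor with `display:none`, and `eval()` a base64 blob. Pointing `audit_plugin_dir()` at a real `wp-content/plugins` directory gives a first pass worth reading before, not after, the plugin goes live.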

The recipe for hacking a plugin is simple: install WordPress, 
look for plugins that write content into the page, and find a 
vulnerability. Work out a link-injection routine that lets you 
add keyword links; it can be as simple as unsanitized URL 
parameters. Once you have a working attack, search the Web for 
WordPress-powered sites running the vulnerable plugin and go to 
town.

This does happen. Plugins are open source: installing one gives 
you its full code even without access to the hosting account, 
and with hosting access you get more still. Admin access to a 
WordPress installation is enough to add plugins and pick them 
apart for vulnerabilities. Because PHP is deployed as source 
rather than as compiled binaries, working out an injection 
routine is usually straightforward. Google is aware of this and 
is sending alert messages.
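The injection the recipe describes, in miniature, and the fix. This is an added example, not code from I-Search or from any real plugin. A hypothetical credit-link widget takes its link target and anchor text from URL parameters; render_credit_vulnerable() echoes them as-is, while render_credit_hardened() pins the target to an allowlisted host and escapes both values. The function names, the 'ref' and 'text' parameters, the hosts and the attacker input are all constructed for the demo.

```php
<?php
// Added example, not code from I-Search or from any real plugin.
// A hypothetical "credit link" widget whose link target and anchor
// text come from the query string (in a plugin, $params is $_GET).
// Function names, parameter names, hosts and the attacker input are
// all constructed for this demo.

// VULNERABLE: the pattern the digest describes. Whatever arrives in
// the query string is written straight into the page, so a crafted
// request controls both the outbound link and its keyword anchor text,
// and a second anchor can be smuggled in through the text parameter.
function render_credit_vulnerable(array $params): string
{
    $href = $params['ref']  ?? 'http://plugin-author.example/';
    $text = $params['text'] ?? 'Powered by Example Widget';
    return '<a href="' . $href . '">' . $text . '</a>';
}

// HARDENED: the target must be an absolute http(s) URL on an
// allowlisted host, anything else falls back to the built-in default,
// and both values are escaped for the HTML context they land in.
// (In WordPress, esc_url() and esc_html() do the escaping.)
const ALLOWED_HOSTS = ['plugin-author.example', 'www.plugin-author.example'];
const DEFAULT_CREDIT_URL = 'http://plugin-author.example/';

function safe_credit_url(?string $candidate): string
{
    if ($candidate === null) {
        return DEFAULT_CREDIT_URL;
    }
    $url = filter_var($candidate, FILTER_VALIDATE_URL);
    if ($url === false) {
        return DEFAULT_CREDIT_URL;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, ALLOWED_HOSTS, true)) {
        return DEFAULT_CREDIT_URL;
    }
    return $url;
}

function render_credit_hardened(array $params): string
{
    $href = safe_credit_url($params['ref'] ?? null);
    // Cap and escape the anchor text so it cannot close the tag or
    // open a new one; nofollow denies the link any ranking value anyway.
    $text = mb_substr($params['text'] ?? 'Powered by Example Widget', 0, 60);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '" rel="nofollow">'
         . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</a>';
}

// Constructed attacker input: a keyword link to a spam host, plus anchor
// text that tries to break out of the tag and plant a second link.
$attack = [
    'ref'  => 'http://cheap-pills.example/buy',
    'text' => 'cheap pills</a><a href="http://casino.example/">online casino',
];

echo "vulnerable: ", render_credit_vulnerable($attack), PHP_EOL;
echo "hardened:   ", render_credit_hardened($attack), PHP_EOL;
```

Run with `php widget-demo.php`: the vulnerable line carries two spam anchors pointing at hosts the site owner never chose, while the hardened line links only to the default host, carries rel="nofollow", and shows the smuggled markup as inert escaped text. The allowlist is the important part; escaping alone would still let an attacker pick the destination.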

There is usually a tell-tale footprint that reveals which 
WordPress blogs have a given plugin installed. A vulnerable 
plugin may, as many do, print a credit link back to its author 
in the HTML; search Google for sites linking to that author and 
you have your target list. (If a target is not in Google's 
index, injecting links into it is not worth the effort anyway.) 
This is where SEO and security meet. Be aware. Be ready. Be 
good.


Stay Tuned.

Got feedback?: http://www.searchreturn.com/feedback.shtml

Archives: http://www.searchreturn.com/digest-archive.shtml


The contents of the digest do not necessarily reflect the
opinions of Search Return LLC or Disa Johnson. Search Return LLC 
and Disa Johnson make no warranties, either expressed or implied,
about the truth or accuracy of the contents of the Search Return

Copyright © 2005-2013 Disa Johnson. All Rights Reserved.