-----------------------------------------------------------------
I-Search Discussion List
"Social Search Marketing and Technology"
-----------------------------------------------------------------
Moderator: Disa Johnson
Published by: Search Return http://www.searchreturn.com
-----------------------------------------------------------------
February 14, 2013                                   I-Search #158
-----------------------------------------------------------------

.....IN THIS DIGEST.....

// -- NEW DISCUSSION -- //

"SEO meets Security"
~ I-Search

-----------------------------------------------------------------
// -- NEW DISCUSSION -- //
-----------------------------------------------------------------

==> Where SEO, Security Meet

From: I-Search

SEO meets Security: Happy Valentine's Day!

SEO skills are useful to have. The value of SEO skills goes way beyond search marketing, since you should be savvy about a great number of things from software to code and information. One thing that will show up more frequently on your radar, if it hasn't already, is SEO hacking. As mentioned previously, I think 2013 is the year for security and privacy. The president mentioned it this week too.

As much as 3% of webmaster messages sent by Google involve hacked sites (informing victims). Vulnerabilities are exploited for the purpose of adding links from compromised sites to boost rankings for spam. I've been privy to the sort of 'hush hush' conversation when brand sites have been compromised and get whispered about and probably notified by Google.

Compromising CMS systems is as old as SEO guestbook or blog comment robots to cloaking. WordPress hosts as much as 15% of the Web.
Since retooling guestbook robots to exploit the WordPress comment system resulted in the nofollow attribute being introduced, none of the robots I've monitored slowed down by a single tick. It's too easy and cheap to exploit.

The makers of CMS systems are rarely to blame, though they've had their mishaps in the past. It's the nature of their plugin libraries that provides the platform for compromising websites. Spammers make their own plugins and drop links back to themselves, which can sometimes seem harmless when that's all they do, compared to leaving a trojan in the plugin for the purpose of injecting code on the sly when you're not looking.

Most CMS platforms are built using PHP (a server-side scripting language). Due to the nature of PHP, code is unprotected because it is open source; sold as a benefit, it is unfortunately a delight for hackers. Because of their popularity, PHP-based code is where the SEO cyber-warfare battlefield is largely fought. PHP makes it easy to fight on behalf of either side. Once you know enough scripting yourself you can defend against attack and know enough to fix errors made by others.

Avoid installing plugins when you don't know enough PHP, or just because of a good rating. Consider that installing a plugin on behalf of your clients is a sort of legal liability. Recommendations by anyone who isn't wise to security issues can be sketchy.

The recipe for hacking a plugin is incredibly simple: Install WordPress, then look for plugins which edit content and find a vulnerability. Come up with a link injection routine that will allow you to add keyword links. It can be as simple as URL params. Once you've created a nice hack, search the web for WordPress-powered sites with compromised plugins installed and go to town.

This can happen. Plugins are open source. Installing a plugin allows you to access its code even if you don't have access to the host provider account. You get more if you have access.
As long as you've got admin access to a WordPress installation though, you can add plugins to look for vulnerabilities. Since PHP is a simple scripting language, not compiled into byte-code, coming up with injection routines can be fairly basic. Google is aware and sending alert messages.

You can usually find some tell-tale sign of blogs powered by WordPress with the plugin available. An example might include finding a compromised plugin that, in common practice, links back to the author in HTML. Use Google to find these. If your targets aren't in Google, it's not worth your time to inject links into them. Just search for sites that link to the author, and there you go - a list.

This is where SEO and security meet. Be aware. Be ready. Be good.

-----------------------------------------------------------------

Stay Tuned.

The contents of the digest do not necessarily reflect the opinions of Search Return LLC or Disa Johnson. Search Return LLC and Disa Johnson make no warranties, either expressed or implied, about the truth or accuracy of the contents of the Search Return Digest.

Copyright © 2005-2013 Disa Johnson. All Rights Reserved.
-----------------------------------------------------------------
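
For site owners on the receiving end of the link injection this digest describes, here is an added example (not part of the original post and not Search Return code) that audits a page's rendered HTML for off-site links and marks the ones that are hidden from visitors or still followed by crawlers. The host names, the allowlist and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class LinkAuditor(HTMLParser):
    """Record every off-site <a href>, noting if it is hidden or followed."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.own = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.stack = []      # (tag, hides_its_contents) per open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = ("display:none" in style or "visibility:hidden" in style
                 or "hidden" in a)
        if tag not in VOID:
            self.stack.append((tag, hides))
        host = (urlparse(a.get("href") or "").hostname or "").lower()
        if tag != "a" or not host or host in self.own:
            return           # not a link, a relative link, or an expected host
        rel = (a.get("rel") or "").lower().split()
        self.findings.append({
            "host": host, "href": a["href"],
            "hidden": any(h for _, h in self.stack),
            "followed": "nofollow" not in rel})

    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        if tag in names:     # close the innermost matching open element
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

def audit(html, site_host, allowed_hosts=()):
    parser = LinkAuditor(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for the hypothetical site blog.example
SAMPLE = """<p>See the <a href="/about">about page</a> or the
<a href="https://partner.example/docs">partner docs</a>.</p>
<div style="display: none"><a href="http://pills.example/buy">cheap pills</a></div>
<p>Theme by <a href="https://author.example/" rel="nofollow">Author</a><br>
<a href="//casino.example/win">win big</a></p>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "blog.example", {"partner.example"}):
        print(finding)
```

Run it against pages as a crawler would fetch them and compare the findings between runs; a new host appearing, especially one marked hidden, is the signal to review recently installed or updated plugins.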