-----------------------------------------------------------------
I-Search Discussion List
"Social Search Marketing and Technology"
-----------------------------------------------------------------
Moderator: Published by:
Disa Johnson Search Return
http://www.searchreturn.com
-----------------------------------------------------------------
February 14, 2013 I-Search #158
-----------------------------------------------------------------
SEND POSTS:
-----------------------------------------------------------------
Refer a friend: http://www.searchreturn.com/subscribe.shtml
-----------------------------------------------------------------
.....IN THIS DIGEST.....
// -- NEW DISCUSSION -- //
"SEO meets Security"
~ I-Search
-----------------------------------------------------------------
// -- NEW DISCUSSION -- //
-----------------------------------------------------------------
==> Where SEO, Security Meet
From: I-Search <>
SEO meets Security: Happy Valentine's Day!
SEO skills are useful to have. The value of SEO skills go way
beyond search marketing, since you should be savvy about a great
number of things from software to code and information. One thing
that will show up more frequently on your radar, if it hasn't
already, is SEO hacking. As mentioned previously, I think 2013 is
the year for security and privacy. The president mentioned it
this week too.
As much as 3% of webmaster messages sent by Google involve hacked
sites (informing victims). Vulnerabilities are exploited for
the purpose of adding links from compromised sites to boost
rankings for spam. I've been privy to the sort of 'hush hush'
conversation when brand sites have been compromised and get
whispered about and probably notified by Google.
Compromising CMS systems is as old as SEO guestbook or blog
comment robots to cloaking. Wordpress hosts as much as 15% of the
Web. Since retooling guestbook robots to exploit the Wordpress
comment system resulted in the nofollow attribute being
introduced, none of the robots I've monitored slowed down by a
single tick. It's too easy and cheap to exploit. The makers of
CMS systems are rarely to blame, though they've had their mishaps
in the past. It's the nature of their plugin libraries that
provide the platform for compromising websites.
Spammers make their own plugins and drop links back to
themselves, which can sometimes seem harmless when that's all
they do, compared to leaving a trojan in the plugin for the
purpose of injecting code on the sly when you're not looking.
Most CMS platforms are built using PHP (a server-side scripting
language). Due to the nature of PHP, code is unprotected from
being open source, sold as a benefit it is unfortunately a
delight for hackers.
Because of their popularity, PHP-based code is where the SEO
cyber-warfare battlefield is largely fought. PHP makes it easy to
fight on behalf of either side. Once you know enough scripting
yourself you can defend against attack and know enough to fix
errors made by others. Avoid installing plugins when you don't
know enough PHP, or just because of a good rating. Consider that
installing a plugin on behalf of your clients is a sort of legal
liability. Recommendations by anyone who isn't wise to security
issues can be sketchy.
The recipe for hacking a plugin is incredibly simple: Install
Wordpress, then look for plugins which edit content and find a
vulnerability. Come up with a link injection routine that will
allow you to add keyword links. It can as simple as url params.
Once you've created a nice hack, search the web for Wordpress
powered sites with compromised plugins installed and go to town.
This can happen. Plugins are open source. Installing a plugin
allows you to access its code even if you don't have access to
the host provider account. You get more if you have access. As
long as you've got admin access to a Wordpress installation
though, you can add plugins to look for vulnerabilities. Since
PHP is a simple scripting language, not compiled into byte-code,
coming up with injection routines can be fairly basic. Google is
aware and sending alert messages.
You can usually find some tell-tale sign of blogs powered by
Wordpress with the plugin available. An example might include
finding a compromised plugin that, in common practice, links back
to the author in HTML. Use Google to find these. If your targets
aren't in Google, it's not worth your time to inject links into
them. Just search for sites that link to the author, and there
you go - a list. This is where SEO and security meet. Be aware.
Be ready. Be good.
-----------------------------------------------------------------
Stay Tuned.
Got feedback?: http://www.searchreturn.com/feedback.shtml
Archives: http://www.searchreturn.com/digest-archive.shtml
Alternate formats:
http://www.searchreturn.com/info-formats.shtml
Manage Subscriptions:
http://www.searchreturn.com/help/manage-subs.shtml
Problems unsubscribing? Contact the postmaster:
mailto:postmaster@searchreturn.com
Information on how to sponsor this publication:
http://www.searchreturn.com/help/advertise.shtml
Published by Search Return
http://www.searchreturn.com
Website Membership:
http://www.searchreturn.com/register.shtml
The contents of the digest do not necessarily reflect the
opinions of Search Return LLC or Disa Johnson. Search Return LLC
and Disa Johnson make no warranties, either expressed or implied,
about the truth or accuracy of the contents of the Search Return
Digest.
Copyright © 2005-2013 Disa Johnson. All Rights Reserved.
-----------------------------------------------------------------