It's a fairly lucrative "business practice". Getting juicy links from authoritative websites can skyrocket your rankings within a few days, even if that. Yet, this isn't a new thing or something that someone just came up with.
Such gamification has been going on since the early 2000s, it's just kept lowkey enough that people don't see it as the biggest deal ever. However, it's a big deal for people who pay for such services.
If you look at certain job advertising websites for bloggers/marketers, you'll find plenty of job listings where the employer is looking for writers with "access to high-authority editorials" -- because naturally, they know that those links are worth a hundredfold more than 50 links from an average blog.
Whether it's a problem on Google's side is up for discussion. Giving sites high authority and then bumping up other sites who are linked from those places is definitely a weird way to implement a ranking system. But rest assured, it's there and it works.
And as for the title, it should read "bloggers are paying hackers to break into websites", rather than blaming one side only.
A lot more could be said on this, especially from experience, but there's really no point. Addressing an elephant this big would require Google to be actively involved in the discussion. And that's unlikely to happen.
But a lot of them do a really bad job of it like linking to irrelevant sites multiple times even on a single page. This makes it fairly obvious a site has been hacked and severe de-ranking soon follows.
Those doing it in a clever way are few and far between and, it could be argued, if they are simply linking to relevant sites in a measured manner, who cares? The 'legitimate' links on many commercial sites are paid for one way or another anyway?
I agree it goes against the spirit of a supposedly neutral search service though.
> Giving sites high authority and then bumping up other sites who are linked from those places is definitely a weird way to implement a ranking system.
“We hacked thousands of porn sites and replaced their content with links to our own commercial porno offerings, now that we’re in that business.” -Blackhat Dominatrix CEO Chick
Run any website and your logs will eventually be full of hits to /wp-admin /cgi-bin etc. from zombies scanning the net for known vulnerabilities. This has been going on forever.
Yep - this is why I ultimately gave up on hosting Wordpress at all and just went with Pantheon. The managed service to deal with this was easily worth more than constantly being paranoid as to whether I was up to date with the most recent types of Wordpress vulnerabilities.
This has been a hit and miss for me, and that's actually worse, because when I get that "wordpress has updated on its own" email I get the feeling of security, and then months later I log into the admin area only to find wordpress decided not to install a core update for... whatever reason
Yes and sometimes you don't even need to break into the sites. When I was doing some "blackhat seo" about ten years ago I discovered a high PR forum in the same niche that allowed anchor links in the username field. This meant that I could I put something like <a href="mysite.com">keyword</a> as the username and it would just appears as "mykeyword" on the forum index page.
Just one of the many ways I've learned to game Google. Social engineering also works well for link building and plenty of other grayhat methods. While I had considered the possibility of outright breaking into systems to place links, I never believed it worth the risk. Not surprised others have started doing it (or started getting caught doing it).
As much as I appreciate with the premise that this shouldn't have happened.. I'd much rather people feel safe coming here talking about it. They talk about a long past incident and they don't suggest they are proud of it.
Having this sort of discussion here increases the visibility of these sort of annoyances in ways that make Google more likely to clamp down on the practice. It makes forum administrators more likely to clamp down on abuse, and frankly anything that helps decrease trust in the SEO industry is a good thing.
Yeah there are a ton of ideas I came up with that I never acted on like faking being a resident of a cities with GOV TLDs who have business directories on that domain. There was enough of these directories providing do-follow links that it may have been worth the effort. Seemed borderline illegal so I decided not to.
Actually, there was an article on HN recently about how easy it is to procure GOV domains by pretending to be a city. The balls of that one blew me away.
Blackhat SEO is no different than hacking. It's just exploiting systems.
I see a distant analogy with something I got to know from a private investigator. Burglars also changed their game in the similar spirit. Instead of stealing your big TV, jewelry or other physical goods they try to escalate the physical breach into digital one, e.g. installing spyware on your laptop instead of stealing it. Wiping a bank account pays better than stealing physical stuff.
Do you know where this is happening and who exactly is doing it?
Most residential burglaries I hear of are disorganized smash and grab type situations, with desperate people and drug addicts looking for cash, jewelry, lightweight electronics and other things to easily liquidate.
Years ago (2006-2013) I ran a personal site that used Wordpress for its front page/blog, with the remainder using very simple hand-rolled PHP templating and text files. The front page was a constant source of trouble — if I didn’t stay perfectly on top of keeping Wordpress up to date I’d get hit with the same kind of hidden link stuff mentioned in the article. Crazy thing is that my site barely even had an audience to speak of… can’t imagine what it must be like for more popular blogs.
If I were to spin up a new personal site I think it’d be with something like gohugo.io deployed on Netlify, making it as static as possible with no room for exploits.
I think security is one of the reason that static CMS have become so popular. Also it lets you easily separate content from the CMS (in the form of markdown, asciidoc, rst) and, maybe most importantly, it makes it very, very fast and makes it easy (and cheap) to host almost anywhere.
I use hugo with aws s3 bucket static web hosting + cloudfront currently. Costs me absolutely nothing with the AWS free tier (5GB of S3 and 50GB of cloudfront free per month). Generate the site in hugo then use the aws cli tools to sync to s3. Because it's almost entirely html with very few images I don't think I could ever hit those AWS free tier limits.
edit: I actually just checked and the free tier is only 12 months. My last months bill total was $0.01 for s3.
Gaming Google is an old sport. Long ago we had a company here give free hosting for small sites. The catch was the their server inserted porn links when Google Bot visited the page. So many people were merrily creating their subdomains while secretly helping the porn rankings. It was infuriating and amazing at the same time.
Do you have more details? The twist of only serving the inserted links to the Google Bot but not to normal users makes sense, but isn't an approach I've seen before.
I didn't look into it very much back then. They were giving free hosting and subdomains back when such a thing was expensive and jumped on it for my homepage. Somehow I saw the Google cache of my page and it was surrounded by ads.
So they were serving different content to different clients based on user agent and/or IP block.
When I found out I deleted my account.
I see the site still exists, they might do the same thing. It's 3x on the .ro TLD.
Not exactly related but I realized quite often now that sometimes when I search for very specific things, usually like some sort of coding bug or error, Google returns some results that look seemingly legitimate with sensible preview text and stuff but when I click on it it's a full on Japanese porn site. Yummy. At first I thought it was some sort of malware in my computer but then I realized it really was something wrong with google's links. It's happened enough frequently to be noticeable now
The whole backrub/pagerank/backlink thing was from the 90's. Don't you suppose Google is weighting other things more highly in their search algorithm these days?
It was insulting to Google really! Nice to see someone bold enough to compete with lorem ipsum on the site. You are right most likely a manual penalty!
They are from the 90's, however for the most part they still signify importance of the page being cited. Deviating from links to mainly on-page factors makes it easy for new search engines to compete with Google. The results can also be manipulated much more frequently than when you need high authority links to rank on top.
The amusing thing I get from this is pleading ignorance to what's being sold after being rumbled.
I've seen some of those 'vendors' lord it up about how great they are at SEO, and when it comes to them getting limelight outside their own circle, they are acting like they were born yesterday and had no idea.
Their service pillows the hacked links with other sources like SAPE to provide volume.
All lucrative of course, but quite scummy IMO and SEOs should stick to legal avenues of promotion.
Re title: I think the phrase 'bad actors' in place of 'hackers' paints a less-broad portrait of the a-holes that do that kind of stuff. Takes a real dope to drop the kind of stuff that Molly found in her blog.
Of all the places to find the term 'hackers' abused ...
A strange emphasis in mentioning the "open-source version of Wordpress" is the one being hacked into. I doubt a proprietary solution would be any less vulnerable.
> There were [links] for, you know, anal bleaching, which is apparently a thing. I mean, just truly, incredibly inappropriate things. And there was even some links to Russian pornography sites. I mean, we're talking about horrible, horrible things.
Does she mean anal bleaching and porn to be "horrible, horrible things" or was there something else, really horrible? Perhaps porn is something many old-fashioned people still are uncomfortable of talking about but I wouldn't rate it as horrible - most of the people watch it and are okay.
> runs on the open source version of WordPress
Everybody knows this: running WordPress without 24x7 professional support means you are 100% guaranteed to get pwned.
Such gamification has been going on since the early 2000s, it's just kept lowkey enough that people don't see it as the biggest deal ever. However, it's a big deal for people who pay for such services.
If you look at certain job advertising websites for bloggers/marketers, you'll find plenty of job listings where the employer is looking for writers with "access to high-authority editorials" -- because naturally, they know that those links are worth a hundredfold more than 50 links from an average blog.
Whether it's a problem on Google's side is up for discussion. Giving sites high authority and then bumping up other sites who are linked from those places is definitely a weird way to implement a ranking system. But rest assured, it's there and it works.
And as for the title, it should read "bloggers are paying hackers to break into websites", rather than blaming one side only.
A lot more could be said on this, especially from experience, but there's really no point. Addressing an elephant this big would require Google to be actively involved in the discussion. And that's unlikely to happen.