URL Hijack by Spam Trackback through 302 Redirection in WordPress

URL Hijack by Spam Trackbacks through 302 Redirection in WordPress is getting a very popular method nowadays again. The major target are blogs with >80 % traffic from Google Search Engines.

What is this URL Hijack is?

People will arrive to your webpage by any means (suppose from the Google Search Result pages); after few seconds will be redirected to the spammer / hacker’s own webpage.

What is 302 and 301 redirection?

To redirect a page, multiple methods can be used.

Well recognized for redirections are status codes 301 and 302. 301 redirect is permanent redirection ( that is content moved from one domain to another permanently).

The 302 redirect is temporary redirection; the main page remains valid to Google Search. Obviously, The effect of the two redirections are also different to the search engine.

How URL Hijack is performed using spam Trackbacks?

How URL Hijacking can happen, was written by Joost de Valk in Yoast in two years ago:

This is were, in my opinion, WordPress goes wrong, as that redirect is a 302 redirect. On line 65 of wp-trackback.php, it says the following:
wp_redirect(get_permalink($tb_id));

So it uses the function wp_redirect to redirect you back to the original post. This function lives in wp-includes/pluggable.php, and by default, sends a 302 redirect. You can make it send a 301 redirect by simply changing the code to:
wp_redirect(get_permalink($tb_id),301);

We will not discuss on how URL Hijack is actually done by using which line of code. This post will be exploited to use by the hackers for URL Hijack, who are still not aware of the method.

How to prevent URL Hijack by spam trackbacks in WordPress blog?

• Use Disallow Tracbacks, Comments, Comment feeds from Robots.txt. We wrote ago about using Robots.txt perfectly in post to fight duplicate content issue.
• Use Ultimate Security Check like plugins to check other security loop holes.
• Use Exploit Scanner like plugin to check if your WordPress theme has any problem itself.
• Always manually check who is actually giving the link that you are getting as a Trackback. This is what we suggest to do to prevent URL Hijack or allowing spam trackbacks.
• Copy paste the URL of the trackback (if suspicious) to any text Editor to see what it looks like. Simply delete the URL and allow Trackback / delete it if you guess anything suspicious.
• Never use “Free Premium Themes” ; other than illegal it can itself inject codes to facilitate the URL Hijack. We recommend using good Premium themes or if you do not afford, use official free themes from WordPress as scaffold and create your own Child Theme.
• Certain plugins can do this URL Hijack, try not to download WordPress plugins outside of WordPress repositary.
• Update WordPress and plugins regularly to prevent URL Hijack.

Other methods of URL Hijack

• Manipulating the .htaccess file : hacker needs access to the root. Difficult task for the hacker to exploit for doing a URL Hijack as it is almost impossible to gain access with a good setup. But this is very effective for doing the URL Hijack  : visitor will practically not notice the redirection; everything will happen instantaneously.
• Malicious Java Scripts of bad Advertisers. We can just say, these Advertisers do not perform any URL hijack through advertising: Google Adsense, Adbrite, LakeQuincy Media, Technorati Media, Tribal Fusion, Chitika. For all others, be cautious, we have not tested. We discovered 3 (till now) who do these.

Incoming search terms:

0saves

Save

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

Visitors Read This Post Also Read:

1. Reasons to use WordPress for business or a blog website Presentation of features a WordPress Blogging platform   WordPress is the blogging platform used most...
2. Understand and use trackbacks Trackback is a concept in the world of blogs that is particularly difficult to explain....
3. Tips for chossing the right WordPress theme WordPress has become the most popular open source content management system (CMS). In its beginnings,...
4. Checklist to choose a perfect WordPress theme Previously, we gave a basic primer on how to choose the right WordPress theme ;...
5. Best SEO plugin: Platinum SEO pack versus All in one SEO pack WordPress supplies by default with some features those are enough to place the blog in...
6. Best features of WordPress This article Best features of WordPress describes the features which has established WordPress in the...
7. Some of the best WordPress plugins Well, we purposefully named the topic as  Some of the best WordPress plugins instead of...
8. Codes and plugins for placing Advertisement banners in WordPress blogs It is very important to rightly place the Advertisement units in your WordPress blog in...
9. 10 things bloggers must remember to do We hope this article serves as a checklist to be visited from time to time....
10. Avoid duplicate content issue in webmaster tool for wordpress blogs Lately, every now and then the question is asked how to avoid duplicate content in...
11. WordPress Plugins to create a glossary in your blog Be faster and more precise, what many bloggers love. Using a glossary is widespread in the...
12. 5 SEO plugins for WordPress 2011 has just begun and you still have not found your resolution for this new...
13. 15 Tips to secure your WordPress site Some time ago we had a problem with our WordPress site suffered a little hacking....
14. 66 possible topics for your blog Thought block. Though it is a term for certain psychiatric disorders; it is now often...
15. Tips for starting self hosted WordPress blog Those who are thinking to start own self hosted blog, this article might telp to...