URL Hijack by Spam Trackback through 302 Redirection in WordPress

URL Hijack by Spam Trackbacks through 302 Redirection in WordPress is getting a very popular method nowadays again. The major target are blogs with >80 % traffic from Google Search Engines.

What is this URL Hijack is?

People will arrive to your webpage by any means (suppose from the Google Search Result pages); after few seconds will be redirected to the spammer / hacker’s own webpage.

What is 302 and 301 redirection?

To redirect a page, multiple methods can be used.

Well recognized for redirections are status codes 301 and 302. 301 redirect is permanent redirection ( that is content moved from one domain to another permanently).

The 302 redirect is temporary redirection; the main page remains valid to Google Search. Obviously, The effect of the two redirections are also different to the search engine.

How URL Hijack is performed using spam Trackbacks?

How URL Hijacking can happen, was written by Joost de Valk in Yoast in two years ago:

This is were, in my opinion, WordPress goes wrong, as that redirect is a 302 redirect. On line 65 of wp-trackback.php, it says the following:
wp_redirect(get_permalink($tb_id));

So it uses the function wp_redirect to redirect you back to the original post. This function lives in wp-includes/pluggable.php, and by default, sends a 302 redirect. You can make it send a 301 redirect by simply changing the code to:
wp_redirect(get_permalink($tb_id),301);

We will not discuss on how URL Hijack is actually done by using which line of code. This post will be exploited to use by the hackers for URL Hijack, who are still not aware of the method.

How to prevent URL Hijack by spam trackbacks in WordPress blog?

• Use Disallow Tracbacks, Comments, Comment feeds from Robots.txt. perfectly in post to fight duplicate content issue.
• Use Ultimate Security Check like plugins to check other security loop holes.
• Use Exploit Scanner like plugin to check if your WordPress theme has any problem itself.
• Always manually check who is actually giving the link that you are getting as a Trackback. This is what we suggest to do to prevent URL Hijack or allowing spam trackbacks.
• Copy paste the URL of the trackback (if suspicious) to any text Editor to see what it looks like. Simply delete the URL and allow Trackback / delete it if you guess anything suspicious.
• Never use “Free Premium Themes” ; other than illegal it can itself inject codes to facilitate the URL Hijack. We recommend using good Premium themes or if you do not afford, use official free themes from WordPress as scaffold and create your own Child Theme.
• Certain plugins can do this URL Hijack, try not to download WordPress plugins outside of WordPress repositary.
• Update WordPress and plugins regularly to prevent URL Hijack.

Other methods of URL Hijack

• Manipulating the .htaccess file : hacker needs access to the root. Difficult task for the hacker to exploit for doing a URL Hijack as it is almost impossible to gain access with a good setup. But this is very effective for doing the URL Hijack  : visitor will practically not notice the redirection; everything will happen instantaneously.
• Malicious Java Scripts of bad Advertisers. We can just say, these Advertisers do not perform any URL hijack through advertising: Google Adsense, Adbrite, LakeQuincy Media, Technorati Media, Tribal Fusion, Chitika. For all others, be cautious, we have not tested. We discovered 3 (till now) who do these.