I recently spoke at A4U in London on the topic of Negative SEO with Dave, Ralph and Marcus.
Someone asked me after the session if they needed to be aware of anything to help protect their blog from damage. Bear in mind that what I am about to explain is probably illegal, and this isn't a guide; it's a warning on how to avoid the problem.
So, is it possible to take down a WordPress site without knowing hacking, renting a botnet, paying a hacker, etc.?
Yes probably…
Say you have a WordPress site and haven't prevented directory browsing in your plugins directory (add a line to your .htaccess that says 'Options All -Indexes' to prevent that).
The competition could look for plugin names in your source code, then confirm they exist by browsing the plugins directory. If they then found a plugin that wasn't too popular, they could set up a way of trying to dupe you.
They could set up a one page site about that plugin with an announcement saying that they had taken ownership of the plugin and now supported it.
They could email you saying that they had taken over the plugin from its author and that you needed to upgrade your version due to a potential security issue and helpfully attach a zip file of the new upgraded plugin.
You might trust them and install that new version. The new version, however, isn't that new; it's the same as the old version, but now they have inserted a few lines to add a hook in the header.
These lines insert the verification code for Google Webmaster Tools.
Now you have a competitor who has verified control of your domain on a fake Google account.
They can remove files (removal request on the root?).
They could mess with the config of the www vs. non-www versions of the site.
In short, they could make your site disappear.
So, to avoid this:
Never accept a plugin from anywhere other than WordPress, and vet the code.
Watch the notifications in Webmaster Tools to spot anyone else getting verified for your domains.
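As an added example (not code from the original post), here is one way to automate both checks: scan a plugin zip for verification-tag markup before installing it, and audit your rendered homepage for verification tokens you did not issue. The plugin name, tokens and sample files are constructed for illustration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Meta names Google has used for site-ownership verification tags.
VERIFY_NAMES = {"google-site-verification", "verify-v1"}
MARKER = re.compile(rb"google-site-verification|verify-v1", re.I)

def scan_plugin_zip(zip_file):
    """Names of PHP files in the archive that mention a verification tag."""
    with zipfile.ZipFile(zip_file) as zf:
        return sorted(i.filename for i in zf.infolist()
                      if i.filename.lower().endswith(".php")
                      and MARKER.search(zf.read(i)))

class _MetaCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in VERIFY_NAMES:
            self.tokens.append(a.get("content") or "")

def unexpected_tokens(html, allowed):
    """Verification tokens served by the page that the owner did not issue."""
    parser = _MetaCollector()
    parser.feed(html)
    return [t for t in parser.tokens if t not in allowed]

def build_sample_zip():
    """Constructed sample: a plugin archive with one tampered PHP file."""
    tampered = ("<?php function ep_head() { echo '<meta "
                "name=\"google-site-verification\" content=\"CONSTRUCTED-TOKEN\" />'; }\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-plugin/example-plugin.php", tampered)
        zf.writestr("example-plugin/inc/util.php", "<?php function ep_util() {}\n")
        zf.writestr("example-plugin/readme.txt", "Example plugin")
    buf.seek(0)
    return buf

# Constructed sample page: one token the owner issued, one they did not.
SAMPLE_HTML = ('<html><head>'
               '<meta name="google-site-verification" content="OWNER-TOKEN" />'
               '<meta name="google-site-verification" content="CONSTRUCTED-TOKEN" />'
               '</head><body></body></html>')
```

A plain string match will miss an encoded or obfuscated insertion, so treat a clean scan as a first pass and still diff the archive against the copy distributed by WordPress.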
