
How to prevent websites from hijacking your google search results
So, recently this has been happening to a lot of my sites.
When I search Google for something that is unique to my site, I keep getting results on random domain names that have my site’s content but a completely different domain.
I started researching how this could be possible.
And I found out about page hijacking:
A page hijack is a technique exploiting the way search engines interpret certain commands that a web server can send to a visitor. In essence, it allows a hijacking website to replace pages belonging to target websites in the Search Engine Results Pages (“SERPs”).
When a visitor searches for a term (say, foo) a hijacking webmaster can replace the pages that appear for this search with pages that (s)he controls. The new pages that the hijacking webmaster inserts into the search engine are “virtual pages”, meaning that they don’t exist as real pages. Technically speaking they are “server side scripts” and not pages, so the searcher is taken directly from the search engine listings to a script that the hijacker controls. The hijacked pages appear to the searcher as copies of the target pages, but with another web address (“URL”) than the target pages.
Once a hijack has taken place, a malicious hijacker can redirect any visitor that clicks on the target page listing to any other page the hijacker chooses to redirect to. If this redirect is hidden from the search engine spiders, the hijack can be sustained for an indefinite period of time.
Possible abuses include: Make “adult” pages appear as e.g. CNN pages in the search engines, set up false bank frontends, false storefronts, etc. All the “usual suspects” that is.
A possible prevention:
This site explains in detail how this works:
http://www.leetupload.com/database/Misc/Papers/Phlak/Web%20Hacking/google-302-page-hijack.htm
I’ve just started using the methods described in this site to protect some of my sites.
Still need to wait a few weeks to know if the hijacker’s sites actually start dying down.
How to use it to your benefit:
I also happen to run a few sites that have some content that google tends to block under the DMCA act.
Because of this, my sites have started to move way back in the google search results.
But the people making these hijacking sites have actually moved my results to the front page, albeit under a hijacker’s domain.
If you have a similar situation, then you can use this simple JavaScript trick to leverage the work these sites are doing to your benefit and have them redirect to your original site.
You need to add this javascript code in the HEAD section of your site:
if (window.location.hostname !== "yoursite.com") {
  // pathname already begins with "/", so the host part must not end with one
  window.location = "http://yoursite.com" + window.location.pathname;
}
What this does is basically check if the current site is “yoursite”. If not then it will redirect to the same page on your domain.
But these hijacking sites find all of your site’s URLs in your page and replace them with their own.
So you need to obfuscate this special little javascript snippet.
Go to this site:
https://javascriptobfuscator.com/Javascript-Obfuscator.aspx
Paste the JavaScript code there and press the Obfuscate button.
Then paste the obfuscated code in your head section.
Obfuscated code will look something like this:
var _0xfcbd=["\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x79\x6F\x75\x72\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x68\x74\x74\x70\x3A\x2F\x2F\x79\x6F\x75\x72\x73\x69\x74\x65\x2E\x63\x6F\x6D","\x70\x61\x74\x68\x6E\x61\x6D\x65"];if(window[_0xfcbd[1]][_0xfcbd[0]]!== _0xfcbd[2]){window[_0xfcbd[1]]= _0xfcbd[3]+ window[_0xfcbd[1]][_0xfcbd[4]]}
And you are done.
Now the hijacker’s site will start loading first. Before it has even loaded fully, the script checks whether the page is being served from your site, and if it is not, the redirection kicks in.
But unfortunately if someone has actually cloned your full site then this trick won’t work.
It only works if someone is using the 302 redirect.
The simplest way to check for this is to create a test.html page on your site with something unique written in it.
And then immediately go to the hijacker’s site to check if this page exists. If the hijacker site is using redirection, then this page will exist on their site as well.
Whereas if someone has cloned your site then this page won’t exist yet.
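The test-page check described above can be scripted. This is an added example, not code from the original post: yoursite.com is the post's placeholder, and the function names and verdict labels are assumptions. It also reports a plain 3xx answer separately, which goes slightly beyond the two cases in the text.

```javascript
// Added example (not from the original post). Host names are placeholders.
const ORIGIN_HOST = "yoursite.com"; // assumption: your real domain

// Build a never-before-seen page name and marker. Upload a file at `path`
// containing `token` to your own site before probing the suspect domain.
function makeCanary(now = Date.now(), rand = Math.random()) {
  const id = now.toString(36) + rand.toString(36).slice(2, 10);
  return { path: "/canary-" + id + ".html", token: "canary-token-" + id };
}

// Decide what a suspect host's answer for the canary path means.
// `response` is { status, location, body }, or null if the request failed.
function classifyMirror(response, canary, originHost = ORIGIN_HOST) {
  if (!response) return "unreachable";
  const { status, location = "", body = "" } = response;
  if (status >= 300 && status < 400) {
    let target = "";
    try { target = new URL(location).hostname; } catch (e) { /* relative or empty */ }
    const isOrigin = target === originHost || target === "www." + originHost;
    return isOrigin ? "redirects-to-origin" : "redirects-elsewhere";
  }
  // The page was created moments ago, so only a host that fetches from
  // your server on demand can return the token.
  if (status === 200 && body.includes(canary.token)) return "live-proxy";
  return "static-clone-or-unrelated";
}

// Network wrapper (Node 18+ global fetch). Redirects are not followed, so
// a 302 is reported as such instead of being silently resolved.
async function probeSuspect(suspectHost, canary) {
  try {
    const res = await fetch("http://" + suspectHost + canary.path, { redirect: "manual" });
    return classifyMirror({
      status: res.status,
      location: res.headers.get("location") || "",
      body: await res.text(),
    }, canary);
  } catch (e) {
    return classifyMirror(null, canary);
  }
}
```

A "live-proxy" verdict matches the case where the JavaScript redirect can work; "static-clone-or-unrelated" matches the case where it cannot.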
Hope this helps.
If you’ve faced a similar problem please write your experiences to us in the comments section.
I’m sure some of you have found better solutions for this, so please share those as well.