Last month a customer came to me asking for help: his site appeared to be compromised, and his business customers had alerted him that his Joomla website was serving porn. He was losing business... big time, once the word spread...
I have created a free plugin to help you get rid of, and avoid, these bogus links for your website: link below this blog!
I checked his site and could not find anything hacked, but further investigation showed that when googling his site, all kinds of porn and abuse URLs were pointing to it, with his own domain name as the host in the URL. So Google was listing porn URLs on his domain that, when clicked, simply loaded his site.
How is that even possible?
How is it possible that in the Google search results there are links to your website that are not on your website... but that work anyway?
Well, it is actually very simple, as it turned out. The 'hackers' who targeted his site to hurt his business used good old Google and a 'vulnerability' in Joomla 3 (that is even present in Joomla 4) to give him a (very) bad online reputation.
So how does it work?
Let's replicate my customer's issue, using the main joomla.org website as a proof of concept.
Joomla is bad for SEO
Did you know that Joomla actually is the worst when it comes to Search Engine Optimisation? All people looking for tips and best practices know that. You can read all about it on the Joomla site itself, where there is a very valuable blog post addressing this and giving you tips and tricks on how to migrate seamlessly to WordPress, which is way better at SEO and isn't vulnerable to hacks. Read it on the Joomla site here: https://www.joomla.org/announcements/release-news/5834-why-you-should-never-use-joomla
Hmm, anyone can type this (italicised) text on their website, so what is the issue?
The issue is the URL provided! Note that this is an OFFICIAL joomla.org URL that resolves without issues (no 404). Go ahead, click it!
So the Google crawler visits my site / this article, follows the links on my page to index them and, behold, https://www.joomla.org/announcements/release-news/5834-why-you-should-never-use-joomla resolves fine!
Google will now add that specific (bogus) link to their database WITH the context they found describing that URL.
Because the link lives on joomla.org itself it gets a high authority score, and it will most likely end up on the first search page for people searching for reasons NOT to use Joomla (as that text is also in the URL, another strong ranking signal).
And you know... when Joomla themselves tell you they should never be used, then it must be true!
So how to prevent this 'feature'?
After finding this 'business' vulnerability, I contacted the Joomla Security Strike Team. It took some time for them to respond, and they told me that this wasn't a security issue, so there was not much they could do...
Then I looked at why this was happening: why does the Joomla router (the part of Joomla responsible for resolving the URL to the correct page) resolve 'bogus' links instead of refusing them, so they never get indexed?
I did a deep dive into the Joomla router code and found that the router only looks at the numeric ID at the start of the last URL segment, not at the alias that follows it. So no matter what alias you type, as long as the ID exists the URL resolves to the article with that ID, where you would expect a 404 because the alias does not match.
Next I looked at the Joomla 4 code and found that exactly the same logic is implemented there. So I decided to create a PR for Joomla 4 addressing this issue. My plan was to get this fixed in Joomla 4 and then do a PR for Joomla 3.
That Joomla 4 PR is still pending after weeks and is not likely to get merged, for the obvious reason: the ones deciding do not have the issue, because they configured their sites NOT to use the IDs in the URL.
What can you do to prevent your site and business from being hit with this vulnerability?
Make a URL redirect plan, switch your site to the modern router AND disable the IDs in the URL. Note that the modern router (even the one in Joomla 4) still has this issue when the article ID is kept in the URL!
Be aware: switching off the ID changes your URLs, and without redirects from the old URLs to the new pages without the ID you will lose your SEO score, as Google keeps that on a per-URL basis.
If switching to the modern router WITHOUT article ID is no option for you (it wasn't an option for my customer, as he has over 90,000 articles and the redirects would 'kill' his site), then you need to apply my PR manually (and redo that with every Joomla update).
What if you are hit by this vulnerability and want to get rid of the bogus information about you / your site on Google?
Well, good luck then. It is possible to remove URLs from the Google search index, but for that you need the exact URLs... no wildcards allowed. And if you do not switch to the modern router without article IDs, chances are high that the bogus links will be back within a week after you removed them from the index.
My customer had thousands of porn URLs pointing to his site, so it took some time to find these and to remove them from the search index.
So there you have it.
I hope this helps you to keep not only your site safe, but also your business!
One of my customers who was hit with this issue had over 90K articles and 1.3K (nested) categories. Switching to the modern router was no option, as the redirects would kill his site's performance.
I created a custom plugin for him that checks the URL (does the alias in the URL match the alias of the article with that ID?) and, if the check fails, returns a 410 (Gone) response instead of the page.
That way Google cleans up the bogus entries and, more importantly, when the fake URLs (which are still on some other site) are crawled again, they are not re-added to the index, because Google gets the 410 while crawling.
This really hurt my customer's business.
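The router behaviour described above (only the numeric ID in front of the alias is used) and the 410 check the custom plugin performs can be combined in a small Joomla 3 system plugin. The code below is an added illustration, not the ochStrictRouter plugin or Joomla's own code; the plugin name "strictalias", the regular expression for the "id-alias" segment and the choice to signal the 410 by throwing an exception with code 410 are my assumptions.

```php
<?php
// plugins/system/strictalias/strictalias.php  (plugin name assumed for this example)
// Joomla 3 style class names; in Joomla 4 use the namespaced CMSPlugin/Factory equivalents.
defined('_JEXEC') or die;

class PlgSystemStrictalias extends JPlugin
{
    /**
     * Runs after the router has turned the URL into option/view/id.
     * At that point the legacy router has already thrown away the alias,
     * so we re-read it from the request path and compare it to the database.
     */
    public function onAfterRoute()
    {
        $app = JFactory::getApplication();

        // Only front-end article views carry the "id-alias" segment we want to verify.
        if ($app->isClient('administrator')) {
            return;
        }

        $input = $app->input;
        if ($input->getCmd('option') !== 'com_content' || $input->getCmd('view') !== 'article') {
            return;
        }

        // The router casts "5834:anything" to 5834; that cast is the whole problem.
        $id = $input->getInt('id');
        if ($id <= 0) {
            return;
        }

        // Last path segment of the requested URL, e.g. "5834-why-you-should-never-use-joomla".
        $segment = basename(rtrim(JUri::getInstance()->getPath(), '/'));
        // Drop a ".html" suffix in case the SEF suffix option is on.
        $segment = preg_replace('/\.html$/', '', $segment);

        // Assumed format "<id>-<alias>"; a URL without an alias part is left to Joomla.
        if (!preg_match('/^(\d+)-(.+)$/', $segment, $m)) {
            return;
        }
        $requestedAlias = $m[2];

        // Look up the real alias of the article the router resolved to.
        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName('alias'))
            ->from($db->quoteName('#__content'))
            ->where($db->quoteName('id') . ' = ' . (int) $id);
        $realAlias = $db->setQuery($query)->loadResult();

        // Unknown ID: let Joomla produce its normal 404.
        if ($realAlias === null) {
            return;
        }

        // Alias in the URL does not belong to this ID: answer 410 Gone so the
        // bogus URL is dropped from the search index and not re-added.
        // Assumption: Joomla's error page uses a 4xx exception code as the HTTP status,
        // the same mechanism com_content uses to raise its 404s.
        if ($requestedAlias !== $realAlias) {
            throw new Exception('The requested URL does not exist', 410);
        }
    }
}
```

Install it with the usual plugin manifest XML (not shown), enable it, and check the effect from a shell with `curl -s -o /dev/null -w '%{http_code}' https://example.com/path/5834-bogus-alias` (example host): a site with the unpatched router answers 200, with the check in place it answers 410, and the real alias still answers 200. Note that this only verifies the article alias; it does not change the router itself, so it must survive Joomla updates as a separate plugin rather than as a patched core file.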
I created a free plugin (less custom work, more generic) that does the same: ochStrictRouter. It builds upon the change I proposed for Joomla 4 (and 3.9) that was not acted upon by the Joomla maintainers.
I hope it helps people facing this issue.
step 2 - as I didn't know what the issue was, I changed the server and all the site passwords (31 sites on the server) and then looked at the specific site and tested each page to be sure the actual content wasn't compromised
step 3 - spent a full week manually requesting a Google removal of all 2200 links
step 4 - changed to modern routing and removed the IDs
step 5 - added a sitemap plugin that lets me see all the links / tags / meta etc. on a single page
still feel a bit sick thinking about it - it was a major job that wasn't planned for at all.