We have been consulted about a new type of malware that gets the results pages of WordPress site searches registered with search engines. Here is a case study of it.


Registering WordPress search results to search engines without permission

WordPress outputs the search query in the page, so no matter what string of characters you search for, the query will appear in the site’s pages.

A type of malware called an SEO hack has been discovered that abuses this behavior: it causes an arbitrary string to be output on an arbitrary site and gets that page registered in search engine results.

Check for rogue pages in the search results.

If a large number of such malicious pages are registered in the search results, your company’s pages that users originally want to visit may appear at the bottom of the search results.
This will prevent users from accessing legitimate pages.

First, check whether search engines have registered such rogue pages for your company’s site.
A Google search using the following query will show all pages registered with search engines for that domain.

site:The domain of the site you want to check

What if a large number of invalid pages are registered in the search results?

Check your site for malware infections with the WordPress malware scanning plugin.

[Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

Prohibit Google from displaying WordPress search results pages in search results.

You can also use meta tags to prohibit search engines from displaying WordPress search results pages in their search results.

Adding the following code to your theme’s functions.php outputs a noindex meta tag on WordPress search results pages, which prohibits search engines from registering them.

// Do not register search results with search engines
function noindex_searchresult(){
    if( is_search()){
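        // Tell crawlers not to index on-site search result pages
        echo '<meta name="robots" content="noindex">' . "\n";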
    }
}
add_action('wp_head','noindex_searchresult', 3 );

This meta tag is only recognized by search engines when they crawl the page again. Therefore, it is not guaranteed that search engines will immediately exclude invalid search result pages.
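To confirm that the tag is really being emitted before waiting for a recrawl, the following added example (not code from the original article) checks a search results page for a noindex directive in either a robots meta tag or an X-Robots-Tag response header. The function and class names are hypothetical, and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Directives that keep a page out of the index ("none" = noindex, nofollow).
BLOCKING = {"noindex", "none"}
# Meta names read by crawlers in general and by Google specifically.
ROBOT_NAMES = {"robots", "googlebot"}


class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() in ROBOT_NAMES:
            self.directives.update(
                d.strip().lower() for d in a.get("content", "").split(",") if d.strip()
            )


def is_noindexed(html, headers=None):
    """Return True if the response tells crawlers not to index the page."""
    parser = RobotsMetaParser()
    parser.feed(html)
    directives = set(parser.directives)
    # X-Robots-Tag is the HTTP-header equivalent of the meta tag; drop an
    # optional "googlebot:" style user-agent prefix before comparing.
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            directives.update(d.rpartition(":")[2].strip().lower() for d in value.split(","))
    return bool(directives & BLOCKING)


# Constructed sample pages (not captured from a real site).
SEARCH_UNFIXED = "<html><head><title>Search Results for spam</title></head></html>"
SEARCH_FIXED = '<html><head><meta name="robots" content="noindex"></head></html>'
SEARCH_MIXED = "<head><META NAME='Robots' CONTENT='NoIndex, follow'></head>"

if __name__ == "__main__":
    for label, page in [("unfixed", SEARCH_UNFIXED), ("fixed", SEARCH_FIXED),
                        ("mixed case", SEARCH_MIXED)]:
        print(label, "->", "noindex" if is_noindexed(page) else "INDEXABLE")
```

In practice, fetch a search URL on your own site (WordPress uses the `s` query parameter, for example `/?s=test`) and pass the response body and headers to `is_noindexed`.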

We recommend that you consult a specialist if you need WordPress malware removal or are seeing malicious pages in the search results.