We have identified a new method of SEO hack that registers WordPress search results in Chinese and product names in Google search results, and we will explain how to deal with it.

SEO hack that generates WordPress search results with arbitrary character strings and registers them with search engines without permission

This is a new method that seems to be an SEO hack that we have been consulted by several website operators. If your site is attacked by this method, your site will be searched in Chinese or by product name, and the search result pages will be registered with search engines, and your site’s search results will be contaminated with a large number of spam-generated pages.

It is assumed that this attack is carried out in the following way

1 Hacker performs a search on your site with an arbitrary search string (?s= is attached to the domain to access your site)

2 The search results are generated on the WordPress site, even if there are zero results on that page (this is a WordPress specification).

3 Hook the search result page to the search engine and have the search engine register the page in the index.

Why would a hacker perform such an attack?

Because it is a new technique, the reason is not entirely clear to us, but perhaps the hacker is hoping that the title of the search results page, etc. will have the effect of improving the SEO of the target site.

Or it may be part of black hat SEO to reduce the reputation and search ranking of your site as it is contaminated by search engines such as Google’s non-existent search results page on WordPress.

Has your site been defaced or infected with malware?

This does not necessarily mean that your site has malware, as this can be accomplished without hackers entering your site from the outside.

However, there is a possibility that your site has been tampered with by placing malicious HTML on your site that is then trapped by search engines, so we recommend that you have your site scanned for malware and vulnerabilities.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

Coping Methods

A possible workaround at this time is to insert a noindex meta tag in the search results to prevent search engines from registering search results in WordPress.

This will exclude the search results pages on your site from the search engines, which are generated by hackers without your permission.

The code to add a noindex tag to the search results on WordPress is as follows. (It works if you put it in functions.php)
*Some themes already have a built-in function to not register search results on search engines.

add_action('wp_head', 'noindexsearch_result');
function noindexsearch_result() {
    if (is_search()) { 
    ? >
    <meta name="robots" content="noindex, nofollow" />
    <?php 
    }
}

To noindex a search result if it does not exist on a WordPress site, use the following code

add_action('wp_head', 'noindexsearch_result');
function noindexsearch_result() {
    if (is_search()) {
        global $wp_query;
        if(empty($wp_query->found_posts)){
        ? >
        <meta name="robots" content="noindex, nofollow" />
        <?php 
        }
    }
}

We will soon incorporate a countermeasure for this rogue SEO hack attack into our [Free] WordPress:Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].

We will post an announcement on our site when we do so.