Here is what to do if your WordPress site is being warned by Search Console of a large number of noindexes on non-existent WordPress search results pages.
Thousands or more noindex warnings on WordPress sites
Google Search Console is a website for site operators that informs you how Google’s search engine is processing your site’s pages and incoming search terms.
If you see thousands of pages with Indexing > Pages > Excluded by noindex tags and the URLs contain ? s=Chinese or other keywords that you don’t recognize in the URLs.
Noindex means that the page is not registered with any search engine.
If the page is not excluded by noindex and the page is registered with search engines and appears in Google search results, this is a more serious problem.
SEO hack to exploit the automatic generation of search result pages in WordPress
WordPress generates a search results page even when no search results exist, and displays the search query in the title and content of that page.
Example of a URL that generates a page even when no search results exist with ↓?s=.
https://Your wordpress site url/?s=HackersSEOKeywords
A type of hacking has recently been confirmed in which hackers exploit this specification to create non-existent search result pages with arbitrary keywords and register them with search engines for SEO gains.
No harm done if noindexed
Since noindex means that the page was not registered in the search results, there is no harm even if a large number of such fraudulent search result pages are alerted.
WordPress 5.7 and above automatically noindexes the search result pages of WordPress, so a large number of “Excluded by noindex tag” is displayed in the search console.
However, with lower versions of WordPress, the search engines may register the incorrect search result pages generated by WordPress, which may pollute Google’s search results and cause a drop in search traffic.
How to deal with the problem of invalid search result pages on WordPress being registered with search engines
This type of SEO hack can be accomplished even if the hacker has not necessarily hijacked WordPress, so it is not highly likely that WordPress has been malware-infected or tampered with.
However, we recommend that you run a malware test.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
The following two measures are necessary to deal with the problem.
1. If there are no search results on WordPress, make sure to add a noindex tag to the page so that it will not be registered in the search engines.
2 Return a status code 404 so that the search engine can treat the non-existent search result page as a missing page.
These two settings can be configured from the security function of the above plugin.
In the Security tab of the plugin’s settings page, set the security level to High or higher, or click on the
In the advanced settings, check “noindex search results on WordPress if they do not exist.