Search form submission spam (also called search field submission spam) plagues websites of every kind, from WordPress sites to sites built on a custom CMS. Depending on how your on-site search is built, it can be used to inject malicious scripts and code onto your website and give spammers free rein over the uniquely generated search result pages. These pages are typically noindexed, but an experienced spammer can use a variety of methods to gain access to your website if plug-ins aren’t up to date or if you have other security issues such as weak passwords.
If your website is showing up in searches like the ones in the screenshot of Google search results, you may be in for a bit of work; our guide aims to make it easy. Read on to find out how to keep your website from being used to further these spammers’ SEO agendas, so you can identify and prevent spam search form submissions on your own site.
What is an On-Site Search Form / Field?
What is the anatomy of a search form or search field, and how can it be spammed to create new pages? Let’s start with the search form itself: a text box where a user enters a query that is matched against the site’s database, with logic applied to make those matches more accurate. Think of Amazon’s search field, which lets shoppers search internally through hundreds of thousands of products to find the exact one they want to buy; that is the intention of any search form, to find the content a user wants more accurately. Auto-fill and other features can make this process much easier, but depending on how a website is built, these search forms can be very insecure.
See the screenshot below of a website that has been afflicted by this very issue of search form spam:
How Does Search Form Submission Spam Work?
Generally, when a user searches on the website, it makes a request to the database to return pages that match the keyword(s) entered into the search form. When spammers do this, they often enter keywords related to their own website, such as the ones in the first screenshot around “enhancement pills”. The website then generates a new page at a unique URL containing the spam text alongside boilerplate such as “no results found”. This is where it gets interesting: there is now a uniquely generated page carrying the keywords the spammer wants, and they can pass that link to a search engine, which can index the newly created search page. Often these generated search pages are set to noindex (meta robots) or are blocked in the robots.txt file, but when spammers post the links on spammy sites, in comment sections and elsewhere, those links can be found and crawled by Google and other search engines, which is how I find them (through third-party link data providers such as Ahrefs.com). One thing to consider is regular backlink monitoring to ensure these links (and others) are not indexed by Google.
These individually generated pages aren’t even the worst thing that can happen with a search form. When search result pages are not static, each request requires the site to generate the page, which strains the server’s resources, and a LARGE number of automated searches can bring a server down (a DDoS attack). Search forms can also be used for web application attacks, where an attacker attempts to exploit PHP vulnerabilities for remote code injection. These two issues are the worst-case scenarios, and rare on secure, up-to-date websites.
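Both symptoms described above, a flood of automated searches and spam-keyword queries, leave a trace in the web server access log. The following is an added example, not code from the original article, that reads combined-format log lines and flags (a) any IP exceeding a per-minute search rate and (b) queries containing terms no legitimate visitor would search for. The log lines, IP addresses, rate limit and keyword list are constructed for illustration; it assumes the WordPress search endpoint (`?s=`), which you would change for a custom CMS.

```php
<?php
/**
 * Added example (not from the original article): spotting search-form abuse in
 * a web server access log. The log lines, IPs, limit and keyword list below are
 * constructed for illustration; feed a real log through the same functions.
 */
declare(strict_types=1);

// Constructed sample in Apache/Nginx "combined" format. One client hammers the
// WordPress search endpoint (/?s=) with the kind of query the article describes;
// the other two are ordinary visitors.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?s=cheap+enhancement+pills HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?s=enhancement+pills+online HTTP/1.1" 200 5101 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?s=buy+enhancement+pills+now HTTP/1.1" 200 5098 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /?s=enhancement+pills+review HTTP/1.1" 200 5110 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /?s=blue+running+shoes HTTP/1.1" 200 8330 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "GET /product/blue-runner/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.19 - - [10/Mar/2024:12:01:30 +0000] "GET /?s=return+policy HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line. Returns ['ip', 'minute', 'query'] for requests
 * to the search endpoint, or null for anything else (including unparseable lines).
 */
function parse_search_request(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" \d{3}/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $query = parse_url($m[3], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    if (!isset($params['s']) || !is_string($params['s'])) {
        return null; // not a search request (WordPress uses ?s=)
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'minute' => $ts->format('Y-m-d H:i'), // bucket used for rate counting
        'query'  => $params['s'],             // already URL-decoded by parse_str
    ];
}

/**
 * Summarise search traffic: per-IP-per-minute volume (automation signal) and
 * queries containing terms you never expect legitimate visitors to search for.
 */
function analyse_search_log(string $log, int $perMinuteLimit, array $spamTerms): array
{
    $buckets = []; // "ip minute" => request count
    $spam    = []; // [ip, query] pairs that matched a term
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_search_request($line);
        if ($req === null) {
            continue;
        }
        $key = $req['ip'] . ' ' . $req['minute'];
        $buckets[$key] = ($buckets[$key] ?? 0) + 1;
        foreach ($spamTerms as $term) {
            if (stripos($req['query'], $term) !== false) {
                $spam[] = [$req['ip'], $req['query']];
                break;
            }
        }
    }
    $noisy = array_filter($buckets, fn (int $n): bool => $n >= $perMinuteLimit);
    return ['noisy' => $noisy, 'spam' => $spam];
}

// With the constructed sample, 203.0.113.7 is reported as noisy (4 searches in
// one minute) and all four of its queries match the constructed keyword list.
$report = analyse_search_log(SAMPLE_LOG, 4, ['enhancement pills']);
foreach ($report['noisy'] as $bucket => $count) {
    echo "high search rate: {$bucket} ({$count} requests/min)\n";
}
foreach ($report['spam'] as [$ip, $query]) {
    echo "spam-like query from {$ip}: {$query}\n";
}
```

Run it with `php search_log_check.php` (any file name works). The per-minute threshold is deliberately low for the sample; on a real site, set it from your own baseline of searches per visitor, and treat the keyword list as a starting point that you grow from the queries you see in the generated spam pages.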
How to Stop Search Form Submission Spam.
There are a few options, and they depend greatly on your development framework; this guide on how to stop search form submission spam will cover how to fix it for a WordPress site.
- Remove or disable search on your website. This is the “nuclear” option, but if you are experiencing an insurmountable amount of spam and lack the development resources to solve the issue properly, disabling the search form to stop search field submission spam can work.**
- Add noindex and nofollow meta robots tags to the search results pages in the template itself. As an extra layer of defense, you can also disallow the search query string in your robots.txt file so bots do not access those URLs, although this does not remove the danger of DDoS or hacking through PHP vulnerabilities.**
- Use a plug-in such as CleanTalk. Honestly, this is the easiest option; even if you lack the technical know-how to update your search templates, it will help prevent spam across the board.
- Replace your search form with something more secure such as Relevanssi.
** Options #1 and #2 also work for sites other than WordPress, but may not fully address the potential DDoS or PHP vulnerability issues.
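Option #2 above can be done in code rather than by editing each theme template. The following is an added example, not code from the original article or from any plug-in, of a site-specific snippet for WordPress: it marks every search results page noindex,nofollow (through the `wp_robots` filter on WordPress 5.7 and later, or a plain meta tag on older versions), repeats the signal as an `X-Robots-Tag` header, appends the search query string to the virtual robots.txt, and rejects oversized queries before a results page is rendered. `SEARCH_MAX_LEN` and the text domain are assumed values chosen for the example.

```php
<?php
/**
 * Added example (not code from the original article or from any plug-in):
 * hardening for WordPress search results pages. Place it in a site-specific
 * plug-in or the active theme's functions.php. SEARCH_MAX_LEN is an assumed
 * value; set it to the longest query your site legitimately needs.
 */

if (!defined('ABSPATH')) {
    exit; // loaded directly rather than through WordPress
}

const SEARCH_MAX_LEN = 100; // assumed limit, in bytes

// Option #2: noindex,nofollow on every search results page.
// WordPress 5.7+ exposes the wp_robots filter; older versions get a meta tag.
if (function_exists('wp_robots')) {
    add_filter('wp_robots', function (array $robots): array {
        if (is_search()) {
            $robots['noindex']  = true;
            $robots['nofollow'] = true;
        }
        return $robots;
    });
} else {
    add_action('wp_head', function (): void {
        if (is_search()) {
            echo '<meta name="robots" content="noindex,nofollow">' . "\n";
        }
    });
}

// template_redirect runs after the main query is resolved and before any
// template output, so is_search() is reliable and headers can still be sent.
add_action('template_redirect', function (): void {
    if (!is_search()) {
        return;
    }
    // Same signal as the meta tag, delivered as an HTTP header.
    header('X-Robots-Tag: noindex, nofollow', true);

    // Refuse oversized queries instead of building a results page around them;
    // spam pages and search floods both rely on the server rendering anything
    // that is submitted.
    $raw = get_search_query(false); // unescaped input, only measured here
    if (strlen($raw) > SEARCH_MAX_LEN) {
        wp_die(
            esc_html__('Search query is too long.', 'search-hardening'),
            esc_html__('Bad Request', 'search-hardening'),
            ['response' => 400]
        );
    }
});

// Extra layer: keep crawlers off search URLs via robots.txt. This filter only
// affects the virtual robots.txt WordPress serves when no physical file exists;
// with a physical file, add the same Disallow lines to it by hand.
add_filter('robots_txt', function ($output, $public) {
    if ($public) {
        $output .= "Disallow: /?s=\n";
        $output .= "Disallow: /*?s=\n";
        $output .= "Disallow: /search/\n"; // pretty-permalink search path
    }
    return $output;
}, 10, 2);
```

After activating it, request `/?s=test` and confirm the response carries both the `X-Robots-Tag` header and the meta robots tag, then fetch `/robots.txt` to check the Disallow lines appear under `User-agent: *`. As the footnote says, this removes the SEO payoff but not the server load or any PHP vulnerability; the query-length check only trims the cheapest abuse, so rate limiting at the web server or a plug-in such as the one in option #3 is still needed for the DDoS case.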
For more information, here are some helpful resources: