What is URL hijacking and how can you prevent?
URL hijacking can cause your website to be deleted from the index of a search engine and hidden from potential visitors. This phenomenon commonly occurs when redirects are used instead of links.
What is URL hijacking?
The concept of URL hijacking describes a phenomenon wherein a website disappears from the results of a search engine and is replaced by another. This other site links to the actual target page or URL using a redirect. For example, linked-site.com
links to your-site.com
but uses a redirect instead of the usual HTML tag <a>
. The redirected URL looks similar to the following example:
www.linked-site.com/redirect .php?target=www.your-site.com
When a search engine finds a link like this, it categorizes the linked site and the target site as identical, which means that it deletes one of the two from the index. It orients itself based on HTTP status codes, which attach to the redirect.
While Code 301 (Moved Permanently) denotes a permanent redirection from the given URL, Code 302 (Found) denotes a temporary redirection to the designated URL. The first type is unproblematic, but the 302 redirect is the main reason for URL hijacking. These well-made redirects suggest to the search engine’s crawler that the target site is only temporary and that the linked page is actually the original – and the crawler never checks whether the sites are actually related or not. If this isn’t checked, the wrong page is indexed and takes on the ranking of the linked URL.
- Free Wildcard SSL for safer data transfers
- Free private registration for more privacy
- Free 2 GB email account
When are 301 and 302 redirects used?
There’s a wide variety of reasons for using URL redirecting. As a result, permanent redirecting of typo domains to the correct domain are a widespread practice. For example, if you accidentally type googel.com
instead of google.com
into your browser’s address bar, you will still be taken to the popular search engine’s start site. Permanent redirecting to the correct address of the main page is also not unusual.
If you visit the main page of the English-language version of Wikipedia, for example, by typing in en.wikipedia.org
, you will be taken to en.wikipedia.org/wiki/Main_Page
via a 301-redirect. Developers also use permanent redirecting to lead visitors to the new web address after a domain change or to identify the content of a web project that has received a new URL.
Temporary 302 redirects, on the other hand, are primarily used to temporarily display content from another URL so that it remains available, for example, if the original page is undergoing maintenance. If a developer manually creates this type of redirection, the intent is that the content will appear on the original URL again later. There are three temporary redirect scenarios that can lead to URL hijacking, one of which is intentionally used for this purpose:
Unintentional use of the 302 redirect
It is quite possible for developers to link to a different web project with a temporary redirect without having bad intentions. It could be a mistake where they intended to set a permanent redirect. The URL rewrite engine of the Apache webserver, mod_rewrite
, sets default redirects with the 302 status code.
Dynamically generated URLs
PHP is a widely used scripting language for web development. The server scripts in this programming language are a simple and practical way to create dynamic content for your website. But often times these are also PHP scripts that dynamically integrate target addresses into an existing URL using the temporary forwarding status code 302. These types of scripts are mainly used in web address directories, but also in many content management systems.
Intentional URL hijacking
Criminals also know how to use URL hijacking, and they gladly make use of it. They consciously use 302 redirects to advance their own content in the index and to “kidnap” particularly well-ranked pages. The tactic is neither sustainable nor legal and it falls under the term black hat SEO.
URL hijacking vs. other attack methods
URL hijacking is often confused with other attack methods such as domain hijacking or typosquatting. These are actually different types of attacks that can be used to harm you or your website’s ranking.
URL hijacking vs. domain hijacking
Although both URL hijacking and domain hijacking are used with the aim of gaining control over a website, the two attack methods differ, especially when it comes to their approach:
Domain hijacking is when attackers gain control over a domain by accessing the domain management accounts, for example, by changing the DNS settings. In the worst-case scenario, attackers can take over the victim’s entire web presence.
URL hijacking vs. typosquatting
As the name suggests, the attack technique typosquatting takes advantage of typos. Where redirects are normally used to help the visitor get to the desired website despite minor typos, this is where typosquatting sneaks in. Attackers purposely register domains with common typos to direct visitors to their website, which often contains malicious code.
How to protect your website from URL hijacking
Website operators trying to improve the ranking of their website know how challenging and time-intensive the process is. The higher you rise in your search engine rankings, the more likely your indexed pages are to get hijacked. Unlike an attack that happens due to security gaps in a web project, the process of URL hijacking is closely linked to the basic SEO discipline of link building, so it can’t just be prevented by using antivirus software.
As a result, it’s incredibly important to regularly analyze both new and existing backlinks to filter out problematic URLs. There are a number of tools and services you can use for this including:
Google provides a tool for removing URLs that allows you to delete any unwanted redirects that link to your website from the search index. Before doing so, you should always contact the website administrator responsible for the site and ask to adjust the routing. This way there’s a chance to keep the corresponding backlinks. The status code 307 (Temporary Redirect) has an option for temporary forwarding that doesn’t lead to URL hijacking, which has been available since HTTP 1.1. If the original site is already missing from the index, you should contact the search engine provider and ask for a restoration of the original rankings once you’ve reworked or deleted the damaged backlink.