Understanding and Resolving Spam URLs and Unwanted Traffic in Google Search Console
Content
If you've discovered strange, non-existent URLs in Google Search Console or a sudden, overwhelming surge in traffic from unknown bots, you're not alone. This is a common issue many WordPress site owners face, often related to spam attacks or misconfigured settings. This guide will help you understand why this happens and walk you through the most effective steps to resolve it.
Why Am I Seeing Fake URLs and Spam Traffic?
These issues typically stem from one of two sources:
- Malicious Attacks (Hacks/Spam): Your site may have been targeted by a spam attack. As seen in the sample threads, this can manifest as fake Japanese-language URLs, unexpected query parameters (like
?destination=node/), or a flood of traffic from bots exploiting your site's internal search function. - Crawler Configuration: Search engine bots and other crawlers may be accessing parts of your site you'd prefer to keep private, such as the WordPress REST API (
/wp-json/) or internal search results pages. While tools like the Yoast SEO plugin offer settings to manage this, misconfigurations can sometimes lead to these URLs being discovered and indexed anyway.
Common Solutions to Stop Spam URLs and Traffic
1. Investigate a Potential Security Breach
If you see large volumes of completely fake URLs with gibberish or foreign characters, your site's security may be compromised.
- Contact Your Web Host: Your first step should be to contact your web hosting provider. Ask them to run a full security audit on your server to identify any malware or backdoors.
- Clean and Secure the Site: Once any malware is removed, it's crucial to secure your site to prevent it from happening again. Resources from Sucuri and WordPress.org offer excellent guides on post-hack cleanup and hardening your site's security.
2. Combat Internal Search Spam
A frequent tactic spammers use is to bombard your site's search function with random queries, creating countless junk URLs.
- Use Yoast SEO's Crawl Optimization Settings: The Yoast SEO plugin includes features specifically designed to fight this. Navigate to Yoast SEO -> Settings -> Advanced -> Crawl Optimization. Ensure the following options are enabled:
- Prevent crawling of internal site search URLs (This adds a
Disallow: /?s=rule to your robots.txt file). - Filter search terms
- Filter searches with emojis and other special characters
- Filter searches with common spam patterns
- Prevent crawling of internal site search URLs (This adds a
- Understand robots.txt Limits: It's important to know that while a
Disallowrule in your robots.txt file instructs bots not to crawl a URL, if another site links to it, Google can still index the URL based on that link text. This is why you may see URLs with the status "Indexed, though blocked by robots.txt."
3. Manage Access to wp-json and Other Endpoints
If search console is reporting issues with your /wp-json/ endpoint or other WordPress URLs, you can control indexing.
- Review Your robots.txt File: Check your current robots.txt file to see what is already being blocked. You can use the Yoast SEO tools to manage this file.
- Noindex Specific Endpoints: For more robust control beyond crawling, you may need to add
noindexmeta tags to specific areas. This often requires custom code or a dedicated security plugin.
4. Block Unwanted Bots at the Server Level
If your site is being overwhelmed by traffic from malicious bots causing server overload, blocking them via your robots.txt file may not be sufficient.
- Server-Level Blocking: For aggressive bots, consider blocking their IP addresses directly using your hosting provider's control panel (e.g., cPanel's IP Blocker) or by adding rules to your
.htaccessfile. This is a more definitive way to stop traffic from known bad actors.
Conclusion
Dealing with spam URLs and bot traffic can be frustrating, but it is a solvable problem. Start by investigating potential security issues with your host, then methodically use the crawl optimization settings in the Yoast SEO plugin to lock down your site's search and common endpoints. For persistent or severe bot attacks, server-level blocking is the most effective solution. By taking these layered steps, you can clean up your Search Console index and protect your site's performance.
Related Support Threads Support
-
Illegal Invoicationhttps://wordpress.org/support/topic/illegal-invoication/
-
Unrecognised URL 404shttps://wordpress.org/support/topic/unrecognised-url-404s/
-
Potential Security Issue with Third-Party Librarieshttps://wordpress.org/support/topic/potential-security-issue-with-third-party-libraries/
-
I am receiving unexpected Japanese characters in my text.https://wordpress.org/support/topic/i-am-receiving-unexpected-japanese-characters-in-my-text/
-
[NSFW] Different Domain URLs for One Websitehttps://wordpress.org/support/topic/different-domain-urls-for-one-website/
-
Problem with unwanted traffichttps://wordpress.org/support/topic/problem-with-unwanted-traffic/
-
www URLs randomly crawled when site set to non wwwhttps://wordpress.org/support/topic/www-urls-randomly-crawled-when-site-set-to-non-www/
-
WordPress Site Getting Indexed with Fake Japanese/English URLshttps://wordpress.org/support/topic/need-help-wordpress-site-getting-indexed-with-fake-japanese-english-urls/
-
Disallow /wp-json/ ?https://wordpress.org/support/topic/disallow-wp-json/
-
Canonical/Redirect Errors (Via Google Search Console)https://wordpress.org/support/topic/canonical-redirect-errors-via-google-search-console/
-
Strange url indexed on search consolehttps://wordpress.org/support/topic/strange-url-indexed-on-search-console/
-
Spam searchhttps://wordpress.org/support/topic/spam-search/