URL hijacking

A good search engine ranking is of rudimentary importance in the success of a web project. Jumping your site to the top of the results page for search queries increases the chance that web users will find their way to your website. It’s not a coincidence that search engine optimization has been one of the most important disciplines in web development for years now. It applies to both finding and incorporating appropriate keywords as well as adapting the structure of your site for search engine evaluation tools. An additional goal is to increase your own link popularity through the use of backlinks – i.e. links pointing to your web project – generated on external sites.

If the framework of SEO is being used properly then you can expect an increase in the volume of visitors. If, despite maximizing search engine optimization you don’t record any growth or even lose long term traffic, this could mean that your SEO measures aren’t being implemented effectively. But the possibility also exists that so-called URL hijacking has deleted your pages from the index of the respective search engine and hidden them from potential visitors.

The concept of URL hijacking describes a phenomenon wherein a website disappears from the results of a search engine and is replaced by another. This other site links to the actual target page or URL, but not by a direct reference, instead going through a redirection. For example, linked-site.com points to your-site.com, but uses a redirect instead of the usual HTML tag <a>. The redirected URL looks similar to the following example:

When a search machine finds a link like that, it categorizes the linked site and the target site as identical, which means that it deletes one of the two from the index. It orients itself based on the HTTP status codes, which stick on to the redirect. While Code 301 (Moved Permanently) denotes a permanent redirection from the given URL, Code 302 (Found) denotes a temporary redirection to the designated URL. The first type is unproblematic, but the 302-redirect is the main reason for URL hijacking. Such well-crafted redirects suggest to the search engine’s crawler that the target site exists only temporarily and that the linked page is actually the original – and the crawler never checks whether the sides are actually related or not. If a check doesn’t happen, then the wrong page is indexed and it supplants the ranking of the linked URL.

There’s a wide variety of reasons for using URL redirecting. As a result, permanent redirections of so-called typo domains to the correct domain are a widespread practice. For example, if you accidentally type googel.com instead of google.com into the address bar of your browser, you will still be taken to the start site of the popular search machine. Permanent forwarding to the correct address of the main page is also not unusual. If you visit the main page of the English-language version of Wikipedia, for example, by typing in en.wikipedia.org, you will automatically follow a 301-redirect to the URL en.wikipedia.org/wiki/Main_Page. Developers also use permanent forwarding to lead visitors to the new web address after a domain change or to identify the content of a web project that has received a new URL.

Temporary 302 redirects, on the other hand, are primarily used to temporarily present content from another URL to allow them to remain available, for example, during maintenance of the original page. If a developer manually creates this type of redirection, the intent is that the content will appear on the original URL again later. But there are two scenarios for either temporary redirects or one that leads to URL hacking that is intended solely for this purpose:

1. Unintentional use of the 302 redirect: It is quite possible for developers to refer to a foreign web project with a temporary redirect without having bad intentions. It could be a mistake where the intention was to set a permanent redirect. The URL rewrite engine of the Apache webserver, mod_rewrite, sets default redirects with the 302 status code.


2. Dynamically generated URLs: PHP is a widely used scripting language for web development. The server scripts in this programming language are a simple and practical way to create dynamic content for your website. But often times these are also PHP scripts that dynamically integrate target addresses into an existing URL using the temporary forwarding status code 302. These types of scripts are mainly used in web address directories, but also in many content management systems.


3. Consciously introduced URL hijacking: Criminals also know how to use URL hijacking, and they gladly make use of it. They consciously use 302 redirects to advance their own content in the index and to “kidnap” particularly well-ranked pages. The tactic is neither sustainable nor legal and it falls under the term black hat SEO.

Everyone concerned with improving the ranking of their websites knows how challenging and time-intensive the process is. The higher you rise in your search machine rankings, the more likely a hijacking of the indexed pages is. Unlike an attack that is made possible through holes in the security of a web project, the process of URL hijacking is closely linked to the basic SEO discipline of link building, so it can’t just be prevented by the use of a security software. As a result, it’s incredibly important to regularly analyse both new and existing backlinks to filter out problematic URLs. There are a number of tools and services like SEMrush, LinkResearchTools, SISTRIX, or the Google Search Console that can be help.

The mentioned Google service provides a tool for removing URLs that allows you to delete any unwanted redirects that refer to your website from the search index. Before doing so, though, you should always contact the developer in question and ask to adjust the routing – that way there’s a chance that the appropriate backlinks can be maintained. The status code 307 (Temporary Redirect) has offered an option since HTTP 1.1 for temporary forwarding that doesn’t lead to URL hijacking.

If the original site is already missing from the index, you should contact the search engine provider and ask for a restoration of the original rankings once you’ve reworked or deleted the damaged backlink.