HubSpot WordPress Plugin Vulnerability
WPScan and the United States Government National Vulnerability Database published a notice of a vulnerability discovered in the HubSpot WordPress plugin. The vulnerability exposes users of the plugin to a Server Side Request Forgery attack.
WPScan Vulnerability Report
The security researchers at WPScan published the following report:
“HubSpot < 8.8.15 – Contributor+ Blind SSRF
Description
The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks”
Server Side Request Forgery (SSRF) Vulnerability
Exploiting this vulnerability requires an authenticated user with at least contributor-level privileges (the edit_posts capability) to be logged in.
The non-profit Open Web Application Security Project (OWASP), a worldwide organization dedicated to software security, explains that an SSRF vulnerability can result in the exposure of internal services that are not meant to be exposed.
According to OWASP:
“In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.
The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.”
The services that aren’t supposed to be exposed are:
- “Cloud server meta-data
- Database HTTP interfaces
- Internal REST interfaces
- Files – The attacker may be able to read files using <file://> URIs”
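The advisory says the proxy endpoint did not validate the URL it was asked to fetch. The following is an added example of the kind of server-side check a proxy endpoint needs; it is not the HubSpot plugin's code, and the allowlisted upstream hostnames and the constructed resolver results are assumptions. It rejects the classes of target OWASP lists above (file:// URIs, cloud metadata and other link-local or private addresses, internal hosts) before any request is made.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not the plugin's code. Assumption: the server only ever needs
# to proxy to a small, known set of upstream hosts (constructed allowlist).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = ("api.hubapi.com", "hubspot.com")


def is_internal_address(ip_text: str) -> bool:
    """True for addresses a server-side fetch must never reach on a caller's behalf."""
    addr = ipaddress.ip_address(ip_text)
    # is_private covers RFC 1918 and IPv6 ULA; is_link_local covers 169.254.0.0/16,
    # which contains the cloud metadata address OWASP warns about (169.254.169.254).
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def host_allowed(host: str) -> bool:
    """Exact match or a subdomain of an allowlisted host (no plain suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_proxy_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Return (ok, reason). Everything here runs before any network request."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"  # blocks file://, gopher://, ...
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal hosts are not allowed"  # covers 127.0.0.1, 169.254.169.254, [::1]
    except ValueError:
        pass  # a hostname, not an IP literal
    if not host_allowed(host):
        return False, f"host not in allowlist: {host}"
    # Even an allowlisted name can resolve to an internal address (DNS rebinding),
    # so every resolved address is checked. A production fetcher should connect to
    # the address it checked rather than resolving a second time.
    for ip_text in resolver(host):
        if is_internal_address(ip_text):
            return False, f"{host} resolves to internal address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake = lambda host: ["93.184.216.34"]
    for candidate in ("file:///etc/passwd", "http://169.254.169.254/latest/meta-data/",
                      "http://localhost:8080/", "https://api.hubapi.com/crm/v3/objects"):
        print(candidate, "->", validate_proxy_url(candidate, resolver=fake))
```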
HubSpot WordPress Plugin
The HubSpot WordPress plugin is used by over 200,000 publishers. It provides CRM, live chat, analytics and email marketing related capabilities.
WPScan's report notes that the vulnerability was fixed in version 8.8.15.
However, the changelog that documents what was updated in the software shows that the HubSpot WordPress plugin received additional updates to fix other vulnerabilities.
Here is a list of the updates according to the official changelog, in order beginning with the oldest update:
= 8.8.15 (2022-04-07) =
* Fix security issue related to proxy URL
= 8.9.14 (2022-04-12) =
* Fix security issue related to form inputs
= 8.9.20 (2022-04-13) =
* Fix security issue related to sanitizing inputs
While the security firm WPScan and the National Vulnerability Database state that the vulnerability was fixed in version 8.8.15, the HubSpot plugin changelog shows further security fixes all the way up to version 8.9.20.
So it may be prudent to update the HubSpot plugin to at least version 8.9.20, although the absolute latest version of the HubSpot WordPress plugin, as of this writing, is version 8.11.0.
Citations
Read WPScan Vulnerability Report
HubSpot < 8.8.15 – Contributor+ Blind SSRF
Read the National Vulnerability Database Report
Review the HubSpot WordPress Plugin Changelog
How Compression Can Be Used To Detect Low Quality Pages
The concept of Compressibility as a quality signal is not widely known, but SEOs should be aware of it. Search engines can use web page compressibility to identify duplicate pages, doorway pages with similar content, and pages with repetitive keywords, making it useful knowledge for SEO.
Although the following research paper demonstrates a successful use of on-page features for detecting spam, the deliberate lack of transparency by search engines makes it difficult to say with certainty if search engines are applying this or similar techniques.
What Is Compressibility?
In computing, compressibility refers to how much a file (data) can be reduced in size while retaining essential information, typically to maximize storage space or to allow more data to be transmitted over the Internet.
TL/DR Of Compression
Compression replaces repeated words and phrases with shorter references, reducing the file size by significant margins. Search engines typically compress indexed web pages to maximize storage space, reduce bandwidth, and improve retrieval speed, among other reasons.
This is a simplified explanation of how compression works:
- Identify Patterns: A compression algorithm scans the text to find repeated words, patterns and phrases.
- Shorter Codes Take Up Less Space: The codes and symbols use less storage space than the original words and phrases, which results in a smaller file size.
- Shorter References Use Fewer Bits: The “code” that essentially symbolizes the replaced words and phrases uses less data than the originals.
A bonus effect of using compression is that it can also be used to identify duplicate pages, doorway pages with similar content, and pages with repetitive keywords.
Research Paper About Detecting Spam
This research paper is significant because it was authored by distinguished computer scientists known for breakthroughs in AI, distributed computing, information retrieval, and other fields.
Marc Najork
One of the co-authors of the research paper is Marc Najork, a prominent research scientist who currently holds the title of Distinguished Research Scientist at Google DeepMind. He’s a co-author of the papers for TW-BERT, has contributed research for increasing the accuracy of using implicit user feedback like clicks, and worked on creating improved AI-based information retrieval (DSI++: Updating Transformer Memory with New Documents), among many other major breakthroughs in information retrieval.
Dennis Fetterly
Another of the co-authors is Dennis Fetterly, currently a software engineer at Google. He is listed as a co-inventor in a patent for a ranking algorithm that uses links, and is known for his research in distributed computing and information retrieval.
Those are just two of the distinguished researchers listed as co-authors of the 2006 Microsoft research paper about identifying spam through on-page content features. Among the several on-page content features the research paper analyzes is compressibility, which they discovered can be used as a classifier for indicating that a web page is spammy.
Detecting Spam Web Pages Through Content Analysis
Although the research paper was authored in 2006, its findings remain relevant today.
Then, as now, people attempted to rank hundreds or thousands of location-based web pages that were essentially duplicate content aside from city, region, or state names. Then, as now, SEOs often created web pages for search engines by excessively repeating keywords within titles, meta descriptions, headings, internal anchor text, and within the content to improve rankings.
Section 4.6 of the research paper explains:
“Some search engines give higher weight to pages containing the query keywords several times. For example, for a given query term, a page that contains it ten times may be higher ranked than a page that contains it only once. To take advantage of such engines, some spam pages replicate their content several times in an attempt to rank higher.”
The research paper explains that search engines compress web pages and use the compressed version to reference the original web page. They note that excessive amounts of redundant words results in a higher level of compressibility. So they set about testing if there’s a correlation between a high level of compressibility and spam.
They write:
“Our approach in this section to locating redundant content within a page is to compress the page; to save space and disk time, search engines often compress web pages after indexing them, but before adding them to a page cache.
…We measure the redundancy of web pages by the compression ratio, the size of the uncompressed page divided by the size of the compressed page. We used GZIP …to compress pages, a fast and effective compression algorithm.”
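The heuristic quoted above, as an added example that is not the paper's code: the compression ratio is the uncompressed size divided by the GZIP-compressed size, and pages at or above the 4.0 ratio the paper reports are flagged. Both sample pages are constructed here; the minimum-size guard is an assumption added because gzip's fixed header and trailer distort the ratio on very short inputs.

```python
import gzip

# Added example, not the paper's code: compression-ratio heuristic with the
# 4.0 threshold the paper reports. MIN_BYTES is an assumption: very short
# pages are not scored because gzip's 18 bytes of header/trailer skew the ratio.
SPAM_RATIO = 4.0
MIN_BYTES = 256


def compression_ratio(html: str) -> float:
    """Uncompressed size divided by gzip-compressed size, as in the paper."""
    raw = html.encode("utf-8")
    compressed = gzip.compress(raw, compresslevel=6)
    return len(raw) / len(compressed)


def classify_by_compressibility(html: str) -> str:
    """'spam', 'ok', or 'unscored' (too short to judge)."""
    if len(html.encode("utf-8")) < MIN_BYTES:
        return "unscored"
    return "spam" if compression_ratio(html) >= SPAM_RATIO else "ok"


# Constructed sample pages (not real sites).
NORMAL_PAGE = """<html><head><title>Bakery hours and seasonal menu</title></head><body>
<p>We open at seven on weekdays and at eight on weekends. Sourdough comes out of
the oven around nine, rye shortly after, and the croissants sell out before noon
most Saturdays.</p>
<p>This autumn the menu adds pumpkin loaves, a walnut and fig bread, and a spiced
pear tart that replaces the summer berry galette. Gluten-free options rotate
weekly; ask at the counter for today's selection.</p>
<p>Orders for weddings or office events need three days' notice. Delivery within
the city is free above fifty dollars; elsewhere we charge by distance.</p>
</body></html>"""

# A doorway page: one keyword-stuffed template repeated across city names,
# the kind of redundancy the paper says inflates the compression ratio.
CITIES = ["Austin", "Boston", "Denver", "Miami", "Portland", "Seattle", "Tampa"]
DOORWAY_PAGE = "<html><body>" + "".join(
    f"<h2>Best cheap bakery {c}</h2><p>Cheap bakery {c}. Best bakery {c}. "
    f"Cheap bakery {c} near me. Best cheap bakery {c} open now.</p>"
    for c in CITIES * 20
) + "</body></html>"


if __name__ == "__main__":
    for name, page in (("normal", NORMAL_PAGE), ("doorway", DOORWAY_PAGE)):
        print(f"{name:8s} ratio={compression_ratio(page):6.2f} -> "
              f"{classify_by_compressibility(page)}")
```

As the paper stresses, a single signal like this produces false positives on legitimate repetitive pages (tables, price lists), so it is one feature for a classifier, not a verdict on its own.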
High Compressibility Correlates To Spam
The results of the research showed that web pages with a compression ratio of at least 4.0 tended to be low-quality (spam) pages. However, at the highest levels of compressibility the results became less consistent because there were fewer data points, making them harder to interpret.
Figure 9: Prevalence of spam relative to compressibility of page.
The researchers concluded:
“70% of all sampled pages with a compression ratio of at least 4.0 were judged to be spam.”
But they also discovered that using the compression ratio by itself still resulted in false positives, where non-spam pages were incorrectly identified as spam:
“The compression ratio heuristic described in Section 4.6 fared best, correctly identifying 660 (27.9%) of the spam pages in our collection, while misidentifying 2,068 (12.0%) of all judged pages.
Using all of the aforementioned features, the classification accuracy after the ten-fold cross validation process is encouraging:
95.4% of our judged pages were classified correctly, while 4.6% were classified incorrectly.
More specifically, for the spam class 1,940 out of the 2,364 pages were classified correctly. For the non-spam class, 14,440 out of the 14,804 pages were classified correctly. Consequently, 788 pages were classified incorrectly.”
The next section describes an interesting discovery about how to increase the accuracy of using on-page signals for identifying spam.
Insight Into Quality Rankings
The research paper examined multiple on-page signals, including compressibility. They discovered that each individual signal (classifier) was able to find some spam, but that relying on any one signal on its own resulted in flagging non-spam pages as spam, which is commonly referred to as a false positive.
The researchers made an important discovery that everyone interested in SEO should know: using multiple classifiers increased the accuracy of detecting spam and decreased the likelihood of false positives. Just as important, the compressibility signal only identifies one kind of spam, not the full range of spam.
The takeaway is that compressibility is a good way to identify one kind of spam, but other kinds of spam are not caught by this one signal.
This is the part that every SEO and publisher should be aware of:
“In the previous section, we presented a number of heuristics for assaying spam web pages. That is, we measured several characteristics of web pages, and found ranges of those characteristics which correlated with a page being spam. Nevertheless, when used individually, no technique uncovers most of the spam in our data set without flagging many non-spam pages as spam.
For example, considering the compression ratio heuristic described in Section 4.6, one of our most promising methods, the average probability of spam for ratios of 4.2 and higher is 72%. But only about 1.5% of all pages fall in this range. This number is far below the 13.8% of spam pages that we identified in our data set.”
So, even though compressibility was one of the better signals for identifying spam, it still was unable to uncover the full range of spam within the dataset the researchers used to test the signals.
Combining Multiple Signals
The above results indicated that individual signals of low quality are less accurate, so they tested using multiple signals. What they discovered was that combining multiple on-page signals for detecting spam resulted in a better accuracy rate, with fewer pages misclassified as spam.
The researchers explained that they tested the use of multiple signals:
“One way of combining our heuristic methods is to view the spam detection problem as a classification problem. In this case, we want to create a classification model (or classifier) which, given a web page, will use the page’s features jointly in order to (correctly, we hope) classify it in one of two classes: spam and non-spam.”
These are their conclusions about using multiple signals:
“We have studied various aspects of content-based spam on the web using a real-world data set from the MSNSearch crawler. We have presented a number of heuristic methods for detecting content based spam. Some of our spam detection methods are more effective than others, however when used in isolation our methods may not identify all of the spam pages. For this reason, we combined our spam-detection methods to create a highly accurate C4.5 classifier. Our classifier can correctly identify 86.2% of all spam pages, while flagging very few legitimate pages as spam.”
Key Insight:
Misidentifying “very few legitimate pages as spam” was a significant breakthrough. The important insight that everyone involved with SEO should take away from this is that one signal by itself can result in false positives. Using multiple signals increases the accuracy.
What this means is that SEO tests of isolated ranking or quality signals will not yield reliable results that can be trusted for making strategy or business decisions.
Takeaways
We don’t know for certain if compressibility is used at the search engines, but it’s an easy-to-use signal that, combined with others, could be used to catch simple kinds of spam like thousands of city-name doorway pages with similar content. Yet even if the search engines don’t use this signal, it does show how easy it is to catch that kind of search engine manipulation and that it’s something search engines are well able to handle today.
Here are the key points of this article to keep in mind:
- Doorway pages with duplicate content are easy to catch because they compress at a higher ratio than normal web pages.
- Groups of web pages with a compression ratio above 4.0 were predominantly spam.
- Negative quality signals used by themselves to catch spam can lead to false positives.
- In this particular test, they discovered that on-page negative quality signals only catch specific types of spam.
- When used alone, the compressibility signal only catches redundancy-type spam, fails to detect other forms of spam, and leads to false positives.
- Combining quality signals improves spam detection accuracy and reduces false positives.
- Search engines today have a higher accuracy of spam detection with the use of AI like Spam Brain.
Read the research paper, which is linked from the Google Scholar page of Marc Najork:
Detecting spam web pages through content analysis
Featured Image by Shutterstock/pathdoc
New Google Trends SEO Documentation
Google Search Central published new documentation on Google Trends, explaining how to use it for search marketing. This guide serves as an easy to understand introduction for newcomers and a helpful refresher for experienced search marketers and publishers.
The new guide has six sections:
- About Google Trends
- Tutorial on monitoring trends
- How to do keyword research with the tool
- How to prioritize content with Trends data
- How to use Google Trends for competitor research
- How to use Google Trends for analyzing brand awareness and sentiment
The section about monitoring trends advises there are two kinds of rising trends, general and specific trends, which can be useful for developing content to publish on a site.
Using the Explore tool, you can leave the search box empty and view the current rising trends worldwide or use a drop down menu to focus on trends in a specific country. Users can further filter rising trends by time periods, categories and the type of search. The results show rising trends by topic and by keywords.
To search for specific trends users just need to enter the specific queries and then filter them by country, time, categories and type of search.
The section called Content Calendar describes how to use Google Trends to understand which content topics to prioritize.
Google explains:
“Google Trends can be helpful not only to get ideas on what to write, but also to prioritize when to publish it. To help you better prioritize which topics to focus on, try to find seasonal trends in the data. With that information, you can plan ahead to have high quality content available on your site a little before people are searching for it, so that when they do, your content is ready for them.”
Read the new Google Trends documentation:
Get started with Google Trends
Featured Image by Shutterstock/Luis Molinero
All the best things about Ahrefs Evolve 2024
Hey all, I’m Rebekah and I am your Chosen One to “do a blog post for Ahrefs Evolve 2024”.
What does that entail exactly? I don’t know. In fact, Sam Oh asked me yesterday what the title of this post would be. “Is it like…Ahrefs Evolve 2024: Recap of day 1 and day 2…?”
Even as I nodded, I couldn’t get over how absolutely boring that sounded. So I’m going to do THIS instead: a curation of all the best things YOU loved about Ahrefs’ first conference, lifted directly from X.
Let’s go!
OUR HUGE SCREEN
The largest presentation screen I’ve ever seen! #ahrefsevolve pic.twitter.com/oboiMFW1TN
— Patrick Stox (@patrickstox) October 24, 2024
This is the biggest presentation screen I’ve ever seen in my life. It’s like iMax for SEO presentations. #ahrefsevolve pic.twitter.com/sAfZ1rtePx
— Suganthan Mohanadasan (@Suganthanmn) October 24, 2024
CONFERENCE VENUE ITSELF
It was recently named the best new skyscraper in the world, by the way.
The Ahrefs conference venue feels like being in inception. #AhrefsEvolve pic.twitter.com/18Yjai1Cej
— Suganthan Mohanadasan (@Suganthanmn) October 24, 2024
I’m in Singapore for @ahrefs Evolve this week. Keen to connect with people doing interesting work on the future of search / AI #ahrefsevolve pic.twitter.com/s00UkIbxpf
— Alex Denning (@AlexDenning) October 23, 2024
OUR AMAZING SPEAKER LINEUP – SUPER INFORMATIVE, USEFUL TALKS!
A super insightful explanation of how Google Search Ranking works #ahrefsevolve pic.twitter.com/Cd1VSET2Aj
— Amanda Walls (@amandajwalls) October 24, 2024
“would I even do this if Google didn’t exist?” – what a great question to assess if you actually have the right focus when creating content amazing presentation from @amandaecking at #AhrefsEvolve pic.twitter.com/a6OKbKxwiS
— Aleyda Solis (@aleyda) October 24, 2024
Attending @CyrusShepard’s talk on WTF is Helpful Content in Google’s algorithm at #AhrefsEvolve
“Focus on people first content”
Super relevant for content creators who want to stay ahead of the ever evolving Google search curve! #SEOTalk #SEO pic.twitter.com/KRTL13SB0g
— Parth Suba (@parthsuba77) October 24, 2024
This is the first time I am listening to @aleyda and it is really amazing. Lot of insights and actionable information.
Thank you #aleyda for power packed presentation.#AhrefsEvolve @ahrefs #seo pic.twitter.com/Xe3A9MGfrr
— Jignesh Gohel (@jigneshgohel) October 25, 2024
@thinking_slows thoughts on AI content – “it’s very good if you want to be average”.
We can do a lot better and Ryan explains how. Love it @ahrefs #AhrefsEvolve pic.twitter.com/qFqWs6QBH5
— Andy Chadwick (@digitalquokka) October 24, 2024
GREAT MUSIC
First time I’ve ever Shazam’d a track during SEO conference ambience…. and the track wasn’t even Shazamable! #AhrefsEvolve @ahrefs pic.twitter.com/ZDzJOZMILt
— Lily Ray (@lilyraynyc) October 24, 2024
AMAZING GOODIES
I came to Ahrefs Evolve! @ahrefs @AhrefsJP #AhrefsEvolve pic.twitter.com/33EiejQPdX
— さくらぎ (@sakuragi_ksy) October 24, 2024
Aside from the very interesting topics, what makes this conference even cooler are the ton of awesome freebies
Kudos for making all of these happen for #AhrefsEvolve @ahrefs team pic.twitter.com/DGzk5FSTN8
— Krista Melgarejo (@kimelgarejo) October 24, 2024
Content Goblin and SEO alligator party stickers are definitely going on my laptop. @ahrefs #ahrefsevolve pic.twitter.com/QBsBuY5Yix
— Patrick Stox (@patrickstox) October 24, 2024
This is one of the best swag bags I’ve received at any conference!
Either @ahrefs actually cares or the other conference swag bags aren’t up to par w Ahrefs!#AhrefsEvolve pic.twitter.com/Yc9e6wZPHn
— Moses Sanchez (@SanchezMoses) October 25, 2024
SELFIE BATTLE
Some background: Tim and Sam have a challenge going on to see who can take the most number of selfies with all of you. Last I heard, Sam was winning – but there is room for a comeback yet!
Got the rare selfie with both @timsoulo and @samsgoh #AhrefsEvolve
— Bernard Huang (@bernardjhuang) October 24, 2024
THAT BELL
Everybody’s just waiting for this one.
@timsoulo @ahrefs #AhrefsEvolve pic.twitter.com/6ypWaTGDDP
— Jinbo Liang (@JinboLiang) October 24, 2024
STICKER WALL
Long live life, long live SEO!
Come on Argentina!#AhrefsEvolve pic.twitter.com/sfhbI2kWSH
— Gaston Riera. (@GastonRiera) October 24, 2024
AND, OF COURSE…ALL OF YOU!
#AhrefsEvolve let’s goooooooooooo!!! pic.twitter.com/THtdvdtUyB
— Tim Soulo (@timsoulo) October 24, 2024
There’s a TON more content on LinkedIn – click here – but I have limited time to get this post up and can’t quite figure out how to embed LinkedIn posts so…let’s stop here for now. I’ll keep updating as we go along!