How to Protect Your Business From Nefarious Subdomain Hijacking
A couple of days ago, while I was at a conference, news came out that Network Solutions was hijacking unused customer subdomains to post links to their other websites. It is getting really hard to trust *many* online service providers.
A big tip for new websites is to use the www subdomain and 301 redirect the non-www version to the www version, for 3 reasons:
- If some nefarious group tries to add subdomains to your site, you can easily spot them with a Google search for site:mysite.com -site:www.mysite.com (you could subtract other subdomains as well if you liked, like so). You can even set up a Google Alert to track Google indexing any subdomains by entering that search in a Google Alert. Once any new subdomain is discovered, you can delete any of their nefarious activity and/or add the subdomain and 301 it to your site to reclaim any link popularity (if the domain was expired or re-purchased and the subdomain had some remnant link equity).
- Already owning the www and non-www means that they have fewer opportunities to hijack one of your most important subdomains.
- Some automated penalties that occur on subdomains do not flow back to the root. If you are using www, you can move it to another subdomain, but if your core site is at the root (without the www) then you may be out of luck.
Disclaimer: Microsoft Live Search is *really* bad at following 301 redirects. So if you are already using the non-www version and have built a lot of links, then it may not be worth the risk of 301ing it...especially if your site is really clean and you are not pushing any algorithmic limits with aggressive SEO techniques.
In addition to the above tips, ensuring that your software is up to date and using your own non-shared host also helps mitigate the risk of subdomain hijacking. SEO Book reader Rich Atkinson also stated:
Another good tip is to create a wildcard dns 'A' record for your domain. Then config your web server to 301 all unrecognised hosts to your main site.
This is good for picking up the ww.example.com typos too.
Of course - you may or may not be able to do this on shared hosting.
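One way to implement the catch-all redirect from the tip above, as an added example that is not code from the original post or from Rich: a small Python WSGI middleware that 301s any unrecognised Host to the main site. The names example.com, blog.example.com, SERVED_HOSTS, site and probe are assumptions made for illustration, and it assumes the wildcard DNS 'A' record already points at this server.

```python
# Added example: catch-all 301 behind a wildcard DNS A record (not from the post).
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"   # assumed main site
SERVED_HOSTS = {CANONICAL_HOST, "blog.example.com"}  # assumed legitimate hosts


def normalise_host(raw):
    """Lower-case the Host header; drop any port and trailing dot."""
    return (raw or "").strip().lower().split(":")[0].rstrip(".")


def canonical_redirect(app, scheme="https"):
    """WSGI middleware: 301 every unrecognised Host to the canonical site."""
    def middleware(environ, start_response):
        if normalise_host(environ.get("HTTP_HOST")) in SERVED_HOSTS:
            return app(environ, start_response)
        # Location is built from the fixed canonical name only; the
        # client-supplied Host value is never reflected into the redirect.
        path = quote(environ.get("PATH_INFO") or "/", encoding="latin-1")
        query = environ.get("QUERY_STRING", "")
        location = f"{scheme}://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return middleware


def site(environ, start_response):
    """Stand-in for the real site (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"main site\n"]


def probe(host, path="/", query=""):
    """Send one constructed request through the middleware."""
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, location=dict(headers).get("Location"))
    environ = {"HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query}
    canonical_redirect(site)(environ, start_response)
    return seen["status"], seen["location"]


if __name__ == "__main__":
    for h in ("www.example.com", "example.com", "ww.example.com", "bogus.example.com"):
        print(h, "->", probe(h, "/pricing", "ref=1"))
```

Because only hosts on the allowlist are served, a subdomain someone else points at your server never shows content under its own name; the bare domain and typos such as ww.example.com all land on the www site with a 301.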
Comments
These guys never quit. What a spammy company Network Solutions is.
Hey Aaron,
Good advice. Another good tip is to create a wildcard dns 'A' record for your domain. Then config your web server to 301 all unrecognised hosts to your main site.
This is good for picking up the ww.example.com typos too.
Of course - you may or may not be able to do this on shared hosting.
Cheers
- rich
Thanks for the tip Rich :)
Personally I think tip number one should be run like hell if you have anything to do with Network Solutions. Between this and registering domains based on searches, just as rustyc says, they're going all out on the spam and otherwise bad behaviour.
My understanding is that this only works if Network Solutions is your registrar. If you're not with them are these steps really necessary? Assuming other registrars are not going to follow suit.
The ww 301ing to www is a good idea regardless though and I'll try and set that up this evening.
If you control your own DNS, or you're at an ISP where you have access to a control panel that lets you edit your DNS, there's no problem right? Meaning, any shenanigans would be visible in the cpanel, right?
"www." is dead, or should be. Making that your prime URL is a bad idea for branding and everything else.
Well there are lots of accounts that had mystery meat subdomains pop up on a wide array of registrars. Network Solutions was just one of many.
I was under the impression it was solely an issue with Network Solutions. Thanks for the correction. In that case it is a lot more concerning.
Over the years many others have done similar or the same.
Aaron, You state that "Some automated penalties that occur on subdomains do not flow back to the root." What automated penalties were you talking about that do and don't flow back to the root domain?
I can't really share all that information Mike.