Hi guys,
Recently I was doing a study on Google rankings, more specifically, I was trying to figure out how Pay Day loan companies manipulate the rankings.
I found 2 commonly used issues. The first involved a Joomla extension, which is since been removed from the Joomla homepage but has already been installed on many websites.
The second involved Drupal. On a default installation, Drupal does not nofollow any links in the comments submitted by users. This is used to spam literally thousands of websites. If you search Google for "pay day loans", most of the top 20 results are people using this bug/loophole in Drupal to gain links to their website.
Why is it that Drupal does not do this by default? It seems that most other CMS's do so.
Thanks
You can read my full report at Pay Day Loan Rankings: The shady tale of Joomla hacks and Drupal leaks
Comments
That's an interesting bit of
That's an interesting bit of research. Another way that is popular with spammers is to use the profile feature that is available on some Drupal websites. It can be configured to have a URL field. This field also does not have a "nofollow" attribute. This is the reason we've blocked most user profiles here on drupal.org.
As to "why?": As soon as somebody downloads Drupal, it is IMO their responsibility to maintain their website. This includes removing spam.
--
Drupal services
My Drupal services
Thank you for reply and
Thank you for reply and positive comments on my blog. I've had some fantastic feedback from the industry since publishing.
I agree with you about it being a webmasters responsibility to maintain their site, but I would have thought something so obvious and easy to fix would be included as default. A SQL injection vulnerability wouldn't be left and said it was down to the webmaster to fix. This has more impact than a SQL injection based on the scale of it.
Drupal is an amazing tool and I was shocked that they don't nofollow when I was investigating, it just seems such an obvious thing to have these days. I do not know Drupal code from memory, but I imagine it's an extremely simple fix too. A few characters of code and wipe out a large portion of spam in a sector, seems crazy :)
But I'll leave that up to your guys, it is your software :)