How to protect your website from proxy mirrors?

By Roman Berezhnoi November 29, 2022 3.25K views

One day you may see your website’s organic search traffic begin to decline. Traffic from search engines can drop for many reasons, one of which is proxy mirrors.

Proxy mirroring is a ‘negative SEO’ technique that is gaining popularity among modern SEOs because it allows attacking competitors more cheaply and simply than other ways of sabotage.

What is proxy mirroring?

Proxy mirroring is a technique of replicating a website by creating an identical copy of the website design and content but using different URLs.

Crooks can replicate thousands of websites using simple PHP code in several days. Usually, they choose the most popular sites in a particular business niche. Each unprotected website that Google ranks among the world’s top 500,000 becomes a scammer’s target.

Scammers can use proxy mirroring for different purposes, like sabotaging competitors’ websites, making a profit, and phishing. Either way, the website owner loses valuable organic traffic and, therefore, business revenue. In some cases, search engines may remove the original website entirely from the search index while the cloned websites keep working and drawing traffic.

How do you know if someone replicated your site?

Many people begin to check for plagiarism when they notice a significant drop in organic search traffic in Web Master Tools. But it would be better to check for plagiarism regularly, for example, once a month. How to do that?

The simplest way is to use plagiarism checkers; these tools allow users to detect plagiarism and duplicate content and to identify website mirrors. Plagiarism detection services are easy to use. Copy and paste the link to your site page or a piece of text content into the plagiarism checker’s field, and the service will find web pages that duplicate the content. If you see that a website replicates the content and design of your site, it is a proxy mirror.

Look at this snapshot. This site mirrored the F5 Studio website. 

An example of a scammer's site that replicates the F5 Studio site by loading its images, JS code, and CSS styles

VastCope’s website code contains links to F5 Studio’s site, and the code is 99% identical to our site code. At first glance, you might think the site was hacked and launched on another hosting, but it is not. Look at this snapshot.

The scammer's website with dev tools open, showing the resources loaded from the F5 Studio website

As you can see, VastCope’s website loads resources from the F5 Studio website.

Unfortunately, many plagiarism detection services fall short in their features, UI, and detection of plagiarism. Test plagiarism checkers to find a good one that fits your needs.

Another way to find website clones is to analyze server log files to detect abnormal activity. This method requires technical skills, but it will also help protect the website, because server log files provide the necessary information.

This website was detected by plagiarism checking. As you can see in the snapshot, mrpavel.art is an almost 100% copycat.

This site replicates the F5 Studio website almost 100%

In contrast to the previous case, the mrpavel.art site didn’t use direct links to the F5 Studio website.

The scammer's website with dev tools open, showing that it doesn't use F5 Studio resources like images or CSS styles

It was another proxy mirroring method, and the way to fix that will be described below.

If you are low-tech or too busy, you may entrust this task to professionals specializing in website security services.

How to fix and prevent site mirroring?

When proxy mirroring is detected, fixing and preventing the issue is vital. Fixing proxy mirroring requires some tech skills and experience, but I hope these methods help you.

Disable iframes and strengthen HTTP response headers

The following method disables the ability for scammers to create iframes from your site and use your content.

Some experts recommend using the directive “DENY” for X-Frame-Options if you don’t need iframes and don’t want anyone else to embed your site in iframes. But it can cause some front-end issues. That is why I use the directive “SAMEORIGIN” for X-Frame-Options on the F5 Studio website, which works well for our site. With this directive you can still embed your own pages in iframes on your site, but your site’s content won’t display in iframes on other sites.

Learn more about X-Frame-Options.

If your site was built on WordPress, you could use the Headers Security Advanced & HSTS WP plugin. This plugin addresses the security issues of website headers by setting HTTP response headers in the .htaccess file. Here is an example of code that was added to the .htaccess file of the F5 Studio website:

<IfModule mod_headers.c>
# HSTS is sent only on HTTPS responses
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
# X-XSS-Protection and Expect-CT are deprecated headers
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Expect-CT "max-age=7776000, enforce"
Header set Access-Control-Allow-Origin "null"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
# X-Content-Security-Policy is a legacy prefixed header name
Header set X-Content-Security-Policy "img-src *; media-src * data:;"
# this policy contains only report-uri, so it restricts nothing by itself
Header always set Content-Security-Policy "report-uri https://f5-studio.com"
# only pages from the same origin may frame the site
Header always set X-Frame-Options "SAMEORIGIN"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>

You may add this code to your site’s .htaccess file yourself.

Additionally, the plugin developers provide helpful online tools to check a website’s security, for example, https://securityheaders.com/. You can see how F5 Studio’s website passed the security check after enabling Headers Security Advanced & HSTS WP plugin.

A snapshot showing that F5 Studio passed the security check after enabling the Headers Security Advanced & HSTS WP plugin

This method will improve website security against simple types of attacks. It increased the security of F5 Studio’s website, but it didn’t help us because scammers can use more advanced techniques to mirror your site, and these two sites still worked. Hence, using more advanced techniques to protect your site would be best.

Prevent static hotlinking

As I wrote above, VastCope used F5 Studio’s site sources. In this case, it is a good idea to prevent static hotlinking. It means preventing other domains from referencing static files from your site, for example, images, CSS, and JS code.

Many hosting providers can prevent static hotlinking, and you can ask their support to help you. But if your hosting provider does not have the service, you need to disable static hotlinking by adding code to the .htaccess file (Apache):

# mod_rewrite must be switched on before the rules below take effect
RewriteEngine On
# let through requests that send no Referer header
RewriteCond %{HTTP_REFERER} !^$
# allow all requests from your domain
# edit the domain to match your own
# dots are escaped and the host is closed with (/|$) so that only the exact domain matches
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/|$) [NC]
# search engine access
# include or remove search engines feed readers and other sites
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?instagram\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?linkedin\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?facebook\.com(/|$) [NC]
# return a 403 error when any of the following file types is requested
# you can protect additional file types by editing the list below
RewriteRule \.(gif|jpeg|jpg|svg|png|css|js)$ - [F,NC,L]

Preventing hotlinking is an effective method to avoid content and bandwidth theft issues. It helped us to break the VastCope site, and we are satisfied with the result. Now the VastCope site looks broken, and you can see that on the snapshot.

A snapshot of the scammer's site, which looks broken because it can't use F5 Studio's resources like images, JS code, or CSS styles

But it also has disadvantages. Scammers have ways to bypass the usual hotlink protection method, and mrpavel.art still worked.

Blocking IP addresses

If you discover that a site mirrors yours, you can block the scammer’s site by IP. In our case, another scammer (mrpavel.art) used other methods to mirror F5 Studio’s website.

We decided to block the IP addresses of mrpavel.art in this way.
First, you need to detect the IP addresses of scammers.
The most straightforward way is using Whois https://who.is/

In this snapshot you can see the info from the Whois service about the IP addresses of the scammer's website

Then search by IP address.

The results of searching by IP, which let the website owner find out the scammer's IP subnet.

Hence we needed to find the CIDR to block the IP subnet 162.0.224.0/20. We block the IP subnet because it is more reliable than blocking a single IP address.
Check your server log files to confirm that the mirrored site’s requests come from these IP addresses.
To block the IP subnet, add this directive to the .htaccess file:

Deny from 162.0.224.0/20

Note that you must paste the CIDR address of the scammers mirroring your own site.

A blocked scammer’s site shows the 403 error page in the user’s browser. Now, mrpavel.art, the mirror of our site, can’t help a crook hurt our website SEO and revenue.
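The log checks mentioned above (analyzing server logs for abnormal activity, and confirming that a mirror's requests come from the subnet you plan to block) can be scripted. This is an added example, not code from the original article; it assumes Apache's combined log format, and the sample log lines and the names example.com and mirror.example are constructed.

```python
import ipaddress
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)"')
# Same file types that the hotlink rule protects
STATIC = re.compile(r'\.(gif|jpe?g|svg|png|css|js)(\?|$)', re.I)

def analyze(lines, own_hosts, suspect_cidr):
    """Return (static-file hits per foreign Referer host, hits per client IP in suspect_cidr)."""
    net = ipaddress.ip_network(suspect_cidr)
    hotlinkers, subnet_hits = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, referer = m.groups()
        try:
            if ipaddress.ip_address(ip) in net:
                subnet_hits[ip] += 1  # request came from the subnet under suspicion
        except ValueError:
            pass  # client field is a hostname, not an IP address
        ref = re.match(r'https?://([^/:]+)', referer, re.I)
        if ref and STATIC.search(path) and ref.group(1).lower() not in own_hosts:
            hotlinkers[ref.group(1).lower()] += 1  # asset embedded by another site
    return hotlinkers, subnet_hits

# Constructed sample: example.com stands in for your site, mirror.example for a clone
SAMPLE = [
    '162.0.229.10 - - [29/Nov/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '162.0.229.10 - - [29/Nov/2022:10:00:02 +0000] "GET /services/ HTTP/1.1" 200 4096 "-" "-"',
    '162.0.231.7 - - [29/Nov/2022:10:00:03 +0000] "GET /blog/ HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.5 - - [29/Nov/2022:10:01:00 +0000] "GET /css/style.css HTTP/1.1" 200 900 "https://mirror.example/" "Mozilla/5.0"',
    '203.0.113.6 - - [29/Nov/2022:10:01:05 +0000] "GET /img/logo.png?v=2 HTTP/1.1" 200 700 "https://mirror.example/about" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Nov/2022:10:02:00 +0000] "GET /img/logo.png HTTP/1.1" 200 700 "https://www.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hot, sub = analyze(SAMPLE, {"example.com", "www.example.com"}, "162.0.224.0/20")
    print("foreign referers on static files:", dict(hot))
    print("requests from suspect subnet:", dict(sub))
```

A mirror that fetches pages server-side sends no Referer, so it appears only in the subnet counts, while a mirror that links to your files directly appears in the Referer counts.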

Using all these ways to fix and prevent proxy mirroring would be better for your website security, but sometimes this is not enough. This is why it’d be better to use some non-tech ways to fix the consequences of website proxy mirroring and punish scammers.

Non-tech methods to fix the consequences of proxy mirroring

If someone uses your content, brand identity elements (logo), and website design, it breaks local and international copyright laws. 

First, you may report copyright infringement to search engines. Google Search allows content owners to send requests about sites that violate copyright law and their rights. If the Google team approves the request, the scammer’s website will be deleted from the search index. The problem is Google can’t make crooks delete the content from their sites. On the other hand, scammers’ sites won’t get traffic from Google Search.

Second, you can contact a hosting provider and send an “abuse report.” Many hosting providers value their reputation and will help you.

To find out who hosts the scammer’s site, use one of the WHOIS services. Then, go to the hosting provider’s site and fill out the abuse report form. A hosting provider may force a scammer to delete your content from its website. The disadvantage of this method is that scammers can use many domains.

As you can see, using non-tech methods to fix proxy mirroring issues is only partially effective with using tech methods.

Conclusion

Proxy mirroring is a scammers’ technique that can lead to losing traffic, purchases, and clients for a business. This is why owners of business sites need to detect these issues and fix them as quickly as possible. Unfortunately, many business managers do not know about this technique and do not pay enough attention to website security. As you can see, our web design agency also faced proxy mirroring, but our team has the experience, and we fixed all issues. This article described tried and true methods you can use to fix website proxy mirroring issues too. If you still have questions or face issues the article didn’t describe, you may contact us to get a free consultation about website security.
