Influx of spam sites using Hugo themes


#1

Has anyone noticed the large influx of random spam sites using Hugo themes? I have a theme with a “developed by” link in the footer and I’ve tracked a few referrals to my site through Google Analytics from what looks to be spammy bot-generated content farms. They’ve always been there but in the past 2 weeks traffic has really amped up.

image

I also notice these domains regularly spam Reddit (e.g. <links removed>).

They all have similar style domains and subdomains and each site seems to be a Hugo site with a different theme grabbed from our big themes repository.

Is this a problem that anyone else has noticed and is there anything we as a community can do to prevent this?


#2

Hi there @Toma

First of all I edited your post to remove those links you shared (they were dead Reddit links anyway but in any case they were not needed here)

Second I had a quick look and I saw that at least a couple of these domains are hosted by Digital Ocean.
See: https://www.digitalocean.com/company/contact/#abuse

Maybe you should let them know that they host compromised sites.

Other than that I don’t think that there is anything we can do on our end.
Your theme is hosted publicly on Github and anyone can download and use it.


#3

Hey @onedrawingperday. I’m just wondering if anyone knows where this huge influx of spam blogs using Hugo themes is from. It’s not just my theme - if you were to do a google search of those domains, you’ll get search results with hundreds of different subdomains and they all look to be Hugo sites using different public Hugo themes.

It’s weird to me that none are Gatsby.js or Jekyll sites, but maybe this is concentrated with one content farm specifically using Hugo and there are probably other content farms using other static site generators.

I’ll be keeping my theme in the public domain but wish there was a way to combat this type of abuse.


#4

If I was going to create a lot of spam sites (I’m not), I would pick the tool that would get me the result fastest and simplest. This is both a curse and a blessing. I don’t see how we can fight that battle.


#5

As I said above I had time only for a cursory look but I also noticed that most of these spam sites use Caddy Server which is also written in Go. I suppose that whoever is doing this likes to work with a Go tool set.

If you do not want these sites displayed as referrals in your Analytics console I suggest that you create a filtered report to exclude them. (There are articles about creating filtered reports, so search for this).


#6

I was thinking the same thing. It’s an unfortunate side effect of Hugo becoming popular and easy to use with a plethora of themes.

Besides just removing the credit link in the footer that links back to my own site, I’m trying to think of ways to make my theme more difficult to set up. Maybe the theme’s config file has an essential setting commented out so it doesn’t work right off the bat. Something that doesn’t add difficulty for a user but might trip up a bot using a repetitive setup.


#7

Please do not do this. Your theme is fine, fighting spam isn’t your battle to fight, it’s done elsewhere, but you do your part by making it easy for people to publish their authentic thoughts, thus generating more content for actual consumption.

Also, bots will win unless you want your job to be fighting bots. But we don’t want that! We want more themes! :slight_smile:


#8

I would be concerned about the spammy links.

I would suggest you add no-follow to your footer link on those themes. Also, only having the footer link on the homepage is best.

If you really want to keep a follow link, then I would do a link audit, and disavow spammy sites. Something like Semrush (linked to majestic via api) , or ahrefs will suffice.