Google Security SPAM

Seeing Spam? How To Take Care of Your Google Analytics Data

Owning a website is both a curse and blessing. For one, you’re comfortably earning money from what you offer online (be it services or products). However, you also have to contend with hundreds to thousands of bad businesses; which use illegal means to boost their site’s performance. We’re not just talking about hackers – which are dangerous to you and your website – but of opportunists who like manipulating the system with backdoor approaches. One such method is called referrer spamming.

What Is Referrer Spam?

Imagine yourself busy studying Google Analytics (GA) data from your website when you notice something odd. You seem to be getting online traffic from two or three unknown sources. It’s weird – since you have NEVER visited those sites before, nor have you contacted them. Upon clicking the links though, you are redirected to something totally different, or to a 404 page. You begin to worry. Is it possible that you were hacked? What’s happening to your site?

This dilemma is called ‘referrer spam’. It happens when bad bots drive fake traffic to a website; and that activity is recorded by GA. A ‘bot’ is a program designed to do certain recurring tasks with amazing speed and accuracy. Bots can be utilized for a number of functions, such as to index websites. In fact, Google has its own bot that crawls millions of websites and indexes important information for online users.

As much as there are good bots, there are also bad bots. They can do plenty of damage from sending thousands of spam e-mail, to spreading malware and viruses. Then there’s the spam bot, which can be used to send fake traffic to a website. As bots are masters of disguise, they can ‘pretend’ to be a Web browser (like Google Chrome) or a human, and visit thousands of sites; leaving behind an identification trail. This is what GA records – and this is what you see when you open your analytics.

However, it’s all just bait. That ‘website’ just needed something to cling to, to gain traffic and ranking. A bot doesn’t need to enter your site to impact your GA – all it has to do is to exist.

How Do You Get Referrer Spam?

The truth is that ANY WEBSITE can be a target. What spam bots do is crawl the Web for vulnerable websites and leave their traces. Sometimes it’s as simple as giving you fake traffic – other times, it’s more insidious (like giving your PC malware). You may have installed the best anti-malware plugin like Wordfence; but there’s still a chance that smarter spam bots can penetrate the system. That’s not to say that you shouldn’t trust anti-malware plugins. On the contrary, if you don’t have one installed, it might be worse.

Spam bots attack a website’s soft spots. Say your site is hosted on a problematic hosting platform; plus you don’t have a WordPress security plugin. The bot will use this against you and continuously generate fake traffic your way. If bad becomes worse, your device will become part of a botnet (a large group of bots) through malware and it will be used to send spam to the entire Web. You may not even be aware of it, but your PC or laptop may already be part of a botnet. So it’s vital to address the problem immediately as soon as you spot it.

Check your GA reports daily so you can be kept up to speed with what’s going on in your site. Install an anti-malware plugin as well to counter bad bots.

Why It’s Bad For Your Analytics

Referrer spam not only messes up computers, they can mess up your data and emotions. One minute, you’re happy about getting so much traffic – then be downtrodden the next after you find out that those referrals were fake. Website owners only want the truth: especially when it comes to online data. Remember when Facebook removed inactive Likes from business pages? It’s because these things are like a virus; it breeds nothing but lies.

You wouldn’t want to open your Analytics report each time and see only fake traffic, right? We all want what’s REAL. And if Facebook has taken preventive measures to ensure more accurate data, you can, too.

How To Spot Spam

Referrer spam gives off various signs on your GA reports or the site itself. Here’s a few:

  • Abnormal increase in number of referrals;
  • Referrals redirect to 404 pages;
  • Referrals redirect to porn sites;
  • Website is suddenly down;
  • Website is full of ads;
  • You get an e-mail from Google.

It’s important to remain calm once you spot referrer traffic. While on most occasions, they are harmless and just bring fake traffic, others are not so kind. Avoid from opening unknown or suspicious sites without proper anti-malware protection. It’s possible that your site has been hacked AND contains referrer spam as well.

How To Protect Your Analytics Data

You may be thinking right now that you could just use filters to block referrer spam from affecting your GA results. But that DOES NOT remove the problem – it’s still there. What filters do is just omit those results. It does not block nor eliminate them. Here are a couple of ways to combat referrer spam:

  1. Run a scan. This means scanning your device AND your site for malware and/or injected spam.
  2. If results come up with ‘potential threats’, quarantine those and keep your CMS up-to-date.
  3. If your results come out clean, check with your web hosting platform. Are they experiencing problems?
  4. If your website is down, verify that you are not on Google’s Blacklist.
  5. Confirm that you are using the latest version of WordPress (or whatever CMS you are using).
  6. Create a backup. This ensures that you save all vital data should you need to remove something.
  7. Consider changing your password and secret keys.
  8. To remove referrer spam, block spam bots using this helpful tutorial.

For hacked WordPress websites, see this complete guide

on how to detect and spot malicious files. It might seem overwhelming, especially for those without coding knowledge; but don’t worry. CMS communities like WordPress have forums where you can always ask for more information.

It’s a good idea to assume that things will go wrong at any moment – so backup your files from the onset. This will come in handy because you will need to take down your site once it’s confirmed that it is hacked. Backup your database (this contains all your pages, posts and other crucial website components) and store them in at least two devices in case the other one gets corrupted.

Do the same practice BEFORE upgrading to the latest version of your CMS.

Regular Maintenance For Constant Prevention

NEVER assume that just because you have an expensive hosting platform or the latest anti-malware system that your website will be safe forever. People are smart; and that means smarter bots to manipulate the Web. Do the three-step approach to regular website maintenance to ensure that your data stays safe AND accurate. These are:

  1. Stay up-to-date with the latest software versions.
  2. Always backup your data.
  3. Enable anti-malware protection on your device and on your website.

It’s hard work owning a website. This requires you, the website owner, to constantly be on your toes watching out for bad guys. Referrer spam is here to stay. And in the future, who knows – perhaps spammers will develop better techniques to cheat the system. But where there’s light, darkness can’t prevail. That light is KNOWLEDGE.

Always keep learning and discovering new things. If things go wrong, don’t panic. Everything has a solution.

About the author


Al Gomez

Al Gomez is a Digital Marketing Consultant for Dlinkers & Sagad. He has over 12 years’ client digital marketing experience and has proven track records of successful projects and expertise in various marketing channels. He is passionate about solving online marketing problems like generating leads and an increase in sales.


Click here to post a comment
  • Hi Al

    There is actually a lot of ghost referrer spam happening at the moment. There are no real visits to the website, but the spammer actually tries out all tracking ids and sends fake visits directly to Google Analytics. The only solution to this is adding filters in google analytics.

    We struggled with manually adding filters for the new hosts that are always appearing, so we built an automated solution for this.

    Best regards

    • Thank you for the comment, Pascal. The trouble with Google Analytics filters is that it only HIDES the problem – as what we sadly experienced ourselves. When you remove those filters, the spam is still there. One strategy that we found useful was to block the website’s IP address. It’s more time-consuming yes, but it gets rid of the problem for good. Hope that helps!

    • Hi Al

      I forgot to link to the tool, it can be used at – its free.

      Your mentioned method only works for non-ghost referrer spam (e.g where there are real crawlers accessing your website. Those you can block, but there is also ghost referrer spam, this does work quite differently. They actually never access your website, they just try out all Google analytics tracking IDs and send fake visits directly to Google Analytics (the same way as ga.js or analytics.js does it). So the only solution to this is using filters, because you can’t block them.

      Best regards

  • Hi Al,

    I agree with Pascal. It’s been happening a lot recently. Here’s a very short how to guide I wrote on Linkedin to remove the ghost spammers from their analytics last May 27.

    Ghost spammers are attacking. Who you’re gonna call?

    Hope it helps!


  • Hello Havi and Pascal,

    Thank you for the link, Havi! That was indeed useful.

    As for ghost referrals – yes, they are a challenge to block completely. So until we find an actionable approach to totally eliminating them (not just hiding them from Analytics), we would need to content ourselves with filtering them from our data.

  • Referrer spam has been the latest problem for those who are counting on google analytics reports for analyzing the visitors they receive on their site from different sources.