WPTavern: #219 – Austin Ginder on How AI Is Exposing Hidden Threats in WordPress Plugin Updates
[00:00:19] Nathan Wrigley: Welcome to the Jukebox podcast from WP Tavern. My name is Nathan Wrigley.
Jukebox is a podcast which is dedicated to all things WordPress, the people, the events, the plugins, the blocks, the themes, and in this case, how AI is exposing hidden threats in WordPress plugin updates.
If you’d like to subscribe to the podcast, you can do that by searching for WP Tavern in your podcast player of choice, or by going to wptavern.com/feed/podcast, and you can copy that URL into most podcast players.
If you have a topic that you’d like us to feature on the podcast, I’m keen to hear from you and hopefully get you, or your idea, featured on the show. Head to wptavern.com/contact/jukebox and use the form there.
So on the podcast today we have Austin Ginder. Austin has been involved in the WordPress ecosystem since 2010, and since 2014 has run Anchor Hosting, a business that manages thousands of WordPress websites. While he’s a developer and automation enthusiast at heart, in recent months Austin has found himself at the forefront of a burgeoning crisis in WordPress security: supply chain attacks targeting plugins.
A chance discovery during a malware cleanup on a client’s site propelled Austin into what would become a wider investigation of plugin vulnerabilities. What he uncovered is both alarming and timely. Bad actors aren’t just hacking sites directly, but are instead infiltrating the supply chain, either by purchasing plugin companies and weaponising them, or by hijacking plugins and pushing out malicious updates. These attacks are subtle, often shifting plugin update servers away from wordpress.org to rogue channels where malware can be distributed, leaving end users in the dark, and their sites at risk.
We trace Austin’s journey from accidental security investigator to creator of the WP Beacon Project, a resource aimed at tracking, documenting, and alerting the WordPress community to known supply chain attacks.
He shares how AI tools have radically changed what’s possible in threat detection and forensics, enabling individuals, and hopefully someday, the larger hosting providers to identify patterns and root causes behind widespread infections.
We get into case studies of specific plugins compromised in recent months, the challenges of auditing over 60,000 plugins in the wordpress.org repo, and the complexities of stopping these attacks once malicious code is in the wild. Austin also discusses his hopes for greater collaboration with hosts and security researchers aiming for better automated monitoring and response.
If you manage WordPress websites, create plugins, or just care about the future of open source security, this episode is for you.
If you’re interested in finding out more, you can find all of the links in the show notes by heading to wptavern.com/podcast, where you’ll find all the other episodes as well.
And so without further delay, I bring you Austin Ginder.
I am joined on the podcast by Austin Ginder. Hello, Austin.
[00:03:40] Austin Ginder: Hey, good to meet you.
[00:03:41] Nathan Wrigley: Very nice to meet you too. I was put in Austin’s way by I think Courtney Robertson.
Thank you Courtney for that because, on a different podcast, which I do, we were talking about an item, which is very much in the news at the moment. It’s all to do with plugins and security. And whenever I say security, any of the people that I have on the podcast, I feel it’s pretty important that person gets a chance to stamp their credentials into the podcast about themselves. Because it’s one of those areas where a little bit of knowledge can go a long way. Tell us about your background, WordPress hosting, security, those kind of things.
[00:04:16] Austin Ginder: Sure. So I’m a developer, first off. I’ve been running a WordPress hosting service since 2014, and I’ve been working in the WordPress space since 2010. A long timer. I love automation. WPCLI commands, bash scripts. I’m in the weeds on a technical basis.
But in terms of security, I wouldn’t call myself a security expert, which is ironic for this conversation because of some of the things I’ve been finding over the last month or so. And it’s all thanks to AI. AI has been my friend. It’s just right place, right time, getting lucky and also just a mix of everything is changing right now in the world.
[00:04:56] Nathan Wrigley: Yeah. Thank you for that. So as you’re about to hear, we’re not gonna be talking from the perspective of Austin demonstrates how to fix a particular challenge in WordPress. It’s much more of a general thing, and an alert really. It’s a bit of a call to action about a problem which has been systemic in the WordPress ecosystem, well, forever really, since I guess, plugins came along.
And this is all about really change of ownership of plugins, and I could do a job of trying to describe the scenario here, but do you want to just run through what you’ve discovered in the last few weeks, and the three or four incidents that you’ve uncovered and what they mean and how they’ve come about?
[00:05:37] Austin Ginder: Yeah. So in particular, we’re talking about supply chain attacks, and a supply chain attack is a different kind of attack. It’s not a direct, my site got infected with malware or something like that. It runs a little bit more deeper. It’s a scenario where either it can happen a couple different ways.
A hacker might get control over the plugin repo itself, maybe a credential breach, where they sign in and they are acting as the author, and they push out bad code. As a user, you just update your plugin and you don’t realise you’re updating to something that’s harmful for your website.
So that’s one scenario. The other scenario which is crazy to me, but like hackers literally buying companies and then weaponizing the plugins themselves and distributing them through the official channels. So that’s the big story that I was covering this last month. That is just what possesses someone to spend six figures to buy a suite of plugins and then weaponize them and try to get away with it? No, that can’t happen.
[00:06:42] Nathan Wrigley: Except, it does. So let me just reiterate what’s going on there. So if you’ve been to the wordpress.org repository, or indeed you’ve downloaded plugins from third party vendors, maybe a pro version of a plugin or what have you. Usually there is some aspect of the WordPress admin UI, which enables that plugin to be updated by clicking a link or perhaps automated, the update will happen.
Increasingly, I think people are being, have been encouraged to click enable automatic updates. So it just ticks over in the background. Perhaps while you’re asleep, it gets updated to the latest version. This in a universe occupied only by honest people would be absolutely fine. We’d have no problem with that.
However, the scenario that you are describing is that kind of invisibly it’s entirely possible for somebody to sell their plugin or indeed maybe even have their plugin repo hijacked in some way. But let’s go with the sell their plugin scenario, because that’s the easiest one to get a hold of. Sell it to somebody.
Obviously, I would imagine in most cases, assuming that person is a good actor, is just going to carry on doing the nice things that the plugin does, updating the code, and doing security updates and what have you. However, there is zero guardrail to stop them putting whatever they want into the plugin.
And so overnight, a plugin which has been working for a decade or more, doing its job, now suddenly is masquerading. And it may be that the functionality of the plugin is also still there. It’s not like suddenly the plugin just stops working, or it’s really obvious what’s going on. It may be that just a few lines of code have been adapted, modified, there’s some backdoor smuggled in to the plugin. An end user would never know that this was going on. Have I summed that up? Is that about where we’re at?
[00:08:35] Austin Ginder: Yeah, these are bad actors trying to hide themselves. They’re sneaky. They don’t do things that are obvious. Like they’re not just uploading malware to WordPress plugin repo. What they’ll do instead is they might slip a third party updater, which is against the guidelines, clearly. But they can do it a little bit more sneaky.
So if they can get a third party uploader put into their plugin, then they can actually hijack the plugin. Meaning you download a plugin from wordpress.org, and you run auto updates, and it updates not from the wordpress.org version to the newest wordpress.org version. It offloads to their own compromised update channel.
And then once it’s on the update channel, wordpress.org has zero visibility, and you’re just running a hijacked plugin and you don’t even know it. Unless you go in and you run a verify command, from the command line or, you’re scanning for things like this. And then after they get the plugin hijacked, that’s when they compromise your site.
They could do SEO spam attacks, or display ads, or poison the search results from Google’s perspective. Many different things that they do to try to recoup their money in the investment.
[00:09:50] Nathan Wrigley: So let me just run that by you again. So just to make sure I’ve understood. So in this scenario, the plugin, it is like a one time thing in a way, but we’ll explore that as well in a moment. The plugin is acquired by somebody else and potentially some of the behaviour that you’ve seen is that the only part of the plugin that they modify is the location of the update server.
Now, typically that would’ve been over at wordpress.org, and every time you click the update button, you are receiving the repo version of it. However, this updated version will then offload to a third party server somewhere. And at that moment, wordpress.org loses all visibility of what’s going on. As far as they’re aware nothing has happened.
You are now just getting updates from elsewhere. You would never see anything. But obviously whatever payload they wish to put into that plugin is completely invisible to wordpress.org.
Now, I suppose the wordpress.org version, there’d be a telltale sign that this was happening because there would be new and modified code to indicate, oh, look, there’s a third party server in play here. But wordpress.org has no visibility into what the malicious code being updated onto your website is. Again, is that about where we’re at?
[00:11:07] Austin Ginder: Yeah. Everything on wordpress.org is open source. Even the platform itself is open source, so you can see the full code, how everything operates there. And in addition to that, all of the plugin activity happens on SVN, which is like the raw pipeline.
So all of the data is there and available to anyone to go in and audit the data, but it’s, it’s an after the fact situation. Like after a situation happens, you can go back to the raw data and run a full audit to try to piece together all these missing pieces. And all these missing pieces would’ve been impossible to correlate together if it wouldn’t be for AI. Like now we have a superpower where we could just run AI through it all. If we feed it the right points, we can start to make the correlation after the fact as to what happened.
[00:11:59] Nathan Wrigley: Okay, so essentially what you are saying, I think, is that the work of checking this, prior to AI, let’s go with that, it was just too humanly intensive. There were 60 plus thousand plugins on the wordpress.org repo, going back and having a human inspect every single update, every single file, every line of code is, as you can imagine, a completely unrealistic process.
However, now AI really its superpower is its capacity to take a giant corpus of data, and then do things with that data. It’s almost like it can capture the entirety of the internet in one hit. And so that’s what’s enabled you to weed out this sort of stuff.
I have to ask from a personal point of view, why are you doing this? And I don’t mean that the way it sounds, because obviously it’s philanthropic. I’m extremely grateful that you are doing this. But how did you end up taking this on as a, I don’t know, a hobby, a pet project, a sideline?
[00:12:59] Austin Ginder: This is completely accidental, right? The backstory is in February, I saw a huge shift at my own customers’ websites, where sites that have been secure for years and years, all of a sudden were getting malware. The short version of it is while I was doing some malware cleanup for a customer, I uncovered one of these big back doors, and it was just like going through the process.
So malware cleanup before AI was always a little bit of a dicey thing. You can check all the boxes, make sure everything looks good, but you never had the certainty that it was all a hundred percent clean. Did I miss something? But with AI it’s very easy to do a thorough, in depth, investigation.
How did this happen? Where did it come from? Is my site actually clean now? It just crawls over all the files with Claude Code and other tools, and it gives you a nice report. When I had some recent, my own customers that got malware, and I ran through the forensics level style that AI can give, it uncovered some things that made me question, maybe I should look upstream, maybe I should look at wordpress.org. And I started to feed that into the AI and sure enough, there was something there and it was story worthy.
[00:14:13] Nathan Wrigley: So presumably that was then bound to a particular plugin. So your customer, something went wrong, you pointed the AI at it, it gave you a report, pointed you to the wordpress.org repo. And that in theory could have been the end of that. You clean up your client website and move on.
But it sounds like this became much more than that, because over the intervening days and weeks, you found that this was alarmingly, not just a one-off. This was a pattern. And I think the last time I was reading about this, I think you’d found four. I don’t know if four plugins is now up into some other figure or not, but certainly at the time I was reading you’d found four plugins with exactly the same strategy. I don’t know if they were from the same vendor or what have you. Just tell us where you’re at in the middle of May 2026.
[00:15:07] Austin Ginder: Yeah, so I’ve now published four more or less in depth research. Now, I wasn’t the sole finder of all these, but I was the one who actually pointed the AI at it, and got to the root of it. And it uncovered some other things that previous folks hadn’t found. So the crazy thing is all four situations are completely different, and that’s the wild thing.
So the one was, the source was the WordPress Plugin Team. So they saw there was some bad activity happening, with a set of the Essential Plugins package. So that’s like a 30 plus plugins. So they closed down all the plugins. They issued an alert, Hey, your site might be compromised. And they actually put code in the patch of the plugins that would check the wp-config file, was it tampered with by the plugin authors themselves?
So one of my customers saw the notice, flagged me. I scanned it, saw it was compromised, and then that’s when I uncovered how big of a deal it was, the Essential Plugins. It was actually a purchase of a company. That was just one of them.
The other three situations, again it’s all kind of part, it stems back to me overhauling my security system for my clients. The other one was flagged by a new security feature I was implementing where I check all of my customers’ JavaScript embeds.
I’m basically scanning changes over time, hoping to catch like a credit card skimmer, or something else like that for my own customers. Well one of them came back. Something’s weird. It was a widget logic plugin that was embedding some weird sports JavaScript code for one of my sites. And I kept digging and digging into it, and sure enough, it was another supply chain attack on that particular plugin.
So, in all these instances, the WordPress Plugin Team has been fantastic. Very responsive and closing down the plugin, and applying patches, and getting the out there. Yeah, it’s weird. I had no plans to building something like this. I just stumbled upon it and every situation was a different story.
The last one I’ll share is, I was messing around with this idea that, I wonder if I could use AI to hunt through my own customer’s plugins to detect plugins that are running different versions of the code base. You might have Jetpack installed with the latest version, but maybe there’s a variant version Jetpack’s running. That’s the core idea, or the core concept.
So I built this tool with AI to scan my own customers, and it found a variant version of the Quick Redirection Plugin installed. I’m like, what’s going on here? So I dig into it and I had 12 sites running a version of the plugin that wasn’t on wordpress.org. So then I threw it through AI. It told me the difference. And sure enough, like you had to keep digging to actually get to the answer what happened.
But that was a situation where many, the plugin author themselves offloaded most of their customers to a hijacked version. And my own customers years later were running a hijacked version. So I wasn’t directly searching for this stuff, it just came up, and then I’m like, after you get three of them, it’s alright, now I just wanna see if I can find one.
So I built the scanner and while I was scanning the top 2000 WordPress sites, I found one, and it was active. It was active, meaning the plugin, it’s called Scroll To Top. It was wired in to 20,000 sites, but it wasn’t active. So a lot of these bad actors, they will take their time, get a plugin that’s compromised in a lot of people’s sites, and then when the moment’s right, pull a trigger. And then at that point they can start to flow in bad content or SEO and actually do the compromise.
The one that I actually found was a compromise scenario, from what I can tell, the bad actor hadn’t actually pulled the trigger yet. So it was a success story.
[00:19:13] Nathan Wrigley: Yeah, that is really, kind of makes it more alarming in a sense, doesn’t it? Because once I suppose there’s an active exploit, and people are beginning to report what’s going on here? There’s some strange behaviour on a website, I presume at that point eyeballs will fall on what’s going on and work will be done.
However, as you’ve just described maybe months, weeks, possibly years, a plugin can have incredible functionality. It might gain widespread adoption, because it’s doing this one thing particularly well. Just with this dormant code sitting there waiting for the moment that’s opportune. Maybe there’s some scenario in the real world in which it will become a timely thing to be able to deploy that.
That’s really alarming, isn’t it? Because who knows how many websites are currently sitting there with as yet undiscovered, back doors, or problems that we simply don’t know about because they haven’t been triggered? Yeah, that one is really alarming.
Austin, I’m going to give you a little opportunity because you keep saying my clients, and I don’t think we painted the context of that. Just tell us a little bit about what you do and how that aligns you to have an eyeball on so many websites. I think currently, when you say my clients, I think it’s true to say that you’ve got something in the order of 3000 websites that you manage. Now, if you were building those as client websites, that’s a lot of clients. Just tell us what it is that you do, and that might widen the debate a little bit.
[00:20:39] Austin Ginder: No, I don’t do consulting work anymore. So back in 2014, I transitioned into web hosting full-time. I run Anchor Hosting, and my business is, it’s a pretty simple business model. I resell other managed WordPress hosting services, and provide all of the support and maintenance on top of it.
So I primarily use web hosts like Kinsta and Rocket.net. They are larger companies. They have a lot more eyeballs on it. I like to layer as many layers between me and the web host infrastructure as I can, so that I can actually solve what I want to solve. And that’s the WordPress maintenance part.
So I have a little bit more visibility than some. So that is more unique position than most. And I actually would say if there’s any takeaway from this conversation, the takeaway is any hosting company out there that has more data than me, they are sitting on a gold mine and they don’t know it.
Because any site that gets malware, that is the gold. If you can point AI at every malware situation or attack, you can sometimes back channel it to figure out where it actually happened, and start to paint a bigger picture. I would love to get my hands on like a web host that has millions of sites and run some scans, because that’s how you’re going to discover it, weed it out.
[00:21:59] Nathan Wrigley: And there’s maybe patterns going on. I don’t suppose every hacker of WordPress plugins is some kind of evil genius. They might just be, I think what’s often called script kiddies. The idea being that they are taking templates and copying and pasting these ideas far and wide.
And therefore I suppose patterns would emerge and maybe as you said, some of these larger hosts would be able to spot that pattern, and get out in front of these different problems which have, as yet, been undetected.
Okay, so you’ve then taken an additional step. You’ve got yourself a URL, wpbeacon.io. Dear listener, as is always the case, anything that we mention today, so the links to the articles which Austin has written, I will put those in the show notes, but also I’ll link to wpbeacon.io. Just tell us a little bit about that and that, how that’s helping the community.
[00:22:52] Austin Ginder: So WP Beacon was again, an idea I threw together last month. Not a whole lot of planning. But it was just like, okay, I’ve got three of these now. These are basically in depth investigations. Where do you put it? Because this is different than a typical vulnerability database. Like a vulnerability database is really good about endeavour to find bad code.
This is not bad code, this is bad actors. They’re two completely different problems. So I built WP Beacon as like my place to put all these findings. And the idea is actually have it be a legitimate feed for other folks, like another metric or another vulnerability database, but for supply chain attacks in particular.
[00:23:39] Nathan Wrigley: And so I suppose the idea being that people who are, I mean obviously if you’ve got one WordPress website, it’s fairly unlikely that you’ll come across WP Beacon, because you’re not in the business of being in the community or what have you. But if you are somebody that’s, I don’t know, managing multiple clients, half a dozen or what have you, you’re in the WordPress space, this is the kind of thing you might want to know about.
I suppose you are then hoping to be some sort of gatekeeper of knowledge around whether a supply chain attack has occurred. So let’s say for example, I’m considering putting a new plugin in. I find something on the wordpress.org repo, and it looks fine. Everything about it is screaming, yes, install me. I would go over to WP Beacon. I see that you’ve got a search on the homepage. There’s a list of the number of installations that have been covered, authors, tracked plugins that are being watched and what have you. I would be able to, in some way, interact with that website and gain an understanding of, yep, we’ve got nothing on them. Everything looks fine, or no, hold on, have a second thought. This thing happened last month. Is that again? Is that kind of what’s going on there?
[00:24:45] Austin Ginder: I think end users might find value in it, but I think the better target audience is, this is missing security research that security people don’t have. I see it as that. It’s like when I do a report and I put it up on WP Beacon, those identifiers of these bad actors can then be, action can be taken on that by real legitimate security people.
So I have a friend, his name’s Sal. He used to work at Kinsta. So when I was dealing with one of these cleanups, I was messaging him privately. I’m like, hey, Sal, look what I found. And he is, oh, gimme a second. I’m going to take their compromised server offline. I’m like, what do you mean? So he whips it out and he gets their domain suspended, website taken offline. And this is like the crucial gap, right?
The research person wants to make people’s site safe. So if you’re out there and you’ve got a hijacked plugin installed and you don’t know about it, you need a research person, and a security person, to take care of the issue for you. And that is like taking down their infrastructure, taking down the bad actors’ infrastructure.
[00:25:51] Nathan Wrigley: Oh, that is interesting, yeah.
[00:25:53] Austin Ginder: My goal of WP Beacon is just like, this stuff needs to be more visible. We need to be drafting and documenting this is how the supply chain attack happened in this case. And here is all of the identifiers for the security firms to go for, and take down their infrastructure. To give some sort of incentive that like this kind of behaviour isn’t going to be tolerated or a signal to the bad actors like, we’re coming for you. We’re going to find you, we’re going to weed you out.
[00:26:21] Nathan Wrigley: Yeah, so that’s interesting. So connections with hosting companies would certainly be beneficial, wouldn’t it? Because let’s say a bunch of hosting companies are pointing their staff at the WP Beacon data, then you could probably satisfy, I don’t know, 60, 70, 80% of WordPress installs by communicating with the bigger hosts. Because I imagine that’s where the majority of WordPress websites occur. I presume another angle would be the .org repo itself. The team over there, the Plugin Review Team and the Security Team and what have you.
One ray of light, I suppose is that if you fix this, then you have fixed it. Whereas a lot of security problems keep coming back. Well, no, that’s not entirely true, is it? Having said all of that, I was fairly confidently thinking if you can, if you can get the plugin turned off so that it can’t be installed anymore, that’s one thing. If you can switch off the supply chain server, that’s another thing. But there’s going to be loads of different scenarios. It might be that they don’t have a supply chain server. It might be that they’re just defacing your website. And how do we disable that particular functionality and the plugin?
I believe that wordpress.org has in rare situations deployed the, we will overwrite your plugin. I don’t know how to describe that, but I have a memory that in the past, something so catastrophic had happened inside of a wordpress.org repo, that there is the capacity for WordPress to say, okay, we’re taking command here, and we’re going to rewrite your plugins. I don’t think that’s very common, but I think that is something that can be done.
[00:27:59] Austin Ginder: In these situations, that’s exactly what they did. They reverted a patch, closed down the repos, and their patch is what stands.
[00:28:08] Nathan Wrigley: Right.
[00:28:09] Austin Ginder: So I think a lot of what my, what I’m trying to do is complementary to what everyone else is doing. And I think it’s a little bit more, it’s an unexplored area, what WP Beacon is exploring. We have all this data, let’s see what we can get out of it.
But I do share your optimism, and also I would love this to just be a solved problem, and six months later we shut down WP Beacon, like it’s not even needed. But that’s just not how the world works, right? What I do hope will come from this is the bad actors that have been operating for years, 10 plus years, we make it harder for them to operate. I think that would be a more realistic success story of this project.
One of the bigger findings I found this past week, in the last few days, is this bad operator he’s been operating for the last 13 years. And what happens is his accounts get shut down, his plugins get shut down, and he just tries again. He opens up new accounts, new plugins, and he just keeps trying. We’ve got to make it a little bit harder for them.
[00:29:09] Nathan Wrigley: And also what’s really interesting there is that this is not, for you at least anyway, this doesn’t feel like a finished story. This kind of feels like, for you, now that you’ve put yourself in this seat, if you like, it feels each week possibly something new will be coming along, something that you’ve explored? Is that the case? I would like for you to say no at this point, no, there’s nothing new happening, but I get the feeling that there’s quite a lot that you are uncovering on a daily, weekly, monthly basis.
[00:29:37] Austin Ginder: I do think it’s going to be harder and harder to find interesting things based on the raw data, using my technique of just going through and auditing things? That’s a good thing, right? If it’s harder to uncover these problems, that’s a positive indication that something’s happening.
So I think I’ve been extremely lucky by reverse engineering a problem. Like, how does the malware get here? Oh, okay. So then figuring out that there’s a bigger issue at hand. And I also think it’s one of those scenarios that we all think people are searching through the data, but they aren’t. I’ve got a $200 a month Claude Code subscription, and I can search through the data with that. It’s actually feasible for individuals to start auditing the data and to get more eyeballs on this in a way that would never have been possible before.
Yeah, I would encourage people to think bigger. If you’re an individual, you can take your site, download a backup and run it through Claude Code and do a file by file audit. It might take a few, Claude doesn’t like to do this, but it might take a few wranglings. No, look at every line of code and tell me what you see. Do you see vulnerabilities? Do you see malware? Do you see any harmful things there? And an individual can do this, and they can get a very high level detailed report unique for their site.
[00:30:55] Nathan Wrigley: That’s interesting advice. Maybe in the future, some of the pain that you’ve been through with Claude trying to get it to behave in the way that you expect, maybe that would be interesting data to put out? What are the prompts which you’ve seen that work and so on?
One thing which dawns on me, and I don’t really have the answer to this, because the wordpress.org repo, for good reason, has been wide open. What I mean by that is, lots of people can submit code. You don’t necessarily have to have a certain type of credential, or be a certain type of business and so on.
However, if you look out there in the broader tech landscape, things like, I don’t know, the Mac App Store or the iOS App Store or Google’s Play Store. I wonder what their approach is to firstly the onboarding of new plugin developers. But then what the inspection is for updates. When code comes through and it’s purporting to make a minor change to a particular app on your phone, what is being done there?
And I’m guessing that in the WordPress space, the fact that it’s run often by volunteers means that those kind of things are just going to be different. And perhaps those things need to be looked at. There needs to be potentially some more friction that’s added, or some more steps. And I know that a lot of work has been done by the Plugin Review Team to automate as much of that as possible, and to put some steps in place to make it so that those submissions get inspected in a more timely way. But I don’t have an answer. I’m certainly no expert. But it would be curious to see if there’s any lessons to be learned from the broader tech community.
[00:32:30] Austin Ginder: Obviously the openness of WordPress is its power. App Store versus Android, right, kind of comparison? We’re more open source. You could just do what you want. There’s pros and cons, right? So how do we make what we have more safe? And I think the answer to that is everything needs a hundred percent code audited.
How do we get there as quick as possible? That’s a token question. Like, how many tokens can we spend to audit everything? I have fairly good coverage now for my own customer base. What I do is whatever leftover usage I have, I’m auditing all of my plugins. And I do it in a way that’s efficient, meaning I only audit this one plugin version once. That gets assigned to a hash, a unique hash. Then I know, oh, okay, so all of my sites using that same variant are covered.
So a hundred percent code coverage is what we need to do now. And then long term, also concurrently, we need to start auditing any changes that come over the wire. It’s a lot, right? Like wordpress.org is very popular. There’s a lot of code, but I do think it’s in a realm of realistic. If you are able to shave out a lot of the noise, we don’t have to audit everything. We don’t have to see every CSS file you’re changing, or image you’re changing. But we do have to look over every PHP line, every JavaScript line, that there’s nothing harmful in there. And then eventually we’ll start to catch things.
And I don’t think it’s necessarily a one off thing. We don’t have to wait around for Automattic to come up with a solution. The data is out there. Anyone with a laptop and a subscription could just create a mirror and see what changed over the last day, and then start auditing that. I think people think it’s too impossible.
[00:34:18] Nathan Wrigley: It feels like a large cliff that you’re staring at, at the beginning of this. And certainly in the past before AI, that cliff was, I imagine, more or less impenetrable. But now the way that you’ve described, perhaps AI can be co-opted to do a lot of this work for us?
I wonder what you’ve got, if you’ve got any thoughts on the sort of permissions system. So I know that other, let’s say CMSs and certainly devices like Android devices and iOS devices, they come with permissions based systems. So for example, this code, it’s allowed access to the root file structure. Or it’s allowed access to the camera, or whatever it may be.
And I know that there’s been debate in the WordPress ecosystem recently about whether something like that would be a good idea. At the moment, plugins, all bets are off. If you put a plugin in, it’s more or less got access to anything on your WordPress website.
That’s an absolute strength of WordPress because it enables anybody to do anything. But I suppose given that it can enable anybody to do anything, it also presents a very large threat surface as well. I don’t really have the answer to that. I just think that’s a curious thing to raise and see if you’ve got any thoughts.
[00:35:29] Austin Ginder: I guess my initial thought is I don’t necessarily want my WordPress site to feel like my laptop, where I’m constantly clicking things.
[00:35:35] Nathan Wrigley: Yeah. Grant permission for this.
[00:35:38] Austin Ginder: I don’t know what the solution is either. I think some of those ideas are great when you’re thinking about making something from scratch, but they are not as relevant when you already have an existing ecosystem. Like you can’t, I would think it’d be very hard to bring some of those concepts into WordPress at this point. We’re already past that.
[00:35:59] Nathan Wrigley: That ship has definitely sailed.
[00:36:00] Austin Ginder: I want to be in the Wild West. I want to be able to code and do what I want to do. And especially with AI. If I got an idea, I just want AI to go to town, write me up the plugin to my spec, and not have to deal with some of those extra safeguards.
It’d be great if we could find some way to make things more secure from an architectural standpoint, but that’s an architecture problem probably best suited for a new project.
[00:36:22] Nathan Wrigley: The truth is that this will never, ever be solved. I mean security problems online. There will be no point in the future at which everything is always safe, because humans are ingenious, and there are really credible, credible is the wrong word. There are ways to make money, or to make it worthwhile for the bad actors to be doing the bad things. And so long as those incentives exist, there will be people trying to hijack websites, undermine the security of your computer or phone or whatever it may be. But this is certainly an interesting one.
And it’s such a shame because with the benefit of hindsight, this was so obvious, and yet it hasn’t been a news story. Maybe it has in the past, I’ve certainly not come across it. But this whole supply chain thing is fairly new to me, and fairly alarming in the simplicity of deployment.
You literally purchase, or somehow get hold of, a popular plugin, not necessarily even a popular plugin, a plugin. And then instantaneously every one of those websites is up for grabs in whichever way you would like to grab it. Definitely something that the WordPress community’s going to have to wrangle with.
Okay. I think we’ve hit the sweet spot in terms of time Austin. If it’s all right with you, we will wrap it up there. However, before we go, do you just want to drop a few little bits about where people could contact you? I am more or less certain that somebody listening to this podcast will have thoughts for you about getting in touch, helping out, or what have you. So tell us where you can be found.
[00:37:55] Austin Ginder: You can find me just by searching for my name, Austin Ginder. There’s not many Ginders. I’m on X, that’s my main feed. And you can also read along on anchor.host. I do blog posts there pretty regularly.
[00:38:09] Nathan Wrigley: Okay. In which case I will just point everybody to the wptavern.com website. If you go and use the search feature, search for Austin Ginder. Austin, spelled in the usual way. Ginder, G-I-N-D-E-R. You’ll find the episode and anything that has been mentioned, any links or what have you, we will link to there.
So thank you for chatting to me today about what I wish didn’t exist, but it does exist. Austin, thank you so much.
[00:38:34] Austin Ginder: Thank you. This was a pleasure.
On the podcast today we have Austin Ginder.
Austin has been involved in the WordPress ecosystem since 2010, and since 2014 has run Anchor Hosting, a business that manages thousands of WordPress websites. While he’s a developer and automation enthusiast at heart, in recent months Austin has found himself at the forefront of a burgeoning crisis in WordPress security: supply chain attacks targeting plugins.
A chance discovery during a malware cleanup on a client’s site propelled Austin into what would become a wider investigation of plugin vulnerabilities. What he uncovered is both alarming and timely: bad actors aren’t just hacking sites directly, but are instead infiltrating the supply chain, either by purchasing plugin companies and weaponising them, or by hijacking plugins and pushing out malicious updates. These attacks are subtle, often shifting plugin update servers away from WordPress.org to rogue channels where malware can be quietly distributed, leaving end users in the dark and their sites at risk.
We trace Austin’s journey from accidental security investigator to creator of the WP Beacon project, a resource aimed at tracking, documenting, and alerting the WordPress community to known supply chain attacks. He shares how AI tools have radically changed what’s possible in threat detection and forensics, enabling individuals, and hopefully, someday, the larger hosting providers, to identify patterns and root causes behind widespread infections.
We get into case studies of specific plugins compromised in recent months, the challenges of auditing over 60,000 plugins on the WordPress.org repo, and the complexities of stopping these attacks once malicious code is in the wild. Austin also discusses his hopes for greater collaboration with hosts and security researchers, aiming for better automated monitoring and response.
If you manage WordPress websites, create plugins, or just care about the future of open source security, this episode is for you.
Useful links
wordpress.org plugin repository
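The approach Austin describes in the episode (audit each plugin version once, key the result to a hash, and look only at PHP and JavaScript rather than CSS or images) can be sketched as follows. This is an added example, not code from the podcast, Anchor Hosting or WP Beacon; the extension list, the function names and the plugin trees built in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files that carry executable logic. CSS, images and readme files are ignored,
# so cosmetic changes do not trigger a new audit. (Assumed list for this example.)
CODE_EXTENSIONS = {".php", ".js"}


def code_file_hashes(plugin_dir):
    """Map relative path -> SHA-256 for every code file under plugin_dir."""
    root = Path(plugin_dir)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CODE_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def plugin_fingerprint(plugin_dir):
    """One hash per plugin variant, computed over code files only."""
    digest = hashlib.sha256()
    for rel, file_hash in sorted(code_file_hashes(plugin_dir).items()):
        digest.update(f"{rel}\0{file_hash}\n".encode("utf-8"))
    return digest.hexdigest()


def build_audit_queue(installs, audited):
    """Group installs by fingerprint; return only variants not yet audited.

    installs: list of (site_name, plugin_dir); audited: set of fingerprints.
    Returns {fingerprint: [site_name, ...]} so one audit covers every listed site.
    """
    queue = {}
    for site, plugin_dir in installs:
        fp = plugin_fingerprint(plugin_dir)
        if fp not in audited:
            queue.setdefault(fp, []).append(site)
    return queue


def changed_code_files(old_dir, new_dir):
    """Code files an update added, removed or modified: the part worth reviewing."""
    old, new = code_file_hashes(old_dir), code_file_hashes(new_dir)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def write_tree(root, files):
    """Write a {relative_path: content} mapping to disk under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


def demo():
    # Constructed sample plugin trees (not real plugins).
    v1_0 = {
        "gallery.php": "<?php\n// constructed sample, version 1.0\n"
                       "function gallery_render() { return '<div></div>'; }\n",
        "style.css": ".gallery { margin: 0; }\n",
        "readme.txt": "Stable tag: 1.0\n",
    }
    v1_0_restyled = dict(v1_0, **{"style.css": ".gallery { margin: 4px; }\n"})
    v1_1 = dict(v1_0, **{
        "gallery.php": v1_0["gallery.php"] + "function gallery_init() { return true; }\n",
        "assets/lightbox.js": "// constructed sample\nfunction openLightbox() {}\n",
        "readme.txt": "Stable tag: 1.1\n",
    })
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {}
        for site, files in (("site-a", v1_0), ("site-b", v1_0_restyled), ("site-c", v1_1)):
            dirs[site] = Path(tmp) / site / "gallery"
            write_tree(dirs[site], files)
        installs = list(dirs.items())
        queue = build_audit_queue(installs, audited=set())
        fp_a = plugin_fingerprint(dirs["site-a"])
        return {
            "fingerprint_a": fp_a,
            "fingerprint_b": plugin_fingerprint(dirs["site-b"]),
            "fingerprint_c": plugin_fingerprint(dirs["site-c"]),
            "queue": queue,
            "queue_after_audit": build_audit_queue(installs, audited={fp_a}),
            "changes": changed_code_files(dirs["site-a"], dirs["site-c"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Three installs collapse to two audits because the CSS-only difference on `site-b` does not change the fingerprint, and the update diff lists only the PHP and JavaScript files that need review.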
Open Channels FM: BackTalk on Decentralized Interoperability, Data Sovereignty, and the Power of Local Community
The challenges of decentralized networks, data sovereignty complexities in hosting, and the importance of local connections within the tech community to foster collaboration and growth.
How to Optimize Your WooCommerce Product Pages for SEO
Getting traffic to your WooCommerce store can be tough when your product pages don’t show up in Google.
Plenty of store owners sell great products but still miss out on search traffic because their pages aren’t properly optimized.
Often, the issue isn’t the product. It’s the way the product page is set up for SEO.
Small details like weak titles, thin descriptions, or missing schema can hold a page back from ranking, even when the product itself is solid.
In this guide, I’ll walk you through how to optimize WooCommerce product pages step by step.
I’ll show you how to improve titles, descriptions, images, and SEO settings so your products have a better chance of ranking and bringing in consistent traffic.

💡Quick Answer: How Do You Optimize WooCommerce Product Pages for SEO?
To optimize your WooCommerce product pages, you need to improve key areas like titles, descriptions, images, and schema. This helps your products rank higher in Google and attract more customers.
Using an SEO plugin like AIOSEO makes it easy to manage these settings without any code.
Why Is WooCommerce Product Page SEO Important?
WooCommerce product page SEO is important because most product pages don’t rank in search results, which means those online stores miss out on free, high-intent traffic.
I’ve seen product pages struggle to rank simply because they use thin or duplicate descriptions, have poorly optimized titles, or are missing key SEO metadata.
When you fix these issues, your product pages have a much better chance of:
- Showing up in Google for buying-intent keywords
- Bringing in consistent, free traffic without relying on ads
- Unlocking rich snippets like price, reviews, and ratings that help your listings stand out in search results
Unlike blog posts, product pages target people who are already close to making a purchase. That’s why even small SEO improvements can directly impact your sales.
💡 Expert Tip: If you’re not sure how your product pages are performing, the best way to find out is by using Google Analytics to track traffic and conversions.
I recommend MonsterInsights for this. It connects your WooCommerce store with Google Analytics and lets you view your most important eCommerce data directly inside WordPress.
To get started, follow our guide on tracking WooCommerce conversions.
Now, let’s look at my expert tips to improve your product page SEO. You can also use the links below to jump to a specific tip:
- Step 1: Set Up WooCommerce SEO the Right Way
- Step 2: Write SEO-Friendly Product Titles
- Step 3: Optimize Your Product Descriptions for Search
- Step 4: Add Product Schema (Rich Snippets)
- Step 5: Optimize Product Images for SEO
- Step 6: Improve Category & Tag SEO in WooCommerce
- Step 7: Add Internal Links Between Products
- Step 8: Use Customer Reviews to Boost Product SEO
- Step 9: Optimize Product Pages for Speed and Mobile
- Step 10: Track Your WooCommerce SEO Performance
- How SEO Differs by Product Type
- Bonus: How to Turn SEO Traffic Into More Sales
- More Best Practices for WooCommerce Product SEO
- Frequently Asked Questions About Optimizing Product Pages for Search Engines
Step 1: Set Up WooCommerce SEO the Right Way
Before you start optimizing individual product pages, it’s important to set up your SEO foundation correctly. This helps ensure that everything you do later actually has an impact.
The easiest way to do this is by using All in One SEO. It’s the best WordPress SEO plugin on the market that gives you full control over how your WooCommerce store appears in search engines.
We use AIOSEO at WPBeginner to improve our rankings, and it has helped us achieve steady, long-term growth in search traffic.

If you want a deeper look at its features, you can check out our full AIOSEO review.
First, you need to install and activate AIOSEO on your WordPress site. If you’re not sure how to do this, follow our step-by-step guide on installing a WordPress plugin.
While AIOSEO has a free version, the WooCommerce SEO module and automatic product schema we’ll use in this guide come with its paid plans. You can sign up for the AIOSEO plan that best fits your store.
Once activated, run the setup wizard. It will guide you through the basic SEO configuration step by step, so you don’t miss anything important.

After that, enable the WooCommerce SEO features by going to the All in One SEO » Search Appearance » Content Types page. Then, switch the ‘Show in Search Results’ option in the ‘Products’ section to ‘Yes.’
This unlocks specific optimizations for product pages, product categories, and other store-related content.

Once everything is set up, you’ll notice that your product SEO settings are now available directly inside the WordPress editor when you open a product page.
This is where you can control things like SEO titles, meta descriptions, and other search appearance settings.

By default, WooCommerce gives you very basic SEO options. But with a proper setup, you get much more control over how your product pages appear in Google.
For detailed instructions on setting up your store’s SEO foundation, please see our guide on WooCommerce SEO.
Step 2: Write SEO-Friendly Product Titles
Your product title is one of the most important SEO elements on your WooCommerce page. It helps Google understand what you’re selling and also influences whether users click on your listing in search results.
A simple formula you can follow is:
Primary Keyword + Key Feature + Modifier
For example, instead of a basic title like: “Running Shoes”
You can improve it to something like: “Lightweight Running Shoes for Men – Breathable & Durable”

The second version is descriptive, includes keywords naturally, and gives users a reason to click.
How to Find Product Keywords
Before writing your title, you need to know what keywords your customers are searching for. You can find these by:
- Using Google’s Autocomplete: Start typing your product name into Google and see what suggestions appear. These are common search terms.
- Checking Competitor Pages: Look at the titles and descriptions of top-ranking competitor products for keyword ideas.
- Using a Free Keyword Tool: Tools like WPBeginner Keyword Generator can help you find search terms related to your product and see how many people are searching for them.
For more information, see our guide on doing keyword research.
How to Optimize Your Product Title in WooCommerce
You can edit your product title inside the WooCommerce product editor at the top of the page.
This is your main product name, and it usually appears on your site as the product heading.

However, this is not the only title that matters for SEO.
If you’re using AIOSEO, you’ll also see a separate SEO title field inside the ‘AIOSEO Settings’ box below the product editor.
This is the title that search engines may use in results, and it gives you more control over how your product appears in Google.

Instead of relying only on your default WooCommerce product title, AIOSEO lets you fully customize your SEO title using smart tags, dynamic attributes, and even AI suggestions.
To optimize it properly, scroll down to the ‘AIOSEO Settings’ section. Then, click on ‘View All Tags’ above the ‘Product Title’ field to explore available smart tags.
Next, look for a relevant smart tag like ‘Product Category’ and select it. This allows you to automatically include the product’s category in your SEO title, making it more descriptive and search-friendly.
You can also include different types of product details such as:
- Brand
- Price or sale information
- SKU
Among these, brand and product category tend to perform best because they closely match how people search on Google when they’re ready to buy.
To make this even easier, AIOSEO includes an AI title generator. Simply click the star icon in the ‘Product Title’ field.
📍Note: The AI generation tool is available in the Pro version of AIOSEO.

This will open a prompt where you can choose your tone and target audience, and then click ‘Generate SEO Title.’
AIOSEO will use your existing product title and description to understand what your product is about and generate optimized title suggestions based on that context.

Expert Tips for Writing Better Product Titles
A few simple patterns work well when it comes to writing product titles in WooCommerce.
These aren’t complicated tricks, but small adjustments that can make a big difference in how your products perform in search results.
| Tip | Why It Helps |
|---|---|
| Put your main keyword first. | Google usually cuts off the SEO title around 50 to 60 characters, so the buying-intent term should appear before that cut-off. |
| Lead with the detail that sets the product apart. | The brand, model, or a key spec works better near the front than buried at the end, where it can get cut off. |
| Use the exact words shoppers search for. | “running shoes for men” matches real searches far better than “men’s footwear”. |
| Skip ALL CAPS, extra symbols, and keyword stuffing. | These look spammy and can lower your click-through rates, and stuffing breaks Google’s spam policies. |
Optimize Your Product URL (Slug)
Your product URL, also called the slug, is another small detail that affects SEO. A short, readable slug with your main keyword in it helps both Google and shoppers understand the page before they even click.
When you add a product, WooCommerce creates a slug from the title automatically. You can edit it from the ‘Permalink’ link that appears just under the product title in the editor.

Keep it short and drop filler words, dates, and any auto-generated clutter like random numbers or SKUs.
A slug like /product/p-12345/ tells search engines nothing, while /product/blue-running-shoes-men/ matches what people actually search for.
📍Note: If a product is already published and indexed, then changing its slug changes its URL. Set up a 301 redirect from the old URL to the new one so you don’t lose rankings or send visitors to a broken page. AIOSEO’s Redirection Manager (a paid feature) can handle this for you.
Step 3: Optimize Your Product Descriptions for Search
Once your product titles are set up, the next thing to focus on is your product descriptions.
Your descriptions play a big role in helping search engines understand your product, and they also help convince customers to buy once they land on your page.
Before you start writing, it’s important to understand how WooCommerce structures product descriptions.
There are two main areas:
- The short description, which appears near the top of the product page. This is where you give a quick summary of the product in a few lines.
- The long description, which appears further down the page. This is where you add detailed information and SEO content.

Now that you understand the structure, let’s look at how to actually write and organize your product descriptions for better SEO.
How to Structure Your Product Description
A well-optimized product description doesn’t need to be complicated. In fact, following a simple structure usually works best for both SEO and readability.
Here’s a proven flow you can use:
- Start with a benefit-led opening line. Lead with what the product does for the buyer, not just what it is.
- List the key features and specs. Cover the details a shopper checks before buying, like size, materials, or what’s included.
- Explain who it’s for. Name the use cases or the type of customer, so the right buyer knows they’re in the right place.
- Add social proof or a guarantee. A short line about reviews, ratings, or a return policy helps build trust.
- End with a clear call to action. Tell the shopper exactly what to do next, like ‘Add to Cart’ or ‘Choose your size’.
Once your structure is in place, the next step is making sure your descriptions are actually optimized for scale, especially if you manage multiple products.
💡My Recommendation: Use AI for Product Descriptions
If you’re running a WooCommerce store with even a small number of products, then writing and updating descriptions manually can quickly become time-consuming.
This is where AI tools can really help speed things up while keeping your content consistent. One of the best options for this is Uncanny Automator.

It’s a powerful WordPress automation plugin that connects your WooCommerce store with OpenAI. This means you can automatically generate product descriptions whenever you add new products.
It’s especially useful for larger stores because it removes the need for repetitive manual writing and can save you a lot of time.
Just keep in mind that the free version includes a limited, one-time batch of credits for connected apps like OpenAI, so ongoing automatic generation will need a paid Uncanny Automator plan.

If you’re just getting started or running a smaller store, then StoreAgent is a great alternative.
It’s an all-in-one AI tool built specifically for WooCommerce, and its content feature lets you generate product descriptions with just one click.
The main difference is that StoreAgent generates descriptions on demand rather than automatically: you can run it on a single product or in bulk across many products, but it won’t fire on its own when you add a new product the way Uncanny Automator does. It’s very beginner-friendly and easy to use.

For step-by-step instructions, I suggest taking a look at our tutorial on auto-generating product descriptions in WooCommerce with AI.
Step 4: Add Product Schema (Rich Snippets)
Now that your product content is properly optimized, the next step is to help search engines understand your product in more detail. This is where product schema markup becomes important.
Product schema is like a behind-the-scenes cheat sheet that tells search engines exactly what your product is.
It gives Google extra context, allowing it to display additional information directly in search results, such as price, availability, ratings, and even SKU details.

How to Add Product Schema in AIOSEO
AIOSEO automatically adds product schema for WooCommerce products. However, you can customize it to make your listings even more detailed.
To do this, open your product in the WooCommerce editor and scroll down to the ‘AIOSEO Settings’ box. Then switch to the ‘Schema’ tab.
Here, you’ll see the existing Product Schema already applied. You can click the pencil icon to edit it and add additional details that help Google better understand your product.

You can include extra product identifiers such as:
| Field | What It Means / How to Use It |
|---|---|
| GTIN | A global product identifier (very useful for Google Shopping and product recognition) |
| MPN | Manufacturer Part Number used to uniquely identify a product |
| ISBN | Used only for books and publications |
| Material | The main material the product is made from (e.g. cotton, leather, plastic) |
| Color | The product’s color (helps improve search relevance and filters) |
| Pattern | The design pattern, such as polka dots or striped (if applicable) |
| Size | Use labels like S, M, L, XL instead of physical dimensions |
| EU Energy Rating | Energy efficiency rating (mainly for appliances and electronics) |
| Audience Details | Includes gender, minimum age, or maximum age when relevant |
I strongly recommend filling in as many of these fields as possible, especially GTIN, brand-related identifiers, and key product attributes.
They help improve product visibility and accuracy in search results.

You can also add separate schema types for FAQs and product reviews if you’ve included them in your product page. To do this, click the ‘Generate Schema’ button inside AIOSEO.
This opens the schema generator.
From here, you can add FAQ schema for any product-related questions you’ve already answered in your description, and Review schema if your product pages feature genuine customer reviews.
A couple of things to keep in mind: Google now shows FAQ rich results mainly for government and health sites, so a store usually won’t get the expandable FAQ snippet. And it only displays review stars for authentic customer reviews, not testimonials you write or collect yourself.
But the schema still helps search engines understand your page, so it’s a good idea to add it.

Adding these extra schema types helps your product qualify for richer search results in Google, which can make your listings more noticeable and improve click-through rates.
For more detailed instructions, I suggest checking out these guides:
- How to Add GTIN, ISBN & MPN Schema in WordPress
- How to Add Schema Markup in WordPress and WooCommerce
- Beginner’s Guide to Adding FAQ Schema in WordPress
- How to Add Multiple Locations Schema for Local Business in WordPress
How to Test Your Product Schema
Once your schema is set up, it’s a good idea to test it to make sure everything is working correctly. You can do this using Google’s Rich Results Test tool.
Simply enter your product page URL, and it will show you whether your schema is valid and if your product is eligible for rich results.

If there are any issues, the tool will also highlight what you need to fix. You can then use these insights to troubleshoot, review the affected schema fields, and make the necessary corrections.
After making the corrections, you can re-test the page to confirm it’s eligible for rich results.

📍Note: It may take some time for Google to re-crawl your page and recognize the new schema. If you don’t see the changes immediately, try clearing your site’s cache before testing again.
Step 5: Optimize Product Images for SEO
Unoptimized images can quietly hurt your WooCommerce SEO without you even noticing.
Large file sizes slow down your pages, generic filenames don’t help search engines understand your content, and missing alt text means you’re missing out on extra ranking opportunities, especially in Google Images.
Properly optimized images, on the other hand, can improve page speed, boost accessibility, and even bring in additional traffic from image search results.

Product Image SEO Checklist
Before you even upload product images to WooCommerce, it’s important to optimize them properly.
At WPBeginner, our team follows a simple image optimization process that has helped our site load faster, rank better in Google Images, and improve the user experience for our readers.
Here’s the exact approach I recommend when optimizing product images:
- Rename Image Files Before Uploading Them: Instead of leaving default names like IMG1234.jpg, use clear, descriptive filenames that reflect the product. For example, blue-running-shoes-men.jpg. This helps search engines understand the image context better.
- Choose the Right Image Format (PNG vs JPEG): JPEG is best for product photos because it offers good quality with smaller file sizes. PNG is better when you need transparency or sharper graphics. Choosing the right format helps balance quality and performance.
- Compress Images Before Uploading: Large images can slow down your store. For a quick one-off fix, a tool like TinyPNG compresses images without noticeable quality loss. If you’d rather not compress every image by hand, then a plugin like Envira CDN can automatically optimize your product images and serve them from a fast global network as your pages load. Either way, try to keep each product image file size under 100 KB.
- Keep Image Dimensions Consistent Across Your Store: Using the same image size for all products creates a clean, professional layout and prevents layout shifts that can affect user experience.
- Add Descriptive Alt Text for Every Product Image: Alt text should briefly and accurately describe what’s shown in the image. For example, ‘Blue running shoes for men on white background.’ This improves SEO, helps with image indexing in Google, and also supports accessibility for screen readers.
For a full step-by-step breakdown, check our guide on how to optimize images for SEO in WordPress.
After image optimization, you can upload and manage them properly inside WooCommerce.

If you’re not sure how to do that, I recommend looking at the following tutorials:
- How to Create a WooCommerce Product Image Gallery
- Beginner’s Guide to Adding Product Videos to Your WooCommerce Galleries
Step 6: Improve Category & Tag SEO in WooCommerce
Store owners often ignore WooCommerce categories and tags, but they can be a powerful source of organic traffic when you optimize them properly.
In many cases, category pages can rank more easily than individual product pages because they target broader, high-intent search terms.
To take advantage of this, you need to make sure your category pages are not just empty listings of products. They should also include useful SEO content that explains what the page is about.

How to Optimize WooCommerce Categories for SEO
Start by adding a short but helpful category description that clearly explains what types of products belong in that category. This gives both users and search engines a quick understanding of the page’s purpose.
To do this, go to the Product » Categories page in your WordPress dashboard and click the ‘Edit’ link under any category.

This will open a new screen where you can add or update the category description.
Once that’s done, scroll down to the ‘AIOSEO Settings’ box, where you can configure the SEO settings for the category page.

Here, you’ll be able to optimize key elements such as:
- Category Title: You can use smart tags to build dynamic titles. AIOSEO also lets you click ‘View All Tags’ to insert variables into your title. You’ll see options like site title, separators, and category name to structure it properly.
- Meta Description: This is where you write a short summary of the category page. You can also use dynamic tags like ‘Category Description’ to automatically pull in information.

The same SEO settings are also available for product tags, so you can apply similar optimizations there as well. Just go to the Product » Tags page and repeat the process.
For more detailed guidance, you can check our article on categories vs tags – SEO best practices for sorting your content.

Step 7: Add Internal Links Between Products
Internal links help search engines understand the structure of your WooCommerce store and discover more of your product pages.
At the same time, they improve user experience by guiding shoppers to relevant products instead of leaving them after viewing just one page.
In many stores, even a small improvement in internal linking can lead to better rankings and noticeably higher conversions.

How to Add Internal Links in WooCommerce
Here are the main ways you can add internal links inside your WooCommerce store, along with simple examples:
| Method | How It Works | Example | Why It Helps |
|---|---|---|---|
| Upsells | Suggest a better or upgraded version of the same product on the product page | ‘Premium Running Shoes’ shown under a basic shoe listing | Encourages users to upgrade and increases average order value |
| Cross-sells | Recommend related or complementary products in the cart | ‘Sports Socks’ suggested when adding running shoes to cart | Increases total cart value at checkout |
| Related Products | Automatically or manually display similar products based on category or tags | Showing ‘Men’s Running Shoes’ under a shoe product | Helps users discover more relevant items |
| In-description links | Add natural links inside product descriptions pointing to other products | Linking ‘running gear collection’ inside a shoe description | Improves SEO and keeps users browsing your store |
You can set these up directly in the WooCommerce product editor. Go to the ‘Product data’ section and click on the ‘Linked Products’ tab.
Here, you can search for and select specific products to feature as upsells or cross-sells for the item you are editing.

If you want to take this further, I suggest checking out our following articles:
- How to Show Product Recommendations in WordPress
- How to Display Popular Products on WooCommerce Product Pages
- Beginner’s Guide to Showing Frequently Bought Together Products in WooCommerce
Common Mistakes to Avoid When Internal Linking WooCommerce Products
Internal linking is powerful, but it only works well when done correctly. Here are a few common mistakes store owners make:
- Not Updating Links When Products Change or Get Removed: Broken or outdated internal links can hurt both SEO and user experience. So, it’s important to review them regularly.
- Overloading Product Pages with Too Many Links: Adding too many internal links inside a single product description can feel spammy and distract users instead of helping them.
- Linking Unrelated Products: Internal links should always feel natural and relevant. For example, linking running shoes to kitchen appliances doesn’t make sense and can confuse both users and search engines.
- Using Generic Anchor Text Like ‘Click Here’: Instead, use descriptive anchor text like ‘men’s running shoes’ or ‘winter sports collection’ so search engines understand the context.
For more tips and tricks, see our list of best SEO practices for internal linking.
Step 8: Use Customer Reviews to Boost Product SEO
Customer reviews are one of the easiest ways to keep your product pages working for you long after you publish them.
Every review adds fresh, keyword-rich content to the page over time, which helps search engines see that the product is still relevant. Reviews also build trust with shoppers, so more visitors feel confident enough to buy.
For more ideas, see our guide on how to encourage more customer reviews.
I also highly recommend using Smash Balloon Reviews Feed to display customer reviews on your website. It automatically pulls testimonials from external platforms like Trustpilot, Google, and Yelp, as well as your WooCommerce store.

For details, see our guide on how to display WooCommerce reviews in WordPress.
Step 9: Optimize Product Pages for Speed and Mobile
A slow product page can cost you sales, even when everything else is set up well. If a page takes too long to load on a phone, then many shoppers leave before they ever see your product.
Google also looks at page experience as part of how it ranks pages. It is a smaller, tiebreaker-style signal rather than a major one. But when two product pages are otherwise similar, the faster, more mobile-friendly page tends to win.
Google measures this with three Core Web Vitals: how quickly the main content loads (Largest Contentful Paint), how fast the page responds when someone taps or clicks (Interaction to Next Paint), and how stable the layout stays while it loads (Cumulative Layout Shift).
You don’t need to memorize those terms. The good news is that a few beginner-friendly steps cover most of what they measure.
- Use a Caching Plugin: Caching saves a ready-made version of your pages so they load faster for visitors. This is one of the easiest ways to speed up a WooCommerce store.
- Choose Fast, Quality Hosting: Your host has a big impact on load times. A slow, low-quality server will hold your pages back no matter how well you optimize everything else. See our pick of the best WooCommerce hosting for recommendations.
- Pick a Lightweight Theme: Some themes add a lot of extra code that slows pages down. A simple, well-coded theme gives your store a faster starting point. For options, see our pick of the fastest WooCommerce themes.
For a deeper walkthrough, see our guide on how to speed up your WooCommerce store.
Step 10: Track Your WooCommerce SEO Performance
Once you have optimized your product pages for SEO, it’s equally important to track how those changes are performing.
This is the only way to know whether your optimizations are actually driving more traffic, clicks, and sales, or if something still needs improvement.
Set Up Tracking with MonsterInsights
To make this easier, I recommend using MonsterInsights, which is the best Google Analytics plugin for WordPress.
It connects your WooCommerce store with Google Analytics and shows your most important eCommerce data directly inside your WordPress dashboard.
We use MonsterInsights at WPBeginner because it simplifies analytics and makes it easy to understand what’s happening on our sites without digging through complex reports.
You can learn more in our detailed MonsterInsights review.
Key Metrics You Should Track
Once you have set up Google Analytics with MonsterInsights, here are the most important metrics to focus on:
- Organic Traffic: This shows how many visitors are coming to your store from search engines like Google. An increase here usually means your SEO improvements are working.
- Search Clicks and Impressions: This helps you understand how often your product pages are appearing in search results and how many users are actually clicking through.
- Product Conversions: This is the most important metric for any WooCommerce store. It tells you how many visitors are turning into paying customers after landing on your product pages.
Tracking these metrics over time gives you a clear picture of your SEO progress. Instead of guessing, you can make data-driven decisions to improve your product pages and increase sales.

To properly measure this, follow our guide on WooCommerce conversion tracking.
How SEO Differs by Product Type
Keep in mind that different product types need slightly different SEO approaches depending on how customers search for them and how they interact with your store.
Once you understand these differences, it becomes much easier to fine-tune your product pages for better rankings and conversions.

Simple Products
Simple products are the easiest to optimize because they have just one version with no variations.
For these products, your main focus should be:
- Writing strong, keyword-rich product titles
- Creating clear and helpful product descriptions
- Using relevant keywords naturally in your content
Since there are no variations, the goal here is to make the product page as clear and descriptive as possible so search engines fully understand what you’re selling.
Variable Products
Variable products (like size or color options) need a bit more attention because each variation can influence how users search.
For example, someone might search for “black running shoes size 10” or “red cotton t-shirt medium”.
In WooCommerce, you can optimize these variations by:
- Setting clear attributes such as size, color, material, or style
- Using those attributes in your SEO strategy (especially in titles and descriptions where relevant)
- Ensuring variation names are consistent and descriptive
- Uploading a unique, optimized image for every variation (e.g., a specific photo for the red shirt, and another for the blue shirt)
Inside your product editor, go to the ‘Attributes’ and set variations for your product. This is where you define options like size and color.
Once set, these attributes can also be used in your SEO titles if you’re using AIOSEO smart tags.

Digital Products
Digital products (like eBooks, plugins, courses, or downloads) require a slightly different SEO approach because users are often searching based on intent rather than physical features.
Instead of focusing on size or material, you should focus on:
- What problem the product solves
- What users can achieve with it
- Specific use cases (for example, “SEO checklist template” or “WordPress speed optimization guide”)
The goal is to clearly communicate value and outcomes, not physical characteristics.
Grouped Products
Grouped products combine multiple related items into one product page. For SEO, this gives you a strong opportunity to build internal links and improve product discovery.
To optimize grouped products:
- Make sure each individual product in the group is fully optimized
- Use internal linking between grouped items where relevant
- Highlight how products work together as a collection
This helps both users and search engines understand the relationship between products and improves overall visibility.

By adjusting your SEO approach based on product type, you make your WooCommerce store more structured, more relevant to search intent, and ultimately more effective at driving sales.
Bonus: How to Turn SEO Traffic Into More Sales
Getting SEO traffic is only half the job. Once visitors land on your WooCommerce store, the real challenge is turning that traffic into actual customers.
This is where conversion optimization becomes just as important as SEO. Even small improvements in your store experience can make a big difference in how many visitors end up buying your products.
One tool that helps with this is FunnelKit. It’s designed specifically for WooCommerce stores and focuses on improving the entire buying journey so you don’t lose customers after they click through from search engines.

With FunnelKit, you can optimize key parts of your store that directly impact conversions.
For example, it lets you create smoother checkout experiences, add order bumps to increase average order value, and build upsell flows that recommend relevant products at the right time.

Instead of sending traffic straight to a standard checkout, FunnelKit helps guide users through a more optimized purchasing journey that reduces friction and increases sales.
If you want to go deeper, you can follow our guide on conversion rate optimization for more practical, step-by-step strategies.
More Best Practices for WooCommerce Product SEO
To get the best long-term results from your WooCommerce SEO efforts, it’s important to stay consistent with a few simple best practices:
- Keep Your Product Content Updated Regularly: I recommend reviewing your product pages from time to time to make sure pricing, availability, and descriptions are still accurate. Fresh and updated content tends to perform better in search results.
- Avoid Using Duplicate Product Descriptions: Try not to reuse the same description across multiple products. This includes copying manufacturer descriptions. Since many other stores use that exact same text, writing your own unique description helps you stand out to Google.
- Always Write With User Intent in Mind: I suggest focusing on what the customer is actually looking for when they land on your page. Think about their problem, their goal, and how your product solves it, rather than just stuffing keywords.
These small improvements can make a big difference over time, especially when combined with the optimization steps covered earlier in this guide.
Frequently Asked Questions About Optimizing Product Pages for Search Engines
If you still have questions about optimizing WooCommerce product pages for SEO, you’re not alone.
Here are some of the most common questions store owners ask, along with simple answers to help you get things right.
How do I optimize WooCommerce product pages for SEO?
To optimize WooCommerce product pages for SEO, you should improve your product titles, write helpful descriptions, add product schema, optimize images with alt text, and use internal linking between related products.
Using an SEO plugin like AIOSEO can make this process easier without needing technical skills.
Why are my WooCommerce products not ranking?
WooCommerce products often don’t rank because of weak SEO signals like thin descriptions, poorly optimized titles, missing schema, or lack of internal links.
In some cases, search engines simply don’t have enough context to understand the page or match it with relevant search queries.
Do I need a plugin for WooCommerce SEO?
Yes, using a plugin for WooCommerce SEO is highly recommended. An SEO plugin like AIOSEO helps you manage titles, meta descriptions, schema, and other technical SEO settings without manual coding.
This makes it super easy to optimize your store properly.
Can I do WooCommerce SEO without coding?
Yes, you can do WooCommerce SEO without coding. You can handle most optimization tasks — like editing product titles, adding descriptions, setting up schema, and optimizing images — directly inside WordPress using an SEO plugin like AIOSEO.
I hope this article helped you learn how to optimize your product pages for search engines. You may also like to see our guide on how to sell on ChatGPT with WooCommerce and our list of ways to use AI in WooCommerce.
The post How to Optimize Your WooCommerce Product Pages for SEO first appeared on WPBeginner.
Open Channels FM: How to Make Your Case Studies Stand Out: The Power of Storytelling
Effective case studies focus on storytelling, positioning the customer as the hero. They highlight challenges, solutions, and outcomes, blending engaging narratives with measurable results to build trust.
Matt: Bee Champion
Spelling bees have gotten a lot more intense. How many of these do you know?
torrone, enthymeme, iguape, Denebola, fais-dodo, cywyddau, pohutukawa, monadnock, émeute, nannofossil, tongkang, Natchitoches, flaith, semele, rusell, sawder, campernelle, Nicol, Zamenis, Tharparkar, tlachtli, madoqua, retiarius, balintawak, tessaraconter, taurokathapsia, rapakivi, uayeb, paroemia, melengket, teraglin, homelyn, chikungunya, bromocriptine (cashaw)
Check out the first 90 seconds of this video where Shrey Parikh gets 32 out of 34 correct to become the 2026 champion. That speed round is called a “spell-off,” and so many of the kids are getting all the words right that they use it to break ties. Lots of words to press. 
Akismet: Introducing the official Akismet Drupal module

For two decades, Akismet has done one thing exceptionally well: keep spam out of WordPress. Now we’re bringing that protection to Drupal. The official module is here, built by the team behind Akismet as a native Drupal module. It guards your site with the same spam-fighting service that keeps comments, contact forms, and signups clean across millions of sites.
Protection where spammers actually go
Spam doesn’t stop at comments, so neither does the module. Once it’s set up, Akismet checks the forms spammers target most:
- Comments
- Contact forms
- Webform submissions
- User registrations
It runs every submission through Akismet in the background and quietly filters the spam out, so you see less of it and your visitors never notice it’s there.
Built for Drupal, the Drupal way
We wanted this to feel like a first-class part of your site, not a bolt-on. The module follows modern Drupal conventions, and plays nicely with other anti-spam tools like Honeypot and CAPTCHA if you already use them. It also adds invisible bot-detection signals that catch automated junk before it ever reaches the API.
Tools for moderators
For the spam worth a second look, there’s a dedicated review queue and one-click actions on every comment. Each correction goes back to Akismet, so the filter keeps getting smarter about your site. An admin dashboard shows your stats at a glance, and built-in GDPR export and erasure tools make honoring data requests straightforward.

Getting started
You’ll need an Akismet API key. Grab one at akismet.com, then install the module with Composer:
composer require drupal/akismet_antispam
Enable it, add your key on the settings page, pick which forms to protect, and you’re done. The module needs Drupal 10.3+ and PHP 8.1+, and it’s released under the GPL. You’ll find the docs and issue queue on the Drupal.org project page.
We’re excited to bring Akismet to the Drupal community. Give it a try and tell us what you think.
How to Find and Fix Duplicate Content Issues in WordPress
Did you know that WordPress can create duplicate versions of your content without you ever realizing it? Every blog post you publish can spawn several extra URLs, which are near-identical copies you never meant to create. And over time, they hurt your SEO by splitting your ranking signals across pages you don’t even want to rank.
When auditing a website, it’s common to find dozens or even hundreds of these duplicate URLs. That’s because category archives, tag pages, attachment URLs, and author archives are all generating thin versions of your content that compete with your original posts.
In this guide, I’ll walk through every common source of duplicate content, how to detect it, and exactly how to fix it based on my experience helping WordPress sites recover their SEO rankings.

TL;DR: I’ll show you exactly how to find and fix duplicate content issues on your WordPress website. You’ll learn how to clean up messy category archives, merge competing blog posts, and use canonical tags to tell Google exactly which pages to rank. I’ll also show you how to safely automate the technical steps using beginner-friendly tools like All in One SEO, so you don’t have to touch a single line of code.
What Is Duplicate Content in WordPress?
In simple terms, duplicate content just means you have two or more web addresses (URLs) on your website displaying the exact same, or very similar, text.

The reason this causes SEO headaches is that it confuses search engines like Google. When Google finds identical pages, it has to guess which version is the ‘master’ copy that deserves to rank. Unfortunately, it doesn’t always guess correctly.
This means a messy, auto-generated link might accidentally rank higher in search results than the main page you actually want people to read. But don’t worry, I’m going to show you exactly how to clear up the confusion and take back control.
Before we dive into the solutions, you might be wondering how these extra pages got there in the first place. WordPress is especially prone to this problem right out of the box.
In fact, a single blog post can often be found using its permalink, a category archive, a tag archive, a date archive, an author archive, and multiple paginated pages, all at separate URLs.
| Source | How WordPress Creates It |
|---|---|
| Category and tag archives | A separate page for every category and tag assigned to a post |
| Paginated pages | /page/2/, /page/3/ for any archive with multiple pages |
| Media attachment pages | A page for every image uploaded to the media library |
| Author archives | A page listing all posts by each registered user |
| HTTP/HTTPS and WWW/non-WWW | Up to 4 versions of every URL on your site |
| URL parameters | New URL for every filter, sort order, or tracking parameter |
Keep in mind that there’s no direct Google penalty for duplicate content. The real damage is diluted ranking signals. Instead of one strong page earning links and authority, that equity gets split across ten near-identical URLs.
Sites with 50+ posts are especially vulnerable, since the number of duplicate archive URLs scales with every post you publish.
Why Do You Need to Fix Duplicate Content Issues?
Since WordPress creates these extra pages automatically, you might be tempted to just leave them alone. However, ignoring duplicate content can actually hurt your WordPress SEO.
Duplicate content doesn’t just confuse search engines. It actively works against the main pages you want to rank in a few key ways:
- When Google finds multiple URLs with the same content, it picks one to rank, and may not choose the one you want.
- Links and authority earned by your content get split across multiple URLs, weakening each one.
- Thin archive and attachment pages can waste your ‘crawl budget,’ which is the limited amount of time Google spends scanning your site. This mainly affects very large sites, but on any site, trimming low-value pages helps Google focus on the content that matters.

Most of these fixes take only a few minutes once you know where to look.
I’ll cover each source and exactly how to fix it in the sections below.
- How to Find Duplicate Content on Your WordPress Site
- How to Fix Duplicate Content from Category and Tag Archives
- How to Fix Duplicate Content from Paginated Archive Pages
- How to Fix Duplicate Content from Comment Pages
- How to Stop WordPress from Creating Duplicate Image Pages
- How to Fix Duplicate Content from Author Archive Pages
- How to Fix Duplicate Content from HTTP, HTTPS, and WWW Mismatches
- How to Fix Duplicate Content from URL Parameters
- How to Fix Overlapping Content (Merging Posts)
- What About Duplicate Content on Other Websites?
- How to Verify Your Fixes Are Working
- Frequently Asked Questions About Duplicate Content
- Additional Resources for WordPress SEO
Before You Start: The fixes in this guide all use All in One SEO. You can start with the free version (AIOSEO Lite), which is enough to follow most of the fixes in this guide, or use All in One SEO Pro for advanced features like the Redirection Manager and index status reports.
Once it’s installed, see our step-by-step guide to setting up All in One SEO to configure it.
How to Find Duplicate Content on Your WordPress Site
Before fixing anything, you need to know what you’re dealing with.
I recommend starting with two tools used together: All in One SEO’s built-in Site Audit and Google Search Console.
Using AIOSEO’s Site Audit Tool
AIOSEO includes an SEO Audit Checklist that scans your entire site for duplicate content issues automatically. It checks for canonical tag problems, missing redirects, SSL/HTTPS configuration issues, and more, and scores your overall site health in real time.
To run an audit, go to All in One SEO » SEO Analysis in your WordPress dashboard. You’ll see a health score with issues sorted by priority and impact.
The Advanced SEO Audit section is the most relevant for duplicate content. It specifically flags canonical tag errors and redirect problems.

If your site is set up correctly, then you will see a green checkmark confirming that ‘Your page is using the canonical link tag,’ just like in the image above.
However, if there is a problem, you will see a red ‘X’ warning you that the tag is missing, along with a helpful ‘How to fix’ dropdown pointing you in the right direction.
The Security SEO Audit section checks your SSL certificate and HTTPS setup, which I’ll cover in section 5.

Using Google Search Console
Google Search Console shows you exactly which URLs Google has discovered and what it decided to do with them.
Go to Indexing » Pages in the left menu and look at the ‘Why pages aren’t being indexed’ section.
The entries you’re looking for are ‘Duplicate without user-selected canonical’ and ‘Duplicate, Google chose different canonical than user.’ These are your confirmed duplicate content problems, meaning that Google found them and made a judgment call you may not agree with.

The URL Inspection tool is also useful for spot-checking individual pages. Enter any URL to see which canonical Google is using, when it last crawled the page, and whether the page is indexed.
For a full walkthrough on navigating these reports, see our ultimate guide on how to use Google Search Console.

Pro Tip: If you use AIOSEO (Elite plan), you can actually see these Google Search Console indexing reasons directly in your WordPress dashboard using the ‘Index Status Report’.
How to Fix Duplicate Content from Category and Tag Archives
WordPress creates a separate archive page for every category and tag you assign to a post. This means that a post in three categories appears in three archive listings, three different URLs with nearly identical content. When you add tags, the problem multiplies.
Category archives usually provide real organizational value and are worth keeping indexed. Tag archives are typically the problem. They’re too granular, overlap with categories, and rarely earn meaningful traffic on their own.
To fix this, you should noindex your tag archives because this removes them from Google’s index without deleting the pages or affecting your site structure.
How to Fix Archive Duplicate Content
AIOSEO gives you per-taxonomy noindex controls directly in the dashboard. Here’s how to noindex your tag archives.
First, go to AIOSEO » Search Appearance » Taxonomies in your WordPress dashboard.

Click the Tags tab, then set ‘Show in Search Results’ to No and click ‘Save Changes’.
This adds a noindex meta tag to all tag archive pages. Google will stop indexing them on its next crawl, and they’ll stop competing with your actual posts.

For a deeper dive, see our guide on how to remove archive pages in WordPress.
For categories, I recommend keeping them indexed if they serve a real navigational purpose.
However, if any category has only one or two posts, then noindex those in the same way. Thin category archives are rarely worth indexing.

As a general guideline to prevent duplicate content, think of categories as your book’s table of contents, and tags as the specific index at the back. Try to limit yourself to 1-2 categories and no more than 3-5 highly relevant tags per post.
How to Fix Duplicate Content from Paginated Archive Pages
As your WordPress site grows, you’ll naturally have more content than can fit on a single screen. WordPress handles this by using pagination. It automatically breaks your blog archives and long articles into multiple pages like /page/2/ and /page/3/.
While this is great for the user experience, it creates a technical challenge for SEO. Because these pages often have similar titles and overlapping content, Google may view them as duplicate versions of the same page.
If not handled correctly, this can dilute your ranking signals and, on larger sites, waste crawl budget, so your older content gets crawled less often.
To fix this, you will need to add a self-referencing canonical tag on every paginated page because this tells Google that each page in the series is a unique part of the archive. This makes sure that all your older posts still get crawled and indexed properly.
To learn more about how this works for long articles, see our guide on how to split WordPress posts into multiple pages.
How to Add Canonical Tags to Paginated Content
You don’t need a paid plan to fix this. The free version of AIOSEO handles pagination canonicals automatically. Once the plugin is active, it immediately starts adding the correct tags to every archive page on your site.
To confirm it’s working, you can use the URL Inspection tool in Google Search Console. Simply enter a paginated archive URL (like yourdomain.com/category/tutorials/page/2/). In the report, you should see that the ‘User-selected canonical’ matches exactly the URL you entered.
If you aren’t using Search Console yet, then you can also check manually. Open any paginated page on your site, right-click, and select ‘View Page Source’. Use the search function (Ctrl+F or Cmd+F) to look for rel="canonical". You should see a line of code like this:
<link rel="canonical" href="https://yourdomain.com/category/tutorials/page/2/" />

If you recently migrated from another SEO plugin, make sure to run AIOSEO’s SEO Analysis tool to verify that there are no conflicting canonical settings from your old setup. You can find it by going to All in One SEO » SEO Analysis in your WordPress dashboard.
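The view-source check above can be scripted. The following is an added example, not code from the original article or from AIOSEO: it extracts every rel="canonical" link from a page's HTML and reports whether the tag is missing, conflicting (for example, two plugins each emitting one), pointing at another URL, or self-referencing. The function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


class CanonicalCollector(HTMLParser):
    """Collect the href of every <link rel="canonical"> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = {name: (value or "") for name, value in attrs}
        # rel is a case-insensitive, space-separated token list.
        if "canonical" in attr.get("rel", "").lower().split():
            href = attr.get("href", "").strip()
            if href:  # an empty href carries no canonical signal
                self.hrefs.append(href)


def normalize(url):
    """Lowercase scheme and host, drop the fragment, keep path and query."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def check_canonical(page_url, html):
    """Return (verdict, canonical URLs found) for one fetched page."""
    collector = CanonicalCollector()
    collector.feed(html)
    # Resolve relative hrefs against the page URL before comparing.
    found = [normalize(urljoin(page_url, h)) for h in collector.hrefs]
    if not found:
        return "missing", found
    if len(set(found)) > 1:
        return "conflicting", found
    if found[0] != normalize(page_url):
        return "points-elsewhere", found
    return "self-referencing", found


# Constructed sample pages for the paginated URL used in the text.
PAGE_URL = "https://yourdomain.com/category/tutorials/page/2/"
FIRST_PAGE = "https://yourdomain.com/category/tutorials/"

SAMPLES = {
    "good": f'<head><link rel="canonical" href="{PAGE_URL}" /></head>',
    "to_first_page": f'<head><link rel="canonical" href="{FIRST_PAGE}" /></head>',
    "two_plugins": (
        f'<head><link rel="canonical" href="{PAGE_URL}" />'
        f'<link rel="canonical" href="{FIRST_PAGE}" /></head>'
    ),
    "no_tag": "<head><title>Tutorials, page 2</title></head>",
    "relative": '<head><link REL="Canonical" href="/category/tutorials/page/2/"></head>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        verdict, found = check_canonical(PAGE_URL, html)
        print(f"{name:15} {verdict:17} {found}")
```

To run it against a live site, pass the HTML you fetched for each paginated URL to `check_canonical` in place of the constructed samples.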
How to Fix Duplicate Content from Comment Pages
Comments can create their own duplicate URLs in two ways.
If you turn on ‘Break comments into pages’ under Settings » Discussion, WordPress starts publishing paginated comment URLs like yourdomain.com/post-name/comment-page-2/.

Threaded comments also add a ?replytocom= link to every Reply button, which can generate many crawlable near-duplicate URLs on comment-heavy posts.
These days, WordPress adds canonical tags to paginated comment URLs on its own, just like it does for multi-page archives. So, this is much less of an issue than it once was.
For most blogs, the simplest fix is to uncheck ‘Break comments into pages’ under Settings » Discussion if you don’t actually need paginated comments. You can see our full guide on how to paginate comments in WordPress for more detail.

If you’d rather keep comment and archive pages out of search entirely, then AIOSEO has global ‘No Index Paginated’ and ‘No Follow Paginated’ controls under AIOSEO » Search Appearance » Advanced.

How to Stop WordPress from Creating Duplicate Image Pages
On many WordPress sites, every image you upload gets its own attachment page, which is a separate URL with almost no content.
Since WordPress 6.4, brand-new installs disable these pages by default. But sites created before 6.4, or upgraded from an older version, still have them turned on.
On a site with 200 posts, you likely have 500 or more of these thin pages that Google has to crawl and evaluate.
You can learn more about why this happens in our guide on how to disable image attachment pages.
Attachment pages add little value and can dilute your site’s overall quality signals. In my tests, disabling them is one of the fastest duplicate content wins available. And it only takes about 60 seconds to configure.
The exception is photography or portfolio sites where attachment pages contain real content: descriptions, EXIF data, or licensing information. If that’s you, then skip this fix.
How to Disable Attachment Pages
AIOSEO can automatically redirect attachment page URLs to the parent post, sending visitors and link equity to the relevant content instead of a dead-end image page.
Here’s how to set it up.
First, navigate to AIOSEO » Search Appearance and click on the ‘Image SEO’ tab.
Look for the ‘Redirect Attachment URLs’ setting. To make sure you get the best SEO results, select ‘the Attachment Parent’ option.

Don’t forget to click the ‘Save Changes’ button at the top or bottom of the page to lock in your settings.
This is the recommended choice because it keeps users on your website. When someone clicks an image link in search results, they are sent directly to the article where that image lives, providing context and keeping them engaged with your content.
If an image is unattached (meaning it was uploaded directly to the media library and isn’t part of a specific post, like your site logo), AIOSEO is smart enough to handle it. You can choose to have these images redirect to your Home Page or the Attachment file itself.
For most sites, redirecting unattached media to the homepage is the best way to keep visitors within your site structure.
How to Fix Duplicate Content from Author Archive Pages
WordPress creates an author archive for every user registered on your site. On a single-author blog, the URL /author/your-name/ shows the exact same posts as your main blog index, just at a different web address.
This is a serious duplicate content scenario. The author archive and the blog index are effectively identical, competing for the same rankings.
If you’re the only person writing for your site, having both indexed is unnecessary. For some, it might even be worth considering how to remove the author name from WordPress posts entirely to simplify the design.
How to Noindex Author Archives
To stop Google from indexing these redundant pages, go to AIOSEO » Search Appearance » Archives in your WordPress dashboard.

Click the ‘Author Archives’ tab, set ‘Show in Search Results’ to ‘No’, and click the ‘Save Changes’ button.
On multi-author sites, the situation is different. Author archives can have real SEO value, especially when different authors cover specialized topics.
In that case, keep them indexed and ensure each author has a complete bio on their profile page. To make this bio visible to your readers, you can see our guide on how to add an author info box in WordPress.

If you keep archives indexed, then AIOSEO’s Author SEO feature (Plus plan and above) also lets you add author (Person) schema markup that highlights each author’s credentials and expertise.
This gives Google clearer signals about who is behind your content, which supports E-E-A-T (Experience, Expertise, Authoritativeness, and Trustworthiness), Google’s content-quality framework.
For more details, see our complete guide to author SEO in WordPress.
How to Fix Duplicate Content from HTTP, HTTPS, and WWW Mismatches
Your homepage and every page on your site are technically accessible at four different URLs:
- http://example.com
- https://example.com
- http://www.example.com
- https://www.example.com
Without redirects in place, Google may crawl and index all four versions.
This is one of the most serious duplicate content issues because it multiplies across your entire site, not just a handful of archives. Every page, post, and product is affected.
To prevent ‘Ghost URLs’, you need to make sure that every visitor (and every search engine bot) is forced into a single, secure version of your site.
This solves two problems at once: the HTTP vs. HTTPS conflict and the WWW vs. non-WWW duplicate content issue.
Set Your Preferred URLs in WordPress
Before doing anything else, you need to tell WordPress exactly what your ‘official’ URL is. Go to Settings » General and look for the WordPress Address and Site Address fields.
Make sure both URLs are identical and include your preference for HTTPS and WWW. For example: https://www.example.com.

If you aren’t sure which version to pick, see our guide on WWW vs. non-WWW — which is better for WordPress SEO. The most important rule is to pick one and never change it.
Once these are set, All in One SEO will automatically use this official version for all your site’s canonical tags.
Enforce the Redirect at the Server Level
Setting the URL in WordPress tells the site how to behave, but you still need to force the browser to follow those rules.
Here are the options:
- The Firewall Method (Recommended): If you use Sucuri, then you can enforce this at the DNS level before traffic even reaches your site. In your Sucuri dashboard, go to Settings » HTTPS/SSL and toggle on ‘Force HTTPS’.
- The Plugin Method: If you aren’t using a firewall, then you can use WPCode to safely add a redirect snippet. This is much safer for beginners than editing a .htaccess file manually.
For complete instructions, see our guide on how to properly move WordPress from HTTP to HTTPS.
After making these changes, check Google Search Console’s Pages report after a week or two. Any indexed pages from the non-preferred domain version should gradually disappear from the coverage report.
Pro Tip: I’ve seen sites get stuck on page 2 of Google simply because their backlinks were split between the www and non-www versions of their URL. Google treated them as two different sites with half the authority each.
Once the website owner enforced a single canonical domain, the ranking signals consolidated, and the site moved to the top of page 1 almost overnight.
How to Fix Duplicate Content from URL Parameters
URL parameters are the ‘query strings’ that appear after a ? in a web address. These are things like ?sort=price, ?color=red, or ?sessionid=abc123.
While these are useful for sorting products or tracking marketing campaigns, each unique combination technically creates a new URL with identical page content.
These duplicates most commonly come from two sources:
- eCommerce Filters: Options for price, size, or color on large product catalogs. A single product page with ten filter options can easily generate 50 or more duplicate URLs.
- Campaign Tracking: Parameters appended by email or social media campaigns (like UTM codes). To learn how these work, see our guide on how to set up email newsletter tracking in Google Analytics.
Duplicate parameters are a huge reason why large sites leak ranking power. Instead of Google focusing on one strong page, it gets distracted by dozens of filtered variations.
How to Handle URL Parameters
All in One SEO (AIOSEO) automatically adds canonical tags to these parameterized URLs. It points them back to the clean URL (the main page link without any of the extra tracking or sorting codes at the end).
This process saves your crawl budget. Instead of Google wasting time crawling 50 different versions of the same product, it focuses all its energy on your main, authoritative page.
Note: If you intentionally want a specific product filter to rank in Google, like ‘red running shoes’, you will need to create a dedicated landing page for that term instead of relying on URL parameters.
To verify this is working, use the URL Inspection tool in Google Search Console on a messy, parameterized URL.
Make sure that the ‘Google-selected canonical’ points to the clean version of the URL. As long as you have AIOSEO installed, it works smoothly with WordPress and WooCommerce to make sure these tags are handled correctly without any manual configuration.
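The same check can be scripted against saved page source. This is an added example, not code from WPBeginner or AIOSEO: it collapses the scheme, www, query-string, and trailing-slash variants of a URL to one clean form and compares that with the page's `rel="canonical"` tag. The names `clean_url` and `audit`, the preferred URL `https://www.example.com`, the trailing-slash permalink style, and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumptions: the preferred URL is the article's https://www.example.com,
# permalinks are "pretty" (no content lives in the query string) and end in "/".
SCHEME, HOST = "https", "www.example.com"


def clean_url(url):
    """Collapse scheme, www, query-string and trailing-slash variants."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in (HOST, HOST[len("www."):]):
        raise ValueError(f"{url!r} is not on {HOST}")
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    return urlunsplit((SCHEME, HOST, path, "", ""))


class CanonicalFinder(HTMLParser):
    """Collect the href of every <link rel="canonical"> in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "canonical" in rels and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def audit(requested_url, html):
    """Return ok, missing, multiple or mismatch for one fetched page."""
    finder = CanonicalFinder()
    finder.feed(html)
    if not finder.hrefs:
        return "missing"
    if len(finder.hrefs) > 1:
        return "multiple"
    return "ok" if finder.hrefs[0] == clean_url(requested_url) else "mismatch"


# Constructed sample: page source as served for every variant of one product.
SAMPLE_HTML = ('<html><head><title>Shoes</title>'
               '<link rel="canonical" href="https://www.example.com/shoes/" />'
               '</head><body></body></html>')
VARIANTS = [
    "http://example.com/shoes?sort=price",
    "https://example.com/shoes/?color=red&utm_source=newsletter",
    "http://www.example.com/shoes/",
    "https://www.example.com/shoes?sessionid=abc123",
]

if __name__ == "__main__":
    for url in VARIANTS:
        print(f"{audit(url, SAMPLE_HTML):9} {url}")
```

A `mismatch` or `multiple` result on a parameterized URL means the canonical tag is not consolidating that variant onto the clean page.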

If you run an online store, then you can see more tips on this in our ultimate WooCommerce SEO guide.
How to Fix Overlapping Content (Merging Posts)
While most duplicate content is created by WordPress settings, sometimes the issue comes from the content itself. This happens when you accidentally cover the same topic twice.
If you have two articles targeting the same keyword, they will compete against each other in Google search results. This is known as keyword cannibalization.
Instead of one page ranking high, Google gets confused and splits your ‘ranking power’ between both pages, often leaving both of them stuck on lower search result pages.
You can visualize how duplicate content damages your ranking power by thinking of it like a pie. Your total SEO value (or link equity) is divided by the number of duplicate URLs. The more duplicate versions you have, the smaller the slice of ranking power each page gets.
Spotting Overlapping Content
The most reliable way to find these overlapping posts is by using AIOSEO Search Statistics (the Elite plan).
In your WordPress dashboard, go to AIOSEO » Search Statistics and look for the ‘Keyword Rank Tracker’.

To see if your pages are competing, simply click on a keyword in the Rank Tracker and select the ‘Keyword Ranking Pages’ tab.
If you see multiple URLs listed there for the same term, it’s a sign that Google is struggling to decide which page to rank. So, you should consider merging them or using a canonical tag to point to the primary version.

For a step-by-step walkthrough on setting this up, see our guide on how to check if your blog posts are ranking for the right keywords.
Merging and Redirecting Your Posts
To fix overlapping content, you should combine your related articles into a single, comprehensive ‘Ultimate Guide’.
Start by picking the winner. This is the post that already has the best rankings or the most high-quality backlinks.
Next, copy any unique tips, data, or media from the weaker article into the winning post.
Once your main post is updated and comprehensive, I recommend changing the weaker version’s status to ‘Draft’ instead of deleting it right away. This keeps your content safe just in case you need to reference it later.
The final and most important step is setting up a 301 redirect. This tells search engines that the old page has moved permanently to the new one. You can do this quickly using the Redirection Manager in AIOSEO.

By pointing the old URL to your new combined post, you ensure that all the original ranking power is consolidated into a single, authoritative URL. For a step-by-step look at this setup, see our beginner’s guide to creating 301 redirects in WordPress.
What About Duplicate Content on Other Websites?
So far, I’ve focused on the duplicates WordPress creates on your own site. But sometimes another website copies your work, either by scraping it automatically or by republishing it word for word.
Google does not penalize you for being copied. It simply picks one version to show and filters out the rest.
The risk is that Google does not promise your original wins. If a higher-authority site copies you, then its version can sometimes be the one that ranks.
Make It Harder to Scrape Your Content
By default, WordPress publishes a full-text RSS feed, and many scrapers simply auto-republish whatever appears in it. You can limit what they grab by sending only an excerpt.
Go to Settings » Reading, find ‘For each post in a feed, include’, and select the ‘Excerpt’ option.

Keep in mind that this is a deterrent, not a guarantee. A determined scraper can still copy your page HTML directly. Plus, switching to excerpts means legitimate RSS and email subscribers see shortened posts instead of the full text.
What to Do If Someone Steals Your Content
If you find your content republished without permission, then you have a few realistic options. Our guide on how to find and remove stolen content in WordPress walks through each one in detail:
- Contact the site owner or host. Ask them to remove the content. If the owner ignores you, then their web host will often act on a clear copyright complaint.
- File a copyright removal request with Google. Google’s legal removal tool lets you report the copied page. This removes it from Google search results only, not from the other website itself.
- Report it as spam. Scraped content is a named violation of Google’s spam policies, so you can report it, though Google does not promise it will take action on any single report.
One more note for anyone who syndicates posts on purpose, such as republishing to a partner site or Medium. The current recommendation is for the partner to add a noindex tag to their copy, or link back to your original, rather than relying on a cross-domain canonical tag.
Our guide on content syndication in WordPress covers this in more depth.
How to Verify Your Fixes Are Working
After making these changes, it is important to be patient. Canonical and noindex changes take time to propagate, and Google doesn’t revisit every page on your site overnight.
Give it 1–2 weeks before expecting to see major shifts in your reports.
In Google Search Console, revisit the ‘Pages’ report under the Indexing section. You should see the count for ‘Duplicate without user-selected canonical’ start to decline. For a deeper look at these reports, see our guide on how to use Google Search Console effectively.

If the count stays flat after two weeks, then you can use the URL Inspection tool on a specific page to confirm that Google has picked up the new canonical tag.
You should also use AIOSEO’s SEO Audit Checklist. Simply run a fresh audit after your changes to confirm that any ‘Advanced SEO’ or ‘HTTPS’ issues have cleared from the report.
For more details on this, see our guide on how to create an SEO report for your WordPress site.

For ongoing monitoring, AIOSEO’s Post Index Status feature (Elite plan) provides a color-coded status for every page.
This makes it easy to catch new duplicate content issues at a glance before they can affect your rankings.

Finally, if you use Sucuri, their security scanner can flag mixed content warnings, like HTTP images loading on an HTTPS page, that might still be causing duplicate URL issues behind the scenes.
Frequently Asked Questions About Duplicate Content
Managing duplicate content can feel like a technical maze, but it is one of the most effective ways to boost your site’s ranking power.
Here are answers to the most common questions our readers ask about identifying and fixing duplicate URLs using All in One SEO.
Does duplicate content result in a Google penalty?
There’s no direct algorithmic penalty for duplicate content. Google typically picks one version to rank and filters out the rest. The real cost is diluted authority. Instead of one strong URL earning ranking signals, those signals get split across several near-identical ones.
Which is better for duplicate archives, noindex or canonical?
Use noindex when the page has no standalone SEO value. Tag archives and author archives on single-author sites are good examples. Use canonical when the page is useful to visitors but overlaps with a higher-priority URL, as is the case with paginated archive pages.
Do I need a paid AIOSEO plan to fix duplicate content?
Most of the essential tools for managing duplicate content, such as noindexing archives, redirecting attachment pages, and automatic canonical tags, are available in the free version of All in One SEO. The SEO Audit Checklist, which helps identify these issues, is also included for free.
However, the full Redirection Manager (including manual 301 redirects, 404 error tracking, and automatic redirects) requires the Pro plan or higher, and the Post Index Status report requires the Elite plan.
How can I quickly verify if my canonical tags are working?
There are two fast ways to check. First, you can right-click any page, select ‘View Page Source’, and search (Ctrl+F) for rel="canonical". Alternatively, you can use the AIOSEO SEO Toolbar or a browser extension like ‘SEO Minion.’
These tools show you the canonical URL in one click without you having to dig through the website’s code.
How long before I see results after fixing duplicate content?
Most sites see measurable improvements in Google Search Console’s coverage report within 2–4 weeks. Ranking improvements can take longer, typically 4–8 weeks, depending on how frequently Google crawls your site and how competitive your target keywords are.
Pro Tip: If you have fixed a major duplicate issue on a high-priority page, you can use the ‘Request Indexing’ feature in Google Search Console to ask Google to recrawl that specific URL immediately.
Does duplicate content affect my visibility in AI search engines?
Most likely, yes. AI search engines like ChatGPT and Perplexity tend to favor authoritative, clearly-sourced pages when generating answers. If your content is split across multiple duplicate URLs, these systems may struggle to identify your page as the primary source, which can cost you AI-driven traffic.
What is the difference between a trailing slash and a non-trailing slash URL?
To Google, example.com/post and example.com/post/ are technically two different pages. If your site allows both to load, it creates a duplicate content issue.
All in One SEO helps prevent this by automatically setting a canonical version, but you should also go to Settings » Permalinks in your WordPress dashboard to ensure your custom structure consistently includes or excludes the trailing slash (/) to avoid confusion.
Additional Resources for WordPress SEO
I hope this article helped you learn how to find and fix duplicate content in WordPress.
You may also like to see some other guides for improving your WordPress SEO:
- Ultimate WordPress SEO Guide for Beginners — a step-by-step walkthrough of every major on-site SEO setting in WordPress, from permalinks to sitemaps.
- How to Add Your WordPress Site to Google Search Console — get your site verified so you can monitor indexing issues, crawl errors, and keyword performance.
- What Is an XML Sitemap? How to Create a Sitemap in WordPress — help Google find and crawl all your important pages faster, which matters more once duplicate URLs are cleaned up.
- Beginner’s Guide to Creating 301 Redirects in WordPress — learn how to redirect old or duplicate URLs so their ranking signals consolidate on the right page.
- The Ultimate Guide to Boost WordPress Speed & Performance — once crawl budget is freed up from duplicate pages, a faster site helps Google index your content even more efficiently.
The post How to Find and Fix Duplicate Content Issues in WordPress first appeared on WPBeginner.
Matt: Maybe
I think I heard this parable somewhere in the 14 hours of Alan Watts lectures someone recommended to me in 2017, but here’s a beautiful 2-minute version I’d love to share for everyone going through something.
I really appreciate the love and support I received after the WP23 post, and I do want to tell people I’m okay, the post was part catharsis and part giving voice to what I see and hear privately from people who aren’t public figures.
On weekends, I like to look back on the week and find a silver lining or learning from things that were challenging. It helps reframe things. After it was reported that I had 21 hours of depositions over 3 days, people were like “wow that must have been terrible,” but actually, while the prep and process were intense, I found it energizing and I learned a ton. Will post more about that later. You never know where things will lead.
