GA says Homepage has many unexplained homepage extensions that begin with /?kw=.....

Found 50+ instances of this when reviewing Google Analytics/All Traffic/Channels report.   They all are list as separate landing pages for my site.  One is  /?kw=casa, another is  /?kw=sweepstakes.  All lead to my site homepage if you click on them in the GA pages or if typed into address bar. Overall Site traffic is way off as well.  These individual /?kw= pages normally only show 1 or so hits in the last month.  Are these harmful, or should is just filter them from my report view?
Thanks, Gale W.
Gale WPresidentAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jason C. LevineDon't talk to me.Commented:
Check your site immediately for altered/introduced files and code.  Those inbounds look like triggers to me that could set off bad behaviors.
Ray PaseurCommented:
Are these expected and intended to be part of your web site?  What functionality is assigned to the kw request variable?
Gale WPresidentAuthor Commented:
Thank you both,
These were not set up by us, no idea where they originated.  Odd they do all take you to our homepage, so it's not like they are stealing traffic and redirecting it.  I'll have to dig to learn how to look for altered or added files.  Guessing they would be added to the homepage as that is where they take you?
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Jason C. LevineDon't talk to me.Commented:
Well, the home page is the starting point for it.  If you're really lucky, they merely altered the home page code and that's fairly easy to spot.  Usually this stuff is done by altering a called file from the home page so you have a lot of work to do.

And Ray's right...it may not be malicious and something the previous developers did.  So you should expand the search to look for any function in your code that processes the GET variable and does something with it. Since kw could mean "keyword" hopefully this is some SEO grey-hat thing.

But there's more options than just stealing/redirecting traffic.  Your site could be used as an attack vector against other sites or the invocation of the kw code...
Ray PaseurCommented:
Check your home page code carefully.  If you have an original backup, compare it to what is on the server now.  If there is a difference between what you expect and what you have, you might want to consult a security expert for some detailed analysis!
Gale WPresidentAuthor Commented:
Would using Chrome's "view source code" function be sufficient to see what I'm looking for?  
Still getting used to Wordpress editor, which seems to let you see all the site pages code
when editing EXCEPT the home page. GW
Jason C. LevineDon't talk to me.Commented:
Would using Chrome's "view source code" function be sufficient to see what I'm looking for?  

Partially sufficient. The source code is only the rendered stuff.  If the attack is in the PHP code, it has already executed and may send nothing to the browser.

WordPress doesn't really have a "home page" depending on its theme.  Instead there are templates and template parts that combine conditionally based on the page called.

If I were you, I would stop here and do one or both the following:

BEST: Subscribe to sucuri.net and have them do a server-side scan of your site.

DECENT: Install the WordFence plugin and set it to scan your site, plugins and themes.  It's free

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Gale WPresidentAuthor Commented:
Thanks again to you both.  Like many things, everyone says how easy Wordpress and Webdesign are--until there's problem.  Good to know smart & generous folks are out there when you need them.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Search Engine Optimization (SEO)

From novice to tech pro — start learning today.