Unknown URL on My WordPress Website: Using Bing Webmaster Site Explorer
When using the Site Explorer feature in the Bing Webmaster Tools web application, WordPress owners often encounter a frustrating discovery: a list of "Unknown URLs" that do not appear in their page list or sitemaps. These mysterious links can range from harmless technical artifacts to serious SEO threats like the "Japanese Keyword Hack."
If you see URLs in Bing that you didn't create, here is the technical workflow to identify their origin and protect your site's search visibility.
1. Common "Harmless" Sources of Unknown URLs
Not every unknown URL is a sign of a hack. WordPress is a dynamic web application that generates various virtual paths for its own functionality:
- REST API Endpoints: URLs containing
/wp-json/are part of the WordPress core and are often crawled by Bingbot. - Comment Pagination: If you have "Break comments into pages" enabled, URLs like
/sample-page/comment-page-1/will appear. - Feeds: Paths ending in
/feed/or/rss/are automatically generated for your content. - Attachment Pages: WordPress traditionally creates a unique URL for every image uploaded to the media library.
2. Identifying Malicious "Ghost" Pages
If the Site Explorer shows URLs with random characters, pharmaceutical terms, or foreign languages (e.g., /wp-content/tmp/xyz.php), your site likely has a security vulnerability. These are often "Ghost Pages" that only appear to search engine crawlers while remaining invisible to standard visitors.
- Check the "HTTP Status": In Bing Webmaster Tools, look at the status code. A 200 OK status on a URL you don't recognize is a red flag.
- Verify the Source: Click on the URL in Site Explorer and check "Discovered from." This shows which page Bing found the link on, helping you trace the infection.
- Use "Inspect URL": Use Bing's inspection tool to "Live URL" test. This shows exactly what the Bingbot sees vs. what a browser sees.
3. Technical Auditing for Webmasters
To find where these URLs are coming from on the server-side, webmasters should perform the following checks:
- Audit the .htaccess File: Look for unusual rewrite rules that redirect traffic to obscure scripts.
- Scan for "Orphaned" Files: Use a security plugin like Wordfence or Sucuri to compare your core files against the official WordPress repository.
- Check Theme Functions: Look at
functions.phpforwp_insert_postcalls that might be programmatically creating "Unknown URLs" on every page load.
4. How to Remove Unknown URLs from Bing
Once you have identified that a URL is illegitimate or unwanted, you must signal to the Bing Search web application that it should be removed.
- 410 Gone Status: If the URLs are malicious, don't just delete them (404). Use a plugin to return a 410 Gone status. This tells Bingbot the page is permanently removed and speeds up de-indexing.
- URL Block Tool: Use the "Block URLs" feature in Bing Webmaster Tools to temporarily hide the URLs from search results while you clean the site.
- Robots.txt: Use a
Disallow: /path/rule to stop Bingbot from wasting your crawl budget on technical paths like/wp-json/.
Conclusion
Finding an Unknown URL in Bing Webmaster Tools is a critical moment for SEO health. Whether it is a harmless technical feed or a sophisticated hacking attempt, the Site Explorer is your first line of defense. By auditing your status codes and tracing the discovery source, webmasters can maintain a clean, high-ranking WordPress site that serves users rather than bots or bad actors.
