louannpope

It turns out that this is referrer spam that is not actually hitting our websites. That’s why it’s showing up in Google Analytics but not Wordfence. Here’s an explanation from Samuel Wood (Otto) at https://wordpress.org/support/topic/a-non-existent-page-is-showing-up-on-my-analytics/page/4:

This isn’t a WordPress specific thing. This isn’t even specific to individual WordPress plugins. Like you said, your “personal website is CodeIgniter” and you can see it there.
Here’s a quick primer on how Google Analytics works.
So, you get setup on GA and get a code from them. The code looks like UA-number-1 or some such thing. That number is your “account number” on GA. Now, this code and a bit of javascript go onto your webpage. Now, somebody visits your page, and their browser runs that javascript code.
That javascript code is what “records” their visit. It makes their browser talk to Google Analytics. Specifically, it makes certain types of HTTP requests that Google records information about, and then GA displays summaries of that information to you.
Pretty basic, right? Still with me? Okay, now, if all it is is this Javascript sending the “visit” to them, then anybody can fake that. Anybody at all. All I have to do to make your GA show false information is to send my fake information directly to GA.
I don’t need to visit your site at all. I don’t need to run javascript at all. I just need to reproduce those HTTP requests, which are public and so anybody can see them and how they work. They’re even fairly well documented, publicly, by Google themselves.
So, now, let’s say I’m a spammer jerk. I want to get people to see my spammy site. So, what do I do? I write a small bit of code to send thousands upon thousands of these fake requests to GA, and I simply cycle through all the UA numbers, in order, at random, whatever. I send a fake visit, with a fake referrer, and my spammy domain name. And guess what? It shows up in your Google Analytics screens.
You see this spam like any other normal visit. Because as far as GA is concerned, it was a normal visit. All they’re recording are those HTTP requests, which normally come from the GA javascript code. But a request is a request, and making a fake one is very, very easy.
That is what is going on. All I need is your UA number and with only a minor bit of effort I can fake a visit to your site without ever actually connecting to your site at all. That fake visit can have any domain name and any referrer in it that I choose.
This is an attack on Google Analytics, to promote whatever site is showing up. You cannot block it on your server, because your server is not involved at all.

So at least it doesn’t appear that our websites are in danger. Given that, it’s completely messing up my stats to see this referral spam in Google Analytics. It turns out there are two things we can do to get rid of them. Neither fix will change anything retroactively, meaning the hits that have already occurred will still show up, but they’ll fix everything from the time you apply the fix going forward.

Fix #1
Google has built-in capability to filter out known bots. Although this only works for bots that Google is aware of, it’s a good idea to turn on this filter.
How to: In Google Analytics, go to Admin Home, select All Web Site Data in the View column on the far right of the screen, and click View Settings. At the bottom of the screen, check the box beside Bot Filtering > Exclude all hits from known bots and spiders.

Fix #2
Since it appears that Google isn’t aware of these particular Russia spam referrers, we’ll have to filter them out manually for now.
How to: In Google Analytics, go to Admin Home, select All Web Site Data in the View column on the far right of the screen, and click Filters. Click the New Filter button. Enter a name for the filter (I gave it the oh-so-creative name “Exclude referral spam”). For Filter Type, choose Custom. Select Exclude. For Filter Field, choose Campaign Source (I have no idea why this field works but the Referral field doesn’t in this case). For Filter Pattern, I entered the following: darodar\.com|econom\.co|ilovevitaly\.com
The backslashes before the periods are necessary so that they are known to be periods rather than wildcards. The vertical bars act as OR. So my pattern filters out darodar.com, economy.co, and ilovevitaly.com. Click on Verify this Filter and it will show you the before and after of your recent traffic (hypothetically if you’d had this filter before). If that looks good, click Save.

I hope this is helpful to others. It drove me crazy until I found this info online. I applied both of these fixes last night and haven’t seen any referral spam since.