Updated: Tuesday, 24 December 2019
When it comes to SEO, website security is rarely among the top priorities for most businesses. If you neglect your website security and leave it open to cyberattacks (a negative SEO attack is one of them), it could affect more than just the functionality of your website. It could also hurt your rankings and harm your SEO. To see why, it’s essential to understand what cyberattacks often do to websites and, more importantly, how Google responds to them.
Website Hacks that Hurt Your SEO
Cyberattacks come in different forms and levels, but the most problematic of these (at least for SEO) come via compromising your website.
Hackers will often try to exploit the security vulnerabilities on your website to gain back-end access, which enables them to attack you in several ways that can hurt your keyword rankings. We have asked the Brisbane SEO specialist at Resurge Digital for an overview of some of the most commonly seen ways attackers exploit small business websites. You can divide these attacks into two categories:
Attacks That Aim to Exploit Your Website
Hackers will try to gain access to the folders and files on your web server to insert their own pages. Placing pages in the form of HTML files directly on your web server means that they will not appear in the back end of your CMS (content management system), such as WordPress. At the same time, hackers can style these rogue pages to look like a legitimate part of your website. These pages will often masquerade as appointment booking forms that aim to collect personal information, or even payment forms which may collect credit card information or even fully process payment amounts, wiring them to the attacker. The worst part is that because the URL of such a page will be a part of your domain, your visitors are unlikely even to realise they are being scammed.
How do They Get In?
In this case, one of the most common ways of compromising your website is through guessing a weak password. Avoid simple passwords like [your-main-service-123] and similarly easy-to-guess strings, and use a strong password instead. If it is easy for you to remember, it is likely easy for a hacker to crack.
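Because pages dropped straight onto the web server never show up in the CMS back end, they have to be found on the file system. The following is an added example, not part of the original article: it records a hash of every file under the web root while the site is known to be clean, then reports anything new or changed on a later scan. The sample site, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(web_root):
    """Map each file path (relative to web_root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Return (added, modified, removed) paths relative to a trusted baseline."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed

def demo():
    """Build a constructed sample site, baseline it, simulate tampering, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        # Constructed "clean" site: two files the CMS legitimately owns.
        write("index.php", "<?php // CMS front controller")
        write("wp-content/themes/site/footer.php", "<footer>Example Pty Ltd</footer>")
        baseline = snapshot(root)  # taken while the site is known to be clean
        # Constructed tampering: a page the CMS knows nothing about, and an edited template.
        write("booking/appointment.html", "<form>Card number: <input></form>")
        write("wp-content/themes/site/footer.php", "<footer>Example Pty Ltd (edited)</footer>")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("New files not in baseline:", added)
    print("Changed files:", modified)
    print("Missing files:", removed)
```

Keep the baseline somewhere the web server cannot write to, and refresh it after every legitimate update so that expected changes do not drown out unexpected ones.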
Hackers will sometimes try to insert their content into your blog roll to take advantage of your domain authority to build links to their websites in an attempt to improve their rankings. An SEO technique known as link building leverages the fact that sites linked to from known, reputable sources tend to rank better on Google and in other search engines. Legitimate links come from a website being mentioned on other websites without any encouragement. However, since hackers often try to rank up less-than-legitimate sites, rogue content insertion is one of the few avenues they have left for link building. If blog articles that no one at your company knows anything about, with content entirely unrelated to your business, suddenly appear on your website, you may be a victim of this type of attack. In less severe cases, the hacker will add just a few backdated pieces. In more severe cases, the attacker will replace your entire blog roll with their content and keep on adding new posts until you secure your website.
How do They Get In?
We have noticed that WordPress sites using older versions of WordPress or older versions of PHP are the more vulnerable properties here. Hackers and their bots (malicious programs that automate the hacker’s work) will detect that your website is built in WordPress and attempt to use known security vulnerabilities to compromise your site. These vulnerabilities are often patched in newer versions, and keeping your website CMS up to date where applicable and possible* helps to mitigate the risk. Maintainers and vendors of sound content management systems like WordPress go to great lengths to fix security issues as they are discovered.
*Sometimes, the way your website is built may be dependent on using a specific CMS version and updating it may break your site. It is crucial to have a robust backup schedule. Regular backups let you restore your website to the most recent working state before an attack, or if it breaks during an update. Keep in mind that even if you restore a hacked site to a state before the attack, the security vulnerability the hacker used to get in is likely to still be present and exploitable until you can patch it.
Hackers may try to insert backlinks to their websites into your content in an attempt to improve the search engine rankings of those websites. They can also try to redirect your visitors off-site to a malicious scam website in an effort to steal their personal or credit card information. This attack is less conspicuous and harder to find than content insertion because new links on your pages are much harder to notice.
How do They Get In?
Either of the ways described above may be used to facilitate this kind of attack.
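Inserted links and off-site redirects are hard to spot by eye, but easy to spot by comparing where a page points against the short list of outside sites you actually expect it to reference. The following is an added example, not part of the original article: it parses a page's HTML, collects link and meta-refresh targets, and reports any external host that is not on an allowlist. The page, host names and allowlist are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class OutboundCollector(HTMLParser):
    """Collect link targets and meta-refresh redirect targets from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []  # list of (kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.targets.append(("link", urljoin(self.page_url, attr["href"])))
        elif tag == "meta" and (attr.get("http-equiv") or "").lower() == "refresh":
            content = attr.get("content") or ""  # e.g. "0; url=https://..."
            pos = content.lower().find("url=")
            if pos != -1:
                target = content[pos + 4:].strip(" '\"")
                self.targets.append(("redirect", urljoin(self.page_url, target)))

def unexpected_hosts(page_url, html, allowed_hosts):
    """Return sorted (kind, host) pairs pointing off-site to a host not on the allowlist."""
    own = urlsplit(page_url).hostname
    collector = OutboundCollector(page_url)
    collector.feed(html)
    found = set()
    for kind, url in collector.targets:
        host = urlsplit(url).hostname  # None for mailto:, tel: and similar
        if host and host != own and host not in allowed_hosts:
            found.add((kind, host))
    return sorted(found)

# Constructed sample page: two legitimate links, one hidden inserted link, one redirect.
SAMPLE_URL = "https://www.shop.example/blog/spring-sale/"
SAMPLE_HTML = """
<html><head><meta http-equiv="refresh" content="0; url=https://pay-now.example/checkout"></head>
<body>
<a href="/contact/">Contact us</a>
<a href="https://partner.example/catalogue">Our supplier</a>
<a href="mailto:hello@shop.example">Email</a>
<span style="display:none"><a href="https://cheap-loans.example/apply">loans</a></span>
</body></html>
"""
ALLOWED = {"partner.example"}  # constructed allowlist of expected outside sites

if __name__ == "__main__":
    for kind, host in unexpected_hosts(SAMPLE_URL, SAMPLE_HTML, ALLOWED):
        print(kind, host)
```

This check only sees links and redirects present in the HTML the server returns, so run it over the pages as served rather than over the text stored in the CMS editor.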
Attacks That Aim to Harm Your Website
DoS (Denial of Service) and DDoS (Distributed Denial of Service) Attacks
A Denial of Service attack aims to put your website offline. What better way to hurt an online business than to prevent it from doing business online? Hackers who use this method attempt to send more traffic to your website than your web server can handle, consequently crashing it. This kind of attack does not require access to your website. In a DoS attack, a single machine is used to spam your site with traffic. In a DDoS attack, multiple computers attempt to access your website from many locations repeatedly. Using a reputable web host who proactively responds to such attacks and blocks malicious traffic can help to mitigate downtime from a DoS or a DDoS attack.
A Negative SEO Attack
A negative SEO attack attempts to build links from malicious websites to your website. Hackers can try to harm your rankings or even get you a Google Penalty by making it look like you are attempting to manipulate your keyword rankings through link building. A negative SEO attack of this kind can be carried out entirely off-site and out of your control or influence. Luckily, Google noticed the negative SEO attack threat a long time ago, and it now provides a disavow tool to give you a way of disassociating yourself from these rogue links. N.B. The disavow tool is an advanced tool, and you should only use it if you are sure you need to disavow links; if you are unsure if what you are doing is correct, contact an SEO specialist for help.
You Are Not Always Attacked By A Real Person
Hackers use sophisticated software that automates their workflows just as businesses do. Malicious bots continuously scan the web for vulnerable sites to compromise and attempt to deploy known security exploits without any user intervention. Even if your website comes under attack, it does not necessarily mean that your business was a deliberate target of a planned attack. However, a negative SEO attack is likely to be deliberate.
Well Ranking Websites Are At More Risk
Websites that rank well for high search volume keywords are at more of a risk of being a target. The logic is simple: if a hacker wants to use your site to lure people into giving up personal information, or to build links to a malicious website, using an already well-ranking, established and authoritative domain is likely to bring better results.
How Google Penalises Suspected Websites
Google hates spam, malware, and malicious software. If Google were to indiscriminately serve websites that contain malicious content, even unintentionally, it would undermine its reputation as the go-to search engine for reliable information. To fight these threats, Google has active measures in place to protect people from them.
- Blacklisting. In the worst-case scenario, if Google detects malicious software or content on your website, it will flag your site and remove it from search results for quarantine. It will remain blacklisted until the identified issues are fixed. Often, if you are a verified owner of your website in Google Search Console, Google will send you an e-mail alert, and you will be able to see the problem in the security issues report. These reports may or may not be useful in identifying the issue but, at the very least, they alert you to a problem when Google detects it.
- User warnings. If your website is flagged, it may not necessarily be immediately delisted. Google will often add a warning next to your link in the search results, and web browsers such as Chrome will display a warning to visitors that the site they are about to view is compromised. These warnings stay in place until the security issue is resolved and verified as fixed by Google. It is essential to know that the website owner needs to manually request verification using Google Search Console for Google to take action.
Either of these measures will cause a significant drop in your traffic, conversions, and rankings. If your website is blacklisted, then your website won’t appear in search results. Warning messages, meanwhile, will effectively turn away users from your site and prevent them from accessing it.
Using Good Website Security to Improve Your SEO
While bad website security can harm your SEO, the good news is that the opposite is also true: good website security can improve your SEO.
Aside from preventing your website from being flagged and blacklisted by Google, good website security can boost your SEO by:
- Improving conversions. People tend to trust secure websites more than unsecured websites, especially if they’re purchasing a product or service on your site. The more secure your website is, the more likely they’ll explore and use your website.
- Being trusted by Google. HTTPS has been a ranking signal in Google’s algorithm for years now, and many signs point to it becoming a stronger signal today. Since July 2018, the Google Chrome web browser has marked all non-HTTPS sites as “not secure”, making HTTPS even more critical.
Tips for Securing Your Website
Although there’s no way to prevent website hacks completely, there are things you can do to secure your website and make it harder to get hacked:
- Migrate your site to HTTPS. If you haven’t done so yet, make sure to migrate your website from HTTP to HTTPS. SSL/TLS encryption will help protect the transfer of data between your visitors and your website.
- Update your CMS and plugins where applicable. By keeping your CMS and all of your website plugins up to date, you make sure your website has the fixes for security vulnerabilities that have already been discovered and patched.
- Scan your website regularly. There are many web security tools that you can use to test and evaluate your site for known vulnerabilities and common attacks.
- Create back-ups. Back-ups can help you protect information and rebuild your website in the event of a hack.
- Use secure logins and passwords. The more secure your logins and passwords, the more difficult it will be for hackers to steal them. Consider using a password manager to generate a unique password for each of your online accounts, including your website. Remember though, your passwords are only as secure as your password manager’s master password – you will still need to make sure you can create and remember at least one very strong password for this approach to work effectively.
- Secure your computer systems. Make sure that your computer doesn’t have spyware and other malicious software that can steal your information (such as your passwords) that would allow hackers to access your website.
Protecting Your Business with Good Website Security
In today’s world, good website security isn’t a want – it’s a need.
Without it, you’re leaving your business vulnerable to cyberattacks that not only harm your business and users but your company’s SEO as well.
If you’re not sure how to protect your website against a negative SEO attack and improve your SEO, then consult with an SEO specialist who can provide the information and solutions you need. You should also consider getting managed IT services from our team here at Connected Platforms. With managed IT services in place, we can tailor your system’s infrastructure to be as secure as possible.
You’ve spent time and money on your website to get it in the best position to reach customers and achieve results. The worst thing you can do is to leave it open to attacks that could undo all the work and investment you put into it.