A recent consumer survey conducted by HubSpot Research across the UK, U.S. and Australia found that up to 85 percent of users would leave a website that isn’t secure. What does the word “secure” really mean in this context? Usually, when a company claims that its website is secure, it implies that the website can be considered trustworthy and is protected using tools such as an SSL (Secure Sockets Layer) certificate, encryption, firewalls, and plugins. What is the main purpose of these security tools? Such tools are meant to safeguard personal user information.
So, why is website security so important? As of December 2018, there are 1.94 billion websites and the number of internet users has crossed 4.1 billion worldwide. It will come as no surprise that these figures are set to skyrocket in the coming years, with more than 1.92 billion expected online purchases and over 5 billion Google searches happening every single day! Considering the exponential market growth and opportunities, do you really want to turn away visitors that show up at your virtual doorstep?
Additionally, while an insecure website will drive users away, lack of security will also have a severe effect on your rankings, thereby reducing your website’s traffic. Web security must be an essential and consistent part of your website’s SEO and digital marketing strategy. One of the big indicators of the importance of website security was presented in 2014. Approximately five years ago, Webmaster Analysts announced that migrating your website to HTTPS (Hypertext Transfer Protocol Secure) from HTTP had become a ranking signal in Google’s ever-changing search algorithm.
As a company, we have understood the importance of having a secure and effective website. Our SEO and IT teams continuously work on implementing necessary strategies to create and maintain secure, SEO-optimized websites for our clients. Here are a few tips and strategies for you to ensure that your organization doesn’t lose out on potential visitors!
Are My SEO Rankings in Jeopardy?
With the recent buzz surrounding GDPR, personal data theft, and website hacks, internet users are more conscious about how they interact with different websites. They’re now aware that their sensitive information could be at risk each time they surf the web. Naturally, websites with higher credibility and security will drive more traffic as a result of top Google keyword rankings. An evident question you might ask yourself at this point is: how is web security related to SEO rankings?
Google’s algorithm evaluates several security-related factors before finalizing keyword rankings. No website is too small or insignificant to be attacked. In fact, according to GoDaddy’s small business website security report, one in five SMEs faced a ransomware threat last year, in which hackers held electronic data hostage for ransom. Moreover, when it comes to victims of malware attacks, 58 percent are usually small businesses.
Below we describe how neglecting website security can negatively impact your SEO rankings causing long-term and sometimes irreversible harm to your website:
Watch out for Bad Bots
Bots represent a significant portion of your website traffic. But what are they exactly? Otherwise known as crawlers, spiders and web bots, they are responsible for running simple and structurally repetitive automated tasks on the internet. Most bots are typically benign and perform tasks at a much higher rate of speed as compared to humans.
Unfortunately, certain malicious bots exist that crawl websites for the purposes of data theft, identification of vulnerabilities and content scraping. At least 19 percent of and even if their attempts to attack your website prove unsuccessful, they can still cause lasting damage. When your website is subjected to frequent attacks from automated software, it can hinder the Googlebot from crawling your website properly. Over a prolonged period of time, this can sorely affect your keyword rankings and website traffic, and nobody wants that! That’s why we insist on identifying the source of your malicious traffic and blocking their access.
Get Hacked, Get Flagged
Falling prey to malicious software can result in plummeting keyword rankings and SERPs as well as attracting manual penalties from Google. With the creative new ways in which attacks are being carried out and the alarming increase in frequency, detecting these attacks is also becoming more difficult. Oddly enough, 90 percent of infected websites aren’t even flagged! This means that websites could continually be targeted without the knowledge of the website owner. A quote by cybersecurity specialist Misha Glenny goes like this: “There are two types of companies in the world: those that know they’ve been hacked, and those that don’t!”
Having your website blacklisted or flagged obliterates your hard-earned rankings and essentially destroys your website and its reputation. The scariest part is that websites lose about 95 percent of their rankings once they are blacklisted by Google! Thus, we always urge organizations to focus on prevention rather than a “cure.”
A Spammy Problem
Perhaps the most dangerous of all, a website that isn’t protected by the necessary security measures can easily fall prey to SEO spam. What is SEO spam and why should you worry about it? Also known as spamdexing, SEO spam occurs when hackers target websites to manipulate and fraudulently boost rankings in search engines. Sucuri’s Website Hack Trend Report of 2018 found that 51 percent of last year’s website hacks were related to SEO spam. These types of campaigns were up 7.3 percent from 2017, making them the fastest growing family of hackers last year.
Unfortunately, this form of attack is difficult to detect and has a strong economic engine that is driven by impression-based affiliate marketing. What does this mean? Simply put, hackers try to abuse and take advantage of site rankings in order to monetize on affiliate marketing and other blackhat techniques. This is one of the most-used methods known as Search Engine Poisoning (SEP) and such attacks lead to something known as Dirty SEO.
Websites impacted by SEO spam often become infected with spam content or redirect visitors to spam-specific pages. Unwanted content is regularly found in the form of ad placements and injected content for other popular industries such as entertainment or fashion. Hence, not taking the essential steps to maintain your website security can leave it vulnerable and exposed to some of the most commonly known SEO spam tactics, which include the following:
- Building hundreds and thousands of spammy back-links to your website
- Redirecting pages on your website to other websites
- Copying your website content and fraudulently distributing it all over the internet
- Destroying your website’s best back-links
The threats discussed above are scary enough to make any website owner take their security very seriously. The intention behind carrying out these nefarious activities is pretty straightforward: to deliberately manipulate search engine indexes through link spam or content spam, so that websites can rank higher in SERPs than they normally would. Hoping that you’re fully convinced, here’s how you identify if your website security has been compromised or is at risk of getting there.
Wait, What? Did I Just Get Hacked?
A study by GoDaddy found that 73.9 percent of hacked sites are hacked for SEO purposes! We’ll let you in on a little secret: 100 percent security is a myth! This means that even if you’re positively sure you’ve done everything by the book, you could still be at risk if your precautionary measures aren’t regularly updated.
So how and when do you know that the dreaded event has occurred? Most website owners discover that their website’s security has been breached upon seeing Google’s Red Screen of Death. This could be dangerous because it means that your website has been infected with malware for quite some time which could have inevitably damaged its reputation. We’ve taken the liberty of listing down all the top ways to spot whether your website’s security has been compromised.
If Google Says It’s Bad, It Probably Is
The most obvious sign that your website may be compromised is if a warning message greets visitors to your website. If you see this message, the first thing you should do is confirm whether your website is hacked with Google’s Safe Browsing tool. Popular browsers such as Chrome, Firefox, and Safari display different types of alerts depending upon what kind of suspicious activity Google finds on your website, but they usually look similar to the one below. This indicates that your site is hosting malware; hackers have gained access and installed malware that could be infecting your website and potentially your visitors as well.
Why Am I Offline?
Website hosting companies regularly scan their servers for malicious code and are alerted to security breaches through their own automated tools. In some cases, they immediately disable compromised websites to contain the spread of malware to other websites on the server. Some of the reasons why your website could be taken offline are:
- Spam or phishing emails sent from your server
- Blacklisted website domain by Google, Norton Safe Web, etc.
- Malware code found on the server
- High CPU usage due to the presence of malicious script on your website
You’ve Got Mail!
In some cases, if the website is linked to Google Search Console, a sign of a website security breach might be that the organization receives a warning email from Google. Obviously, this means that Google has detected malicious code, suspicious spam content or has reason to believe that your website’s security has been compromised. The message from Google Search Console will look something like this:
Loading At Snail Speed?
Notice that your website has become extremely slow all of a sudden? Also, are you noticing that error messages keep popping up out of nowhere? In such cases, it is likely that malware is eating into your server’s resources. Typically, the targeted pages tend to be login, sign up, checkout and payment ones. If you have an inkling something’s off about your website, it probably is.
Hello Stranger: New, Unknown Admin Users and FTP Accounts
Finding new admin, database and FTP (File Transfer Protocol) users is a strong indicator of a website security breach. If you discover accounts that you definitely haven’t created, they were most probably created by hackers who probably have unauthorized access to your website and server.
Besides the major ones elaborated above, here are some other telltale signs that your website has been hacked:
- Malware scanner alerts
- Unexpected error messages in your error logs
- Recently modified core system files
- Ads and pop-ups on your website
- Redirections to compromised websites
- Web traffic spikes on non-existent pages
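One way to look for two of the signs discussed in this article, traffic spikes on non-existent pages and abusive bot traffic whose source you want to identify, in a web server access log. This is an added example, not code from the original article; it assumes the common "combined" access log format, and the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined log format:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_clients(lines, min_requests=5, min_404_ratio=0.8):
    """Return {ip: stats} for clients whose requests are mostly 404s.
    Both thresholds are assumptions for this example; tune them to your traffic."""
    total, missing, agents = Counter(), Counter(), defaultdict(set)
    for rec in parse(lines):
        total[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["agent"])
        if rec["status"] == "404":
            missing[rec["ip"]] += 1
    flagged = {}
    for ip, n in total.items():
        if n >= min_requests and missing[ip] / n >= min_404_ratio:
            flagged[ip] = {"requests": n, "not_found": missing[ip],
                           "agents": sorted(agents[ip])}
    return flagged

def hot_missing_paths(lines, top=3):
    """Most-requested paths that returned 404 (spikes on non-existent pages)."""
    counts = Counter(r["path"] for r in parse(lines) if r["status"] == "404")
    return counts.most_common(top)

# Constructed sample log: one ordinary visitor, one client hammering missing pages,
# and one malformed line that the parser must ignore.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Mar/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2019:10:00:09 +0000] "GET /missing HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Mar/2019:10:01:{s:02d} +0000] '
    f'"GET /shop/item-{s % 2}.html HTTP/1.1" 404 310 "-" "ExampleBot/1.0"'
    for s in range(6)
] + ["not a log line"]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
    print(hot_missing_paths(SAMPLE_LOG, top=2))
```

The flagged addresses are candidates for a closer look and, if confirmed as abusive, for a block rule in your firewall; verified search engine crawlers should be excluded before blocking.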
Last but not least, if a customer contacts you about their credit card information being stolen during a purchase on your website, it could signal trouble in the form of cybercriminals conducting fraudulent transactions. To be safe rather than sorry, we strongly encourage our clients to implement proactive security measures and mitigate any future security problems. Now that you’ve read and understood how to identify website security issues, your next reaction should be…
Yikes! How Do I Keep My Website Safe Then?
Regardless of whether you have taken basic security precautions or not, most websites experience an average of up to 58 attacks every single day! With web security breaches being such a common issue, how can companies ensure that their websites are safe and secure for users? If you hate hearing the phrase “I told you so,” we suggest you take these preventive measures to ensure that your website isn’t in harm’s way.
Go SSL or Go Home
In 2017, Google began tracking websites that had forms for users to fill but lacked a basic security feature known as the SSL certificate. So, what is SSL and why does your website need to have one? Simply put, Secure Sockets Layer is a standard security technology which helps establish a secure, encrypted link between a browser and a web server. It serves as an indicator for small businesses to communicate with their customers that they accept payments securely, protect password logins, and secure all their web forms. The certification helps to ensure that all the information passed between the two remains secure.
In case you don’t have one yet, here’s what you can do. First, determine what kind of SSL certificate you would need for your website. If you host content on multiple platforms on separate domains and subdomains, you may require different SSL certificates. The cost of SSL certificates may vary; custom certificates are readily available for a few hundred bucks.
Additionally, WordPress offers many plugins for website owners to obtain SSL certificates and install them. A few helpful plugins are Really Simple SSL, WP Force SSL, and Insecure Content Fixer, among others. Let’s Encrypt is another open-source, free and automated HTTPS provider that is also relatively simple to set up for tech-savvy folk.
HTTPS: Adapt or Suffer
Neil Patel’s study of over 10,000 top domains found that HTTPS was not working correctly in over 65 percent of them and over 90 percent had a sub-optimal HTTPS implementation. Today, more than half of the websites ranking organically on Google SERPs are HTTPS. Since HTTPS is a trust signal for users, it will inevitably impact people’s confidence in your website. Whether they’re logging in, making a payment, or simply entering their email address, having a URL that starts with “https” and a soothing grey padlock is enough for the average consumer to feel safe.
In order to perpetuate the industry-wide push to promote the use of encrypted HTTPS, Mozilla Firefox and Google Chrome deemed HTTP websites “Not secure” in 2017. Google also set a deadline for when it would start displaying explicit warnings to users about sites that weren’t secure.
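A small audit of what a "sub-optimal HTTPS implementation" can look like in practice, given as an added example that is not from the original article or the study it cites. The three checks (permanent redirect from HTTP, an HSTS header with a long max-age, no sub-resources loaded over plain HTTP) and the 180-day threshold are choices made for this example, and the responses are constructed rather than captured from a real site.

```python
import re
from html.parser import HTMLParser

MIN_HSTS_MAX_AGE = 15552000  # 180 days in seconds; threshold chosen for this example

class MixedContentFinder(HTMLParser):
    """Collects sub-resources (scripts, images, frames, stylesheets) loaded over http://."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> loads its resource from href; other tags load from src.
        # Plain <a href> links are navigation, not mixed content.
        url = attrs.get("href") if tag == "link" else attrs.get("src")
        if url and url.lower().startswith("http://"):
            self.insecure.append(url)

def audit_https(http_resp, https_resp):
    """Return findings for one site. Each response is a dict:
    {"status": int, "headers": {name: value}, "body": str}."""
    findings = []
    http_headers = {k.lower(): v for k, v in http_resp["headers"].items()}
    https_headers = {k.lower(): v for k, v in https_resp["headers"].items()}

    # 1. Plain HTTP should answer with a permanent redirect to an https:// URL.
    location = http_headers.get("location", "")
    if http_resp["status"] not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("http-no-permanent-redirect")

    # 2. The HTTPS response should carry HSTS with a long max-age.
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("hsts-max-age-too-short")

    # 3. The HTTPS page should not pull sub-resources over plain HTTP.
    finder = MixedContentFinder()
    finder.feed(https_resp["body"])
    findings.extend("mixed-content:" + url for url in finder.insecure)
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = {"status": 200, "headers": {}, "body": "<p>home</p>"}
WEAK_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"},
              "body": '<img src="http://example.com/logo.png"><a href="http://example.org/">partner</a>'}
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://example.com/"}, "body": ""}
GOOD_HTTPS = {"status": 200,
              "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
              "body": '<script src="/app.js"></script><img src="https://example.com/logo.png">'}

if __name__ == "__main__":
    print(audit_https(WEAK_HTTP, WEAK_HTTPS))
    print(audit_https(GOOD_HTTP, GOOD_HTTPS))
```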
Are Security Plugins the Answer to My Problems?
Older versions of plugins and extensions can leave your website exposed to security vulnerabilities that can cause website security breaches. What do security plugins do? For example, WordPress security plugins such as All in One, Sucuri Security and Wordfence can monitor and scan your website for potential security breaches. They also have firewall features that help block suspicious visitors permanently. It’s important to review, research, and update every plugin and script that you use. While it might be a little challenging to stay updated with the latest versions of the plugins, it definitely beats becoming an easy target.
Don’t Leave Home Without Updating Your Theme
Within the WordPress framework (one of the most commonly used frameworks in the world), 80 percent of websites are hacked simply because themes are not updated to match the latest security requirements. One of the best ways to secure your WordPress themes is to update them regularly. New WordPress improvements are constantly being released. These help significantly reduce potential security threats. Here, we’ll reiterate that it’s much easier to prevent security issues than to fix websites once they’ve been attacked. One of the ways to do so is to update your WordPress themes as soon as a new version is made available to users.
Google’s Got Your Back
Any mention of a solution to ensure website security is incomplete without talking about Google Search Console. For website owners, Google’s free webmaster tools offer invaluable resources that you should definitely take advantage of. This tool will help you improve your overall site performance by detecting issues that could prevent it from being displayed in organic search results or indexed by Google.
Setting up Google Search Console is a relatively simple process. You can access it by logging in with your Google account, but be sure to use the same one used for any other Search Console tools. When you’re logged in, look for the red button that says “Add a Property”. After this, Google will ask you to verify whether you’re the owner of the website. The easiest way to do this is to link your Google Analytics account with Google Search Console using your tracking code as your preferred method of verification. Once this is done, you’re good to go! You can now access all of Google Search Console’s features and functionalities to monitor your keyword rankings, traffic and security. Recently, Google has also added a ‘Security Issues’ tab in Search Console that will report harmful activities such as site hacks and malware.
Here are the best ways to use this useful and highly effective tool to your advantage:
- Check the owners who have access to Google Search Console
- Check spam backlinks
- Identify website security issues
- Check messages for malware or hacking alerts
- Check for manual action penalties
- Closely monitor all your keyword rankings for sudden drops
- Use URL Inspection for checking suspicious URLs
Is There Anything Else I Can Do?
We have already highlighted some of the main precautionary measures you can take above. Here’s a list of all the additional preventive measures that you might want to consider to avoid unpleasant surprises in the future:
- Keep your software updated
- Use a password manager or secure passwords and change them frequently
- Take a backup of your website regularly
- Invest in a malware scanner
- Be careful about who has access to your website
- Reduce website vulnerabilities
- Use a content delivery network (CDN)
- Monitor traffic surges
- Route traffic through a web application firewall
Ok, I Still Got Hacked. What Now?
So the inevitable happened. You did everything you could but your website still got hacked. Without saying “we told you so,” let’s dive headfirst into some quick fixes for maximum damage control.
- Stay calm!
- Take a back-up of the complete website
- Implement SSL certificate if not present
- Check core files of the website for hacked code, manually or using Sucuri
- Remove the malicious files and scripts
- Remove all unwanted plugins
- Add the necessary security plugins
- Change all the credentials for CMS, FTP, and cPanel
- Update the theme of the website
- Activate the firewall
- Remove all suspicious accounts and infected URLs from Google Search Console
- Scan for crawling errors
- Update your sitemap and resubmit it to Google using Google Search Console
- Implement HTTP Strict Transport Security (HSTS) through Sucuri
- Check messages on Google Webmasters
- Submit website to Search Console Security Issues for review once all the measures above have been implemented
- Wait and watch!
The Curious Case of the Japanese Hack
Imagine waking up one day to see thousands of Japanese spam pages connected to your website, causing you to lose all of your hard-earned top keyword rankings. Indeed, this is every website owner’s nightmare. Recently, one of our new B2B clients had their website hacked, just a few days after coming on board. Without an SSL certificate, the website fell prey to a Japanese SEO spam attack. The attack created auto-generated Japanese text on the client’s website. This caused several problems such as decreases in keyword rankings, service pages appearing in Japanese in SERPs, unwanted URLs and 404 redirects, all of which happened during the course of one weekend.
So what did we do? Akshat Bharani, Team Lead: SEO (pictured above), spearheaded the plan of action to counter the keyword hack. “Overcoming these types of challenges makes us stronger as a team of course, but the most vital aspect here is to take immediate action and safeguard the client’s interests. For me, the most gratifying moment is to hear the client express their relief and gratitude when we solve the technical challenges they face,” he says.
The first part of Akshat’s plan was for our IT team to activate the web-based Sucuri Firewall which thoroughly scanned the website from top to bottom. The IT team members also checked the core files of the project manually, where they discovered the corrupted code causing the hack and got rid of it. Some of the emergency measures taken by the team included:
- Updating the website theme
- Changing the usernames and passwords for CMS, FTP, and cPanel
- Installing security plugins like All-in-One
- Removing unnecessary plugins
Since hackers can target websites through plugins, it was necessary to update the website plugins immediately. Over the course of two months, GO MO Group succeeded in painstakingly reducing the number of additional spam pages from 1,100 down to zero, restoring the website to its original state. Currently, the issue has been resolved from our end and we’re patiently waiting while Google reindexes all the pages.
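A check for the kind of injected pages described in this case, useful for tracking a cleanup like the one above: it flags pages whose visible text is largely Japanese on a site that is not supposed to publish Japanese content. This is an added example, not the tooling GO MO Group used; it assumes the site's legitimate content is in another language, and the page contents, URLs and the 0.3 threshold are constructed for illustration.

```python
from html.parser import HTMLParser

# Hiragana, Katakana and CJK unified ideographs.
JP_RANGES = ((0x3040, 0x309F), (0x30A0, 0x30FF), (0x4E00, 0x9FFF))

class TextExtractor(HTMLParser):
    """Collects text a visitor or crawler would read, skipping script and style."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def japanese_ratio(html):
    """Share of letters in the page text (title included) that are Japanese script."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    letters = [c for c in "".join(parser.chunks) if c.isalpha()]
    if not letters:
        return 0.0
    jp = sum(1 for c in letters if any(lo <= ord(c) <= hi for lo, hi in JP_RANGES))
    return jp / len(letters)

def find_spam_pages(pages, threshold=0.3):
    """pages maps URL path -> HTML. Returns the paths at or above the threshold."""
    return sorted(url for url, html in pages.items()
                  if japanese_ratio(html) >= threshold)

# Constructed pages: two legitimate ones (one mentions a Tokyo office) and one
# auto-generated spam page of the kind the hack creates.
SAMPLE_PAGES = {
    "/services": "<html><head><title>Our Services</title><style>p{color:red}</style>"
                 "</head><body><p>B2B consulting and support.</p></body></html>",
    "/contact": "<html><body><p>Contact our Tokyo office (東京) by email.</p></body></html>",
    "/a1b2c3.html": "<html><head><title>激安 ブランド 通販</title></head><body>"
                    "<p>人気の商品を格安で販売しています</p>"
                    '<a href="/services">Services</a></body></html>',
}

if __name__ == "__main__":
    for path in SAMPLE_PAGES:
        print(path, round(japanese_ratio(SAMPLE_PAGES[path]), 2))
    print(find_spam_pages(SAMPLE_PAGES))
```

Run over the URLs in your sitemap and over URLs reported in Search Console, the list of flagged paths gives a number you can track down to zero during cleanup.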
Two Peas in a Pod: Website Security Directly Affects SEO
Security is an on-going process in this ever-evolving industry of SEO. Google’s Webmaster Blog has hinted at a fully secure web in the future: “As migrating to HTTPS becomes even easier, we’ll continue working towards a web that’s secure by default.” Other SEO factors are obviously important and will play a key role in your rankings, but if you prioritize improving the security elements of your website, then you’ll come out on top, literally!
Similar to a homeowner’s approach while setting up a security system, being proactive is the best strategy when dealing with website security. So whose responsibility is web security ultimately? It’s important to have your IT and SEO teams work closely to ensure that a proactive security strategy is in place and is frequently reviewed and updated.
Website security is an ever-expanding topic so we welcome all feedback and suggestions regarding our approach. Please get in touch with us if you have any input.