Security | READING TIME: 14 MINUTES | December 10, 2021

Better Secure than Sorry: Safeguard Your Website & SEO Rankings

A recent consumer survey conducted by HubSpot Research across the UK, U.S. and Australia found that up to 85 percent of users would leave a website that isn’t secure. What does the word “secure” really mean in this context? Usually, when a company claims that its website is secure, it implies that the website can be considered trustworthy and is protected using tools such as an SSL (Secure Sockets Layer) certificate, encryption, firewalls, and plugins. What is the main purpose of these security tools? Such tools are meant to safeguard personal user information.

So, why is website security so important? As of December 2018, there are 1.94 billion websites and the number of internet users has crossed 4.1 billion worldwide. It will come as no surprise that these figures are set to skyrocket in the coming years, with more than 1.92 billion expected online purchases and over 5 billion Google searches happening every single day! Considering the exponential market growth and opportunities, do you really want to turn away visitors that show up at your virtual doorstep?

Additionally, while an insecure website will drive users away, lack of security will also have a severe effect on your rankings, thereby reducing your website’s traffic. Web security must be an essential and consistent part of your website’s SEO and digital marketing strategy. One of the big indicators of the importance of website security was presented in 2014. Approximately five years ago, Webmaster Analysts announced that migrating your website to HTTPS (Hypertext Transfer Protocol Secure) from HTTP had become a ranking signal in Google’s ever-changing search algorithm.

As a company, we have understood the importance of having a secure and effective website. Our SEO and IT teams continuously work on implementing necessary strategies to create and maintain secure, SEO-optimized websites for our clients. Here are a few tips and strategies for you to ensure that your organization doesn’t lose out on potential visitors!

Are My SEO Rankings in Jeopardy?

With the recent buzz surrounding GDPR, personal data theft, and website hacks, internet users are more conscious about how they interact with different websites. They’re now aware that their sensitive information could be at risk each time they surf the web. Naturally, websites with higher credibility and security will drive more traffic as a result of top Google keyword rankings. An evident question you might ask yourself at this point is: how is web security related to SEO rankings?

Websites impacted by SEO spam often become infected with spam content or redirects visitors to spam-specific pages. Unwanted content is regularly found in the form of ad placements and injected content for other popular industries such as entertainment or fashion. Hence, not taking the essential steps to maintain your website security can leave it vulnerable and exposed to some of the most commonly known SEO spam tactics which include the following:

  • Building hundreds and thousands of spammy back-links to your website
  • Redirecting pages on your website to other websites
  • Copying your website content and fraudulently distributing it all over the internet
  • Destroying your website’s best back-links

The threats discussed above are scary enough to make any website owner take their security very seriously. The intention behind carrying out these nefarious activities is pretty straightforward: to deliberately manipulate search engine indexes through link spam or content spam, so that websites can rank higher in SERPs than they normally would. Hoping that you’re fully convinced, here’s how you identify if your website security has been compromised or is at risk of getting there.

Wait, What? Did I Just Get Hacked?

A study by GoDaddy found that 73.9 percent of hacked sites are hacked for SEO purposes! We’ll let you in on a little secret: 100 percent security is a myth! This means that even if you’re positively sure you’ve done everything by the book, you could still be at risk if your precautionary measures aren’t regularly updated.

So how and when do you know that the dreaded event has occurred? Most website owners discover that their website’s security has been breached upon seeing Google’s Red Screen of Death. This could be dangerous because it means that your website has been infected with malware for quite some time which could have inevitably damaged its reputation. We’ve taken the liberty of listing down all the top ways to spot whether your website’s security has been compromised.

If Google Says Its Bad, It Probably Is

The most obvious sign that your website may be compromised is if a warning message greets visitors to your website. If you see this message, the first thing you should do is confirm whether your website is hacked with Google’s Safe Browsing tool. Popular browsers such as Chrome, Firefox, and Safari display different types of alerts depending upon what kind of suspicious activity Google finds on your website, but they usually look similar to the one below. This indicates that your site is hosting malware; hackers have gained access and installed malware that could be infecting your website and potentially your visitors as well.

Why Am I Offline?

Website hosting companies regularly scan their servers for malicious code and are alerted to security breaches through their own automated tools. In some cases, they immediately disable compromised websites to contain the spread of malware to other websites on the server. Some of the reasons why your website could be taken offline are:

  • Spam or phishing emails sent from your server
  • Blacklisted website domain by Google, Norton Safe Web, etc
  • Malware code found on the server
  • High CPU usage due to the  presence of malicious script on your website

You’ve Got Mail!

In some cases, if the website is linked to Google Search Console, a sign of a website security breach might be that the organization receives a warning email from Google. Obviously, this means that Google has detected malicious code, suspicious spam content or has reason to believe that your website’s security has been compromised. The message from Google Search Console will look something like this:

Loading At Snail Speed?

Notice that your website has become extremely slow all of a sudden? Also, are you noticing that error messages keep popping up out of nowhere? In such cases, it is likely that malware is eating into your server’s resources. Typically, the targeted pages tend to be login, sign up, checkout and payment ones. If you have an inkling something’s off about your website, it probably is.

Hello Stranger: New, Unknown Admin Users and FTP Accounts

Finding new admin, database and FTP (File Transfer Protocol) users is a strong indicator of website security. If you discover accounts that you definitely haven’t created, they’re most probably created by hackers who probably have unauthorized access to your website and server.

Besides the major ones elaborated above, here are some other telltale signs that your website has been hacked:

  • Malware scanner alerts
  • Odd looking JavaScript in your website code
  • Unexpected error messages in your error logs
  • Recently modified core system files
  • Ads and pop-ups on your website
  • Redirections to compromised websites
  • Web traffic spikes on non-existent pages

Last but not least, if a customer contacts you about their credit card information being stolen during a purchase on your website, it could signal trouble in the form of cybercriminals conducting fraudulent transactions. To be safe rather than sorry, we strongly encourage our clients to implement proactive security measures and mitigate any future security problems. Now that you’ve read and understood how to identify website security issues, your next reaction should be…

Yikes! How Do I Keep My Website Safe Then?

Regardless of whether you have taken basic security precautions or not, most websites experience an average of up to 58 attacks every single day! With web security breaches being such a common issue, how can companies ensure that their websites are safe and secure for users? If you hate hearing the phrase “I told you so,” we suggest you take these preventive measures to ensure that your website isn’t in harm’s way.

Go SSL or Go Home

In 2017, Google began tracking websites that had forms for users to fill but lacked a basic security feature known as the SSL certificate. So, what is SSL and why does your website need to have one? Simply put, Secure Sockets Layer is a standard security technology which helps establish a secure, encrypted link between a browser and a web server. It serves as an indicator for small businesses to communicate with their customers that they accept payments securely, protect password logins, and secure all their web forms. The certification helps to ensure that all the information passed between the two remains secure

Watch the following video to know everything about SSL and why your website needs it:

In case you don’t have one yet, here’s what you can do. First, determine what kind of SSL certificate you would need for your website. If you host content on multiple platforms on separate domains and subdomains, you may require different SSL certificates. The cost of SSL certificates may vary; custom certificates, are readily available for a few hundred bucks.

Additionally, WordPress offers many plugins for website owners to obtain SSL certificates and install them. A few helpful plugins are Really Simple SSL, WP Force SSL, and Insecure Content Fixer, among others. Let’s Encrypt is another open-source, free and automated HTTPS provider that is also relatively simple to set up for tech-savvy folk.

HTTPS: Adapt or Suffer

Neil Patel’s study of over 10,000 of top domains found that HTTPS was not working correctly in over 65 percent of them and over 90 percent had a sub-optimal HTTPS implementation. Today, more than half of the websites ranking organically on Google SERPs are HTTPS. Since HTTPS is a trust signal for users, it will inevitably impact people’s confidence in your website. Whether they’re logging in, making a payment, or simply entering their email address, having a URL that starts with “https” and a soothing grey padlock is enough for the average consumer to feel safe.

In order to perpetuate the industry-wide push to promote the use of encrypted HTTPS,  Mozilla Firefox and Google Chrome deemed HTTP websites “Not secure”  in 2017. Google also set a deadline for when it would start displaying explicit warnings to users about sites that weren’t secure.

Wondering why your website has been flagged “Not Secure” in Google Chrome? Learn more here:

Are Security Plugins the Answer to My Problems?

Older versions of plugins and extensions can leave your website exposed to security vulnerabilities, that can cause website security breaches. What do security plugins do? For example, WordPress security plugins such as All in OneSucuri Security and Wordfence can monitor and scan your website for potential security breaches. They also have firewall features that help block suspicious visitors permanently. It’s important to review, research, and update every plugin and script that you use. While it might be a little challenging to stay updated with the latest versions of the plugins, it definitely beats becoming an easy target.

Don’t Leave Home Without Updating Your Theme

Within the WordPress framework (one of the most commonly used frameworks in the world), 80 percent of websites are hacked simply because themes are not updated to match the latest security requirements. One of the most optimal ways to secure your WordPress themes is to update them regularly. New WordPress improvements are constantly being released. These help significantly reduce potential security threats. Here, we’ll reiterate that it’s much easier to prevent security issues rather than fix websites once they’ve been attacked. One of the ways to do so is to update your WordPress themes immediately as the new version is made available to users.

Google’s Got Your Back

Any mention of a solution to ensure website security is incomplete without talking about Google Search Console. For website owners, Google’s free webmaster tools offer invaluable resources that you should definitely take advantage of. This tool will help you do everything improving your overall site performance by detecting issues that could prevent it from being displayed in organic search results or indexed by Google.

Setting up Google Search Console is a relatively simple process. You can access it by logging in with your Google account, but ensure to use the same one used for any other Search Console tools. When you’re logged in, look for the red button that says “Add a Property”. After this, Google will ask you to verify whether you’re the owner of the website. The easiest way to do this is to link your Google Analytics account with Google Search Console using your tracking code as your preferred method of verification. Once this is done, you’re good to go! You can now access all of Google Search Console’s features and functionalities to monitor your keyword rankings, traffic and security. Recently, Google has also added a ‘Security Issues’ tab in Search Console that will report harmful activities such as site hacks and malware.

Get help for hacked websites with Google Search Console here:

Here are the best ways to use this useful and highly effective tool to your advantage:

  • Check the owners who have access to Google Search Console
  • Check spam backlinks
  • Identify website security issues
  • Check messages for malware or hacking alerts
  • Check for manual action penalties
  • Closely monitor all your keyword rankings for sudden drops
  • Use URL Inspection for checking suspicious URLs

Is There Anything Else I Can Do?

We have already highlighted some of the main precautionary measures you can take above. Here’s a list of all the additional preventive measures that you might want to consider to avoid unpleasant surprises in the future:

  • Keep your software updated
  • Use a password manager or secure passwords and change them frequently
  • Take a backup your website regularly
  • Invest in a malware scanner
  • Be careful about who has access to your website
  • Reduce website vulnerabilities
  • Use a content delivery network (CDN)
  • Monitor traffic surges
  • Route traffic through a web application firewall

Ok, I Still Got Hacked. What Now?

So the inevitable happened. You did everything you could but your website still got hacked. Without saying “we told you so,” let’s dive headfirst into some quick fixes for maximum damage control.

  • Stay calm!
  • Take a back-up of the complete website
  • Implement SSL certificate if not present
  • Check core files of the website for hacked code, manually or using Sucuri
  • Remove the malicious files and scripts
  • Remove all unwanted plugins
  • Add the necessary security plugins
  • Change all the credentials for CMS, FTP, and C-Panel
  • Update the theme of the website
  • Activate the firewall
  • Remove all suspicious accounts and infected URLs from Google Search Console
  • Scan for crawling errors
  • Update your sitemap and resubmit it to Google using Google Search Console
  • Implement HTTP Strict Transport protocol security by Sucuri
  • Check messages on Google Webmasters
  • Submit website to Search Console Security Issues for review once all the measures above have been implemented
  • Wait and watch!

The Curious Case of the Japanese Hack

Imagine waking up one day to see thousands of Japanese spam pages connected to your website causing you to lose all of your hard earned top keyword rankings. Indeed, this is every website owners nightmare. Recently, one of our new B2B clients had their website hacked, just a few days after coming on board. Without an SSL certificate, the website fell prey to a Japanese SEO spam attack. The attack created auto-generated Japanese text on the client’s website. This caused several problems such as decreases in keyword rankings, service pages appearing in Japanese in SERPs, unwanted URLs and 404 redirects, all of which happened during the course of one weekend.

About the author
Shweta Dabholkar Sr. Content Writer An aspiring novelist with several years of writing experience in digital marketing and SEO. BBA in Finance, PGD in International Business and Creative Writing, as well as an MA in English.
Contact us directly
Reza Ghazizadeh Client Success Manager Reza has' extensive" experience in digital marketing, IT, and complex business development. Leads SEO and Google Ads projects for big and small clients.

Meet the marketer

Discover the people behind our success in “Meet the Marketer” – a video series where we interview our own talented employees. Get to know the team that drives our innovation and creativity at GO MO Group.

Related insights

Industry-specific insights make a difference. We bring experience from over successful 100 client projects to each new case to develop and implement optimal digital marketing strategies for all of our clients.