Search engine optimization (SEO) is a critical component in the success of your website. Most website owners focus on Google search engine ranking, but Bing has a strong presence in the market as well. Both search engines aim to provide relevant and safe results for their users. One aspect of keeping users safe is to ensure that the sites shown in results are secure.
For this reason, hacked sites, hacked servers, and sites hosting malware see a dramatic drop in ranking. The drop is usually noticed only after search engine referrals fall off, and by then it already means lost revenue. To avoid damage to ranking and revenue, you must monitor the site for hacked content and malicious files.
What is SEO?
Before getting into how poor security affects SEO, it's important to understand what SEO is and why it matters for website marketing. Modern search engines "crawl" your website to find its pages and index their content. "Crawling" is the work of automated bots (crawlers) that request pages from your website, usually discovering them from your sitemaps and from the internal links between your pages.
When a search engine crawls a page, several things happen. The exact ranking algorithms are kept secret, but Google says it uses over 200 factors to evaluate content. Your content should be relevant to the search query, include a call to action that tells users what to do next, and avoid blackhat methods that frustrate users or threaten their security. Because malware and hacked content do both, search engines actively look for malicious content and files.
If a search engine detects malicious content on a site, it applies an automatic penalty. The site's ranking drops far behind competing pages so that users are unlikely to come across the malicious pages in results. For serious issues, search engines remove all of the site's pages from results and message the site owner that the site contains malware.
Browsers such as Chrome and Firefox show a red interstitial warning when a site has been flagged for malware. If an SSL/TLS certificate is expired or misconfigured, they warn that the connection is not private and could be intercepted. A host of other problems exist outside of search ranking: your site could contain cross-site scripting (XSS) vulnerabilities that let attackers inject script and skim credit card numbers, it could conditionally redirect users to a phishing site, or it could simply host malware downloads that attackers point victims at to compromise their devices.
Any hosted malicious content is a threat to end users, so search engines protect them by making the site hard to reach. This protects users, but it is devastating for the site's bottom line. Sites that depend heavily on search traffic can see an extreme drop in readership and revenue.
How does website security affect SEO?
Cleaning up a hacked site is much harder than fixing ordinary bugs. First you must find the injected code, then you must close the vulnerability so the site cannot be reinfected through the same hole. Only after the site is fully clean does the real work begin: working out how the hacked content affected your SEO so you can remedy the damage.
If you were notified that the site was hacked and search engines removed it from results, you can request a review and tell them the hacked content has been removed. Once the site is clean, search engines crawl it again to reindex and re-evaluate the content. If it is not fully cleaned, it stays deindexed.
The troubles after being caught with hacked content can persist for months. The first is loss of customer trust. If customers see warnings that your site is hacked, they may turn to competitors to buy. New visitors may assume the site is malicious, and when they bounce to a similar site that potential customer may be lost for good.
The second is loss of ranking trust. It can take months to reclaim search ranking after losing it to a hack. Even after your site is clean and reindexed, you must wait to regain trust and ranking before the revenue loss can be repaired.
How to keep your website secure
Unless the attacker announces themselves, most hacked content is hidden from the site owner: the attacker conceals the compromise to get the most out of it. Conditional redirects, injected content, or malicious files can sit on a site silently without the webmaster noticing, but there are ways to detect them. Here are a few ways to protect your site and to tell whether it has been compromised.
Install SSL/TLS certificate
Encrypted traffic is now the norm on the internet, which was not the case a decade ago. Encryption used to be expected only for financial transactions, but people are now more concerned about privacy and security in general. Search engines therefore look for signals that a site follows security best practice, and one of them is serving the whole site over SSL/TLS so that all communication is encrypted. Search engines use HTTPS as a ranking signal.
SSL/TLS certificates expire, so set up notifications that tell you when renewal is due, or automate the renewal. If the certificate expires, visitors see a browser warning instead of your site. Search engines also downgrade a site whose certificate is invalid or misconfigured, so test the certificate regularly in a browser, including that the full chain is served and that it covers every hostname you use.
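The check described above, as an added example that is not part of the original article: a small Python script using only the standard library. expiry_status() works on the dictionary shape that ssl's getpeercert() returns, so it can be run offline against the constructed SAMPLE_CERT record; check_site() performs a live connection with the same verification a browser does (chain and hostname). The 14-day warning window, the sample dates and the hostname are assumptions.

```python
"""Check TLS certificate validity and expiry (added example, stdlib only)."""
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumed: start alerting two weeks before expiry

# Constructed record in the shape returned by SSLSocket.getpeercert();
# this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}


def expiry_status(cert, now=None, warn_days=WARN_DAYS):
    """Classify a getpeercert()-style dict.

    Returns (status, days_left) where status is one of 'not_yet_valid',
    'expired', 'expiring' or 'ok'. Dates use the OpenSSL text format that
    ssl.cert_time_to_seconds understands, e.g. 'Jun  1 12:00:00 2025 GMT'.
    """
    if now is None:
        now = time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)  # negative once expired
    if now < not_before:
        return "not_yet_valid", days_left
    if now > not_after:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def subject_cn(cert):
    """Pull the commonName out of the nested subject tuples."""
    return dict(rdn[0] for rdn in cert.get("subject", ())).get("commonName", "")


def check_site(hostname, port=443, warn_days=WARN_DAYS, timeout=5.0):
    """Connect, verify chain and hostname like a browser, report expiry.

    An expired, misnamed or untrusted certificate raises
    ssl.SSLCertVerificationError here, the same condition that makes a
    browser show its warning page.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    status, days = expiry_status(cert, warn_days=warn_days)
    return status, days, subject_cn(cert)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    try:
        print("%s: %s (%d days left, CN=%s)" % ((host,) + check_site(host)))
    except ssl.SSLCertVerificationError as exc:
        print("%s: certificate REJECTED: %s" % (host, exc.verify_message))
```

Run it from cron against each hostname you serve and alert when the status is anything other than ok; the verification error branch catches the misconfigurations (wrong name, missing intermediate, untrusted issuer) that an expiry date alone would not reveal.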
Check for X-Content-Type-Options and Content-Security-Policy headers
When your web server responds to a request, it includes headers that give the browser instructions. X-Content-Type-Options and Content-Security-Policy are two security headers that help stop attacks such as cross-site scripting (XSS) and other malicious code injection.
The X-Content-Type-Options header with the "nosniff" directive stops browsers from MIME sniffing, that is, guessing a response's type from its bytes and treating it as something more dangerous than the server declared. Without it, an attacker who can get a file onto the site that looks like an image or plain text but contains script, or get it served with a loose Content-Type, could have the browser run it as script or render it as HTML, enabling XSS. The Content-Type response header describes the content (e.g., text/html), but some browsers sniff and override it. Setting X-Content-Type-Options to "nosniff" tells the browser to adhere strictly to the declared type.
The following CSP tells the browser that resources of every type (scripts, styles, images, frames and so on) may be loaded only from the page's own origin. Because 'unsafe-inline' is absent, inline script blocks and event handlers are blocked as well, which is what defeats most injected XSS payloads:
Content-Security-Policy: default-src 'self'
The following CSP additionally trusts the external domain "mydomain.com" and all of its subdomains. Both host patterns are needed: mydomain.com does not match its subdomains, and *.mydomain.com does not match the bare domain. Because the directive is default-src, the trust applies to every resource type, not just scripts; to widen trust for scripts alone, put the extra hosts in script-src instead:
Content-Security-Policy: default-src 'self' mydomain.com *.mydomain.com
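A quick way to audit both headers on your own pages, as an added example that is not code from the original article: audit_headers() takes a dictionary of response headers and returns findings, and fetch_headers() retrieves them from a live URL. The baseline it enforces (nosniff present; a script policy that comes from script-src or falls back to default-src and contains no 'unsafe-inline', 'unsafe-eval', wildcard or scheme-only source; object-src restricted) is an assumption about a sensible minimum, and the two sample header sets are constructed.

```python
"""Audit X-Content-Type-Options and Content-Security-Policy (added example)."""
import urllib.request

# Sources that, if allowed for scripts, let an injected payload run anyway.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# Constructed sample responses: one that passes, one with common mistakes.
GOOD_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
}
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' *.mydomain.com",
}


def parse_csp(policy):
    """Turn "default-src 'self'; script-src a b" into {'default-src': ["'self'"], ...}.

    Directive names are case-insensitive, and browsers honour only the
    first occurrence of a repeated directive, so later duplicates are ignored.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means both headers pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    xcto = h.get("x-content-type-options", "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff' (got %r)" % xcto)

    csp = h.get("content-security-policy")
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only: violations are logged, nothing is blocked")
        else:
            findings.append("Content-Security-Policy header missing")
        return findings

    directives = parse_csp(csp)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("CSP sets neither script-src nor default-src: scripts unrestricted")
    else:
        weak = sorted(WEAK_SCRIPT_SOURCES & {s.lower() for s in script_src})
        if weak:
            findings.append("script sources allow %s, which defeats XSS protection" % ", ".join(weak))
    if "object-src" not in directives and "default-src" not in directives:
        findings.append("object-src unrestricted: plugin content can load from anywhere")
    return findings


def fetch_headers(url, timeout=5.0):
    """Fetch response headers for a live URL (HEAD request)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or ["no findings"])
```

Point fetch_headers at a few representative pages rather than only the home page: a CMS often sets headers per template, and an upload or admin path is where a missing nosniff hurts most.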
Check content for hidden Pharma spam
Attackers use CSS to hide content on a page. For example, an attacker might inject pharma links inside a div whose visibility is set to hidden or whose display is set to none. When search engines crawl the page, their bots see the content, but humans viewing the page in a browser do not. You could hunt for it by viewing each page's source in the browser, but there is an easier way using the search engine itself.
Because search engines crawl and index hidden content, you can use them to find pharma hacks on your own site. Combine the "site" operator with the "intext" operator in Google. For example, with "yoursite.com" replaced by your own domain, search for:
site:yoursite.com intext:cialis
Google then lists every indexed page on yoursite.com that contains the text "cialis." If pages show up, open them and view the page source in the browser; the injected content should be there, unless the attackers have gone a step further and show it only conditionally.
In some cases, attackers show malicious content only to specific visitors, usually based on the Referer or User-Agent header. If you type your site's address into the browser, the content does not appear, which hides it from owners who check their site that way; if a visitor arrives by clicking a Google result, it does. Some attackers show injected links only when the User-Agent is Googlebot, so the links appear to Google's crawler and nobody else. If this is happening, the site's .htaccess file (or equivalent server configuration) has likely been modified to rewrite or redirect based on those headers.
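The two checks above can be automated. The following Python script is an added example, not code from the original article: HiddenContentScanner walks a page with the standard-library HTML parser and collects text and links inside elements hidden by inline CSS (display:none, visibility:hidden, opacity:0, off-screen positioning) or the HTML hidden attribute, and find_hidden_spam() flags those that mention a spam keyword. fetch_variants() requests the same URL with the header combinations a cloaking script typically keys on (direct visit, Google referrer, Googlebot user agent) and runs the scan on each, so content that appears in one variant but not another stands out. The keyword list, the header combinations and SAMPLE_PAGE are constructed assumptions, and the scanner assumes reasonably well-formed markup.

```python
"""Detect hidden and cloaked spam content in HTML (added example)."""
import re
import urllib.request
from html.parser import HTMLParser

SPAM_KEYWORDS = ("cialis", "viagra", "casino", "payday loan")  # assumed list

# Inline styles that hide an element or push it off-screen.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|text-indent\s*:\s*-\d{3,}|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # never pushed on the stack

# Header sets a cloaking script commonly distinguishes (assumed).
VARIANTS = {
    "direct": {},
    "from-google": {"Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}

# Constructed page: one hidden pharma block, one harmless hidden note, one off-screen link.
SAMPLE_PAGE = """<html><body>
<h1>Garden Supplies</h1>
<p>Welcome to our store.</p>
<div style="display:none">
  <a href="http://example.net/buy">cheap cialis online</a>
  <a href="http://example.net/vg">viagra</a>
</div>
<p style="visibility: hidden">Seasonal notice (hidden on purpose, no spam)</p>
<div style="position:absolute; left:-9999px"><a href="http://example.org/c">Casino bonus</a></div>
</body></html>"""


class HiddenContentScanner(HTMLParser):
    """Collect text and links inside hidden elements, one block per hidden root."""

    def __init__(self):
        super().__init__()
        self.stack = []    # one bool per open element: is it (or an ancestor) hidden?
        self.blocks = []   # {'tag', 'text', 'links'} for each outermost hidden element
        self.current = None

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = "hidden" in attrs or bool(HIDING_STYLE.search(attrs.get("style") or ""))
        inside = bool(self.stack and self.stack[-1])
        self.stack.append(hidden or inside)
        if hidden and not inside:  # new outermost hidden element
            self.current = {"tag": tag, "text": [], "links": []}
            self.blocks.append(self.current)
        if self.stack[-1] and tag == "a" and attrs.get("href"):
            self.current["links"].append(attrs["href"])

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        self.stack.pop()
        if not (self.stack and self.stack[-1]):
            self.current = None

    def handle_data(self, data):
        if self.stack and self.stack[-1] and self.current is not None:
            self.current["text"].append(data.strip())


def find_hidden_spam(html, keywords=SPAM_KEYWORDS):
    """Return hidden blocks whose text or link targets mention a keyword."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for block in scanner.blocks:
        text = " ".join(t for t in block["text"] if t)
        haystack = (text + " " + " ".join(block["links"])).lower()
        matched = [k for k in keywords if k in haystack]
        if matched:
            hits.append({"tag": block["tag"], "keywords": matched,
                         "links": block["links"], "text": text[:120]})
    return hits


def fetch_variants(url, variants=VARIANTS, timeout=10.0):
    """Fetch url once per header set and scan each; cloaked spam shows in some only."""
    results = {}
    for name, extra in variants.items():
        req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **extra})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
        results[name] = find_hidden_spam(body)
    return results


if __name__ == "__main__":
    for hit in find_hidden_spam(SAMPLE_PAGE):
        print(hit)
```

If the googlebot variant returns hits that the direct variant does not, inspect .htaccess (and any included configuration) for RewriteCond rules on %{HTTP_USER_AGENT} or %{HTTP_REFERER}, and compare every PHP file's modification time against your last legitimate deployment.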
Check for cloaked URL redirects
Conditional URL redirects are similar to hidden content: the attacker redirects only visitors who arrive from a search engine. This hides the compromise from the site owner and tricks users into believing the search engine sent them to the right site. Most users do not check the domain in the address bar, so it is an effective phishing technique.
Sites that redirect users based on a query string parameter are vulnerable to a related attack, the open redirect, if they do not restrict the destination to an allowlist of approved domains. It is common, for example, to send users to a particular page after they log in, with the destination carried in a query string parameter. Attackers craft a link to your legitimate site with that parameter pointing at their own page, so the victim clicks a link on your domain and lands on the attacker's.
Malicious redirects feed phishing and identity theft, so search engines detect phishing destinations and warn users before they reach them, both in results and in the browser. Always check redirect destinations against an allowlist of approved domains (or allow only relative paths on your own site) whenever the destination comes from a query string value, or from any user-controlled input for that matter.
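The vulnerable redirect-after-login pattern described above beside its allowlisted fix, as an added example that is not code from the original article. unsafe_redirect_target() trusts the parameter as-is; safe_redirect_target() returns only a same-site path or an https URL to an allowlisted host and otherwise falls back to a fixed landing page. It also covers the inputs that usually slip past a naive check: scheme-relative //host, backslashes (which browsers treat as slashes), userinfo tricks like https://yoursite@evil, and non-http schemes. The parameter name, allowlist and test URLs are assumptions.

```python
"""Open redirect: the vulnerable pattern and an allowlisted fix (added example)."""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}  # assumed allowlist
DEFAULT_LANDING = "/account"                               # assumed fallback


def unsafe_redirect_target(next_param):
    """Vulnerable: whatever ?next= says is where the user goes, so a link to
    https://yoursite/login?next=https://evil.example/login phishes your users."""
    return next_param or DEFAULT_LANDING


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return a redirect target that stays on this site or an allowlisted host."""
    if not next_param:
        return default
    # Browsers turn backslashes into slashes and strip control characters;
    # rather than normalise, reject anything containing them (or whitespace).
    if any(c == "\\" or ord(c) < 0x21 for c in next_param):
        return default
    parts = urlparse(next_param)
    if not parts.scheme and not parts.netloc:
        # Same-site path: exactly one leading slash. '//evil.example' is
        # scheme-relative and would leave the site, so it is excluded here.
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return default
    # Absolute URL: https only, host on the allowlist. .hostname strips userinfo
    # and port, so 'https://www.example.com@evil.example' yields 'evil.example'.
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return next_param
    return default


if __name__ == "__main__":
    for candidate in ("/orders/42", "//evil.example/", "https://www.example.com@evil.example/",
                      "/\\evil.example", "javascript:alert(1)", "https://shop.example.com/cart"):
        print("%-45s unsafe=%-40s safe=%s" % (candidate, unsafe_redirect_target(candidate),
                                               safe_redirect_target(candidate)))
```

Prefer the same-site-path branch alone where you can; the host allowlist exists for the cases (a separate checkout or login domain) where an absolute destination is genuinely required, and every entry in it should be a host you control.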
Install security plugins
WordPress powers a large share of sites on the internet, so it is a favorite target for attackers. They write scripts that probe WordPress sites for SQL injection, XSS, code injection, malicious redirects, and many other flaws. WordPress core is generally secure, but site owners add plugins that unknowingly introduce vulnerabilities. Once attackers find an exploitable flaw in a plugin, they script scans of the internet for sites running the vulnerable version and compromise them automatically.
WordPress security plugins help detect and stop these attacks. They do not guarantee that the site will never be hacked, but they block brute-force login attempts, SQL injection, directory traversal, malware uploads, and more. Combined with the other steps described here, they reduce the chance of a compromise and protect your search ranking.
Keep software updated
One common reason websites get hacked is outdated software. After installing WordPress, you cannot leave it unattended and unmaintained; an unpatched install will eventually be compromised. WordPress core is updated regularly, and those updates include security patches. Core is generally secure, but plugins often are not.
Before installing a plugin, check that its developer actively maintains and updates it. As researchers find security flaws, developers patch their code to remediate them. If a plugin is abandoned, its vulnerabilities remain on your site unless you patch the code yourself, so choose plugins whose developers take security reports seriously.
Follow password complexity and length guidelines
When you set up your site and install WordPress, you are prompted for an administrator password. Weak passwords leave the site open to brute-force attacks. Security plugins help mitigate those attacks, but you should not rely on them to protect an administrator account that has a weak password.
Passwords should follow length and complexity rules. Use at least 10 characters, and remember that a 10-character password of only lowercase letters is still weak: include numbers, uppercase letters and special characters, and longer is stronger still. If you have trouble remembering complex passwords, store them in a password manager.
Install a full security solution
Security plugins stop some attacks, but they cannot fully monitor a site for ongoing threats and suspicious activity. They are mostly available for content management systems such as WordPress and not for a custom application running on your own server. For full monitoring and protection, you need software that can oversee the server as a whole as well as the website.
The benefit of a Linux malware scanner is that you find threats before search engines do. These scanners often clean injected code automatically or alert administrators to signs that the server has been compromised, so administrators can act quickly, identify the vulnerability that was exploited, and preserve the site's ranking.
Attackers have many ways to exploit a web server and the applications it hosts. To preserve ranking and search engine trust in a domain, server administrators should run a full solution such as Imunify360 that detects, blocks, cleans, and logs attacks on hosted web applications. Instead of reacting after SEO has already suffered, Imunify360 helps you proactively stop exploits, injected pharma links, hacked content, conditional redirects, and the many other web threats that harm websites and damage reputations.