When you think about optimizing your site for search engines, you probably have keywords, tags, content and competitor analysis at the top of your priority list.
Would you be surprised if I told you that security issues could pose at least as much ranking risk as careless keyword analysis, bad site organization, or a lack of structured markup?
This is not just speculation. We recently migrated and rescued a business site that had been severely compromised, and part of the fallout from the exploit was a nasty mess in the Google indexes that needed a cleanup.
Allow me to retrace our steps with you – and as we proceed from discovery to solution, I will offer some suggestions for keeping your website SEO-friendly and hack-free.
Alarm Bells Ring
One recent morning, we received a call from a client who was experiencing an unusual number of site errors, mainly in the 500-group. At the time we did not host the site and our access for troubleshooting was limited. They wanted to resolve the issue on their own, and after leaving them to it, we were informed they had found and fixed the problem.
Nevertheless, the site errors continued, and several days later, during a routine site index checkup, we ran across a strange anomaly. The site was not very large – probably 30-50 pages of content – but Google was suddenly reporting about 30,000 indexed pages on that domain.
Like It’s 1999
What we were seeing was what you might call an old-school cloaking hack. If you aren’t familiar with the term, it refers to exploiting a site so that the site looks the way it should to the average browser on the internet, but to search engine traffic, the site appears to be whatever the attacker would like (and it’s usually a spoof of a site loaded with links). This attack was more common in the early days of the Internet, and to some readers it might be a shock to find out that black-hat cloaking is still around.
On the Operating Table
When the client asked us for help, our first step was to determine the pathway to a more secure (hardened) site and a clean Google index. Here is what we did, stated briefly along with a few tips:
1. Determine site structure and components.
This may be a no-brainer if you built your site, but a tech will need to know if the site was built using a CMS / framework, and whether there are databases or other assets in use in addition to the files on the webserver.
Tip: Make sure that you or someone conversant with your business knows your site, what it’s made of, how it works and can get to it in an emergency.
2. If possible, locate and remove the exploit.
Whether this is feasible depends on too many factors to enumerate in one article. In some cases, the bad code will have been inserted obviously at an entry point to a CMS or web app (i.e., the primary index.php file). In most cases though, once a site has been exploited in a single location, the hackage multiplies, replicates and re-inserts itself at many other entry points, making any sort of ‘quick fix’ impossible.
For our client, the vector of attack seemed to be an old plugin that had not been updated by its author in over two years, and the ‘virus’ had multiplied too widely to be quickly removed.
Tip: Do all you can to avoid being exploitable. More on this below.
3. If necessary, do a large-scale clean-up (or restore from backup).
In the case at hand, this is what was ultimately required. The site was built on the WordPress framework and contained too many compromised files for a simple repair. Because of the extent of the damage, we had to rebuild the site and all of its plugins and components from the ground up. We also went through the site database by hand to ensure that no latent nefarious code was waiting for its opportunity to be accidentally triggered.
Tip: Keep regular, rotating (daily if possible) site and database backups. You never know when you will need access to something a few days or a couple of weeks old to save yourself a lot of troubleshooting/maintenance time if you find yourself on the receiving end of a cyber attack.
4. If appropriate, change the site environment.
In the process of this rescue operation, we migrated the site to one of our servers, where we could be more certain of the security settings and test more thoroughly for problems – that is, do better preventive maintenance.
If you have read this far, preventive maintenance to guard against SEO-punishing hacks is probably something you’re interested in. So please, read on:
After the Ordeal: Securing Your Site
If your site or app hasn’t been exploited, chances are that at some point you will. I’ll give you 5 ways to greatly reduce that chance:
- If your site uses a CMS/framework (such as WordPress, Joomla, Magento, or Rails), know the potential security issues specific to the framework and mitigate those first. If you can’t do this yourself, consider hiring a professional to handle this properly. Online security is a complex, changing field and requires a lot of time and skill to keep up.
- Keep your site components/plugins and your server software up-to-date. These days, up-to-date means checking weekly or every few days in some cases. If there’s old code running on your site that will no longer be patched for security, find its replacement. If you don’t run your server, make sure your host has optimized their configuration with security in mind.
- Make sure that file permissions on your site are set as strictly as possible while allowing the site to function.
- If your site has user and/or administrator logins, do not use common names for these (and the admin side) and enforce a high (>8) password length and a significant level of password complexity.
- For both SEO ranking reasons and user security reasons, set your site up over HTTPS with an SSL (SHA-256) certificate.
Okay, I said five, but I’ll give you a bonus tip that just came to mind. You should also be looking at your site in Google Search Console and Bing Webmaster Tools, among others, to be sure that your indexes are in order, and do so often. It might be the only signal that your site has been compromised.
Remember, web security protects more than confidential user information – though of course that is paramount – and more than your site’s visibility. It also protects your search engine rankings and reputation.
Time spent on securing your online presence is not time wasted. Attend to it right away, and if you need help, contact us today!