A few years ago Google announced that it was going to assess the presence of the HTTPS security protocol as a positioning signal. At the time, this announcement brought to the table the debate as to whether the security of a website influenced its positioning. However, in many cases the security measures implemented in a website for SEO reasons are summarized in the installation of a SSL certificate.
But, does the relationship between SEO and the security of a web start and end with the HTTPS protocol? The reality is that poor web security can lead to many problems and, sometimes, to annihilate the positioning of a website. Consider months and months, even years of SEO optimization work destroyed by not investing in the protection of our website. The economic losses in these cases are real, as GoDaddy explains in his study of security of small business websites, exceeding in some cases the $ 5,000 mark.
We are going to analyze the relationship between SEO and security, the negative consequences that a bad or ineffective security practice on our website can produce and how to act to detect, prevent and solve positioning problems derived from it.
What is the relationship between SEO and the security of a website?
Leaving aside the HTTPS protocol that we will discuss later, there is no direct or causal relationship between the organic positioning and the security of a website.
Where is the relationship between SEO and web security established then? Mainly in the negative consequences that result, for example, from a malicious code injection attack on our website. During this type of situation, most search engines, with Google at the forefront, will eliminate our whole website from their results.
If, in addition, we are not able to react quickly, detecting and solving the problem in an agile way, the losses of organic traffic will be prolonged in time and it will be more difficult to recover from the fall.
For this reason, we can affirm that between SEO and the security of a website there is a relationship, supported mainly by the penalties of the search engines in which we can incur due to an attack on our website.
Negative consequences for SEO of not taking care of the security of a website
As we have seen, the lack of security measures on a website can lead to very negative consequences for SEO. The main ones are summarized below:
- Website de-indexation. The most drastic measure that Google will apply if it detects that our website has been infected by some type of malware, social engineering or similar attack is the complete de-indexation of the website. Obviously, we will stop getting organic traffic. And if our Internet business bases an important part of its visits in SEO, the consequences can be devastating.
- Labeling of the Snippet in the results. Another of the actions that Google applies when detecting that the security of our website has been compromised is to add a warning text for users in the Snippet of our website that shows in the results pages. Although it does not prevent access to the web itself, the presence of this text will have a deterrent effect on users, who will prefer to access another portal rather than an infected one.
- Perception of users. Although indirectly, if our brand image is damaged by the attack on our website, it will adversely affect SEO. Think, for example, in the impression that a banking portal would leave if thousands of its users visit the website and find a security warning. The trust in the company would be diminished and the search of brands would decline.
- Crawling problems. Attacks on a website, especially those of brute force or DDoS, can harm performance and even put our server down. This means that if at this time Google's bots try to track our website, they will not be able to do so.
Can security be considered as a positioning factor on Google?
No. Although the attack on a website may have negative repercussions on organic traffic, it is not a positioning factor as such. With one exception: the presence of the HTTPS security certificate, endorsed by Google as a positioning signal.
How to monitor the security of your website?
Knowing the damaging consequences of an attack on our website, we must implement resources that allow us to detect when our portal has been infected. Mainly, for two reasons.
On the one hand, due to the obvious threat to security that can affect both our website and the users who visit it.
On the other hand, if we can detect the infection before Google, we can avoid associated penalties.
Here are some of the methods that will allow you to analyze your website and detect if an infection has occurred:
- "site:" search operator: With a simple query we can verify if our website is indexed on Google (for example, site: latevaweb.com). If not, one of the possible causes is an attack to our website.
- Search Console: The Google tool for analyzing search traffic includes a section called "Security Issues" that informs us of any issues detected by Google.
- Periodic crawling of the website. If we frequently crawl our website, we can detect if there are contents generated by an attack, including Spam pages.
- External tools. Some companies offer external monitoring services that inform us when an attack occurs on our website. Even some hosting providers incorporate this type of tools.
- Safe Browsing by Google. This portal, in addition to pleading for good practices in the field of web security, incorporates a tool to analyze if a website is affected by any threat. And if we want to go a step further, we can also use the Safe Browsing API to automate this verification via code.
- Loss of organic traffic. Although it seems obvious, if we find that we have lost visits from Google or other search engines, one of the possible explanations is the hacking and subsequent penalty of our website.
Basic measures to improve the security of your website
After learning to detect when our website has been attacked and our organic traffic has been affected, we can implement security measures to prevent these situations.
Obviously, it would be virtually impossible to cover all actions on web security that we can apply taking into account all the variables involved: server technology, programming language, hosting provider, content manager system, etc.
In regard of this, we will list some of the most basic security measures to apply in almost any type of website:
- HTTPS: the installation of an SSL security certificate is a very common practice. In fact, most hosting providers offer it for free. Keep in mind that this type of certificate usually only includes the main domain of our website, with and without www. There are more advanced certificates that cover an entire website. Once enabled, you must verify that it has been implemented correctly.
- Configuration of the .htaccess file: without going into technical details, through this file we can protect some sensitive points on our website. For example, restricting access to certain files and folders on the server, or specifically blocking suspicious User-agents.
- CDN: the use of a content distribution network can help increase the security of your website. Usually, these services incorporate measures such as firewalls or protection from Denial of Service attacks.
- Security of the users who edit the web: an area usually forgotten is the incorporation of security measures in the computers that have access to the manager of the website or its source code. A virus in a computer of the developer in charge of uploading a new page to a website can result in the infection of our entire portal.
- Appropriate passwords: "123456" or "password" are some of the most common passwords in recent years. We must avoid this type of practice in all the access points to our website.
- Update technology: Updates that affect the server or content management systems are important. A high number of websites are infected due to using very old versions of CMS, plugins, or server modules.
- Security audits: Online tools such as Mozilla Observatory analyze our website in search of common vulnerabilities. Solving them will prevent many of the most common attacks.
How to recover from a Google penalty?
Whether we have implemented security measures on our website, or if we have completely ignored this field, we can reach the fateful day on which our website is infected. Even worse, when Google penalizes it.
If we are in this situation, we will have to follow a series of steps to recover from the penalty:
- Eliminate the infection. Our priority must be to eliminate any code introduced by the attack. If we are fast, in some cases we will prevent Google from detecting the problem. Even as we work on the solution, we can send a response code 503, which will tell Google's crawling spider that the web is temporarily unavailable.
- Prevent future attacks. If we detect a security hole, we will need to implement the necessary measures to prevent an attack from happening again.
- Sign up at Search Console. If we have not done it before, we will have to incorporate Search Console to our website.
- Monitor Search Console. In the Security Issues section we will be told if Google has detected any infection on the web and, in some cases, the affected pages. If so, we will have to use the reconsideration request form to indicate to Google that we have already solved the problem, how we did it and ask for the indexation or removal of the alert. We need to incorporate specific details of the process so that Google can have all the possible information on our case.
- Carry out a crawl test. It is highly recommended to verify that, once the infection has been eliminated, the website can be crawled correctly.
- Waiting. Google's review process may take days, even weeks. In this space of time, we can consider incorporating alternative sources of traffic to reduce the impact of the penalty on our website.
Even if we follow these last steps, we may never recover the positioning we had achieved. The negative impact that may have a partial or total drop in organic traffic caused by a Google penalty makes it imperative to work on the security of a website. At La Teva Web, a SEO agency in Barcelona, we have experienced cases of these characteristics: from partial infections that impair the brand image, to complete de-indexations that nullify the capture of traffic from entire sites.
Although Google only establishes the direct link between HTTPS and positioning factors, the reality is that SEO and web security are related.