Got your file size optimised, your links all present and correct, and in line with Google’s best practices?
Great! Now how about your security?
When looking into why your rankings aren’t doing what you hoped they would, are you missing out on looking after the security of your site? And did you know forgoing all the security stuff could lead not only to your ranking being impacted but, in extreme cases, to Google removing your website completely?
It doesn’t matter how many great links you have or how fantastic your content is. If your site has security issues then you’re NOT going to be on Google’s ‘nice list’ and the results you’re looking for just aren’t going to happen.
With this in mind, I’m going to take you through all of the implications of having a less-than-secure site, as well as giving you some guidance on fixing some of the more common security errors. Obviously not everything will apply to every site, so take what you need and leave what you don’t – think of this article as a ‘Pick’n’Mix’ of website security advice.
The Issue: Hacked sites
This is the number 1 issue, and for good reason. If your website security is weak it can lead to your website being hacked. Simple as that. There are many potential consequences of this, but four key ones:
- Inserting links
- Adding affiliate pages
- Deleting all your content
- Adding code to your site to steal visitor info
And hacking affects even the best of us. Over the years I have been victim to two of these, which I’ll go through to show you how it happens and how to get past it.
Inserting links
This is probably the least common tactic and a fairly new one. Basically, the hacker gets into your website and adds links from your website to their website to boost their organic rankings.
They either add new posts to your site or are REALLY sneaky and add content to existing posts. More sophisticated hackers even show the links only to Googlebot, but the end result is the same – they are acquiring more backlinks to their website.
This method is one I haven’t fallen victim to. But, like I said, it’s pretty new and I have improved my security in recent years. I also do weekly checks whereby, when crawling the sites, I check the external links to make sure nothing appears that I wasn’t expecting.
There is a theory that too many external links – especially to spammy sites – can demote the original site’s rankings.
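One way to run the weekly external-link check described above, as an added example that is not the author's own tooling: it assumes a hypothetical `fetch` helper (network required) and a constructed sample page, and flags only domains you have not put on an allowlist; fetching a page as a browser and as Googlebot also exposes links cloaked for the crawler.

```python
"""Weekly outbound-link check (added example, not from the article).
Extracts off-site links from a page and flags domains not on your allowlist.
Fetching a page twice, once as a browser and once as Googlebot, exposes links
cloaked so that only the crawler sees them."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

class _LinkParser(HTMLParser):
    """Collect every href on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def external_domains(html, site_host):
    """Hostnames linked from the page that are not the site itself."""
    p = _LinkParser()
    p.feed(html)
    hosts = {urlparse(h).hostname for h in p.hrefs}
    return {h.lower() for h in hosts if h and h.lower() != site_host.lower()}

def unexpected_domains(html, site_host, allowlist):
    """Off-site domains missing from the allowlist: candidates for injected links."""
    return external_domains(html, site_host) - {a.lower() for a in allowlist}

def fetch(url, user_agent):
    """Download a page with a chosen User-Agent (hypothetical helper; needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def cloaked_domains(url, site_host, allowlist):
    """Domains served only to Googlebot: the cloaked variant described above."""
    browser = unexpected_domains(fetch(url, "Mozilla/5.0"), site_host, allowlist)
    bot_ua = "Googlebot/2.1 (+http://www.google.com/bot.html)"
    return unexpected_domains(fetch(url, bot_ua), site_host, allowlist) - browser

# Constructed sample page: one legitimate external link, one hidden injected one.
SAMPLE_HTML = """<p>See <a href="/about">about us</a> and
<a href="https://www.gov.uk/">official guidance</a>.</p>
<div style="display:none"><a href="http://injected.example.net/buy">buy</a></div>"""

if __name__ == "__main__":
    print(unexpected_domains(SAMPLE_HTML, "example.com", {"www.gov.uk"}))
```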
Adding Affiliate Pages
This is probably the most common and one I have been victim to twice – no one is perfect, after all – not even me. Basically, in these situations, the hacker gets onto your site and adds a lot of pages to it. These pages then contain affiliate links to products from which they make money. So, they’re effectively making money off your traffic – and if that doesn’t get your back up, not much will!
They usually then use black hat techniques and spam these pages with thousands of spammy links in the hope of getting these pages to rank quickly and make money, realising that the webmaster will eventually notice and clean up the hack.
The big issue is that even after detecting and fixing what’s been done, you still have THOUSANDS of irrelevant and spammy links pointing to your domain.
Removing all your content
This one is pretty rare – in the main, anyone who gets into your site is usually more interested in adding affiliate pages and making money.
Here’s a cautionary tale for you about just such a hack.
When I left University, I created a camping and caravan directory site – this was 2009 and there weren’t many good directories – I wouldn’t advocate trying to break into that market now as it’s a bit swamped. My directory grew to a considerable size, and the site was the second biggest in the UK, getting a decent amount of traffic – bear with me here, I’m not just blowing my own trumpet!
I woke up on Xmas eve 2010 to find out someone had hacked into my website and deleted all the content and changed the homepage to promote their message. What made it worse was that it was a hate group.
I didn’t have the knowledge then that I do now and couldn’t contact the hosting company (as it was Xmas eve) so I just changed the DNS and took the site down. (Merry Christmas indeed).
A little while after Christmas, it got worse. The hosting company came back to me and said that all the files, including the backup files, had been deleted. My pretty great and pretty successful website was gone overnight. Just vanished. (And a Happy New Year.)
So, essentially, a site which was ranking well in Google, driving a decent amount of traffic during the camping season, suddenly disappeared with no content and no backup (I only had the backup on the server – rookie mistake).
As you can see, these three examples of being hacked can have massive impacts on your organic performance.
Adding code to your site to steal visitor info
This one is more serious and affects more than just your rankings and Google performance. It can also have devastating consequences for your visitors.
The hacker inserts code onto your site to either install malicious programmes onto your visitors’ machines or trick them into giving up their personal information.
As well as getting you added to Google’s Blacklist (more on this later), these will slow down your site and your rankings will suffer.
There are other things which hackers can do which include stealing personal information from your site, but these types directly impact your Google performance.
How to secure your site?
Now we have talked about the consequences, let’s examine how to prevent your site from becoming hacked.
Please remember, these are general guidelines and every site is different.
It all starts with a good host. There are many things to check but something like SFTP (Secure File Transfer Protocol) is a good start, so that when you – or your minions – are editing your site, it’s done securely.
Ideally, your host should offer 2FA (two-factor authentication) so that it’s more difficult for hackers to gain entry to your website.
Keep up to date
This applies to EVERYTHING. If you’re using an off-the-shelf CMS like WordPress, then keeping themes and plugins up to date is important. But, even if your site is custom-built, keeping that site up to date is just as important.
There are known vulnerabilities in certain jQuery versions, so making sure you update often is important.
Strong passwords
This one is obvious, but many people have fallen victim to this, so it’s always good to be reminded. When creating users, and especially admins, for your site, enforce that they choose strong passwords. They need to pick something which is not easy to guess or work out (please remind them not to use the name of their cat and their birthdate – or worse, ‘password123’. Users, I see you).
Chrome now suggests a strong password, which is a great feature, or you can use websites to generate these passwords.
Change your login URL
Every hacker knows that WordPress’ login page is /wp-login, but it’s super simple to change it to something unique. While this won’t stop sophisticated attackers, it does remove the low-level attempts.
This can apply to any site. Don’t use URLs like “admin”, “login” etc.
Limit user permissions
It’s very unlikely that you will be the only person working on your website – remember those minions I mentioned earlier? You’re likely to have product owners, content writers and editorial staff, to name just a few. But, when adding a new user, give careful consideration to whether they NEED full administrator functionality. Could they do what they need to with lower-level permissions, just in case someone gets access to their account?
A good practice is to remove people from access as soon as they leave your business, or their contract comes to an end.
It’s also worth doing a regular audit to see who has access and whether they still need the same permissions.
Remove readme.html file (WordPress only)
When you install WordPress as a new install, the readme.html is automatically added. Hackers have scripts that crawl the web looking for this file – they then realise it’s a WordPress site and start their insidious and, frankly, really annoying process of trying to get in.
While it might not stop all attempts, deleting the readme.html file can at least deter some hackers, and it’s such a simple trick.
Blocking Known Hacking Countries
Some countries have a reputation for hacking into sites. I don’t want to list them here as I feel it’s unfair on probably 99% of the population for the actions of the 1%, but if you are using WordPress you can add a plugin like Wordfence which will block certain countries from visiting your site.
If you are not using WordPress you can do something similar in your .htaccess file.
Another good feature of these types of plugins is that they log all the IP addresses that have attempted to log in, so you can block them.
This information can also be found in your server logs so it doesn’t matter how your website is built; you can still do the same analysis.
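The same analysis done from raw server logs, as an added example that is not from the article or any plugin: it assumes the Apache/nginx combined log format, a `LOGIN_PATH` you set to your own (possibly renamed) login URL, and constructed sample lines using documentation IP addresses, and it emits Apache 2.4 `Require not ip` rules for the offenders.

```python
"""Find repeated login attempts in an access log (added example, not from the
article). Counts POSTs to the login path per client IP and emits Apache 2.4
deny rules for IPs over a threshold, so the 'attempted logins' list a plugin
gives you can be rebuilt for any site from its server logs."""
import re
from collections import Counter

LOGIN_PATH = "/wp-login.php"   # assumption: set this to your own login URL
THRESHOLD = 5                  # POST attempts per IP before we flag it

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def login_attempts(lines, login_path=LOGIN_PATH):
    """Counter of POST attempts to the login path, keyed by client IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip malformed lines instead of aborting the whole run
        if m["method"] == "POST" and m["path"].split("?")[0] == login_path:
            counts[m["ip"]] += 1
    return counts

def suspicious_ips(lines, threshold=THRESHOLD, login_path=LOGIN_PATH):
    """IPs that hit the login form at least `threshold` times."""
    return sorted(ip for ip, n in login_attempts(lines, login_path).items()
                  if n >= threshold)

def htaccess_block(ips):
    """Apache 2.4 .htaccess rules denying the listed IPs, allowing everyone else."""
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in ips]
    rules.append("</RequireAll>")
    return "\n".join(rules)

# Constructed sample log: one IP hammering the login form, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2020:03:00:0%d +0000] "POST /wp-login.php HTTP/1.1" '
    '200 1523 "-" "python-requests/2.22"' % i
    for i in range(6)
] + [
    '198.51.100.4 - - [10/Jan/2020:09:12:01 +0000] "GET /blog/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2020:09:13:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(htaccess_block(suspicious_ips(SAMPLE_LOG)))
```

Raise `THRESHOLD` or add a time window before blocking on a busy site, since a legitimate user mistyping a password a few times looks the same in the log.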
Review your plugin and third-party integrations
Plugins are one of the easiest ways for hackers to get into sites, especially ones that are popular and haven’t been updated in a while. This can also be said for third party integrations.
Do you need these plugins/integrations? If not, why not remove them?
An Easy Solution for WordPress Sites
This will cost you $20 per month, so there is a cost to you – don’t roll your eyes – but it’s one I think is well worth the investment. The software is Cloudflare.
Choose the ‘Pro Plan’ and then, under ‘Firewall’ – ‘Managed Rule’, there is a dedicated WordPress option.
This covers some of the elements above as well as much more to help keep your website secure.
If you don’t fancy forking out for this, the free option is great, and still worth installing on your site as you will get some additional benefits to speed up your site and make it more secure.
What to do if I have been hacked?
Great question and something that needs a bespoke plan.
You can tackle some of the steps above to remove a hacker, but once they are in it’s usually too late, as they bury themselves deep down in your site.
Sometimes you just need to swear (under your breath if there are kids about), delete your site and start again. Yes, it’s annoying, but often it’s more time consuming trying to find them and remove the A$%&£.
Yet another good tip – never try to restore an old backup unless you are 100% certain you know the date they got in. Otherwise, they could have been sitting there dormant for months before starting to make changes – meaning they are still on your site.
Google’s Black List
I said earlier I’d explain what this is. Google and other sites maintain a list of domains which have been hacked. If Google suspects you have been hacked it will let you know in Google Search Console, but once you are on this list you have to first remove the hack and the threat and then prove to Google and others that your site is now secure – easier said than done.
As you may have noticed, I didn’t cover having an SSL certificate; I assumed, as it’s 2020, that all websites are now HTTPS (I know some aren’t, but they should be).
So, while website security isn’t a direct ranking factor, a failure to secure your site will mean all your hard work could be wasted. So it could fit into the category of indirect ranking factor and it could certainly affect your site.