You may be wondering what Website Ranking Improvement has to do with Search Engine Security Testing. A few years back I wondered the same, before I came across one smart SEO guy. Combining his insights in SEO with my background in security testing, I'm convinced that all search engine marketeers should now consider adopting search engine security testing. Here is why.
According to Jeff Bezos, CEO of Amazon, the Internet is a gold rush, and all of us know that a top ranking in the major search engines is equal to a lot of gold. In this rush, only being good is not enough; you also need to prove to the search engines (mainly Google) that you are good. Wherever there is money or gold, there are two worlds, one "white" and the other "black". Or rather, there are two hats, white and black (I must also mention the grey hat, which swings from white to black depending on the situation). In this post we will see how effective vulnerability testing can detect some black hat signals (negative hidden practices by your SEO company, your competitors or your own team that can hurt your search engine ranking and traffic).
What can hurt your Search Engine Ranking: The 6 negative signals
Below are a few of the signals one needs to check. Some can be highly negative, and some are the result of plain ignorance, but one still can't eliminate the possibility of a competitor compromising the website or web app through an existing vulnerability to hurt your search engine ranking. Let's see some of the negative signals that can be checked during search security testing:
- Checking for malware distribution (An absolute search engine ranking killer; your site can vanish from the search engine rankings in a matter of days)
- Redirection to steal your traffic (It can come under the Search Engine Scanner for cloaking)
- Link stealers (When you link to bad sites, you may also be considered bad by search engines)
- Content stealers (The content treated as original is not the true original but the copy that the search engine discovers first; all others are considered duplicate content)
- Hidden content injection (Considered bad by search engines)
- Creating crawling errors for search engines http://www.google.com/support/webmasters/bin/answer.py?&answer=35120
Let’s take it one by one and see how security testing can help:
#1: Malware injection and Distribution
This may not be considered as a Black hat practice by your own team or the hired SEO Company but it can be a competitor’s black hat mantra to kill competition. Here is a real story I collected from the web:
Peter Kevin (name changed for obvious reasons) had his website infected by malware, but he could not catch it before Google listed his site as an "Attack Site".
Soon Peter could see his ranking going down, visitors getting scared to click on his results because of the warning that Google throws:
Since Peter was advertising, he was losing money on ads and potential sales every day. It was a good amount of money in ads and business at stake.
How can security and vulnerability testing help?
Google also uses a scanner to identify malware-injected sites http://www.google.com/support/webmasters/bin/answer.py?answer=163633 but the consequences of Google finding the infection before the webmaster does can be costly. A good vulnerability test can find such malware injections quickly and help the webmaster correct them before the search engines find them. The steps to be taken immediately:
- Send a 503 status message for all pages http://googlewebmastercentral.blogspot.com/2006/08/all-about-googlebot.html
- This is how you can do that in Apache (sending 503 only to Google bots):
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
# Match requests from Google crawler user agents
RewriteCond %{HTTP_USER_AGENT} ^.*(Googlebot|Mediapartners|Adsbot|Feedfetcher)-?(Google|Image)? [NC]
# or RewriteCond %{HTTP_USER_AGENT} ^.*google.* [NC]
# Serve the error script instead (the script itself must emit the 503 status)
RewriteRule .* /cgi-bin/error/503.php [L]
- Sending 503 for everyone:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
# Exempt one client address (1.1.1.1 in this example) so it can still reach the site
RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
# Do not rewrite requests for the error script itself
RewriteCond %{REQUEST_URI} !^/cgi-bin/error/503\.php [NC]
RewriteRule .* /cgi-bin/error/503.php [L]
#2 Traffic redirection and Cloaking
Your website's visitors are redirected to some other site without you even getting to know about it. There are different levels of redirection under traffic stealing:
- Redirection only for specific search engine keywords. There were instances when the traffic was redirected to another website only for certain keywords, and only when it was coming from search engines. This allowed the hacker to get targeted traffic (it is quite funny how hackers are focusing on quality traffic)
- Only for certain referrals (Generally they avoid redirecting the direct traffic)
- All traffic redirection.
- Redirection of converted leads only (this can be a business logic vulnerability), stealing your visitors (leads): there were a few instances when the same lead was contacted by many vendors without the knowledge of the original vendor.
- How this is done: This can be done at the script level; the $_SERVER variable (in PHP) offers a lot of information about the visitor, such as the referrer and the current IP, which can easily be used to redirect. It can also be done at the htaccess level or at the server httpd.conf level. The most common form is the iframe-based redirect http://www.guardian.co.uk/technology/2008/apr/03/security.google , http://www.networkworld.com/news/2008/031308-hackers-launch-massive-iframe.html?fsrc=rss-security
How can a Search Engine Security test help?
A vulnerability testing scanner can scan for redirects at these various levels. The scanner can also change its user agent to Google Bot (http://www.seoforclients.com/blog/marketing/seo/how-to-browse-and-check-like-google-bot.html ) to see the pages the site renders for the crawler. This may not suffice, as the scanner will also have to emulate a proper referrer and keywords. Even that may not suffice, as the scanner may have to visit the thank-you (or conversion) page. Proper vulnerability testing should also find URL-based session ID authentication, to avoid a possible lead leak.
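The profile comparison described above, as an added example that is not part of the original post: the same URL is requested as a direct visitor, as Googlebot and as a search referral, and any profile that is redirected off-site or served different content is reported. The header values, host names and sample records are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Request profiles the scanner emulates (header values are constructed examples).
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
PROFILES = {
    "direct": {"User-Agent": BROWSER},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search": {"User-Agent": BROWSER, "Referer": "https://www.google.com/search?q=example+keyword"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx, so the redirect itself can be inspected

def fetch(url, headers):
    """Fetch url once with the given headers; return a response record."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        resp, status = err, err.code
    return {"status": status, "location": resp.headers.get("Location"), "body": resp.read()}

def compare(records, site_host, baseline="direct"):
    """Report profiles that are redirected off-site or served different content."""
    base, findings = records[baseline], []
    for name, rec in records.items():
        if name == baseline:
            continue
        target = urlparse(rec["location"] or "").hostname
        if 300 <= rec["status"] < 400 and target and target != site_host:
            findings.append((name, "off-site redirect", rec["location"]))
        elif rec["body"] != base["body"]:
            findings.append((name, "content differs from direct visit", None))
    return findings

# Constructed response records standing in for fetch() results on a compromised site.
SAMPLE = {
    "direct": {"status": 200, "location": None, "body": b"<h1>Shop</h1>"},
    "googlebot": {"status": 200, "location": None,
                  "body": b"<h1>Shop</h1><a href='http://spam.example/'>pills</a>"},
    "search": {"status": 302, "location": "http://traffic-thief.example/landing", "body": b""},
}

if __name__ == "__main__":
    for finding in compare(SAMPLE, "shop.example"):
        print(finding)
```

Against a live site the records come from `{name: fetch(url, headers) for name, headers in PROFILES.items()}`. Pages with per-request content (timestamps, tokens) will show a content difference on every profile, so those need normalising before the comparison means anything.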
#3 Detecting Link Stealers
One of the main incentives for the unethical hacker is to steal your website's reputation and link power through some vulnerability.
- Links are a major part of Google's ranking algorithm (read the journey of the search engine algorithm below). There are scanners that run to find websites with vulnerabilities through which links to the hackers' own websites can be inserted. Unethical hackers will hack in, edit the high-PR pages and add their links. This will increase the PR of the hacker's site, and your PR will be passed on without your knowledge.
- The major problem comes when the site redirects (with a 301 redirect) and passes all the link value to another website. Not only the link value but also the ranking is passed on to the other site. This happens because Google treats every redirected domain as a domain move and thus passes all the value from the old domain to the new domain http://googlewebmastercentral.blogspot.com/2008/04/best-practices-when-moving-your-site.html
#4 Content stealer – Content is the King, Kill the king
In search engine algorithms content is considered the king, and by killing your king your competitors can win the game altogether. In this case the competitor's website that copied your content can rank better than yours, even though your website is the original content developer. This can happen when the hacker delays the indexing of your website's content, copies the same content to his own website and claims originality. It is difficult for Google to understand who actually owns the content http://www.seoforclients.com/blog/marketing/seo/faq-why-our-competitors-rank-better-than-us-for-our-own-content-video-ranking-too.html
#5 Detecting Hidden content injection
Hidden content is a common black hat practice http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=66353 . It was once a super hit formula for Google ranking, but now it is considered a bad practice. A good security test and website scanner should be able to detect such mistakes as well.
#6 Detecting crawling errors for search engines
As explained in point #4, crawling errors created by some vulnerability can cause major problems in search engine ranking http://www.google.com/support/webmasters/bin/answer.py?&answer=35120 . There are various levels of crawling errors, from User Agent based blocking at the web server level to meta tag based restrictions. Good search engine testing should be able to scan for all such possibilities and suggest corrections to the webmaster.
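A page-level check for points #5 and #6, together with the iframe injection mentioned under #2, as an added example that is not part of the original post: it walks the HTML and reports links inside inline-hidden elements, hidden or zero-size iframes, and robots meta tags that block indexing. The hiding patterns it looks for and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns commonly used to hide content (an assumed, non-exhaustive list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col", "embed", "source", "wbr"}

class HiddenContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, is_hidden) for every open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = inherited or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if hidden or tiny:
                self.findings.append(("hidden iframe", a.get("src")))
        elif tag == "a" and hidden:
            self.findings.append(("hidden link", a.get("href")))
        elif tag == "meta" and (a.get("name") or "").lower() in ("robots", "googlebot"):
            if "noindex" in (a.get("content") or "").lower():
                self.findings.append(("noindex meta tag", a.get("content")))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html):
    """Return (kind, value) findings for one HTML document."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page carrying all three kinds of injection.
SAMPLE_PAGE = """<html><head><meta name="robots" content="noindex, nofollow"></head><body>
<h1>Shop</h1><p>Welcome <a href="/catalog">catalog</a></p>
<div style="position:absolute; left:-9999px"><p><a href="http://spam.example/pills">pills</a></p></div>
<iframe src="http://malware.example/x" width="0" height="0"></iframe>
</body></html>"""
```

Only inline styles and attributes are inspected; content hidden through external CSS classes or written by script needs a rendered-DOM check, and a `noindex` finding is a prompt to confirm the tag is intentional, since many sites set it deliberately on some pages.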
Since we have already discussed some of the possible issues in search engine ranking due to website vulnerabilities, it will also be helpful to understand how search engine algorithms evolved and how the black hat and white hat worlds are striving to win the gold. Let's look into these details in the second part of this article. Keep a watch... (To Be Continued)

Great Post Rudra!
Help the webmasters as much as possible. With the growing competition and the money at stake, people are going a little insane with all possible ways to reach the top. Good to know some of the measures and stay safe than being sorry.
Great points Rudra! Being a webmaster and depending highly on ranking for the extra money I find this post to the point. Looking forward for next series.
Hi. I wanted to drop you a quick note to express my thanks. I’ve been following your blog for a month or so and have picked up a ton of good information as well as enjoyed the way you’ve structured your site.
Good post. I learn something new and challenging on sites I stumbleupon on a daily basis. It will always be helpful to read content from other authors and use a little something from their websites.
Which is the proper weblog for anybody who desires to look for out about this topic. You realize so much it can be nearly exhausting to argue with you (not that I truly would need…HaHa). You positively put a brand new spin on a topic that's been written about for years. Nice stuff, simply great!