Web security is a major headache keeping businessmen awake at nights. Imagine waking up to the reality of having your client’s website hacked. Not only does that mean your business as an SEO expert goes away, but also that getting the website back on track will be an onerous task.
Traditionally, website security has been kept separate from SEO, apart from a few basic responsibilities on the part of SEO experts (such as not establishing links to and from malicious websites). Because the lines separating different aspects of World Wide Web and business are diminishing, no SEO expert can ignore website security anymore. This guide is an attempt to scrape past the surface of this discussion and bring out some valuable insights in the process.
Why Bother?
Well, imagine having your or your client’s website accompanied by an unsavoury warning from Google, alongside the search result.
This generally happens when Google’s bots believe that your website might have harmful code that could, for instance, install malware on the computers of visitors. The reasons could run deeper, though. You’ll find an equivalent notification in your Google Search Console account too.
This is just one of the potential security related warning that Google could publish alongside your search results. Google’s support portal contains an extended list of other messages; here’s an illustration.
I would never risk my computer’s security by visiting such a flagged website; will you? Nobody will, and that will take all your SEO work down a deep pit! Instead, take complete control of each of the aspects of site security that link closely with SEO.
Have A Secure Website Via HTTPS
It’s clear that Google treats HTTPS websites as a lot more secure than others. This is how HTTPS protocol makes web info exchange more secure.
Since 2016, Chrome browser explicitly marks non-HTTPS web
sites as unsecure. That’s reason enough for every SEO expert to push their clients into doing everything necessary to immediately move to the HTTPS ecosystem.
Now, is your client’s website secure? Here’s a 2-step check:
i) Make sure the SSL certificate is properly installed on the server
Type https://www.[yourwebsitename].com and hit Enter. If you see a lock icon appear in the taskbar, it signifies the SSL is recognized. Else, you’d see an error message such as this:
ii) Make sure the website’s URL are being pushed to their HTTPS versions
Type http://www.[yourwebsitename].com and hit Enter. If your server configuration in terms of redirect rules is properly set up, the page will be automatically redirected to https://www.[yourwebsitename].com. If it doesn’t, there’s a problem that needs immediate addressing.
Note: Though WordPress is considered very secure, an exceptionally large number of website based on the platform have been hacked in the recent past. Ensuring HTTPS protocol activation for your WordPress websites, hence, can’t wait any longer. Using plugins such as Really Simple SSL, the above 2-step process becomes even easier to manage for WP, as explained in this very descriptive tutorial on how to use HTTPS on WordPress.
Content Security Policy
Webmasters deal with a lot in terms of having to secure the website against possible attacks especially when content gets updated frequently like in the case of content repurposing or regular addition of new products as in e-commerce sites. Two of the commonest form of attacks that can happen are data injection attacks and Cross Site Scripting attacks. Any additional security layer that can help mitigate or report such an attack is worth the efforts. Content Security Policy (CSP) is precisely that layer. It can effectively block out external scripts as well as inline scripts from untrusted sources.
As an SEO expert, you can easily go out of the way and check whether CSP is in place for your client’s website. CSP is implemented via an HTTP header containing rules for all kinds of data assets. For example, an HTTP header to allow CSS and scripts only from default source (Self) will look like (allowing Google Analytics script as an exception):
Content-Security-Policy: default-src ‘self’; script-src ‘self’ https://www.google-analytics.com;
How To Prevent A Site From Getting Hacked?
Don’t blame your clients if they want your help in keeping hackers away, even though that’s not a primary responsibility of an SEO. Think of it as an opportunity; you put in 5% extra, and in turn, significantly improve the client’s websites’ immunity against hackers, which eventually keeps on getting you their business.
Here’s a quick list of site security best practices that help you make your clients’ website hacker proof.
- Check whether the CMS software, or the website builder code, is upgraded to the latest version.
- Educate your client/their website admins about spam, brute force attacks, cross site scripting, SQL injections, etc.
- Change passwords often.
- Not use any unsecured or unproven 3rd party tools to link to the client website for analysis, etc.
- Don’t publish server level technical information in error pages; error pages should say something like ‘page not found’.
- Enable validation of inputs on the browser side as well as server side, to ensure malicious codes don’t infect the server.
- If your client website allows users to upload files, recommend safekeeping controls to ensure no scripts are uploaded alongside.
- Use a mix of web security tools to safeguard your clients’ websites; more on this later in the guide.
What To Do If Your Client Site Is Hacked?
Alright; the worse has happened, now what? Your response will depend on the nature of the security flaw, which could well be indicated by the warning message that Google appends to your website’s search result.
To check the details, log in to Search Console, go to the Security Issues section, and check the details of the URLs that appear to be compromised, along with the specifics of the kind of security breach for each URL.
Here, you’ll need to clearly communicate to your clients so that they know they need to bring in web developers and programmers to take care of the security problems with the website. Also, recommend them to contact the web hosting provider too, who can offer valuable insights and contacts, based on knowledge of other websites that might have faced similar problems.
Google, in its official help video for webmasters whose website may have been hacked, recommends them to seek technical expertise to sort out the technical issues. The amount of time taken to get over the hack will depend on:
- The level of tech expertise of your client’s team
- Amount of content affected (site-wide spamming, for instance, needs more time for removal)
- Extent of damage/complexity of the hack
How To Keep Your Rankings Safe If Your Client Site Gets Hacked?
Quick and comprehensive actions – that’s the golden rule to remember to make sure the hack doesn’t cause an SEO nightmare for the website.
Note: If the entire site has been hacked, take it offline by asking your web host to configure it so that a 503 error page is returned for access made outside the infected directory. Don’t go for robots.txt disallow, because that won’t block the website for users who visit using your URL (only stops the web crawlers).
If you are aware of the compromised URLs, the task is easier:
- First, remove the infected URLs from the index using the Remove URLs option in Search Console.
- Then, do a quick scan for crawl errors, and re submit your website’s site map.
- Once the website admin and the security team have removed the malware and acted upon the issues highlighted in Search Console, I recommend you submit your website to the Search Console Security Issues report for a review.
- A successful review would be indicated by such a message in your Search Console:
Also, depending on the nature of the security breach, you will need to restore your WordPress website to an older version, or even consider moving the website to a more secure hosting provider.
Top Tools To Strengthen Web Security
Tools can automate your clients’ websites security monitoring and help avoid major security breaches. Here are some tools that I recommend:
Incapsula: a network security and optimization firm that offers a suite of tools such as a CDN (Content Delivery Network), a Web Application Firewall (WAF) and Advanced Persistent Threats (APT) protection tools that helps to secure your website from password thefts, DDoS and hacking attacks.
Comodo cWatch: For 24×7 website surveillance, PCI compliant scanning, and reliable malware detection and removal.
Grabber: An open source alternative if you don’t want to spend anything; it detects and reports cross site scripting and SQL injections, apart from offering JS source code analysis and backup file checks.
Zed Attack Proxy (ZAP): A penetration testing tool that allows you to proactively simulate ‘hack-like’ activities on a website, to expose its security flaws, for proactive remedial action.
Concluding Remarks
SEO experts depend on the sustenance and growth of client websites to grow themselves, and that makes secure a vested interest for all SEOs. No security will soon escalate into a drop in traffic, which will pose questions on your effectiveness as an SEO expert. Better site security means more traffic for your clients’ websites, which means more business for you.