HTTPS has, for the most part, become the “poster boy” of cyber security, thanks in part to Google naming it as a ranking signal and then pushing for it further through changes in the Chrome browser.
But as we know, cyber security doesn’t stop at HTTPS, and HTTPS does not mean that you have a secure website.
In my first post for Search Engine Journal, I wrote about how Google could introduce passive scanning elements in one of its future, more advanced web-crawlers, as well as identify if a website contains malware and other common types of hacks.
SEO pros have always been aware of the negative impacts that a website hack can have in terms of warnings in the SERPs and potential ranking losses, but is the true cost of a website hack and data breach really known?
Having worked in SEO and recently forayed into the cybersecurity world, I've been fortunate to experience both sides and have witnessed various types of hacks and malicious website exploitation.
What’s the SEO Community’s Perception of Cybersecurity?
To establish how the SEO community feels about cybersecurity, and how important they perceive it to be, I surveyed them.
In total, 136 members of the SEO community responded and gave their thoughts on the topic.
About the Respondents
Of the 136 respondents, 45 percent have 10+ years of experience working in SEO, with 26 percent claiming between 6 and 10 years.
While the cohort is on the experienced side, the distribution between independent, in-agency, and in-house SEO was more evenly spread.
Having had a fantastic response to the survey on Twitter, I can unofficially say that the 136 respondents were from around the world and a mixture of regular, well-known faces in the industry, plus some new faces.
Question 1: As part of your initial website and technical auditing process, do you factor in website security (beyond HTTPS)?
A little over two-thirds of SEO professionals surveyed factor in website security checks (beyond whether the site is on HTTPS).
This is positive, as there is often a misconception that HTTPS secures a website, when in reality an SSL certificate only secures a connection and encrypts data in transit.
Establishing a website’s vulnerabilities is a different skillset to SEO. The skills needed are likely to be available in full-service agencies, and for independents and in-house SEO practitioners, there are tools such as Detectify and CyberScanner that can provide the insights needed to advise clients.
Question 2: When onboarding a new client, and website(s), do you establish whether the site has been hacked previously?
One in four SEO pros surveyed don’t actively try to establish whether a website has been hacked previously.
Aside from Google warnings and the business being open about a previous hack, it’s sometimes difficult to determine if there has been a hack.
Now that we have 16 months' worth of Google Search Console data, we can potentially identify spam injection more easily by looking at impression data, but not all hacks take this form, and some may need specialist tools to help diagnose malware, phishing, and crypto-mining software.
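An added example, not from the original article: one way to apply the impression-data check described above. It assumes a table of daily impressions per URL (the column names, the sample rows and `KNOWN_PATHS` are constructed for illustration), flags days whose total impressions exceed a multiple of the baseline median, and lists URLs that receive impressions but are not among the site's known pages.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample rows (not real data); column names are assumptions.
SAMPLE_CSV = """date,page,impressions
2015-06-28,/,140
2015-06-28,/agenda/,90
2015-06-29,/,150
2015-06-29,/agenda/,85
2015-06-30,/,145
2015-06-30,/agenda/,95
2015-07-01,/,150
2015-07-01,/agenda/,90
2015-07-01,/wp-content/uploads/x1/offer-a.html,400
2015-07-02,/,155
2015-07-02,/agenda/,88
2015-07-02,/wp-content/uploads/x1/offer-a.html,900
2015-07-02,/wp-content/uploads/x1/offer-b.html,650
"""
# Assumption: the legitimate URL paths, e.g. taken from the site's own sitemap.
KNOWN_PATHS = {"/", "/agenda/"}


def analyse(csv_text, known_paths, baseline_days=3, factor=2.0):
    """Return (spike_dates, unknown_pages) from daily per-URL impression rows."""
    daily_total = defaultdict(int)
    unknown = {}  # page -> [first_seen_date, total_impressions]
    for row in csv.DictReader(io.StringIO(csv_text)):
        date, page, count = row["date"], row["page"], int(row["impressions"])
        daily_total[date] += count
        if page not in known_paths:
            entry = unknown.setdefault(page, [date, 0])
            entry[0] = min(entry[0], date)
            entry[1] += count
    dates = sorted(daily_total)  # ISO dates sort chronologically as strings
    if not dates:
        return [], []
    # Baseline = median daily total over the first `baseline_days` dates.
    baseline = median(daily_total[d] for d in dates[:baseline_days])
    spikes = [d for d in dates[baseline_days:] if daily_total[d] > factor * baseline]
    ranked = sorted(unknown.items(), key=lambda kv: kv[1][1], reverse=True)
    return spikes, [(page, first, total) for page, (first, total) in ranked]


if __name__ == "__main__":
    spike_dates, pages = analyse(SAMPLE_CSV, KNOWN_PATHS)
    print("Days above baseline:", spike_dates)
    for page, first_seen, total in pages:
        print(f"{total:>6}  first seen {first_seen}  {page}")
```

For sites with strong seasonality, take the baseline from the same period of the previous cycle rather than from the preceding days, so that a normal peak is not flagged.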
Question 3: In your experience, how detrimental has a website hack been to the organic search performance of websites you’ve been working on? (1 not detrimental at all, 10 badly damaged the site long term)
The effects of a hack on SEO have been debated for a number of years; however, as the responses show, in practice the impact of a hack has been felt considerably.
Google has previously said that 84 percent of sites are successful in applying for reconsideration following a site hack, but the impact of a hack is still felt prior to reconsideration.
Question 4: In your experience, how long has it taken a website you’re working on that has been hacked to fully recover within search results?
There are a number of studies looking at the impact of a website hack (such as this Wordfence study from 2015), but few about how long it takes to recover.
Recovery is based on a number of factors, including the severity of the hack, type of hack, and agility of the business to implement changes.
The general consensus among respondents is that it can take weeks to months for a site to fully recover, with one respondent claiming no recovery whatsoever.
Identifying a hack, however, is the first challenge, and not all verticals are the same – so sites with extreme traffic variations and seasonality (such as the website for an annual event) will regularly see peaks and troughs.
How a Hack Can Damage a Website
Julia Logan (a.k.a., IrishWonder) shared the below experience with me, from a hacked event website in 2015.
Working on the website of an annual industry event there was an abnormal spike in search visibility outside of their normal pattern. This was down to an influx of parasite pages:
After getting hacked in July 2015, the site got blacklisted by Google. The site was powered by WordPress and was using a number of plugins with known vulnerabilities at the time of the hack. These were:
- Wordfence: There was a known cross-site scripting vulnerability that had been discovered in November 2014 affecting version 5.1.2 and patched in v. 5.1.4.
- WordPress SEO by Yoast: There was a known SQL injection vulnerability that had been discovered in March 2015, affecting versions 22.214.171.124 and below.
Prior to the hack, the site’s directories had not been closed from listing their content. As a result, a number of theme and plugin related directories’ index pages got into Google’s index, making the site an easy target for potential bulk platform-based/plugin vulnerability-based hacking.
After the initial site cleanup, these indexed directories still posed a threat – the server had been configured to serve up a 404 response for them, however having URLs like these indexed could lead to further hack attempts.
It was decided to not close them from indexing via robots.txt as that would still be a telling footprint (besides, these folders contained CSS files which Google insists on being indexable) but to remove them from Google’s index manually via the URL removal request form.
The hackers had also taken control over the site’s SMTP services and had been using them to send out spam emails, leading to the site getting blacklisted with all main email spam databases. This was critical because as an event site, they had a legitimate need to send out emails to their subscribers/event participants, damaging the business’ core function.
The parasite pages had to be manually removed from Google’s index to speed up the index cleanup. However, it took multiple attempts and email correspondence to remove the site from the email spam databases. The site was then also migrated to HTTPS.
What About GDPR?
The upcoming GDPR regulations have thrust the cybersecurity debate into the public eye and raised awareness, although, in my experience, a lot of businesses have yet to grasp the importance of securing digital assets.
Question 5: On a scale from 1 to 10, 1 being not at all, how prepared do you believe your clients are to be secure and comply with the upcoming GDPR regulations?
As you’d probably expect, the feeling is that a lot of companies are still progressing toward being wholly compliant, with few almost at the end.
Compliance comes in different formats for different businesses, depending on the amount of data and the type of data that they process.
A recent study by Deloitte estimates that only 15 percent of organizations they surveyed would be compliant with GDPR regulations come May 25. The data collected here shows ~44 percent of respondents scored 1-4 on the scale.
GDPR doesn’t just affect organizations based within the European Union, but also those outside of the EU who deal with EU countries.
Question 6: On a scale from 1 to 10, 1 being not at all, how prepared do you believe your U.S. clients are to be compliant with the new EU GDPR regulations?
From the 124 respondents to this question, there is even less faith that the U.S. clients of those surveyed would be ready to comply with GDPR and the new European laws.
Speaking with fellow SEO Ryan Siddle from MERJ about the topic of GDPR and how prepared businesses are, he had the following to say:
Medium and large businesses generally have more data and people working with it, usually at a slower pace. Costs are high as they need legal counsel to read, understand, plan and act in accordance with legislation. Legacy systems may not be compatible with new requirements. The software may require dramatic changes to meet them, with months of dry run testing to ensure data integrity.
It is not always possible for small businesses to spend tens of thousands of pounds on legal counsel. Small businesses focus on revenue growth and wait for the larger businesses to act first. The larger businesses digest the information and communicate actionable information to their affiliates and partners.
Whose Responsibility Is Cyber Security?
Speaking with a number of companies over the past few months has shown me that there is a lot of misinformation and misconception surrounding who is responsible for maintaining the security of a website.
Under GDPR, the business itself will be on the receiving end of any fine given, not its development company (although some business owners I've spoken to believe it is in their development contract to shoulder the fine).
Question 7: Who do you believe is responsible for making sure that a website is secure?
Out of the 136 respondents, 64 percent believe that the security of a website is down to all stakeholders, with just under a third thinking the responsibility lies solely with the business.
While under GDPR the fines sit with the business, both the online and offline compliance processes are the responsibility of all stakeholders, including external agencies.
As an external agency, we often have access to website CMSs, analytics, FTP, and other sensitive areas so the onus is on us to use two-step authentication and have our own security policies in place.
From talking to a number of SEO professionals while conducting this survey, and from seeing trends in the industry, it's clear that website security is a topic that's going to be here for a while.
It’s also important that as an industry we help educate clients about the potential risks, not only to SEO but also to their businesses.
Graphs made by Dan Taylor, April 2018
Hacked screenshot by Dan Taylor, April 2018
Sistrix screenshot by Julia Logan, April 2018