Tag Archive for: site security

HTTPS
Between the countless public hacks, identity thieves, and an increasing awareness of how vulnerable personal information is, protecting customers’ personal data has become a hot-button topic over the past year.

This may be why an increasing number of sites are switching to the more secure HTTPS web security protocol. In fact, a new report from Moz suggests that more than half of first page listings on Google are using HTTPS.

While Google has suggested site security could potentially influence a website’s ranking, Moz says the steady growth of HTTPS suggests the rise is more likely attributable to sites making the switch, not an algorithm update. Google has also stated that it has no plans to increase the weight of HTTPS on rankings in the future.

To verify the findings, Moz worked with Rank Ranger, which produced almost exactly the same results using its own system.

Dr. Pete Meyers, who reported the findings for Moz, believes up to 65% of front page results on Google could be using HTTPS by the end of the year. This is entirely possible, given that Chrome is set to begin marking non-HTTPS pages as non-secure if they ask for personal information such as a password or credit card information.

Interestingly, the growth of HTTPS appears to be fairly equal across markets. The results suggest approximately half of the biggest names in Google search results have adopted the security protocol, while newer pages are using HTTPS because it is inexpensive and easy to use.

As part of its #NoHacked campaign to raise awareness and prevent site hacking, Google released its latest annual review of hacked sites this week. As the data shows, site hacks will continue to be a major issue for webmasters for the foreseeable future.

From 2015 to 2016, the number of hacked sites grew by 32%. According to Google, hackers are becoming more aggressive, but many webmasters are also letting their guard down. Instead of proactively keeping their site and security up to date, a significant number of webmasters are letting their sites become vulnerable and outdated. These sites are easy targets for hackers.

While the number of sites getting hacked is on the rise, Google is willing to show forgiveness to those affected. The company says it approved 84% of reconsideration requests from webmasters who have cleaned up their site after a hack. However, Google also says it was unable to inform over half (61%) of affected site owners because their sites were not verified in Search Console.

What To Do If Your Site Has Been Hacked

In addition to the report, Google has also released several new documents aimed at educating webmasters about what to do if your site gets hacked and how to protect yourself.

These new help documents recently released by Google include:

The company has also released help documents focused on specific types of common site hacks, such as Gibberish Hacks, Japanese Keyword Hacks, and Cloaked Keywords Hacks.

How To Prevent Site Hacks

As always, an ounce of prevention is worth a pound of cure. Google’s top recommendation for facing the epidemic of site hacking is to avoid letting it happen in the first place. Specifically, they suggest keeping all software and plug-ins on your site up-to-date and keeping an eye on any announcements from your Content Management System (CMS) provider.

Also, be sure your site is verified in Search Console so Google can notify you in the event your website does get hacked.

Giving your visitors a place to comment on content or in a forum on your site is a great way to encourage interaction and build a bond with potential customers. But, it can be a headache trying to keep any sort of open comment area clean from spammers, trolls, and other sorts of nogoodniks.

This creates two different problems. If visitors see your pages and blog posts are followed by nothing but spam and other types of website vandalism, they’re likely to think less of your brand and potentially move on to someone else. Additionally, you can even get penalized by search engines like Google if they detect an abundance of spam or malicious links or code on your site.

So what can you do to keep your forums and blog comments clean of those seeking to use the opportunity for their own ends without shutting it all down? Google recently offered a few tips to make sure the only comments and posts your visitors see are from real humans interested in building a valuable discussion around your brand and products:

  • Keep your forum software updated and patched. Take the time to keep your software up-to-date and pay special attention to important security updates. Spammers take advantage of security issues in older versions of blogs, bulletin boards, and other content management systems.
  • Add a CAPTCHA. CAPTCHAs require users to confirm that they are not robots in order to prove they’re a human being and not an automated script. One way to do this is to use a service like reCAPTCHA, Securimage and Jcaptcha.
  • Block suspicious behavior. Many forums allow you to set time limits between posts, and you can often find plugins to look for excessive traffic from individual IP addresses or proxies and other activity more common to bots than human beings. For example, phpBB, Simple Machines, myBB, and many other forum platforms enable such configurations.
  • Check your forum’s top posters on a daily basis. If a user joined recently and has an excessive amount of posts, then you probably should review their profile and make sure that their posts and threads are not spammy.
  • Consider disabling some types of comments. For example, it’s a good practice to close some very old forum threads that are unlikely to get legitimate replies.
  • If you plan on not monitoring your forum going forward and users are no longer interacting with it, turning off posting completely may prevent spammers from abusing it.
  • Make good use of moderation capabilities. Consider enabling features in moderation that require users to have a certain reputation before links can be posted or where comments with links require moderation.
  • If possible, change your settings so that you disallow anonymous posting and make posts from new users require approval before they’re publicly visible.
  • Moderators, together with your friends/colleagues and some other trusted users can help you review and approve posts while spreading the workload. Keep an eye on your forum’s new users by looking on their posts and activities on your forum.
  • Consider blacklisting obviously spammy terms. Block obviously inappropriate comments with a blacklist of spammy terms (e.g. illegal streaming or pharma related terms). Add inappropriate and off-topic terms that are only used by spammers, learn from the spam posts that you often see on your forum or other forums. Built-in features or plugins can delete or mark comments as spam for you.
  • Use the “nofollow” attribute for links in the comment field. This will deter spammers from targeting your site. By default, many blogging sites (such as Blogger) automatically add this attribute to any posted comments.
  • Use automated systems to defend your site. Comprehensive systems like Akismet, which has plugins for many blogs and forum systems, are easy to install and do most of the work for you.
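
Several of these tips (time limits between posts, a blacklist of spammy terms, approval for new users, links only from users with some reputation, and `nofollow` on comment links) can be combined in one moderation step. The sketch below is an added example, not code from Google or from any forum package; the thresholds, the blacklist entries and the `User`, `moderate` and `render` names are assumptions made for illustration.

```python
import html
import re
from dataclasses import dataclass

# Constructed policy values (assumptions); tune them to your own forum.
BLOCKED_TERMS = {"free streaming", "cheap pills"}
MIN_SECONDS_BETWEEN_POSTS = 30
MIN_APPROVED_POSTS_FOR_LINKS = 5

# Only http/https URLs are ever turned into links.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

@dataclass
class User:
    name: str
    approved_posts: int = 0                 # simple stand-in for reputation
    last_post_at: float = float("-inf")     # timestamp of the previous post

def moderate(user, text, now):
    """Return (decision, reason); decision is 'reject', 'hold' or 'publish'."""
    if now - user.last_post_at < MIN_SECONDS_BETWEEN_POSTS:
        return "reject", "posting too fast"
    lowered = text.lower()
    for term in BLOCKED_TERMS:
        if term in lowered:
            return "reject", f"blocked term: {term}"
    if user.approved_posts == 0:
        return "hold", "first post needs approval"
    if URL_RE.search(text) and user.approved_posts < MIN_APPROVED_POSTS_FOR_LINKS:
        return "hold", "links from low-reputation user"
    return "publish", "ok"

def render(text):
    """HTML-escape a comment and link its URLs with rel="nofollow"."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="nofollow">{url}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Held comments go to the moderation queue rather than being discarded, so a moderator can approve them and raise the user's `approved_posts` count.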

Google HTTPS Warning

Google is making some changes to protect users’ sensitive information online, and it could lead to your site being marked as non-secure by Google’s web browser at the end of this month.

Google released a warning that as of the end of January 2017, Chrome will mark sites without HTTPS as non-secure if they collect private information like passwords or credit cards.

Google #NoHacked HTTPS

“Enabling HTTPS on your whole site is important, but if your site collects passwords, payment info, or any other personal information, it’s critical to use HTTPS.”

The company has encouraged implementing HTTPS in the past by making it a (very minor) search ranking signal. Now, from the sound of the alert, the company says an entire site will need to be HTTPS if any pages collect payment or sensitive information.

Switching over to HTTPS is an easy process, but you should begin preparing to make the switch now if your site fits the criteria. Otherwise, you are likely to be flagged as non-secure in February and lose a large amount of your web traffic.

Google is launching a new set of algorithm changes intended to remove hacked sites that spew spam from the search engines. According to the company, the changes will affect approximately 5% of queries and have already begun rolling out.

Google says it is cracking down on hacked spam to protect both searchers and site owners, but the move could have consequences for legitimate site owners unaware their site has been hacked. These sites are dangerous to those who visit them as they can lead to malware downloads, marketing of illegal goods, or completely redirecting people to unintended, low-quality sites.

For queries with a particularly large amount of hacked spam present in the SERPs, Google says you may see an overall reduction in the number of results shown. According to the announcement, this is because Google is working to make sure users only see the most relevant results for their queries.

In some particular searches, as much as a quarter of the search results have been removed.

Google has said these changes will be part of an ongoing effort to continuously refine its algorithms to improve SERPs and cut out bad content.

A few weeks ago, Google announced they would begin favoring sites that switch to HTTPS in search results. At the time of the announcement, most of the SEO community was skeptical at best and few believed the HTTPS ranking factor would have any effect on rankings whatsoever. Well, it has been a couple of weeks and we have the verdict.

The skeptics were absolutely right.

SearchMetrics decided to evaluate whether HTTPS had any discernible effect on search results of any form. According to Marcus Tober of SearchMetrics, there is no data to prove HTTPS has any effect on Google rankings after the launch of the ranking factor.

In a nutshell: No relationships have been discernible to date from the data analyzed by us between HTTPS and rankings nor are there any differences between HTTP and HTTPS. In my opinion therefore, Google has not yet rolled out this ranking factor – and/or this factor only affects such a small section of the index to date that it was not possible to identify it with our data.

Tober shared his data along with his report, and it matches the anecdotal evidence available as well. Site owners across the web rushed to update their sites to the newly favored HTTPS, but there is nary a single story I could find suggesting it had any ranking influence at all.

At the time of the announcement, Google did suggest that switching over could possibly influence rankings, but they also called it a “very lightweight signal” so there’s no need to grab your pitchforks. But these results may have some lessons for those who were expecting an easy and quick ratings boost with minimal work.

In the past, several Google employees have suggested they would like to see site security included as a ranking factor within their search engine. Now, Google has followed through and announced that going HTTPS, or adding an SSL 2048-bit key certificate on your site, can potentially give you a small ranking boost.

Don’t expect to propel yourself to the top of the search results by adding HTTPS: Google refers to it as “a very lightweight signal” within the larger scheme of things, one that only affects “fewer than 1% of global queries.” However, it was also implied that the new ranking signal may get beefed up in the future in an attempt to encourage all site owners to increase the security on their sites.

The change should come as little surprise to anyone who heard Matt Cutts, Google’s head of search spam, publicly endorse the idea of making SSL a ranking factor just a few months ago.

Unlike many ranking changes that Google makes, the risk of drawbacks is small. Google has been saying that switching to HTTPS should not have an effect on SEO for years, so long as you take a few steps to guarantee your traffic stays steady. Mostly, such steps relate to communicating to Google so it understands how to read your site.

Google has also said they will be releasing more information and resources for webmasters deciding to adopt HTTPS, but for now all they offer are these tips:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out our site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
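
A small audit can check a page against these tips and against the Chrome warning described earlier (password or credit card fields on a page not served over HTTPS). This is an added example, not a Google tool; `audit_page`, `robots_blocks_crawl`, the finding labels and the sample hostnames used to exercise it are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Autocomplete tokens that mark password and payment-card fields.
SENSITIVE_AUTOCOMPLETE = {"current-password", "new-password", "cc-number", "cc-csc", "cc-exp"}

class _PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sensitive = False    # page asks for a password or card data
        self.noindex = False      # robots meta tag contains "noindex"
        self.http_resources = []  # subresources hard-coded to http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and (a.get("type", "").lower() == "password"
                               or a.get("autocomplete", "").lower() in SENSITIVE_AUTOCOMPLETE):
            self.sensitive = True
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.noindex |= "noindex" in a.get("content", "").lower()
        is_css = tag == "link" and "stylesheet" in a.get("rel", "").lower()
        ref = a.get("href" if tag == "link" else "src", "")
        if (is_css or tag in {"script", "img", "iframe"}) and ref.lower().startswith("http://"):
            self.http_resources.append(ref)

def audit_page(url, html_text):
    """Return finding strings for one page, given its URL and HTML."""
    scan = _PageScan()
    scan.feed(html_text)
    scan.close()
    https = urlsplit(url).scheme.lower() == "https"
    findings = []
    if scan.sensitive and not https:
        findings.append("sensitive-form-over-http")  # the case Chrome marks non-secure
    if https:
        # Relative and protocol-relative URLs pass; absolute http:// ones do not.
        findings += ["mixed-content:" + r for r in scan.http_resources]
    if scan.noindex:
        findings.append("noindex-meta")
    return findings

def robots_blocks_crawl(robots_txt, page_url, agent="Googlebot"):
    """True if the given robots.txt text forbids `agent` from fetching page_url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, page_url)
```

Run it against both the HTTP and HTTPS versions of each template during a migration, since a page can pass one check and fail the other.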