As cybersecurity becomes an ever-growing problem in the information era, it is crucial to protect your website so as not to jeopardise your users' security and privacy.

For websites, this can range from buying Comodo certificates to writing a full-blown bespoke set of iptables firewall rules for your server – don’t worry, many websites do not need to go that far.

Since Google penalises websites that have been hacked, especially after significant breaches, it is essential for you and your userbase that your website is secure enough to protect itself from attack.

HTTPS

HTTPS is a long-standing encryption technology originally developed in 1994 by Netscape, then formally specified by RFC 2818 in 2000.

Hypertext Transfer Protocol Secure, to give it its full name, is the encrypted counterpart to HTTP. When a browser initiates a connection to a secure web server, the server presents its certificate, which contains its public key, and the two sides perform a handshake to set up the encrypted session.

Once the handshake completes, the browser recognises the connection as secure. From that point it is almost impossible for a third party to read or alter the data transferred over the connection.

HTTPS has many benefits for UX and SEO. It builds trust between the website and the user: the browser shows a grey padlock next to the website’s address, and the user sees the business as secure and genuine.

Not having HTTPS can lead to decreased click-through and conversion rates, as users may not trust your website, and HTTPS is also a ranking factor for Google. The most common way to enable it is obtaining an HTTPS certificate for your website.

HTTPS doesn’t have to be expensive either! Projects like Let’s Encrypt issue trusted certificates for free, and setup is straightforward as long as the software your site runs on is modern enough to serve it over TLS 1.3.

Security Headers

A little-known security measure you can take for your website is setting secure HTTP headers. HTTP headers let the server pass additional information (e.g. the server software, cookies, etc.) to the client in each response, and the client to the server in each request. There are many security-related headers to choose from, and they are relatively easy to implement.

Content-Security-Policy

The most important one is the Content-Security-Policy header, which tells the browser which sources it may load scripts, styles, images and other resources from on a given page. Restricting these sources helps protect the website from cross-site scripting (XSS) attacks.

We recommend this be implemented on all sites; however, review the available directives first, as the right policy differs from site to site.

HPKP

Another useful security header is the HTTP Public Key Pinning (HPKP) header, which tells a web client to associate a specific public key with a particular web server, decreasing the risk of man-in-the-middle attacks.

As before (and as with many other security headers), there are many directives available, and which ones apply depends on the website.
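The two headers above are easiest to judge when you can see a weak policy next to a hardened one. The following script is an added example, not code from the original post: it parses a Content-Security-Policy value into its directives, flags the settings that undo the XSS protection the header is meant to give (a wildcard or 'unsafe-inline'/'unsafe-eval' on script-src, no default-src fallback, object-src not locked to 'none'), and reports a Public-Key-Pins header as a caveat, since major browsers have since removed HPKP support and a mistaken pin set can lock legitimate users out of the site. The header dictionaries are constructed samples; `https://cdn.example` and the pin value are placeholders, not real identifiers.

```python
"""Audit Content-Security-Policy and HPKP response headers (added example).

The two header sets below are constructed samples; no network access is needed.
"""
from typing import Dict, List

# Constructed sample: a permissive policy that still "has a CSP" but protects little.
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    # Placeholder pin value; HPKP is no longer honoured by major browsers.
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PIN_BASE64"; max-age=5184000',
}

# Constructed sample: a restrictive policy (https://cdn.example is a placeholder host).
HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, so they are lower-cased; a directive that appears a
    second time is ignored, which is how browsers treat duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that govern a fetch directive, falling back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response; an empty list means nothing was flagged."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        scripts = effective_sources(policy, "script-src")
        if "'unsafe-inline'" in scripts:
            findings.append("script-src permits 'unsafe-inline' (inline scripts run)")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src permits 'unsafe-eval'")
        if "*" in scripts:
            findings.append("script-src permits '*' (scripts from any origin)")
        if effective_sources(policy, "object-src") != ["'none'"]:
            findings.append("object-src not set to 'none' (plugin content allowed)")

    if "public-key-pins" in lower:
        findings.append(
            "Public-Key-Pins present: major browsers no longer honour HPKP, "
            "and a wrong pin set can lock users out of the site"
        )
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(headers) or ['no findings']}")
```

Point `audit_headers` at the headers of a real response (for example the `.headers` of a `requests` or `urllib` response, converted to a plain dict) to run the same checks against your own site; the CSP parser deliberately keeps only the first occurrence of each directive so that the audit reflects what a browser would actually enforce.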

Hacked websites in Google

A website hack can cause catastrophic damage to your site (and even your business), depending on its severity.

When Google identifies that your website has been hacked or defaced, it sends you a warning email from Google Search Console (assuming you have it set up) to notify you of the malware.

Search engine users are warned in the search results that your website has been hacked, and browsers will also block access to it if they detect malware or a compromised connection.

All this combined can result in your organic rankings suffering greatly.

The best way to recover in Google (once you’ve fixed everything) is to request a malware review from Google (found under Security Issues in Google Search Console). If successful, your website may regain its rankings within 24 hours. If not, we can always help with our bespoke technical SEO expertise.

Data Breaches

Although data breaches aren’t specifically an SEO matter, they do affect user trust and organic traffic.

There have been many cases of websites suffering data breaches, leaking large volumes of user data for attackers to see.

Publicised data breaches have been shown to massively reduce user loyalty, trust and general traffic, by as much as 40%.