Before going into why a hacked website is bad for your rankings (and your business as a whole), it’s important to understand and ask why hackers hack in the first place.
Hackers can exploit website vulnerabilities (or create their own entry points) for a number of reasons, ranging from someone looking for an ego boost by taking control or ownership of someone else’s property, or to steal passwords and financial information to either sell on, or to exploit themselves. Then there are also hacktivists, who seek to steal information in order to make it public – often to embarrass or highlight wrong doings of the data subject.
Typically, when we talk about hacked websites and their SEO impact, we tend to focus on spam injections where the hacker creates additional URLs and pages for pharmaceuticals and sporting goods (usually) with the aim of ranking the pages for those terms – leveraging the perceived authority and ranking potential of the host domain.
It’s a common practice that still goes on today and can be easily avoided, and is known as an URL injection.
Google have made a big push for websites to move to HTTPs through various blog posts, its search algorithm, and now through its Chrome product. In the past Google have also displayed warnings to users within search results pages, and red warning screens when it suspects the site has been infected with malware.
How much does a website hack hurt rankings?
There have been a number of studies conducted into the effects of a website hack on rankings, and while they vary from minimal impact to apocalyptic consequences, when you aggregate the studies and average out the data there are some trends.
Here’s what we know:
For the most part (50% of the time) there is no visible impact to organic search performance, but the more interesting statistic is that 30 percent of studies correlate that there is a negative impact resulting in a performance loss of around 25 percent.
Regardless of a business’s size, a 25 percent loss in organic search performance can hurt. But this won’t be the only loss now that the GDPR regulations have come into play.
The new GDPR regulations enforce a fine of 4 percent annual turnover (or €20m – whichever is higher), which could have a colossal impact on the majority of businesses.
Google can blacklist your website
Google have the term “quarantining”, which means that Google have recognized that your website has been hacked or infected with malware, and have taken measures to protect users from harm – through warning messages like the below:
Which is probably the biggest red flag possible to users; that, or they might just remove the website from search results.
Understanding how a website can become vulnerable
A lot of businesses typically pay for some form of penetration testing or security audit when they first commission the development and launch of a new website. The mistake here is that a lot of businesses see this as job done and move on.
However, unless you’re running your website on a bespoke platform, chances are you’re using an open source platform (such as WordPress, Magento, Drupal, OpenCart), so you’re always liable to be at some degree of risk. As these platforms are open source, any vulnerabilities or exploits discovered are posted publicly and opportunistic hackers keep an eye out for these announcements.
These platforms also make use of plugins and modules (often developed by third parties) and when these become outdated or not maintained properly they can act as back-doors for hackers to exploit. In February this year more than 5,000 websites, including a large number of Government websites were hacked through an outdated screen reader plugin.
Websites also change over time – whether it be the addition of forms, design elements, PPC landing pages, they’re not static structures.
The only way to ensure that a website remains secure over time is to actively monitor and audit it. Employing the services of a penetration tester or third party security tester once and then when questioned pointing to an outdated pass certificate won’t be sufficient starting with May 25th (legally), and from a business ethics perspective it isn’t good enough for users currently.
Prevention is better than the cure
Fixing a hack or exploited vulnerability can be costly in terms of development costs, but also costly in terms of fines, lost revenue from performance, and lost customers from negative publicity.
Removing malware code from your site could also mean rebuilding content assets, which is another cost.
This is why prevention is a lot better than the cure in terms of cost and reputation. Investing in real-time monitoring and auditing solutions allows you to create an audit trail (which is required under the new GDPR regulations), and allows you to see vulnerabilities before they become serious issues and exploited.
Note: The opinions expressed in this article are the views of the author, and not necessarily the views of Caphyon, its staff, or its partners.