Technology is always evolving. Whether that is the devices we have in our homes and pockets, or the websites we visit.

In the world of SEO, we are used to change. Google’s algorithm updates several thousand times a year for example (not all are notable), so it is vital that we are always on our toes.

Google also announced in 2019 that Googlebot will now use the latest version of Chromium, meaning it will now recognise any changes to programming languages that were not being picked up in previous Chromium versions.

Although many of these programming languages change to improve efficiency, they also change to improve security, especially when nefarious organisations or individuals have exploited the code to gain unauthorised access to organisations. This can take the form of taking control of user accounts, accessing sensitive data and much more.

So, how does this impact SEO?

Why Website Security is Important for SEO

A hacked website can destroy organic visibility for a website.

In some cases, reducing visibility to near zero:

Traffic drop of a hacked website

For a bit of context, this website had content and links injected on the majority of pages targeting terms completely unrelated to the website. As a result, the website got blacklisted by search engines, including Google (more on this later).

I contacted the owners of this website closer to the time of the hack, making them aware of it (they had no idea they had even been hacked initially!). They have since worked with a cybersecurity company to tighten their website security – but are still feeling the impact of it today.

This sort of hack is common – a GoDaddy study in 2017 found that nearly 74% of the hacked websites they analysed had been hacked for SEO purposes.

Most common reason websites are hacked
The second most common hack is done for spam SEO

A common misconception is that hackers will only target large corporations, but unfortunately, this simply is not true. The example shown earlier in this post was a small, independent charity in Manchester.

The scary truth is that a lot of SEO-related hacks are done automatically. Scripts will scan the internet for websites running vulnerable software, automatically gain access and inject links, without the attacker even needing to visit the website.

Google Clampdown

Google are doing brilliant work in clamping down on unsafe websites – and this is only set to increase!

If your website has not been completely blacklisted, you may find it shown in the search results like this:

An example SERP result of a hacked domain

This can be just as damaging as getting blacklisted as it’s a huge deterrent for users. Nobody wants to click on a website with a warning like that!

Google also advise that users do not click on websites that are displaying these warnings.

Blacklisting

The main reason hacked websites plummet in traffic is blacklisting by search engines and antivirus software.

A blacklist is essentially an online penalty box, where the penalty is that you would no longer find that website in the search results. This is one of the harsher penalties but is not uncommon to see.

This can have a devastating impact on a business that is already suffering the financial loss from a hack or the expense of getting it fixed, and will then struggle to make money online due to its lack of presence within search results. One article suggests that 60% of hacked SMBs go out of business within 6 months, with a lack of online traffic possibly being a contributing factor.

Types of Attacks that Impact SEO

Although every attack will impact SEO one way or another, some are a little more direct than others:

Denial of Service

DoS or DDoS (Distributed Denial of Service) is generally when an attacker targets a website by flooding the website with traffic from bots. This can result in an internal server error if mitigations are not in place, or a serious slowdown of the website.

If a website is knocked offline or is running extremely slowly with frequent timeouts, this is a poor user experience, and as a result, it is possible that Google may deindex the website temporarily. That is if Google can even crawl your website anymore, as this affects not only real users but “friendly” bots too. It also goes without saying that this will dramatically harm the amount of revenue your website generates during this period.

In short bursts, this should not have long-lasting impacts on SEO. However, denial of service attacks that last an extended period CAN have a detrimental impact on rankings once the website is back online.

If you suspect your website is being targeted by a denial of service attack, we recommend that you get in touch with your hosting provider as soon as possible.

Thankfully, this black hat SEO tactic is not very prevalent anymore due to improvements in services that offer protection against DDoS attacks.

Link Injection

This black hat tactic is a more commonly used method these days, in which attackers will find compromised websites and inject external links on pages throughout the compromised website.

There will often be links pointing towards malicious websites hosting malware, or to throwaway sites that a black hat SEO may be trying to rank quickly. These links will often be cloaked so that search engines see them but users do not – sometimes making it difficult to know they are even there in the first place.

If Google see these links on your website, they will associate your website with the websites that you are linking to. This can result in a loss of rankings, or more likely, getting blacklisted.

A hacked website with malicious text within the meta description
Google has picked this up within the meta description but is nowhere to be found on the site when using a non-Google user agent
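
One way to check your own pages for the cloaking described above is to compare what is served to a Googlebot user agent with what a normal browser receives. The following is an added example, not code from the original post; the site charity.example, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"  # simplified
# Constructed sample responses for a hypothetical site, https://charity.example/
USER_HTML = """<head><meta name="description" content="Local food bank"></head>
<body><a href="/donate">Donate</a> <a href="https://partner.example/">Partner</a></body>"""
BOT_HTML = """<head><meta name="description" content="Cheap pills online"></head>
<body><a href="/donate">Donate</a> <a href="https://partner.example/">Partner</a>
<div style="display:none"><a href="http://spam-shop.example/buy">buy</a></div></body>"""

class LinkCollector(HTMLParser):
    """Collects external link hostnames and the meta description of one page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.site_host = urlparse(base_url).hostname
        self.external_hosts, self.description = set(), ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            host = urlparse(urljoin(self.base_url, attrs["href"])).hostname
            if host and host != self.site_host:
                self.external_hosts.add(host)
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""

def summarise(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    return parser.external_hosts, parser.description

def cloaking_diff(bot_html, user_html, base_url):
    """Report external hosts and description changes served only to the crawler."""
    bot_hosts, bot_desc = summarise(bot_html, base_url)
    user_hosts, user_desc = summarise(user_html, base_url)
    return {"bot_only_hosts": sorted(bot_hosts - user_hosts),
            "description_differs": bot_desc != user_desc}

def fetch(url, user_agent):
    """Fetch a page on a site you run, presenting the given User-Agent header."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

if __name__ == "__main__":
    print(cloaking_diff(BOT_HTML, USER_HTML, "https://charity.example/"))
```

For a live check on your own site, pass the output of fetch(url, GOOGLEBOT_UA) and fetch(url, BROWSER_UA) to cloaking_diff. Injected code that keys on Google's IP addresses rather than the user agent will not show up this way, so also compare against what the URL Inspection tool in Google Search Console reports.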

Be aware that it might not always be a stranger doing this; it could be an agency or company you have parted on bad terms with! When parting ways with a third party, we always recommend removing their access.

Link spikes from black hat SEO
Links to a black hat website using link injection – Source: Sucuri.net

If this ever happens to your website, a cleaning operation will need to take place in which you remove the malicious links and patch the access point. Once this has been completed, you can request a review from Google. More information can be found here.

For a more technical view on how this works and the methods used, read this post from Sucuri.

Man in the Middle Attacks

A man in the middle attack can take many forms, but in this instance, this is when an attacker can intercept and relay communications between two parties – sometimes because the messages are unencrypted. This allows them to inject new messages.

One way to defend yourself against this is to install an SSL certificate on your website if you have not already. This means that your website’s communications are now encrypted when in transit, so anybody in the middle will see nothing but encrypted traffic that they cannot decrypt without the necessary keys.

In terms of SEO, Google has announced that having an HTTPS website is a ranking factor – so installing a certificate is highly recommended not only for security, but for SEO as well. This is really easy to do, and there are lots of resources online on how to do it. Some hosting companies may charge a fee – however, there is a manual, free option from Let’s Encrypt.

If you have not got a valid SSL certificate already and need an additional push: HubSpot found that 82% of consumers surveyed would leave a website that was not secure. That is a lot of potential revenue to be missing out on!

Credit Card Skimming

This is when code has been injected into a file at the point of sale (PoS), which then sends card details to the attacker. The code is often obfuscated to make it harder to detect – sometimes even disguised as Google Analytics code! This can be done by gaining access to the target system or, more likely, by exploiting a vulnerable plugin, which means the attacker can compromise multiple websites at once.

Although this does not have a direct effect on SEO rankings, having malware that exports credit card data at the point of sale can have devastating impacts on a business. This can be in the form of huge fines (think GDPR fines) or a massive lack of consumer trust.

British Airways was fined £183 million after a breach stole credit card details of 380,000 customers (technical writeup here for the interested!) and Marriott was also fined £99 million after personal data of over 339 million guests was stolen by hackers.

Is one CMS worse than others?

Yes and no. No system is hack-proof, contrary to the claims of many companies.

However, CMSs that are no longer receiving updates are extremely vulnerable – in which case we would recommend switching to an up-to-date CMS.

Popular CMSs are going to be a target for hackers due to their size and number of users. However, this often means that there are larger teams out there to patch vulnerabilities.

Plugins, however, are a different story.

Anybody could make a plugin and upload it to a marketplace. Most plugins will be fine; however, we recommend that only necessary plugins are installed on a website (for security and speed purposes), as a vulnerable plugin can be devastating.

That said, even the big plugins are vulnerable – including Yoast. We are not saying to go remove Yoast from your website, but to make sure that everything is running on the latest version to ensure you are not vulnerable to exploits such as the above.

One plugin I wholeheartedly recommend is Wordfence. It can be a bit annoying and fiddly to set up initially but is very much worth it!

Finally, strong password management will go a long way in securing your website. Avoid the use of common passwords (check haveibeenpwned to see if your password is vulnerable – you’d be surprised at how often it is). Passwords of around 9 characters or above reduce the chance of brute force attacks massively, and the sporadic use of symbols and capitalisation will help a lot.

Whose Responsibility is Website Security?

As an SEO agency, we do not deal with cybersecurity as a service. But as an external third party, we often have access to website CMSs, development environments, analytics, FTP, and many other sensitive areas. Information that could be very valuable in the wrong hands.

So, this begs the question, who is responsible for website security?

Personally, I believe it is with all stakeholders, internally or externally. GDPR (and the potentially massive fines it brings) is something that impacts us all and should be adhered to, as the repercussions could destroy a business.

However, many believe the onus is on the business to keep their website safe and secure.

Either way, we are always keeping an eye out for any potential security risks as the SEO impacts from a hacked website can be huge!

If you have been hit by a hack and are struggling to recover to previous levels of organic traffic, give one of our experts a call or contact us online!