Cybersecurity experts have in recent years noticed the rise of a new way of attacking website visitors, known as search engine optimization (SEO) poisoning. Simply put, it involves creating a malicious site and applying SEO techniques to boost its chances of ranking at the top of search results. As the site adheres to good SEO practices, visitors are likely to think that it’s reputable.
One of the latest examples of SEO poisoning attacks occurred in early November 2024. Users searching for details about legally owning Bengal cats in Australia learned they were hacked after going to a high-ranking site hiding malware. Once the user clicks, the malware installs itself on the device and begins compromising the stored data. (1)
To save you the trouble, importing Bengal cats into Australia is illegal as of March 2025.
Such cases highlight the key role SEO plays in enhancing website security. If quality—and malware-free—content ranks higher in search results, it can push malicious ones down to obscurity and prevent users from accessing them.
The Connection Between SEO and Website Security
SEO wasn’t initially introduced out of a need for more secure websites but rather for better content quality. Google realized that site owners could manipulate the search engine algorithm simply by spamming search terms and links in their content. Back then, ranking high was a matter of which site mentioned the search term or keyword more often.
As its algorithm got better at discerning quality content, Google began exploring other non-content-related factors. In 2014, it announced that HTTPS (more on this in a second) would be a ranking signal. It was the company’s way of urging owners to improve their websites’ security and contribute to a safer Internet.
Five years later, it took its stance a step further with updates to its Chrome browser that automatically block mixed content. Mixed content refers to HTTPS pages that still load insecure HTTP resources. Think of it as erecting a fence but leaving a door or window unlocked. (2)
Today, hacked content is punishable with penalties from search engines, not only because it doesn’t provide helpful information to users but also because it poses a security threat. An example is content injection, which is divided into three common types. (3)
| Injection Type | Description | Common Method |
|---|---|---|
| Code | Inserts malicious code into the target pages to change their content | Adds lines of malicious code typically made via JavaScript |
| Page | Adds unnecessary pages to the site that violate current SEO guidelines | Deliberately fills the page with spam to undermine the content’s ranking efforts |
| Hidden | Manipulates parts of pages that can’t be detected for changes right away | Hides links or text using CSS or HTML, showing irrelevant pages |
Penalties, both automatic and manual, can lead to the page’s or site’s search engine ranking dropping by the dozens. More serious violations result in the entire site being deindexed from search results. Either way, the content will be buried in oblivion.
Nothing can be more crushing to businesses than their customer base forgetting that they exist. That’s why a forward-thinking SEO agency that Brisbane business owners trust, or similar experts in your area, takes as many factors into account as possible. The success of a marketing campaign lies in how many people see and share it with others.
Granted, site security doesn’t provide as much of a ranking boost as content quality. However, in an environment where the top-ranked result changes nearly daily, every advantage helps. Visitors are more confident accessing a site with the latest security measures, leading to improved site metrics like dwell time and paid and organic traffic.
Encrypt Connection With HTTPS
The most popular first step in improving SEO and website security simultaneously involves a secure link between the browser and the server. Without this, cybercriminals can easily intercept valuable data while in transit or within the network.
This attack is known as a data breach, and it has proven crippling to businesses time and again. According to IBM’s latest Cost of a Data Breach report, the global average cost of one sits at USD$4.88 million. Certain industries such as energy, financial, and healthcare have above-average costs. (4)
Preventing data breaches begins with encrypting the connection with Hypertext Transfer Protocol Secure (HTTPS). A successor to the legacy HTTP, it benefits from the addition of Transport Layer Security (TLS, hence the “S” in HTTPS) that masks data to reduce the risk of interception by cybercriminals.
TLS works by producing a pair of keys: a “public” key that encrypts the data on the sender’s side and a “private” key that decrypts it on the receiving end. In doing so: (5)
- The sender and receiver don’t have to share a common key.
- The receiver’s key can be kept close to their person always.
- The sender can’t deny having sent the data (non-repudiation).
- Identification features such as digital signatures can be safely employed.
Not only does Google consider HTTPS a ranking signal, but its stance has extended beyond the search engine. For instance, Chrome now flags pages that use HTTP as not secure, if not dangerous, and urges users to think twice about accessing them. This can have severe repercussions for website traffic.
To adopt HTTPS, you’ll need to purchase a TLS/SSL certificate from a Certificate Authority (CA). The CA must also sign and validate this digital certificate to work for your domain and that domain alone. If you need multiple domains and subdomains covered, there’s the Unified Communications Certificate for that.
The good news is that many CAs are also web hosting services, streamlining the process. You can directly ask your chosen service for a certificate and even install it via its platform.
Even with the certificate installed, visitors might still be led to the HTTP version of the site or page. There are two ways to redirect traffic to HTTPS pages: through a third-party plugin or by editing the .htaccess file to include the right lines of code. The exact lines vary by server.
Fix Hacked Content
Google considers hacked content spam, so it can result in a penalty. The owner may not, by and large, be blamed for getting their site compromised, but ensuring security is their responsibility nonetheless. As such, fixing the problem is also their duty.
According to web.dev, Google’s online resource on web development, cybercriminals find their way into the website using the following common techniques: (6)
- Weak passwords: Be it through brute-force attacks or educated guesses, weak passwords are often a hacker’s ticket into a site’s admin privileges. A strong password for such an account should be way more complex than something like “admin1234.”
- Missed security updates: Web server and content management system (CMS) software running older versions are missing crucial updates that protect from the latest threats. As a result, they serve as backdoors to let hackers in. The same applies to plugins.
- Insecure themes and plugins: Apart from outdated ones, installing themes and plugins from outside a CMS can be a security risk. It isn’t unusual for some of these to possess malicious code that injects itself onto the site or page upon installation.
- Social engineering: Old-fashioned deception remains one of the most dangerous tools cybercriminals have at their disposal. They can assume the identity of a legit authority (e.g., office manager, sales rep) and ask for the victim’s information.
- Security policy holes: Poor security practices like enabling weak passwords and admin access for almost everyone leave weak spots in your network security. One member’s mess-up is enough for malicious actors to be let in.
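- Data leaks: Configuration errors can make confidential data visible to the public. This can happen if the site doesn’t have a robots.txt file, which restricts the URLs Google’s crawlers can visit and index. Keep in mind that robots.txt only tells compliant crawlers what to skip and is itself publicly readable, so confidential files still need access controls on the server.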
While there are visible signs such as strange content and pop-up ads, site owners still have to pinpoint the security issue at its source. Those whose sites are registered with Google’s Search Console are provided a report of hacked pages. The system can’t accurately show hacked content for cloaked links, but there’s the URL Inspection Tool for that.
The solution for hacked content depends on the problem itself. For example, an unfamiliar admin account can suggest that whoever created it has your password. Changing it to a more secure password will be in your best interest, as will conducting an audit to find compromised pages.
Use a Content Delivery Network
A business that serves clients and customers worldwide needs its website to be accessible no matter where they are. In this case, a dedicated hosting server alone won’t be enough to manage the immense number of requests. Too many at once can lead to major downtime.
Aside from a server, websites that cater to broader audiences should take advantage of a content delivery network (CDN). It creates and stores copies of a page’s content so that it loads quickly when a local request comes in. If someone in India wants to access a U.S.-based website, an India-based CDN should be able to open it with ease.
Google confirms that a CDN improves SEO and website security through the following: (7)
- Increased Crawling Threshold: Google designed its crawling mechanism to increase crawl activity for pages backed by a CDN. It starts by crawling the content stored in the server (called cold crawling) to jumpstart crawling on the CDN’s cache. If Google detects the content is backed by a CDN, it’ll “throttle” the system and raise the crawling limit beyond that for non-CDN-backed content. More crawled pages means more of them indexed and ranked.
- Malicious Traffic Protection: Because a CDN receives and facilitates requests in multiple areas, it reduces the burden on the server. This is especially helpful in thwarting distributed denial-of-service (DDoS) attacks, which rely on swamping the server with fake requests to take the website down.
It’s important to note that a CDN is no substitute for a hosting server. Not only is it built for handling static data only, but its performance is also dependent on that of the web server. Having both is better in most situations.
Conclusion
To recap, website security is a key factor in any SEO effort because Google has deemed it so. Achieving this requires a combination of adopting HTTPS, finding and repairing signs of hacked content, and investing in a CDN.
These are by no means the only methods for maintaining a more secure website that ranks well in search results. That said, they’re a good start for a business looking to gain the edge in their respective markets. Consulting an SEO agency can help develop the best strategy for your business’s circumstances.