SEO Ranking Drop: Does Website Security Affect Your SEO?

Published 14 June 2021
Updated 5 June 2024
Agnes Talalaev
SEO wizard at Patchstack

Has your SEO ranking dropped? Is your website secure? Search engines only recommend websites that they’re sure will be of use to users. This includes security.

Way back in August 2014, Google put it in writing that the most basic step in securing a website was something they wanted.

They announced that strong HTTPS encryption will be a ranking signal. It was the first big sign that website security directly affects SEO.

Cybersecurity breaches will be seen by search engines like Google as a reason to lower the rank of your website. When you’re hacked, you lose control of your website and Google doesn’t like that.

What happens to your SEO strategy when you’re hacked?

The best way to analyze how website security affects SEO is to understand what happens when you’re hacked because there are an incredible number of ways it can be done.

Now, this is not an exhaustive list of security issues. It shows how some of the more common website security issues can hurt your SEO efforts.

If something is wrong with your website’s security and Google notices, it can have an effect on your position in SERPs (Search Engine Results Pages).

‘Man-in-the-Middle’ attack

The name pretty much describes the hack — an attacker gets in between your website and the user to get sensitive information. HTTPS encryption provides easily-implemented protection against the man-in-the-middle attack.

Now, the 2014 Google Webmasters blog had made it clear that HTTPS encryption would only be a “lightweight signal”.

They said it will act as a tiebreaker if two sites had similar ranking signals, but won’t be a big reason you rank lower or higher. The larger intent was to get everyone to adopt HTTPS faster.

But, in 2017 Google also said the Chrome browser would flag websites as “not secure” when they’re not HTTPS. This means there’s more to it than just the ranking signal. It’s also about user behavior once you’ve got them on your site.

A HubSpot survey says that 82% of users leave a website that is not secure. This means that even casual users know that when a browser flags a website, it’s best not to take a chance. That’s a direct loss to your SEO efforts right there because of website security.

It doesn’t end with this. If a user jumps back to the search engine results page immediately after clicking on your webpage, the search engine may take this to mean that your page is not the desired result.

This lowers the time on page, hence the SEO ranking drop.

Then there’s also the matter of referral data. Referral data is not passed from HTTPS to HTTP pages. This means that your Google Analytics will show traffic from HTTPS pages as direct traffic. This can mess with your SEO planning.

For one, you can’t measure which backlinks are giving you traffic and which ones aren’t. Two, it skews your understanding of where your traffic is coming from.

SEO spam on your website

Ever heard of SEO spam? SEO spam is directly connected to your SEO and can be a clear indication of an SEO ranking drop.

Essentially, spam content is introduced into your website. Hackers can introduce anything from whole pages of spam content to links that redirect users to pages you do not want to be associated with.

It’s a growing malware category. A report by GoDaddy flagged it as the most common problem, with 62% of their client sites containing SEO Spam. This means SEO is a major reason to compromise a website’s security.

If you’ve worked on improving SEO, you should know how important link building is for your site. Black hat SEO tries to hijack this process, using illegal ways to improve the rankings of spam or malicious websites.

Consider “cloaking”. Attackers replace or add content to your website. It’s done so that search engines and users see different content. Cloaking is against Google’s Webmaster Guidelines.

This is because Googlebot will get one version of the webpage, one that Google will display, and a browser will get one that contains content the attacker wants the user to see.

They’re looking to use a legitimate website to distribute spam content to users.

There are many ways to do this, and you should be aware of how it’s done. An example would be to identify browsers and bots by their User-Agent header, a string that tells the server which application is making the request.

Now, search engines might not catch the compromised content immediately, as it’s “cloaked” from both you and Googlebot, but they will eventually notice. And your website will go onto the Google Blacklist when they do.

Apart from cloaked content, attackers can also insert links that redirect to spam websites. This helps improve the ranking of spam websites but lowers your ranking because of all the suspicious links you’re providing.

Examples of the most popular types of spam sites:

  • Viagra
  • Cialis
  • Sport jerseys
  • Pharmacies/ no prescriptions
  • Replica watches
  • Porn
  • Turkish escort spam
  • Essay spam
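
One way to check your own pages for the User-Agent-based cloaking and injected spam links described above. This is an added example, not code from the original article or from Patchstack; the names `PageFacts`, `fetch` and `cloaking_report`, the host `www.example.com` and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Googlebot's published User-Agent string and a generic desktop browser string.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

class PageFacts(HTMLParser):
    """Collects external link hosts and the words (text and inline script) of one page."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.hosts, self.words = own_host, set(), set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        host = urlparse(href or "").hostname
        if host and host != self.own_host:
            self.hosts.add(host)

    def handle_data(self, data):
        self.words.update(w.lower() for w in data.split())

def fetch(url, user_agent, timeout=10):
    """Fetch a page of your own site while presenting the given User-Agent."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def cloaking_report(own_host, bot_html, browser_html):
    """Compare the crawler and browser variants of the same URL."""
    bot, user = PageFacts(own_host), PageFacts(own_host)
    bot.feed(bot_html)
    user.feed(browser_html)
    union = bot.words | user.words
    similarity = len(bot.words & user.words) / len(union) if union else 1.0
    return {
        "hosts_only_for_bot": sorted(bot.hosts - user.hosts),
        "hosts_only_for_browser": sorted(user.hosts - bot.hosts),
        "text_similarity": round(similarity, 2),
    }

# Constructed sample responses for one URL, as fetch() would return them per User-Agent.
SAMPLE_BOT = '<html><body><h1>Garden tools</h1><a href="/shop">Shop</a></body></html>'
SAMPLE_BROWSER = ('<html><body><h1>Garden tools</h1><a href="/shop">Shop</a>'
                  '<a href="https://spam.example/pills">cheap pills online</a></body></html>')

if __name__ == "__main__":
    print(cloaking_report("www.example.com", SAMPLE_BOT, SAMPLE_BROWSER))
```

A link host that appears in only one variant, or a low text similarity, is a reason to inspect the page source and server files. Cloaking that keys on the crawler's IP address rather than the header will not show up in this comparison.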

Hacks that lead to crawling errors

“Error 404 — Content not found” should be familiar to you. This happens when content that was at the specified URL does not exist anymore. Attackers can and often do delete web pages and this can lead to “Error 404”.

Google will not penalize you for this if it’s a rare occurrence but being hacked means you’re susceptible to this a lot more and for a longer time. This could hurt rankings. Googlebot will not appreciate a lot of missing content on your website.

Being hacked can also mean downtime. Googlebot will give you the chance to recover from a hack by trying to index your website multiple times after it’s down.

But the longer critical issues persist, the higher the chances that you’ll fall in the SERPs.

All the hard work trying to rank for keywords will be ruined if you give the competition the chance to gain on you while you’re fighting off a hack.

SEO visibility falls from 35% for ranking first for a keyword to 2% for ranking 10th. It’s zero for anything outside the first page.

Moreover, search engine bots like Googlebot are not the only ones crawling your websites. Bots can come to scrape content. They might be trying to find vulnerabilities in your website. They might even be trying to steal sensitive or user data.

According to the GoDaddy report, the largest share of blocks by their firewall fell under the “Bad Bot Access Denied” category (15.80%).

This means malicious bots were stopped from accessing a website for trying to use “a lot of resources” or “attempted to access a restricted location like /wp-admin or /wp-login.php and the IP isn’t whitelisted”.

If your website does not have adequate protection, bots can use up server resources that should be reserved for a legitimate bot or an actual user.

A bot that scrapes your content can also use the same content on another website. This means all the effort you put into making the content is wasted.
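
The signals from this section (404s served to Googlebot, requests to `/wp-admin` or `/wp-login.php` from non-allowlisted IPs, and clients using a lot of resources) can be pulled out of a web server access log. The following is an added example, not code from the original article or from the GoDaddy firewall; the function `analyse`, the `max_requests` threshold, the allowlist and the log lines are assumptions constructed for illustration, and the log is assumed to be in Combined Log Format.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
RESTRICTED = ("/wp-admin", "/wp-login.php")  # restricted locations named in the quoted report

def analyse(lines, allowlist=(), max_requests=100):
    """Summarise bad-bot indicators and crawl errors found in access-log lines."""
    per_ip, restricted_hits, crawler_404 = Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status, agent = m.groups()
        per_ip[ip] += 1
        if path.startswith(RESTRICTED) and ip not in allowlist:
            restricted_hits[ip] += 1
        # The User-Agent can be spoofed, so this marks requests *claiming* to be Googlebot.
        if status == "404" and "Googlebot" in agent:
            crawler_404.add(path)
    return {
        "restricted_path_ips": dict(restricted_hits),
        "heavy_ips": sorted(ip for ip, n in per_ip.items() if n > max_requests),
        "googlebot_404_paths": sorted(crawler_404),
    }

# Constructed sample log lines using documentation-only IP ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [05/Jun/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [05/Jun/2024:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [05/Jun/2024:10:02:00 +0000] "GET /old-post/ HTTP/1.1" 404 162 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [05/Jun/2024:10:03:00 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, allowlist={"198.51.100.9"}, max_requests=1))
```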

Data theft

The worst thing that can come from being hacked is losing your user’s data. There are far too many ways this can happen.

It’s best to ensure that all vulnerabilities in your website are taken care of and you pay attention from the development stage.


You work on SEO to get your users. But once they’re alerted that you’ve compromised their data, you lose the user’s trust. It can take a long time to gain it back.

In the meantime, you can optimize all you want, but if users refuse to come to your website, Googlebot will drop your SEO ranking.

If you’re a website that saves customers’ personal details and sensitive data, you should never let yourself be vulnerable to loss of data.

Imagine what someone can do with names, addresses, telephone numbers, emails, passwords, bank accounts, credit card numbers, and such. It’s best to use professional website security solutions.

How do I protect my website from being hacked?

The easiest answer would be to figure out all the ways in which spammers get access to your site. The most obvious ways have obvious solutions as well.

Your SEO ranking drop can happen because of outdated software

New versions of your CMS, like WordPress, often address vulnerabilities that affect your website’s security. The same applies to any plugins or add-ons you’ve installed.

Yet, users often don’t jump to update software. This is what attackers are counting on. They seek out old software with vulnerabilities. The longer you wait, the more sophisticated the attack is going to be.

You have to be proactive in checking for software updates, especially if the update is intended to patch vulnerabilities. You can also just set it to update automatically.

If you’re a frequent user of plugins or other third-party software, set up an alert for announcements or news on vulnerabilities or related hacks.

Insecure plugins and themes can cause an SEO ranking drop

The point of using a CMS like WordPress is the additional benefits of plugins and themes.

You don’t have to code a feature by yourself as plugins can improve your website’s functionality at the click of a button. Themes make it easier to design a professional-looking website.

But you’ve got to be aware that there is no perfect coding. These plugins could have errors and vulnerabilities that give attackers access and hurt your website’s security.

A recent website threat report found that “44% of vulnerable websites had more than one vulnerable software”. That means plugins or themes — and 10% had “at least four vulnerable plugins”.

Good developers release patches as soon as vulnerabilities are found. Therefore keep all your plugins and themes updated, and uninstall them as soon as developers stop maintaining the software.

It’s best to not overdo plugins as well. Ensure they bring real value to your website. And be careful with free plugins or themes. Do some research on both the software and the developer, because attackers do use free versions of paid plugins and themes to add malicious code.

When you see an SEO ranking drop – get some help

If you’re feeling like you need professional help in recovering a hacked site from an SEO ranking drop, you may find help from services like Patchstack.

Patchstack is focused on plugin vulnerability protection, but can also help in identifying the vulnerabilities or errors in your site and offer help. You can contact the Patchstack team on our website through live support.

Frequently asked questions about SEO problems

Does website security affect ranking?

Way back in August 2014, Google put it in writing that the most basic step in securing a website was something they wanted. They announced that strong HTTPS encryption will be a ranking signal. It was the first big sign that website security directly affects SEO.

Is HTTPS an SEO ranking factor?

Google has said it will act as a tiebreaker if two sites had similar ranking signals, but won’t be a big reason you rank lower or higher. The larger intent was to get everyone to adopt HTTPS faster.

But, in 2017 Google also said the Chrome browser would flag websites as “not secure” when they’re not HTTPS. This means there’s more to it than just the ranking signal. It’s also about user behavior once you’ve got them on your site.

What should I do when my SEO ranking has dropped?

If you’re feeling like you need professional help in recovering a hacked site from an SEO ranking drop, you may find help from services like Patchstack.

Patchstack is focused on plugin vulnerability protection, but can also help in identifying the vulnerabilities or errors in your site and offer help. You can contact the Patchstack team on our website through live support.
