The SEO of Speed and Security

The SEO of Speed and Security

“What is SEO?” I ask, rhetorically.

The most common answer: “You know, keywords and stuff…”

SEO in 2017 will involve much more than keywords, although they are still definitely part of the mix. Google has been penalizing sites that don’t render properly on small screens like phones for some time. Part of that usability standard is the speed with which the site loads. You really don’t want to see this for your site:

SEO speed problem

As in most optimization items this is something that you probably already react to when you visit a site. How long do you stick around if the site doesn’t load right away? A couple of seconds? Five? Would you wait for 10 seconds? You know that if it takes too long you will decide at some point that it’s not working and leave. Google’s algorithms work the same way.

Fixing a slow site can be a complicated process. First, you need to acquire some hard facts about your website. A site like pingdom.com can help. Here are the results from sem[c]’s site:

SEO of speed

 

As you can see the site has been highly optimized and is more loading quickly that 98% of tested sites. Our site was created in WordPress which has become a very popular website authoring environment. It has not been noted in the past for its speed, however. There are many adjustments that are necessary to get the site to load this quickly:

  • The WordPress theme is designed for speed
  • The site is hosted on a managed WordPress server
  • The site is behind a combination firewall and Content Delivery Network (CDN)
  • Numerous tweaks to code and content have been implemented

One adjustment that will be implemented next on our site is the security certificate. According to this article from WordPress an SSL security certificate will become necessary to even use aspects of WordPress beginning in 2017: https://wordpress.org/news/2016/12/moving-toward-ssl/

In addition, the Chrome browser will begin warning users in January when they request a non-SSL site: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Please note that each of the above two links are secured by SSL. Both of these sources are practicing what they preach about SSL and that leaves no doubt of its effect on SEO.

Achieving high quality SEO is a constantly changing target. It is not simply a matter of you picking a few keywords that you think might work. We can help you get your website the SEO speed and security that will benefit your business.

Get ready for the new year by contacting sem[c] today for an audit of your website’s SEO or to start a program to make it faster and safer.

It’s “your” website… really?

homepageWhat do you mean by “your” website? A typical website consists of files on a server that can be reached on the Internet by means of a domain name. Unless you own the webserver you can only edit “your” files by using the correct username and password to access your website’s hosting provider. You may not even know in which country the server is located.

asf_logoAnother thing that you might not know about your website is the type of server software that’s making it appear on the Internet. You might not know software named Apache and IIS.  There are even smaller divisions of specialties in this area. One of our clients got hacked because their (former) web hosting provider had not updated it’s PHP software. You have likely been licensed to use this software under your terms of agreement with your hosting provider.

Without a properly configured domain name your website’s address will be a string of numbers. This may require another username and password depending on your domain name registrar. We have had clients that only think they know who might know these usernames and passwords. We have had clients whose names are not part of their domain name registration.

Screenshot 2016-04-27 09.39.35Like many websites, yours might use a content management system (CMS) for convenience and ease of use. A typical CMS like WordPress supports plugins to offer specialized functionality. Both the CMS and the plugins are software written by someone (usually not you) and your use of them is under the terms of a license agreement about which you may know nothing. One of our clients licensed a proprietary CMS but didn’t receive the source code.  This resulted in there being no way to change anything about the front page of the website without paying the developer to make the change.

Other websites might think so highly of your website that they “borrow” from it without crediting you.  There are tools like Grammerly and CopyScape that can help you find your content if it gets expropriated.

You should also have information about usernames and passwords should anything happen to you so that whomever is entitled can access the website when you no longer can.

All of these items will be very helpful to know in case a problem arises. For example, if your website gets hacked someone will need to know everything above to find a solution. When this happens it’s very difficult to claim ownership of “your” website since someone else has proven himself to be in control. Having quick access will help minimize the duration of the problem. We have helped clients recover from hacks and Google provides us with a number of resources that are useful in crafting a solution.
Contact us for more information from sem[c] 

Site hacked? Completely replacing it might not be enough…

When your site gets hacked completely replacing it might not be enough.

Your website is under attack every day. Unfortunately, everyone with a website is at risk for getting hacked.

sem[c] was brought in to help when a site that had previously been hacked and fixed but it seemed to have been hacked again.  The client reported that a number of site visitors had complained that the site had infected them with malware.

There are a number of things that need to be evaluated in a situation like this. In order to evaluate it’s necessary to see the problem in action. First a reading of the on-site scan showed no evidence of a hack.  This made sense since the entire site had been restored from backup and the security had been tightened months earlier. At the same time this strongly suggested that the site had NOT been hacked again.

Checking the results of a Google search was the next step. When using the Chrome browser on a Mac clicking on what should have been the company’s front page brought up a full-screen red warning which informed that the link led to a site known to disseminate malware.

Screenshot 2015-11-24 11.54.36
Google’s warning of a hacked site

It is important to note that the URL mentioned in the warning (via.7od.pw) was not the company’s address but was a kind of “man-in-the-middle’ that redirected to spam sites. Tests with other browsers did not bring up the red interstitial warning page and brought up random spam pages including those attempting to install malware.

Our conclusion?  Google’s index itself was corrupted. This helped to explain why Google was listing nearly twenty thousand crawl errors.  It also explained why both the Google and Bing bots were constantly requesting non-existent pages from the site. It’s important to note here that it’s been long discussed that Bing uses the Google index in its algorithm.

The very negative SEO implications should be obvious here. Visitors using Google to search were at best being warned from visiting the company’s site and at worse being exposed to malware. The company website’s performance risked degradation due to the thousands of requests for non-existent page. These problems led to a very serious trust issue with the site’s visitors.

The solution was not quite so obvious. One approach would be to use webmaster tools to individually remove each of the twenty thousand spurious sites on at a time. Instead, sem[c] was able to communicate to Google that it’s index had errors and needed to be updated.

What the scourge of referrer spam means to you

Referrer spam must be stopped

For a long time it was true that the more traffic that your website got the better.  No more.  Not exactly. Coders have been spoofing Google Analytics accounts to make it appear that visits are coming from what seems to be a never-ending list of websites. These “visits” are fake. No one is visiting your site from these “sites”. These fake visits provide no benefit to you. We’ve seen statistics in which the fake visits outnumber legitimate ones by a factor of ten to one. This type of activity is known as “referrer spam”. It is done by malicious hackers to game the link-counting algorithms that search engines use to create rankings.

What’s the harm is this?

It wouldn’t be called “spam” if it were something that you wanted. Just like with email spam there are a number of costs that you will likely pay for these fake visits:

  • Your site may run slower
  • Google may lower your search rankings
  • It is possible that some of this traffic represents probes for WordPress vulnerabilities
  • It is a complete waste of your time

While there are a number of techniques to mitigate the effect of referrer spam none of them is a complete solution. Like so many threats to the security of your website, keeping referrer spam under control requires monitoring and an advanced understanding of Google Analytics and the underlying structure of your website.

It might be helpful for you to think of maintaining the “health” of your website. There are a number of components to this:

  • A technically contemporary and secure website platform
  • Fresh, relevant content
  • Active (not dead) links to and from well-regarded sites (not referrer spam) that are pertinent to your business
  • A workable social media presence

Google has a short article about the importance of the above items called “Steps to a Google-friendly site”. The SEO practices followed by sem[c] have always conformed to the guidelines set by Google. Contact us if you have any questions about your website and how it’s looking in Search. We can help you make your website healthier.

Online security? – if you are using WordPress maybe not so much…

Online security is a relative thing.

With more and more news of huge hacks of companies’ financials you really should wonder about your own website.  Especially if it is based on WordPress.

From time to time we are brought in to evaluate the effectiveness of SEO provided by others. Recently we were asked to audit a site that had enjoyed excellent search engine return placement (SERP) for a number of relevant search terms but had dropped well off the front page for all of them.  We found a lot of problems that likely contributed to the decline. We did not, however, see any evidence that they had installed security plug-ins in WordPress.

Could compromised security have contributed to their problem?  Absolutely! No way to know for sure without installing the appropriate software. That software was not present in this case.

spam from hack
This text block appeared in the header of all pages on the site. Something to be proud of isn’t it?

In another case, hackers attempted to break into one of our client’s WordPress sites. If they had prevailed, the site would have forever displayed spam ads for a changing carousel of usual suspects: payday loans, cheap Viagra…

If we hadn’t quickly identified and corrected the problem, the site would have been a strong candidate for de-listing by Google and other search engines. This is the area where online security and SEO intersect.

The interesting news showed up post-hack.  There are a number of new security upgrades that track and dissuade hack attempts. We installed the most highly rated. These plug-ins guide you past the basics of never using the default administrator name and easy passwords. The tracking was the real surprise. One of our client’s sites had over 60 attempted fake logins per day.

60 failed attempts in one day
The aftermath of robotic attempts to login to a WordPress site.

Others were experiencing fast flurries of attempts several times a day. By arming ourselves with the best security software, we had the earliest possible indication of the scope of attacks on all of our individual client’s WordPress sites.

How can you protect your website? If your webmaster hasn’t protected you or if you don’t even know maybe it’s time to bring in someone to help.

Contact sem[c] – we make your website a more effective business tool.

 

Ecommerce – nothing is simple

Ecommerce

E-commerce has many components. Since the main purpose is to make money you need to process credit cards. This isn’t necessarily the easiest thing to do.  It also can spring some interesting surprises.

sem[c] ‘s client The Samurai Business Group presents a number of events every year. It order to improve the process both for the business and its clients we introduced Brown Paper Tickets, an online events aggregator. Samurai had maintained their own shopping cart on their website but decided it was wise to begin phasing it out for a variety of reasons. The new approach offered a better user interface, better calendaring and good attendee tracking capabilities. The only hitch was that Brown Papers Tickets required one of a set number of merchant account providers for credit card processing. Samurai’s provider was affiliated with Authorize.net.

Mary Ahart at Matrix Payment Systems got the ball rolling quickly and in less than a day we got things setup, tested and into production. So far, so good… right?

The next day we heard from Mary that their risk management TriSource Solutions LLC had discovered a problem with the Brown Paper Tickets website.

???

Incredulity was our first response.  How could a well establish company like this have missed such a problem?  Admittedly it was a bit obscure: they had included Office of Foreign Assets Control (OFAC) sanctioned companies in their list of countries in which they claimed to deliver tickets. Trisource accurately assess this as a risk and Brown Paper Tickets, when notified, quickly agreed to correct their problem. Trisource proved why Mary could cite their great track record in preventing online fraud. Your e-commerce success can all go away if you are defrauded. You are warned.

Do you know where your passwords are?

So much has been written about online security that it’s hard to believe how many people have important passwords they don’t know about. Part of the problem is that there really aren’t any viable options.

So we are still stuck with using passwords.  This mean keeping track of them. Yet rarely does one of our new clients have all of the basics:

  1. Domain name registrar password – this gives you important control over your website address and, possibly, your email setup. You or your company should always be the owner of the registration NOT a third party.

  2. Hosting provider password – this give you access to how your website is put together and allows you to figure out the FTP password which gives you control of your website.

  3. All email accounts usernames and passwords – your company email belongs to the company NOT to individual users. In this era of cloud computing these usernames and passwords may also give access to online storage of company documents.

One of our clients found it necessary to part company with an employee.  This employee anticipated her own departure by changing all company passwords in her possession. After she left our client had us change the passwords that she had provided. One of them was incorrect as she had just changed it two days previously. We were able to access the account using password recovery linked one of the other accounts for which we did have working access. Luckily thoroughness was not one of the departed employee’s strong points in this case. A more thorough person could have made it a great deal more difficult to secure a company’s critical information.

How your business looks online is a critical part of your marketing. You can choose to let it take care of itself or make it work for you.  We can help.

Our name starts with “Search” but we go on from there to help with all aspects of your online presence. Contact us to get us onto your team.


If your website breaks, SEO is NOT going to fix it!

Even if you have the best SEO in the world (we can help you with that) your website won’t help you if it’s broken. Websites break for all kinds of different reasons. The important point here is “Who is going to fix it?” This sounds simple but very often turns out to be anything but.

A lot has changed since a website was simply a collection of HTML files on a Web server. Many people have found that the ease of content update offered by a content management system (CMS) is very desirable. Since fresh content is essential to the success of a site’s search visibility CMS can be good for SEO as well.

The hidden cost of a CMS is discovered when it breaks. A current client had their site fail. The hosting company had a policy of NOT updated an unlying software utility because of the possibility of an update breaking the functionality of websites. However, since a lot of updates address security problems it was only a matter of time before a very serious security breach occurred. My clients were forced to change everything. Their site was converted to WordPress and placed on an offshore hosted server. There were many problems after the move that we started to resolve.  Google had delisted the site for starters. No updates had been performed in over a year. The email form didn’t work.

The ecommerce plugin for WordPress had a major security update that needed to be implemented.  When applied it was no longer possible to take payment for anything. Believe it or not there is nothing special this so far.  The real problem became apparent when the hosting company insisted that a restore from backup was the only possible course of action and that they would have to be instrumental in the process.  Instrumental but not responsible.  Three different types of restore from three different backups were attempted. We got the last one to work… barely and without the interference of the hosting company. The process with this “support team” was dreadful.  The host’s “support” consisted of frequently bad advice delivered through an antiquated bulletin board system. As a result of their actions the site will be moved to a different host with a useful approach to support.

Another recent story came from a contact on LinkedIn whose site “disappeared”. I still don’t know all the details but both his Web developer and marketing agency suggested using a different ISP for hosting. It was clear that the original hosting ISP had fallen very, very short in support.

Another client found that the website he listed on his business card no longer showed his information but did offer “his” domain name for sale.

What a month!

How can these problems be avoided? You need to be clear about who is responsible for the maintenance of your site and what that maintenance entails. If you are going to have to interact with support of any kind I recommend that you make sure that phone support is available to you.

You site is of no use if no one can see it.

Contact us if you want to review (or fix) your site.

A cautionary tale on WordPress security and SEO

WordPress security and SEO: a cautionary tale

Search engine optimization (SEO) is a great way to be very clear about what your business does. The opposite of SEO is being confusing instead of clear.  What could be more confusing than advertising someone else’s business instead of your own?

This is what neglecting your WordPress update can lead to:
This example is part of what a client’s website looked like after it was hacked. The website had nothing to do with any kind of financial service least of all “payday loans”. Everything about it had been modified crudely.

If being hacked this way wasn’t bad enough Google tacked a “This site may be compromised” warning on search results that showed the website with the “new” commercial offerings:

Since there were a number of facility websites within the hacked company website Google picked up and showed the hacked results instead of the actual company information for all ten businesses:

These WordPress hacks happen.  Unfortunately they can happen in many different ways. As a result they can be very difficult to completely correct because in some cases code has been hidden within the website files that will rewrite the unwanted text over and over until it is found and eliminated.

In this example a developer had modified a theme to give the site a unique look. He cautioned the business to NOT update WordPress because the updating process could break the look of the site.  This turned out to be very bad advice. One of the most important reasons to update both WordPress and your plugins is to improve your website’s security to make it less likely that it might be hacked.

How your website looks in Google and other search engines is an important part of your business marketing. Once people are credibly warned to not visit your website it is less likely that they will return.

WordPress is a powerful tool for getting your message out to the world. It’s up to you to properly care for it.

Why is there spam?

It works. It makes money. Think about it.  Why would so much effort be made to create and disseminate something that it seems everyone hates and never reads?

There is a lesson about social media marketing in today’s example. My wife received an email that spoofed my name. It wasn’t from any of my accounts. It was correctly marked “Junk” by her email app. She didn’t notice anything other than it seemed to be from me, opened the email and clicked the link. This was a successful transaction in terms of marketing and shows why companies are spending money of Facebook to replicate this kind of effectiveness because of the social engineering that is involved. People are simply more likely to act on something recommended by family or friends.

You can do something to counteract this kind of effectiveness. It may seem like a lot of work but you should make sure before you click any link that:

  • The name of the person and the email address make sense
  • The link’s text makes sense with the URL that you are going to visit. In most browsers you can see this address near the bottom of the screen when you mouse over the link.

The problem is compounded by the general lackadaisical approach people take to their passwords. A recent report on Mashable is titled:

This can make it pretty easy for unscrupulous spammers to hack into your address book(s). Especially if you use the same password for many different sign ons.
If not, your spam filter will need to work overtime.