The handy Google Search Console gives web admins actionable insights into their sites’ performance, and offers clues on areas that could use improvement. However, the SEO bells and whistles under its hood might eclipse a useful feature whose importance should not be underestimated. This is the Security Issues report.
Originally introduced in late January 2019, this functionality hinges on automated checks to identify security problems on your website, such as malware injection, dodgy scripts, hacking, and social engineering. You do not have to activate this feature – it works by default to give you a heads-up whenever suspicious activity is spotted.
How It Works
There is quite a bit of overlap in the security issues your website faces and its SEO health. Malware-riddled or compromised resources appear with a warning label in Google Search results. In severe attack scenarios, visitors are brought to a scary looking in-between alert page that warns you “The site ahead contains malware,” which strongly advises against going to the site.
Either way, your organic search traffic takes a nosedive, and therefore it is in your best interest to take care of the quandary as soon as possible.
If Google’s algorithms pinpoint malicious behavior, the “Overview” screen on the Google Search Console will send you an alert banner stating how many security issues have been detected. Once you click the “Open Report” button next to the warning, the service will display a breakdown of these problems by category, the date they were found, the affected URLs, and recommendations on addressing the predicament.
Every entry in the report is also backed by a brief description of the issue and includes a “Learn More” link. The latter leads to a comprehensive overview of the specific problem and methods to tackle it.
In some cases, the report might miss out on listing sample URLs that need fixing. This does not mean that the alert is a false positive, so you will have to do your homework figuring out what pages are exhibiting this type of sketchy activity.
You won’t miss these alerts even if you do not frequent your Search Console. Google sends the relevant notifications to the email address enrolled in your webmaster account.
What Kind of Security Issues Raise a Red Flag?
Any security problem Google detects on your website falls into one of the following generic clusters:
1. Hacked Materials
If a threat actor finds a loophole in your content management system (CMS) installation, or brute-forces your admin credentials to gain a foothold in your website, they may deposit arbitrary content behind your back. Google will let you know if its crawlers spot such foul play. This overarching category can be further broken down into several spin-offs:
i. Code Injection
An attacker who gets elevated privileges on your website may alter the server configuration file (e.g., the .htaccess document) so that specific pages redirect users to shady resources. Another technique is to inject JavaScript code that automatically reroutes visitors to pages under the crook’s control.
ii. Content Injection
To set this form of exploitation in motion, an adversary will typically piggyback on a vulnerable outdated version of a CMS plugin or theme you are using. On a side note, many of these third-party components are notoriously insecure and easily hackable. Content injection is a common method to poison a site with spammy links that land users on knock-off drug stores or other junk resources whose owners pay accomplices for unique leads.
iii. URL Injection
Malefactors can take the abuse further by adding new pages to your website without your awareness. These pages are usually chock-full of keywords and hyperlinks pointing to other sites. This tactic is a part of black hat SEO schemes aimed at boosting the search engine positions of other resources.
2. Malicious Code
This category spans harmful software that, when downloaded by a site visitor, affects their device, promotes other malware, or charges them for services they don’t need. Scareware, ransomware, keystroke loggers, and stealth crypto miners are a few common examples. The Security Issues report will use one of the following labels to categorize a problem like that:
i. Harmful Downloads
This one is self-explanatory: an attacker may pull off a privilege escalation trick to pollute your website with software that exhibits malicious behavior. To prevent your audiences from falling victim to digital pests, Google informs you of the danger via the Search Console.
ii. Links to Harmful Downloads
Even if your website does not host any dodgy downloads, it might include links to other URLs that contain unwanted software. This mechanism adds an extra layer of obfuscation to an attacker’s evil plan, but the Google Safe Browsing technology is potent enough to unveil it in a snap.
iii. Uncommon Downloads
This sub-type covers software on your website that is not yet documented as malicious but has hallmarks inherent to mainstream malware. To err on the side of caution, the Security Issues report will draw your attention to such potentially unwanted apps. If a visitor tries to download such uncommon materials using the Chrome browser, they will encounter a message alerting them to possible danger.
3. Social Engineering
Perpetrators may surreptitiously embed ads leading to phishing pages that hoodwink visitors into handing over their sensitive information such as account credentials, credit card details and email addresses.
Another “classic” trick is to show a pop-up that instructs the user to install the latest version of some popular software, which turns out to be a predatory program in disguise. The following issues exemplify this category:
i. Misleading Content
This alert appears in the Security Issues report if your site contains pages that try to manipulate users into sharing their passwords, contacting rogue tech support, or downloading software that will harm their devices.
ii. Phishing
With these social engineering attacks being hugely widespread, Google will definitely notify you whenever its algorithms detect bogus forms or other dubious materials that instruct visitors to reveal their confidential information. Content like this typically pretends to emanate from a reputable entity such as a financial institution, operating system, or a trusted service provider like Microsoft or Apple.
iii. Concealed Mobile Charges
This hoax could not possibly fly under Google’s security radar. If it determines that your website is not fair and square about mobile billing information, the Search Console will display this entry in the Security Issues report.
How to Fix Security Issues Listed in Google Search Console?
Knowing the security problems on your website is half the battle. Once you scrutinize the report, the next thing on your to-do list is to address those issues. Not only is this the key prerequisite for regaining your previous positions in search results, but it is also a sign of proper site maintenance practices and a way to keep your audiences safe.
One more thing to keep in mind is that the Security Issues report does not provide any automatic fixes. Instead, it points you in the right direction with your cleaning efforts. Assuming that you have already familiarized yourself with the detected issues, here is what you need to do next to remedy your site:
1. Decide if You Can Address the Issues on Your Own
If you are certain that you have enough expertise to fix the problem, good for you. But some situations require third-party assistance. Make that decision before you move on with your spring cleaning.
2. Pinpoint the Troublemaking URLs
Expand each category to view sample pages affected by the problem. Visit these pages and identify the content that makes Google frown. Be advised that the list may be incomplete (or sometimes even blank), so you will have to go the extra mile looking for similar issues on other pages.
3. Fix Every Single Affected Page
This can be tedious, especially if the report omits too many URLs impacted by the issue. A specially crafted security plugin might be the silver bullet here. For example, if your site runs WordPress, you can install the Wordfence Security or Sucuri Security plugin that will thoroughly scan your WP installation and identify all instances of the problem. That is a great shortcut worth considering.
4. Test if Things Are Back to Normal
Audit your website manually, or use a security plugin tailor-made for your CMS to verify that the issues are no longer there. This is important, so you should take your time and be scrupulous with your inspection.
5. Request a Reconsideration
Once you have made doubly sure that your site is in the clear, click the “Request Review” button in the Security Issues report. This will open a window where you will need to write a summary of the problems you have encountered, the measures you have taken to fix them, and the final result of your cleaning steps. The review process may take up to two weeks. When it is completed, you will receive a message with the final verdict.
Summary
Google Search Console combines SEO perks with useful security recommendations that help get your website back on track after compromise. Bear in mind, though, that the logic of the Security Issues report is to keep you aware rather than fend off exploitation, and it is not a replacement for vigilance and safe webmaster practices
Disclaimer: This is a guest post by David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com; both projects present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Jamil Ali Ahmed
Jamil is an Organic Search Manager at Cloudways - A SEO friendly hosting Platform. He has 14 years experience in SEO, and is passionate about Digital Marketing and Growth Optimization. Jamil is a Minimalist, Observer, Loves Nature, Animals, Food, Cricket & Mimicking :)
