Thursday, July 19th, 2012...6:34 am

Security Audits and Economical Viability

Jump to Comments

One of the SEO services I have been offering for many years are SEO security audits. With all the recent talk about increased risks of negative SEO (Penguin making it even more of a real threat supposedly) and even Google finally caving in to recognise that negative SEO is a real threat, the need for SEO security audits is as great as hardly ever before. Site owners need to understand that by having security flaws on the site they are increasing their risks – and the risks that a negative SEO attack will turn successful. Sometimes, infact, there is even no need for an external force to carry out an attack – a mistake or two can hurt your site without any malicious external actions (Seer Interactive case and possibly Dan Thies case are a proof that even high profile sites are prone to these things). Running an SEO security audit can foolproof a site and make a negative SEO attack much more difficult, if not completely undoable. When I say undoable, I do not mean your site can not be hurt at all, even theoretically – but it may become not viable economically to attack it. Example: is negative SEO against the likes of CNN.com possible? – if you think really hard about it, technically it is, but the amount of effort required is so enormous that you have to be bigger than CNN to be able to carry it out.

Recently, I have been asked to do an SEO audit of a software site whose main source of  traffic was ads on one of the major online technology publications plus submissions of their software to a handful of shareware sites. The site did not have any organic positions in Google, it only had a couple of links and that was it. There is nothing wrong with this business model I guess, it probably works for them, but the site appeared to have a number of vulnerabilities. To begin with, their robots.txt:

User-agent: *
Allow: /

– allows for stuff like this getting indexed:

http://www.theirdomain.com/srgoogle/?utm_source=google&utm_content=&utm_term=&utm_campaign=theirkeyword&utm_medium=sr&keyword=whatever%20keyword%20here&matchtype=b

which allows for indexing URL modifications like:

http://www.theirdomain.com/srgoogle/?utm_source=google&utm_content=some%20bad%20keyword&utm_term=&utm_campaign=somebadkeyword&utm_medium=sr&keyword=some%20bad%20keyword&matchtype=b

– which in turn could easily put them into the realm of bad neighborhood and hurt their organic traffic if they had it. The fact that they don’t have it or don’t need to rely on it doesn’t really make it less of a risk for the site owner as it can lead to poor ratings on sites like Web of Trust (WOT) and consequently, to warnings in people’s browsers as they access the site from whatever source. Now, that can already hurt the business model of this site.
Besides, it makes URLs like this one:

http://blog.theirdomain.com/wp-includes/js/jquery/jquery.js?ver=1.7.1

– also indexable, which is already an open invitation for their blog to get hacked, and that is also a very serious risk not only to their business model but also to their reputation (a site offering software!) and to the very existence of their site.

Now, after any SEO security audit a question arises about the economical viability of applying any fixes to the site, especially if they are numerous, require external assistance and cost a lot. In the case of the above site, they are not so difficult to implement, nor do they cost much, but NOT implementing them is not an option. I don’t think anybody in their right might would have launched a negative SEO campaign against this site in the common sense of pointing a bunch of bad links at them ( infact, pointing any links at this one would probably do more of a favor to them than of harm, especially outside of Google, as the site has never done any active linkbuilding – those negative SEO campaign links could actually make it rank, maybe even for something relevant, so instead of harm an attacker would be potentially working on their behalf) – but exploiting the vulnerabilities I have mentioned would be just as harmful as any negative SEO linkbuilding, or even worse.

As a side note, while auditing the above site, I have come across a major vulnerability of another site who is one of the top file archiving software providers due to a hosting mistake – their whole subdomain is duplicated by another site that resolves to it because of incorrect settings on a shared server. Talk about economical viability – it surely pays to run a dedicated server if you are a major software provider.