Everything you need to know about SEO, delivered every Thursday.
The terrifying connection between malware, Google Search Console, rogue subdomains and AdWords
In the midst of a malware emergency or want to ensure you never have to deal with one? Columnist Glenn Gabe provides recommendations based on his experience helping clients with security situations.
Security warnings in Google Search Console (GSC) can be scary. Really scary. Whether your site was flagged for being hacked, serving malware, unwanted software or worse, security warnings in GSC can cause serious problems for your organization.
First, your site can be harming users. That’s bad enough. Second, your organic search traffic can plummet as Google takes action against your site (either manually or algorithmically).
For example, your site can be labeled in the SERPs as being hacked or being a site that can harm your computer. In addition, with Google Safe Browsing, users might see the red screen of death in their browser as they try to visit your site. As you can guess, this can create serious barriers between users and your website content.
And with all of the buzz in the news about hackers, malware, phishing and more, you can bet that many users will not break through those security barriers and visit your site. They will often simply move on to another site that won’t infect them with malware.
When users can’t access your site, you can’t convert them. That means revenue can take a huge hit while security problems remain. It’s an extremely frustrating, confusing and terrifying situation for many businesses, both large and small.
If you’re at a smaller organization, chances are that your founder and CEO will be all over this from the start. And if you’re at a larger organization, you might receive a direct email from a C-level executive for the first time. Something like “Hey, great to have you on board here at XYZ corporation. If you don’t fix the security warnings today, you’ll be working out of our Siberia office by Monday, cleaning the mail room for the next ten years.”
That’s definitely a frightening situation, but what if I told you there’s another hidden danger based on security warnings showing up in Google Search Console? One that can kick you while you’re down, ripping even more revenue from your weary hands? Yes, I’m sorry to tell you that there is another danger, and it’s tied to your AdWords account.
Beyond SERP warnings — site suspensions in AdWords
Many advertisers have no idea this is even possible, but it is. If your site gets flagged for malware, your AdWords account can get suspended. So just when you need AdWords the most (since organic search will be taking a hit), you won’t have air cover from paid search. It’s like the cavalry came within a hundred feet of helping you but got blindsided around the last curve.
The first thing that will catch your attention is the “Site suspended” message showing up in the AdWords UI. That’s pretty terrifying.
By clicking the question mark icon, you can learn all about why sites get suspended in AdWords. You also might learn a nifty new trick, which is how to enable the “Policy details” column in the UI. Once you do, you’ll see another horrifying message: “Malware.” At that point, and depending on your involvement with the organic side, you might have a disturbing reaction as you wonder, “What now?”
The AdWords Help Center explains the connection with GSC
From the warning in the “Policy details” column, you can click a link to learn more. That link leads to a page that will explain all about malware and AdWords. It lays out the situation pretty clearly, and it’s one of the few times you will see a documented connection between the organic and paid search sides of Google.
AdWords tells you to log into Google Search Console and check for security warnings. Then the documentation gives you some quick tips for how to handle that situation and provides a link to the GSC support documentation for cleaning a hacked site (malware, unwanted software and so on).
The perfect storm for search marketers (all search marketers)
As you can guess, being hit on both the organic and paid search sides at the same time can be an uncomfortable situation. I like to call this the “malware sandwich of death.” And no, it’s not very tasty.
At this point, your team might look like this:
And your competitors might look like this:
And that C-level executive I mentioned before. He may look like this:
Moving forward: gather your team and execute efficiently
At this stage, it’s critically important that you don’t freak out (too much). Stay calm, and gather your team to form a plan of attack (which will include people from both the paid and organic sides of your business).
Yes, you will be the person calling the Jets and the Sharks together for meeting in the streets of Googleland. Hopefully, your paid and organic teams respect each other more than the Jets and the Sharks, but you get my point.
You’ll definitely want your IT group represented, your marketing team, your SEOs and your paid search team. The situation has already gone sideways, so be direct and move quickly. Your goal is to clean the malware situation ASAP, so you need to organize and execute quickly.
I recommend having your paid search team call AdWords immediately to talk about the situation, while your SEOs help your tech team track down the security issues on the site. And the marketing team — along with any executives that are helping — can drive change through the organization wherever that’s necessary (More about that soon).
Handling malware via Google Search Console (GSC)
For most sites, it’s extremely important to track down the core security problems and rectify those problems as quickly as possible. For example, GSC will provide sample URLs that are infected with malware, that hold malicious content and so on. Work with your technical team to clean or remove that content from your site. Then, close any security holes to ensure this doesn’t happen again.
And once you are confident that you’ve fixed the security problems, you should request a review in GSC. When you request a review, provide a concise rundown of the situation, what you did to clean up the problem and any other relevant information you think will help.
Note that it can take a few days to get a response from Google. Then, if approved, it can take up to 72 hours for messages to be removed from the SERPs, for security warnings to be removed from GSC and for your AdWords account to be reinstated. Yes, it’s usually a multi-day process.
Hold the celebration for a minute (or two)
Before you fire up the blender to make piña coladas with little penguin umbrellas, you’ll notice I said the situation documented above will cover most sites. That still leaves room for some other sites to have a much trickier situation. Read on.
Malware problems and rogue hostnames and subdomains
Let’s say you’re a large company, and your core website is on www.domain.com. That’s where all of your focus is, and it’s where AdWords campaigns are driving traffic. Now, there might be some (or many) subdomains sitting out there, and maybe you’re not so confident you know about all of them. Oh well, no big deal, right?
WRONG. VERY WRONG. YOU COULDN’T BE MORE WRONG.
When you receive a security warning in Google Search Console, your core website is NOT the only “site” that can be flagged and impact your marketing efforts. That’s right, any subdomain you have can be flagged for malware, and those rogue subdomains can bubble up to your root domain GSC-wise.
In addition, hostnames tied to your root domain can also be infected with malware and can also bubble up to that root domain. For example, subdomain.domain.com or http://aa.bb.cc.dd.subdomain.domain.com can both cause problems for your root domain from a security standpoint. The above examples show a subdomain and then hostname, respectively.
And if you’re following along, that means your AdWords account can also be impacted by your rogue subdomains or hostnames that get infected.
What I just explained can be a real thorn in your side, especially if the rogue subdomain or hostname is new to you, if your team has no idea why it’s there, and nobody has a clue how it got infected or how to clean it.
A quick example: when malware finds a way in…
I actually helped a company recently where malware was impacting a rogue subdomain and multiple hostnames. It’s a company that has a very unique technical setup — which is creating a tough situation with fighting malware at cryptic URLs.
I can’t go into much detail here about the client, but let’s say the security problems are somewhat out of the company’s control; the malware was located on a number of hostnames, on a rogue subdomain and at cryptic URLs that had no linkage at all to the core website.
Quickly, malware warnings showed up in every “site” in Google Search Console tied to the root domain. And not long after that, their AdWords account was suspended. Yep, in just a few days, the entire domain was flagged for malware, and their AdWords account was suspended.
Once the problematic URLs were cleaned up and the company requested a review, even more URLs were being infected. It was a hard problem to solve based on their technical setup.
As more URLs were infected, the security warnings spread through their GSC sites tied to the root domain, and then to AdWords again. It felt like we were battling zombies in The Walking Dead.
What can you do now?
Can you see why I used the word “terrifying” in the title of this post? Now, I’m going to focus on what you can do today to avoid this happening. And if it does happen, I’ll recommend what you can do to rectify the situation as quickly and efficiently as possible.
So, based on my experience helping clients with security situations impacting both GSC and AdWords, I’ve provided some tips and recommendations below. I recommend reviewing the list and forming a plan now, before malware strikes.
Final tips and recommendations
- Know your site and all of the subdomains that are active. Don’t get blindsided with malware on a rogue subdomain that nobody in the organization knows about.
- Verify all subdomains and variations of your site in Google Search Console (GSC). After doing so, you can receive a boatload of information directly from Google. And that includes security warnings, messages and more.
- Create a security team NOW, before malware hits. Have a process in place for dealing with security problems before they arrive. Meet with that team to go over the process so everyone understands roles and responsibilities.
- If you get hit by malware, move quickly to rectify the problem. Have your IT team and SEO team work together on tracking down malware and problematic URLs. And have your paid search team contact AdWords directly. The faster you resolve the problem, the more quickly your AdWords account can be reinstated.
- Once the problem is cleaned up, request a review in Google Search Console (GSC). Explain the situation thoroughly, what happened, how you fixed it and what you’ve done to make sure it doesn’t happen again. It can take a few days for your request to be reviewed, and then up to 72 hours for the security warnings and SERP notifications to be removed. And then you have AdWords, which can also take a few days to be reinstated. Again, it’s a multi-day process (unfortunately).
- If you end up in a unique and problematic situation (like the case I explained earlier), work with your security team on both a short-term and long-term solution. The short-term solution will be focused on getting the security warnings cleared from GSC quickly and getting your AdWords account reinstated. The long-term solution might involve larger changes to your technical setup. If you don’t fix the core problem, you could face the terrifying security warnings for a long time. Avoid this at all costs.
Summary: when organic search impacts paid search
Many don’t realize how malware and other security problems can impact both the organic and paid search sides of a business.
Unfortunately, companies can get blindsided when malware strikes, and the warnings can bubble up from rogue subdomains and hostnames to your root domain, and then to your AdWords account. And when it does, both organic and paid search traffic can suffer.
Follow the tips I listed above to form a team now, along with a protocol for handling security problems. That’s the best way to avoid long-term problems associated with malware, GSC and your AdWords account. Be safe.
Some opinions expressed in this article may be those of a guest author and not necessarily Search Engine Land. Staff authors are listed here.