What Every Search Marketer Needs To Know About Web Security

All too often web site security is somebody else’s problem. It shouldn’t be. If you work on websites, you should know the basics of web security. The more popular a site becomes, the more value it accrues, the more likely it is to become a target. As you apply search marketing techniques to a site, you are inherently increasing the risks that it will be attacked. Therefore, it is your obligation to understand these risks and help manage them.


Matt Cutts recently stated on the official Google blog that, for the fifth year in a row, they will be placing a lot of emphasis on hacked sites in 2011. In 2007 Google started scanning sites for malware and removing them from search listings. At the time Google said, “In the past year, the number of sites affected by malware/badware grew from a handful a week to thousands per week.” In August 2009 Google said, “[W]e have seen a large increase in the number of compromised sites since April. The number of entries on our malware list has more than doubled in one year, and we have seen periods in which 40,000 web sites were compromised per week.”

Malware is inserted in sites by hackers looking to build botnets that can then be rented out for criminal purposes. But not all hacking results in malware deployment. Some hackers are black hat SEOs looking to do link building. When Google detects spam links, they can ban the site, or I think more appropriately, label the site as hacked.

This year I had a client suffer this type of hacking. Another SEO performed a site review, and referred the client to me to fix everything that was wrong. Among the items to be repaired were some oddball links that kept appearing in their header and footer. We’d take out the links, and they’d appear again in a few hours. Apparently the server had been compromised and a hacker had uploaded a PHP file that would deploy the links. Finding this file among the many thousands of files on this ancient (yet highly profitable) website was the first step. Removing the script helped, but to be safe I convinced the client to switch to a better hosting provider, and they’ve had no trouble since.

How can you prevent hacking? Use a good hosting provider and don’t share File Transfer Protocol (FTP) passwords. Use a unique, strong password for each user for each site. When somebody no longer needs access to a site, cancel their FTP account. If possible, configure your web server’s firewall to lock down FTP and web hosting control panel access to the IP addresses where your computers are located. This will prevent anybody from getting in, even if they have stolen or guessed a password. Passwords are typically compromised when one of your developers gets a malware infection on their computer. Given enough time and developers, this is very likely to happen.


Backups are critical. If you get hacked, or more commonly, make a mistake editing your site, you need to be able to go back to a working version. Too many people assume that their hosting provider is taking backups, only to discover that when needed, the backups aren’t helpful. Ask your provider how often they take backups, what they back up, and how long those backups are retained. Some providers take seven days of rolling backups. If you have a problem, you need to discover it within seven days or you are out of luck. Other providers may take a monthly “image” of your virtual private server. Restoring that backup could take your website, database and email boxes back a month—not something you would want to do. Hosting is a commodity business where cutting corners is rewarded with additional profit. Many hosting provider backups are grossly inadequate.

Another reason to have reliable, up-to-date backups is in case you get into a dispute with your hosting provider or web developer—or they suddenly disappear. If you don’t have your own copy of the latest code, your negotiating position will be much more complicated. Yes, you can hire a lawyer and force the other side to hand over your code and data, if they retained it, but why would you want to suffer that delay and expense? Over the last year I’ve had two clients get into this situation, and it cost them a bundle. Your best option is to choose a third party backup provider so that you don’t leave the fox guarding the hen house.

Site Scanning

All those scanning services that tell people your site is safe are nothing more than security theater. Notable security expert Merrick Furst told me that the best scanning available only detects 30% of threats. Most modern threats are polymorphic, which means that the code changes from instance to instance in order to defeat scanning algorithms. Real security requires verifying the files on your server to ensure that none of them have been tampered with. File integrity monitoring (FIM) systems can do that for you, but they require an expert server administrator. Even without such a system you can reduce your risk by clearing cruft files from your server, periodically inspecting to make sure no unexpected files have appeared, and making sure that the latest timestamps on your files match the last time you edited the site.

Parasitic Hosting

Even if you don’t have a high volume site, there is a risk that cybercriminals could abuse your servers as a platform for distributing malware, sending spam, or launching denial of service attacks. Do you have a portfolio of trusty old websites that you don’t pay much attention to? Those are an attractive target for parasitic hosting. The bad guys can have their fun, misusing your server, your brand and your trust. Meanwhile, you suffer the loss as your virtual property becomes blighted and develops a bad reputation. If you have sites and servers running on autopilot, you need to check them periodically to make sure they aren’t being abused. File integrity monitoring can help, or you can inspect server logs to look for suspicious web traffic.

Denial Of Service Attacks

This year I had a client who was repeatedly hit by denial of service attacks emanating from China. The client believed that a competitor was responsible. The site went down repeatedly for days at a time, and eventually the hosting provider, Earthlink, cut off the victim’s hosting service because the attacks were impacting Earthlink’s data center. My recommended replacement hosting provider was able to fend off the attacks. It pays to use a competent hosting provider so that your site doesn’t get taken down by an unscrupulous competitor. The cost of web site and email disruption is much greater than the cost of buying the best available hosting. When selecting a hosting provider, look for somebody who has a reputation for responding quickly and is technically competent. Hosting is often priced as a commodity service, but not all hosting is the same quality.

PCI Compliance

What does this jargon have to do with search marketing? PCI stands for payment card information. If your conversion action is to take somebody’s money, you may be handling payment card information. Deep in the contract between you and your merchant processor, there is probably a clause that says your site must be certified “PCI compliant” by a vendor such as Trustwave, or else you are liable for hundreds of dollars per customer record if there is a data security breach on your site. In other words, if a hacker steals credit card info from your site or database, you will be sued out of existence. To top it off, states have laws that require you to notify their attorney general and every one of your customers in that state if you suffer a data security breach. This recently happened to one of my friends. It cost him $50,000 in legal fees, printing and mailing costs just to send out the required notification letters. The guy couldn’t sleep for months, worried that he was going to get sued for ten times that amount by Visa.

An excellent approach to solving PCI compliance is not to store or handle any credit card information on your site. You may be able to fob the entire problem off to Google Checkout or PayPal. If, however, you have an osCommerce cart, XCart, ZenCart or similar site, and you store customer credit card numbers in your cart’s database, you definitely need to start asking questions. I once found an unencrypted database backup file containing thousands of customer credit card numbers, expiration dates and addresses in the top level directory of a site. It was a half-million dollar penalty waiting to happen. Can you afford to run that risk?

The Importance Of Managing Risk

Risk is an unrealized expense, possibly one that could put you out of business. Now would be an excellent time to review your risk exposures and start managing them properly. Your website is a valuable asset, possibly as valuable as your car, home or office building. You probably have an alarm system and insurance on those assets to protect against loss or liability. Shouldn’t you treat your websites with the same level of care?

If we allow the open internet to become overrun with malware and hacked sites, users will flee to the protection of walled gardens. That would be a very bad thing for search marketers and search engines alike. So let’s work together to confront these problems.

Opinions expressed in the article are those of the guest author and not necessarily Search Engine Land.



About The Author: has two degrees in computer science from Yale University and is a founder of Hochman Consultants, an internet marketing company, and CodeGuard, a computer security service.

  • http://www.wewatchyourwebsite.com WeWatch

    One of the many ways we’ve been seeing hackers steal credit card information from websites is that they inject code into the checkout processing files. It might be with the payment processing PHP file or some other program file used in the credit card processing.

    The code they inject copies all the credit card information and sends it via an email to an address where they simply read it from. Then they collect hundreds if not thousands of them and sell them on the black market in batches.

    With file integrity monitoring, this type of “hack” would be detected. Of course, once you’re notified of files being tampered with, you still have to determine how the breach occurred.

    Great article!
