Categories
Uncategorized

Bad for Business: Canonical Negative SEO Attacks

Settle in and get ready to take notes – this is important information for every digital marketer and online business. There may be a new negative SEO attack in town, and this time, it has the ability to seriously hamper SEO campaigns for even the most upstanding website owners. Known informally as “canonical negative SEO,” what makes the exploit so concerning is its near-impossibility to detect.

I expect that Google will eventually close this loophole. In the meantime, here’s what you need to know to keep yourself protected.

Canonical Basics From Google

Before we get into the how’s and why’s of canonical negative SEO attacks, it’s important to understand exactly what “canonical” means and how it applies to you. If you’re an SEO expert or marketer, you may already understand the basics; if so, feel free to skip ahead to the next section.

If you aren’t, or if you’re just getting started as a layperson, here’s what canonical is (and what it is does). “Canonical” is an HTML tag used by webmasters to tell search engines, like Google and Bing, that the content they’ve crawled is identical to other pages on or off the site. It essentially prevents web crawlers from double-indexing the same page multiple times, which can be interpreted as duplicate content even if the duplicate pages have a real purpose and use.

Webmasters must first choose the preferred page and then insert a link that looks like this into the header:

<link rel=”canonical” href=”http://example.com/blog/your-blog/”>

The link, of course, is the main page you want to indicate is “preferred” for crawlers.

Rel=canonical does not apply to visitors, so you don’t need to worry about your visitors needing to choose a preferred version. If you do choose to provide access to multiple versions (such as languages), there are other much clearer ways to provide access. This tag is specifically targeted to search engines.

When Should You Use Rel=Canonical?

There are a few very specific reasons webmasters would use rel=canonical, and moreover, would have duplicate pages on a website or network in the first place. The most common use here is on websites that allow pages to render under both www.example.com and http://example.com. The first gives a bit more DNS flexibility, while the second doesn’t carry advantage, but many webmasters allow both just in case visitors type in the wrong link.

Other instances when you might (or should) use rel=canonical include:

  1. When your content is syndicated over your network
  2. When you have pages in more than one language
  3. When multiple pages display the same content (e.g., product search)
  4. When you have a specific print-friendly or PDF downloadable page
  5. When two or more subdomains lead to the same content (e.g., webshops)
  6. Any other time two pages are identical, yet one should be the main focus

 

When you use rel=canonical, it essentially tells google the page you link to is the only page that matters. This influences rank by weakening the influence of non-canonical pages.

Which brings us to how people may be using this trend in negative SEO…

How Marketers Abuse Canonical Links

So, how exactly can unscrupulous marketers abuse canonical links? After all, if they could use them in such a way, wouldn’t Google have locked down this decades-old loophole long ago?

The theory here is that another webmaster can essentially just copy the entire header, including the rel=canonical tag itself, and paste it into a self-generated spam website page. Because rel=canonical combines rank scores for multiple pages, the search engine may count the spam page as a qualifier, dropping rank scores for the attacked page.

Even more frighteningly, there’s virtually no way to find pages using the same header or rel=canonical tag as yourself. So, if someone were to utilize this concept, you would most likely only find out once you see your scores dropping.

Wait – Are Canonical Attacks Real?

There are two schools of thought in this answer: yes, they’re real, and more people are using them than we think, and yes, they’re real, but it’s a weak tactic few webmasters would use. Either way, the potential for rel=canonical to be abused does exist, and that means you should protect yourself from it whenever you can.

As for Google, they spoke out about this specific issue – and unfortunately, they’re refusing to acknowledge it thus far. Most of their response seems to be that if it was going to happen, it would have happened already. But this hasn’t stopped webmasters from abusing other older strategies in the past, like XML.

The Problem With Cross-Site Negative SEO

Cross-site negative SEO does happen. While this specific strategy isn’t the most common, the potential for how it might be used is concerning enough that you should consider it if you can’t figure out why your rank is dropping. Unfortunately, it’s far from the only cross-site negative SEO attack out there.

The biggest problem in negative SEO attacks is malicious link-building at the hands of competitors. Black hat SEOs will take a website’s url and manually list it on known link building scheme networks, directories, and other websites on Google’s list of “known manipulation tactics.” That’s why Google created their disavow links tool.

Theoretically, if someone was abusing rel=canonical to attack you, and you identified the site, you could simply disavow it. What isn’t yet clear is how you should identify it or even if it’s enough of a problem to really even be concerned.

In terms of “negative SEO,” the much bigger concern for today’s businesses isn’t linkbuilding schemes or even rel=canonical; it’s hacking and/or reputation destruction. It takes only a single insecure, out-of-date WordPress plugin or weak FTP password to lead to a deleted site (or worse, adult content all over your PG pages). And a competitor can easily file fake reviews slamming you anywhere from YELP to Google Reviews.

The biggest takeaway from all this is what SEO needs to be wholistic, meaning you shouldn’t over-focus on any one aspect of your campaign. And you shouldn’t even really over-focus on negative attacks; instead, strive to engage in positive, honest strategies that foster real, organic relationships with your audience. Not only will you improve your growth, but that growth will endure over time, too, unlike other unscrupulous tactics.

Categories
SEO

How to Protect Your Business From Negative SEO Attacks

Black hat SEO refers to using tactics that are against search engine terms of service to manipulate ranking. As the SEO industry has changed over the past couple of years, as Google and other search engines seek to improve search result quality to provide a better user experience and traditional black hat techniques are becoming less effective, negative SEO is the new solution. Since it is harder to rank for competitive keywords than it was just three years ago, negative SEO uses a number of black hat techniques to sabotage the competition’s ranking as a method of increasing your own.

Negative SEO attacks come in a variety of shapes and sizes, including:

  • Building spammy backlinks to your website
  • Spammy blog comments
  • Distributing copies of your website’s content all over the internet
  • Working to remove your best backlinks
  • Hacking your website
  • Pointing backlinks to your website with keywords promoting Viagra, gambling, and other negative niches

If you’re not a big website and you don’t think you have to worry about it, realize there are hackers and people out there who mess with random websites for fun. And you don’t have to know what you’re doing to find someone who does. If you’re out to create trouble for someone, a quick search of Fiverr for “negative SEO” shows plenty of providers who are willing to launch massive negative backlink campaigns against any website you want. The threat is real, so rather than waiting to see if your website falls victim, it’s best to take a proactive stance.

You can fall victim to one at any given time, even if you’re not a major brand with a lot of competition. And if you do, it doesn’t necessarily mean the competition is to blame. I’m going to show you how to protect yourself from a negative SEO attack, because prevention is much easier than cleaning up the mess afterward.

 

Setup Alerts in Google Search Console

The Google Search Console, formerly known as Webmaster Tools, is an excellent source of information about what’s going on with your website. Setting up email alerts can let you know when certain issues arise, such as:

  • Website is attacked by malware
  • Server is having connectivity issues
  • Pages are not being indexed
  • Google manually penalizes your site.

If you’re not already using this service, I’ve written a guide on how to get started with Google Search Console. There you’ll be able to learn how to add your website and setup the necessary email alerts. Remember, this is not the same as Google Analytics, but provides some additional useful information about your website.

 

Keep an Eye on Your Backlinks

The most common form of negative SEO, especially as evidenced by what’s available on Fiverr is the creation of mass amounts of low quality backlinks. This is why it is important for you to keep a close eye on your backlinks so you can see when someone is building links to your website.

There are all kinds of backlink checker tools out there like Open Site Explorer and Ahrefs, but those require you to manually look at your backlinks every morning. There’s nothing wrong with that of course, but when you’re busy, it’s easy to forget to do. I’m a big fan of automating what you can without sacrificing quality, and then using the time savings elsewhere to improve your business. Monitor Backlinks will email you when it sees new backlinks are added to your website. Plans start at $25 a month for a single website, and allow you to monitor two competitors. There’s the option to skip competitors and make it a little cheaper, too. There’s a free 30-day trial so you can make sure you like the service, too.

When you notice new backlinks are being added, but you know you’re not the one behind them, you can start taking action to get them removed or disavowed. More on how to do that in a bit.

 

Use an Email Hosted at Your Domain for Building Backlinks

Spammers and attackers will often try to remove the best backlinks your website has. They do this by contacting the website owner of the link, pretending to be you, and asking that the webmaster remove the link.

You can’t stop people from reaching out pretending to be you, but you can safeguard against the webmasters falling for it by making sure you use an email address from your domain, rather than a generic account like Gmail or Yahoo. This way, you can prove you work for the website and it’s not someone who’s posing as you. Your hosting plan will generally include a certain number of email boxes you can use.

You’ll want to keep an eye on your backlinks as you’re building them, so you can see if any manage to disappear. If you notice you lose a good one, reach out to the webmaster, ask why they’ve removed your link, and let them know what has happened. If you’re using Monitor Backlinks, you can tag the backlinks you want to keep the most, so you can verify if any of them get removed.

 

Secure Your Website

There are several things you can do to protect your website against hacks. If you’re using WordPress, check out this post on ways to secure it. I recommend using WordFence on your WordPress site, as it can protect your site from malicious attacks, and scan for changes in the core files. The premium version of the plugin can also let you know if there are any viruses on your site, and tell you if your site is being used in any spam activity.

If you’d rather take a different approach, you can use the Google Authenticator Plugin to create a two step verification password used each time you login to your WordPress website. You’ll have to enter a code that Google generates on your smartphone (available for both Android and iOS phones) before you can access your site.

Use a strong password with numbers and special characters. If you struggle with remembering, use special characters to help you spell a word, like $ for S or @ for A.

Create backups of your files and database on a regular basis. Ask your hosting company if they are doing this for you. Even if they are, it’s a good idea to keep your own copies. You can use a plugin to automatically backup everything to Dropbox or OneDrive.

If your website allows visitors to upload files, talk to someone at your hosting company to make sure you have antivirus installed to prevent users from being able to upload malware.

 

Check for Copies of Your Content

Use Copyscape to check for content on your website elsewhere on the web. You can start with your website URL, or just copy and paste the text from any page or blog post into the engine and search.

 

Use Social Listening Tools

It’s possible spammers will create fake social media accounts similar to yours to trash your brand name. To make sure this isn’t happening, you can use social listening tools like Mention.net or Google Alerts (not real time) to see who’s talking about you and what they are saying. If you see anything that’s not legit, take action to get the profiles removed as soon as possible. Report them as spam, and ask that your followers do the same. You can monitor everything from Facebook and Twitter, to videos, websites and blogs, and even images and forums.

 

Monitor Your Page Speed

If you notice your website suddenly takes longer to load, run some tests on Pingdom to make sure it’s not because someone is sending thousands of requests to your server. If you don’t stop this quickly, it’s possible the spammers will be able to take you entire server down. You can setup email alerts to find out if your server is every down. If you notice your site is being attacked, contact your hosting company as soon as possible.

 

What to Do If You’re Attacked

Create a List of Backlinks to Remove

Check the links that were created to your website recently. Manually check all of them to decide if you want to keep or remove them. If you want to remove them, put them in a separate list.

Create the list as soon as you get an email alert with backlinks you’re unaware of – especially if they look like they are spam.

Try to Remove the Links

Reach out the webmaster of the websites with the links you want to remove and request that they remove the link to your website. If you are unable to find a contact page, you can check the WHOIS registration to see if there’s an email address there. Sometimes it is hidden. If you cannot find a contact email address even after taking that route, or you do not hear back from the webmaster, you always have the option to ask Google to disavow your links.

Disavow the Rest

Disavowing links is the way you tell Google you don’t want them to count backlinks toward your link juice. I’ve written about disavowing links in more detail on the blog before, so I’ll let you go to that post to learn more about creating the disavow file and using the Google Disavow tool. Basically, you create a file with the links you want to disavow, then upload it to Google’s tool. The results aren’t instant, however, so you may end up waiting up to three months, though most are done within a month. That’s why it’s always a good idea to reach out to the webmaster and ask them to remove the links, too.

 

Negative SEO Isn’t the End of the World

If you’re the victim of a negative SEO attack, try not to stress out too much. Google is smart, and can tell when a negative SEO campaign is being launched. There’s no guarantee you’re going to be penalized as a result of the attack, since the search engine can tell you’re not the one causing it. In fact, the entire process could backfire and improve your rankings. Someone who invests in a negative SEO campaign against you is engaging in a high risk, low reward activity.

Have you ever dealt with negative SEO? If so, how was your recovery? Share your experience with me in the comments below.

Exit mobile version