By submitting your email address, you agree to receive follow up emails about RankSense’s products and services. You can opt out at any time by clicking the link in the footer of our emails. We share your information with our customer relationship management partners. For information about our privacy practices, please see our privacy policy
by Hamlet Batista | February 06, 2008 | 15 Comments
Internet security is a big problem, and it isn’t just for the IT staff anymore. It affects us as SEOs. Don’t believe me? Consider the incident reported at the end of last year by security research firm Sunbelt Software.
…criminals are now combining SEO tactics and booby-trapped Web pages, and doing it systematically. By posting tens of thousands of Web sites simultaneously, criminals can take over all the top spots on a search results page, casting a wide net that’s more likely to catch Web users. Eckelberry described these criminals as “SEO Gods,” saying they can “take any site and get it on the first page of Google results.”
Instead of wasting energy defacing sites and showing them off as trophies to their peers on IRC, hackers are now modifying the code of hacked sites to include (invisible) links to their web properties or link farms. The article talks about virus writers creating tens of thousands of websites and cross-linking them using all sorts of queries as anchor text. They then spam blog comments around the Web to improve the overall PageRank of the link farm.
Hackers already know how to break into sites. Now that they see the profit that can be made from top-ten search rankings, they have adapted their techniques to break to take advantage. Currently, search engines’ quality reviewers can detect most sites utilizing these black-hat techniques because they show up pretty obviously as SPAM. However, this is just the beginning, and I’m willing to predict that this is going to scale with cleverer hacks that are harder to detect. Most break-ins will be highly sophisticated and highly automated. They will “recruit” thousands of computers into their link-farm. If your site is one of those “recruited” without your knowledge, your site will most likely be penalized by the search engine along with the whole group.
How can somebody break into my server if they don’t know my password?
I remember my days working for a big ISP, setting up firewalls, installing the latest patches and hardening servers. It was a constant battle between the hackers and me (crackers is the correct term, but I will use hackers out of habit). One day one of the consultants the company hired to do penetration testing told me that I was not letting him “do his job.” He meant breaking into the servers of course; the only thing left for me to do, he said, was to disconnect the servers from the network. I couldn’t resist laughing out loud.
I had another boss once that would ask me simply to change the passwords each time our sites got hacked. He didn’t even want to buy a firewall, the most basic form of protection. Why changing the password is ineffective may be too obvious for those of you with some security background—but that’s clearly not everyone.
Hackers break into systems by exploiting software vulnerabilities. These vulnerabilities exist because most software is tested under “normal” circumstances. Software developers don’t usually expect users to provide input designed to fool the program into doing something it was not designed to do. But that’s exactly what hackers do using buffer overflows, string format attacks, script and SQL injection, default passwords, and other tools of the trade.
Protect your site from hackers now
You can protect your site or blog from such attacks, however. The first order of business is fairly straightforward:
Server hardening. Update all software, apply the latest security patches and disable all unneeded services.
Install a firewall.
Install an Internet security scanner and instruction detection, such as snort.org. Set it up to poll your site every day and address all issues that come up in the reports.
Unfortunately, some setups require a large number of software packages and keeping that list of components up to date can be quite a nightmare. The most common approach to deal with this is to use a multilayer approach—separate servers that do specific functions, such as a web server, database server, application server, etc. It is also common to host the blog, forum, chat rooms, and other elements on separate servers because each requires different applications and poses new security risks. The idea behind all this is to, at the very least, isolate the sensitive parts of your system, like your e-commerce components, customer list, and other delicate information.
Where SEO meets security
When you set up a blog or forum on a separate server, you still want to have it linked from the main site, typically using subdomains like forums.sitename.com or blog.sitename.com. The problem with this approach for SEO purposes is that search engines regularly treat each subdomain as a separate site when counting incoming links. The incoming link juice is therefore split among the domains. Google makes an exception only when displaying search results.
The single domain will benefit from higher rankings if links to the subdomains are funneled to the main one. Luckily, there is a technique to do this—reverse proxies. I have mentioned reverse proxies in the past and they are very useful beasts. In a nutshell, a reverse proxy sits in front of the web server, receives all requests, does some special processing (such as caching) and forwards the requests to the actual servers. A reverse proxy can be used to map URLs to different servers, and this feature comes in very handy for SEO.
We can use Apache’s mod_proxy for this. Here is a sample configuration
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /blog http://blog.sitename.com
ProxyPassReverse /forum http://forum.sitename.com
Instead of directing users to blog.company.com, we write a reverse proxy rule to send requests for company.com/blog to the internal server blog.company.com. We can do the same for forums, chat, e-commerce systems, and so on. It is completely transparent to the user (and search engines) that the website is divided among multiple servers. Note that each web server will need to be isolated completely for the security to work. If someone breaks into the blog because the software hasn’t been updated, for instance, at least he won’t get to the e-commerce system.
Internet security is a very large (and interesting) topic. I will talk about it more in the future if there is enough interest. As usual, please share what you think in the comments.
Chief Executive Officer
Hamlet Batista is CEO and founder of RankSense, an agile SEO platform for online retailers and manufacturers. He holds US patents on innovative SEO technologies, started doing SEO as a successful affiliate marketer back in 2002, and believes great SEO results should not take 6 months
15
REPLIESRankSense automatically creates search snippets using advanced natural language generation. Get your free trial today.
What do you do when you’re losing organic traffic and you don’t know why?
Custom Python scripts are much more customizable than Excel spreadsheets. This is good news for SEOs — this can lead to optimization opportunities and low-hanging fruit. One way you can use Python to uncover these opportunities is by pairing it with natural language processing. This way, you can match how your audience searches with your...
READ POST
As we continue to improve the RankSense app for Cloudflare, we are always working to make the app more intuitive and easy to use. I'm pleased to share that we have made significant changes to our SEO rules interface in the settings tab of our app. It is now easier to publish multiple rules sheets and to see which changes have not yet been published to production.
READ POSTFor the following Ranksense Webinar, we were joined by Antoine Eripret, who works at Liligo as an SEO lead. Liligo.com is a travel search engine which instantly searches all available flight, bus and train prices on an exhaustive number of travel sites such as online travel agencies, major and low-cost airlines and tour-operators. In this...
READ POST
CarlosO
February 7, 2008 at 9:38 am
Great Article, security is one of my favorite topics!
Manual Directory Sub
February 8, 2008 at 2:25 am
Hamlet, it is very nice at informative post. I had attended a cyber security conference in india where top security experts told that it is the race of cat and rat. Some times softwares become smart not to hack like instead of 64 bit security, 128 bit security come and now 256 bit security is common. At other side hackers are very smart as well. They see the security holes in softwares itself. So it means that we need to buy latest antivirus, internet security and operating system and live update all these continuously or choose open source which is quite a difficult for new users. We need to face this security problem in our day to day life. Every body is affected not just tech community. So we must ready to be the part of this cat and rat race. Padhamanabha Sharma Directory Maximizer Manual Directory Submission Service
Amanda
February 8, 2008 at 6:31 am
Really great article. Some very helpful tips and advice on the thing I fear most.
Gavin Mitchell
February 8, 2008 at 6:42 am
I'd definitely be interested in hearing more Hamlet - really useful stuff.
Internet Marketing J
February 8, 2008 at 12:12 pm
Security is indeed very important that's why we should always make sure that all are sites are properly secure. Thanks for the tips Hamlet!
Andy
February 16, 2008 at 5:50 am
Thanks for the interesting post Hamlet. To move the subject on, maybe talk about how to tell when your service is being probed for weaknesses? As a forum moderator, I suspect that many weird posts are possibly due to some kind of test or that some member registrations are to do with setting up a future spam attack. Andy
JD
February 17, 2008 at 2:35 am
Great article. Through posts like this, I think bloggers are beginning to realize the importance of security. I remember late last year a few articles about security issues with Wordpress, I think we all need to keep abreast as you suggest.
Sharingmatters.com
February 18, 2008 at 1:02 am
Hi Hamlet, Great post. Really. This battle will exist as long as someone will be ready to pay a lot of money for top 10 on Google. Your blog redesign added a lot of character to your writing (I am aware you changed it a while ago).
Links Roundup - February 19th 2008
February 19, 2008 at 6:02 am
[...] The Unsuspecting Recruit: Why every SEO MUST learn Internet security - A very good post about protecting your site from hackers. [...]
This Month In SEO - 2/08 - TheVanBlog
February 29, 2008 at 9:29 pm
[...] The Unsuspecting Recruit: Why every SEO MUST learn Internet security [...]
Jason Pearson
March 9, 2008 at 3:36 pm
Great article and very well written. I really appreciate how thorough you were in explaining this problem and it's solutions.
Frank
May 20, 2008 at 6:48 pm
@.@ Internet security is always a headache for all webmasters. No matter how secure your website is I'm pretty sure it's still easily hackable =/ Just make sure those obvious bugs are patched though.
Simon
September 14, 2008 at 1:51 pm
Pro blog. I personally do not trust wordpress because a month ago, my blog disapeared..... Just to inform you all.
Eva White
September 19, 2008 at 6:15 am
I think Hackers top the list of every internet professional's nightmares. I found this post informative and useful.
harley
August 17, 2012 at 9:32 am
this happen recently to godaddy, famousbloggers.net got hacked and so was other big websites stealing their domain names. Hopefully this get sorted out! Thanks for the article!