You’ve Won the Battle but not the War: 10 Ways to protect your site from negative SEO

Last month there was an interesting article in Forbes about the search engine marketing saboteurs. These so-called “SEO professionals” proudly proclaim their job to be damaging the hard-earned rankings of their clients’ competitors. I understand a lot of people would do anything for money, but it’s still unsettling to see such people trumpet their efforts with such gusto. A huge thumbs down to all those mentioned in the article.

Earning high search engine rankings is challenging enough. Now we need to work twice as hard to protect the rankings once we earn them. The Forbes article lists seven ways you can damage someone else's website. I can think of three more — but instead of adding more wood to the negative SEO fire, I’ve decided to create a list of things you can do to detect, prevent and protect your rankings from these types of attacks.

Here are Hamlet’s countermeasures. (You may want to read the Forbes article first to better understand the terms.)

1. Anti-Google bowling. This attack makes your link structure look spammy, potentially causing Google and other search engines to believe your rankings are undeserved. The way to protect your site from this is to monitor your incoming links and their anchor text. Google’s webmaster central provides all the information you need for this purpose. Any site-wide links you are not familiar with, links with strange anchor text (usually porn), etc. are a clear indication that your site is being attacked. Contact the site owners that host the links and politely request they take them down. A cease and desist letter should do the trick, too—but only as a last resort.

2. Anti-Tattling. This attack is possible thanks to Google's encouragement of reporting paid links for ranking purposes. The best way to avoid this attack is not to buy text links at all. A competitor can purchase links for your site and report it. I assume Google's spam team is smart enough to tell if those paid links are making any difference for the search engine rankings and demote the links instead of banning the website. Again, monitor your incoming links profile and request take-downs where necessary.

3. Anti-Insulation. This one is basic— creating more pages about the same topics as your site’s pages to make yours less relevant. Preventing your competitors from pushing down your pages means that you will have to work even harder to make your pages more popular and relevant to keep their highly-deserved rankings. As you know, this is why SEO is an ongoing battle.

4. Anti-Copyright take-downs. Make sure all your content is original. This might sound obvious, but if you pay content writers to create your content, it is good practice to do a Google search for portions in their work to make sure it is original. I have turned down more than one “content writer” because of a simple Google search. If someone does file a bogus complaint against your site, the legal option is the best. Make sure their unscrupulous actions backfires to them. 

5. Anti–Duplicate content take-downs. If you content is original and it gets copied by another webmaster, contact the webmaster to have him/her take it down. It’s also a good idea to file a DMCA complaint with the search engines before that might affect you.

6. Anti–Denial of Service Attacks (DOS). There are hardware and software solutions to protect your site from DOS attacks. Most are very expensive. For my most profitable websites, I have been subjected to heavy DOS attacks, followed by an alleged 'Chinese hacker' asking for ransom. Personally, I’ve found that a reverse proxy with mod_evasive is good enough if you have the bandwidth to sustain the attacks. This is how you can protect yourself inexpensively:
   1. Set up a separate web server with Apache mod_proxy and mod_evasive.
   2. Set up mod_proxy as a reverse proxy server. That way, all requests will be forwarded to the real web server.
   3. Set up mod_evasive and adjust the number of simultaneous requests per second to a low value. Use a number that does not cause legitimate traffic to be filtered.
   4. Set up iptables on your real server so that you block all direct HTTP traffic not coming from the reverse proxy. All the web traffic must pass through the DOS filter.

7. Anti-Click fraud. Not exactly SEO-related, but also mentioned in the article. The best indication of click fraud is a sudden amount of clicks and no conversions when you have a history of strong conversion rates. The new click-fraud reports provided by the search engines help, as do some tools by specialized analytics providers.

8. Anti–SERP hijacking. This one wasn’t mentioned in the article, but SERP hijacking is another way to steal your rankings. As I explained in a previous post, before this was possible via HTTP 302 redirects, and these days with cgi proxy servers. Here is how you can protect your site from an attack:
   1. Se tup HTTP-USER-AGENT detection and reverse-forward dns verification to confirm that it is actually the search engine crawler pulling pages from your website.
   2. Some hijackers's proxies will not report as a search engine robot to avoid such detection. For this second case, here is a more advanced approach that involves cookies and IP blocking:   
      1. For each new IP address that is not a search engine robot (your script will need to keep track of each IP), encode the IP with optional information (user_agent, time, etc.) and insert it into the HTML as a comment or other invisible element that is returned to the requester.   
      2. When you find a hijacked URL, check the content of the page and look for the encoded text. Decode it and add the IP address to an access control list. You can block the IPs in Apache or in your iptables' based firewall.

9. Anti–Website hacking. Also not mentioned in the article, but perfectly possible (I read a thread at Digital Point Forums where this happened) is the hacking of your website to make the pages spammy. This includes adding hidden links or text, etc. If such a thing happens to you, remove the spam immediately, harden your server, and submit a re-inclusion request explaining what happened. In order to prevent this from happening make sure your server has all the latest security patches and any unnecessary Internet services shut down. All web scripts should 'sanitize' their input and treat it as not trusted.

10. Anti–Domain hijacking. This one wasn’t mentioned in the article either, but is probably very common. Hijackers can steal your domain names if you forget to renew them or with a fraudulent domain transfer. It is one of the most difficult attacks to recover from. If you value your domain property, it is imperative that you always keep your domains in a 'locked' state and that you set them up to auto renew at your registrar. It is also good practice to trademark your domain names if you are doing something serious. If you ever lose your domain, your best chances are by disputing it with the ICANN. Basically, you’ll need to prove that you own a trademark to the domain name and/or that the current registrant is using the domain in bad faith (to profit from your branding efforts for example).

Achieving high search engine rankings for competitive terms is hard enough. Every day is a new battle and we need to fight continually to keep winning the war. If you’re like me, you’ve spent a lot of your time improving your sites and content and it would be a colossal waste to let negative SEOs demote your rankings.

As always, let me know in the comments section if you find the tips useful and if you have any of your own to add.