1. SEJ
  2.  ⋅ 
  3. Webinar

How to Secure Your Website from Hacking & Manual Actions

Eric Kuan, Webmaster Relations Specialist at Google, shares tips on how you can prevent your website from getting hacked or penalized.


Security threats and search engine penalties are critical issues that can hurt your rankings and your bottom line. You need to avoid them from the outset.

To achieve great SEO results, you need to learn the basic steps you can take to ensure that your website is well-protected and properly optimized.

I had the pleasure of moderating a Best of SEJ Summit webinar on June 27, presented by Eric Kuan, Webmaster Relations Specialist at Google.

Kuan talked about website security and manual actions, and how webmasters and SEO professionals can avoid getting hacked and penalized.

Here is a recap of the webinar.


How to Keep Your Website Secure

According to Google, the number of hacked sites increased by approximately 32 percent in 2016 compared to 2015.

Thankfully, in 2017, the search engine was able to reduce webspam with over 80 percent of hacked sites removed from search results.

While Google is making significant progress in combating website hacking, you shouldn’t be complacent. Aggressive hackers prey on vulnerable websites, and if you don’t secure your outdated site now, you might be the next target of their attack.

Common Types of Website Compromises


Hacked spam is the most common type of website compromise. Spammers inject content into a legitimate website in order to drive traffic to a malicious or deceptive site.

Hackers might redirect content to pharmaceutical, gambling, or pornographic websites that can cause real damage to your actual site. They are attempting to leverage the reputation of your site in order to get their bad content to rank.


Malware is any piece of software that was written with the intent of doing harm to data, devices, or people.

Malware can directly affect your website users, which is why Google provides strict warnings.

Credit Card Skimming

Credit card skimming is a fairly new security threat that affects ecommerce platforms. This is one of the most dangerous compromises for consumers because credit card data is stolen.

There’s a potential threat that malicious code was injected onto a site that skims credit cards so when users are typing in their credit card credentials, either they get moved to another page (i.e., a phishing page) or there’s some type of system that stores that credit card information and sends it to the person who hacked the site.

If you have an ecommerce site and you noticed anything unusual, look into your platform and check if there’s something going on.

Having your users’ credit card information stolen can hurt your reputation if you don’t address this immediately.

Crypto Mining

Recently, crypto mining instances have been on the rise.

Crypto mining hackers inject one or two lines of JavaScript on to your site and start using your users’ resources in order to mine for cryptocurrencies.

This has reportedly caused a lot of issues with mobile phones and devices with limited processing power.

While there are legitimate ways of using crypto mining, a lot of times, hackers will inject it onto your site without you knowing. It’s going to negatively affect your users’ experience and your brand.

Make Web Security a Priority

Always put web security at the top of your list.

Hackers are constantly looking for exploits. Check your log files constantly so you can spot and fix any compromises right away.

Pay attention because only a single weak link is needed to break the entire chain. You can do 98-99 percent right in website security but if you neglect that 1-2 percent, you’re still vulnerable to compromises. Hackers can exploit that one weak link and undo all the security measures you’ve done.

Whether you’re a small or a big brand, you can get affected by website compromises. No one is 100 percent immune to these types of security issues.

A Quick Word on Social Engineering (Phishing)

The most believable phishing sites trick almost half of the users. Thus, you need to make sure that everybody who has access to your website is really well educated about phishing threats and that they understand that there are people out there trying to steal your website credentials.

Around 20 percent of the compromised accounts are accessed within 30 minutes after being phished. After you’re phished, you have a really small window of recovering your site and changing all your passwords.

Again, you want to make sure that prevention is there. You don’t want to be fixing things after the fact. You want to be preventing things before they happen.

Why Should You Care?

If your site is hacked, a lot of damage can happen:

  • Users cannot access your site.
  • You and your user’s data will be compromised.
  • Your brand’s reputation will be affected.

Aside from the above damages, fixing a hacked site, finding the vulnerability and re-securing lost data can be extremely difficult.

Hackers will constantly try to keep a hacked website hacked. Therefore, they will do things that can prevent you from spotting the compromise, such as cloaking and file injection.

The best thing way to avoid this inconvenience is to secure your website properly.

What Can You Do?

Here are the steps you can take to avoid your website from getting hacked.

1. Sign up for Search Console

Once you’ve added and verified ownership of your site in Search Console, Google will send you critical website notifications such as vulnerability and hacking warnings that you need to pay attention to.

Google is also constantly creating new documentation to help webmasters. Recently they put out this guide that outlines what can be done to recover from a hacked website.

2. Keep Security at the Forefront of Your Strategy

Talk to everyone who works on your site – developers, marketers, SEO professionals, etc. – and make sure that they understand the importance of security.

3. Back up Your Site Regularly

This is one of the most effective ways to recovering your site when it has been compromised, but not all webmasters do it. If you have a backup of your site, it will be easier to revert it to its original state prior to getting hacked.

4. Keep Software Updated

Keeping your software updated is the easiest thing you can do to prevent your site from being compromised. Most of the compromises Google sees are from outdated software such as content management systems (CMS), plugins, etc.

If you’re using a CMS or ecommerce platform, sign up for their newsletter and be on the lookout for emails saying you need to update the software due to security risks.

Talk to the people who are working on your site because sometimes making updates to the software can cause certain plugins to break or become incompatible.

5. Consider Investing in Security Software

If you’re not an expert in securing your site or you think you need an added layer of protection, you can invest in a security software.

6. Use Two-Factor Authentication

If you have any type of username/password combinations that you want to keep secure, use two-factor authentication.

It gives you a second layer of security in this age where countless of major account login data leaks are happening.

A Quick Word About HTTPS

HTTPS is about encrypting the information transmission of your website, which is a good practice that can help keep user data secure. This is related to, but different from, securing your website from intrusion.

Google urges using HTTPS everywhere. If you have limitations, then use it on any sensitive data that gets passed like passwords or credit cards.

Starting near the end of July 2018, Google’s Chrome 68 browser will notify if sensitive info is being passed on non-secure connections. See the Google Security Blog for additional tips and details.

How to Avoid Manual Actions

What is a Manual Action?

A manual action is an adjustment of a site that is manipulating Google search. Manipulative behavior is:

  • Anything done to trick search engines.
  • Deceptive behavior (e.g., cloaking, unnatural links, scraping content).
  • Not limited to a specific set of rules.

What Should You Do?

Check Webmaster Guidelines

Make sure to follow and understand Google’s Webmaster Guidelines.

Don’t resort to manipulative behavior to game the search engine – it will do you no good.

Don’t Be Overly Concerned with Manual Actions

If you’re building a good website for your users, you aren’t going to get penalized.

A manual action is reserved for webmasters trying to do something tricky in order to manipulate search rankings.

Improve Ranking by Focusing on Your User’s Needs & Technical SEO

Talk to your users about how you can improve their experience on your website. Google focuses on bringing users to sites that would be most helpful for them. Therefore, if you listen to what your users need and give them what they want, you should have no difficulty in ranking well.

You should also make sure that your website’s technical SEO components are on point so that Google understands it properly.

What Is a Reconsideration Request?

A reconsideration request is a request to have Google review your site after you fix problems identified in a manual action notification.

Reconsideration requests are manually reviewed by the Google Webmasters team.

Characteristics of a Good Reconsideration Request:

  • Demonstrates understanding of the problem.
  • Details how the problem was solved.

Characteristics of a Bad Reconsideration Request:

  • Submits a blank site.
  • Doesn’t detail what was changed.
  • Completely tears down a site.

If you aren’t aware of the problem, get help from experts.


Key Takeaways

  • Prioritize web security.
  • Follow Webmaster Guidelines.
  • Don’t worry unnecessarily about manual actions.

Video Recap: Google on Website Security and Manual Actions [Webinar]

Watch the video recap of the webinar presentation and Q&A below.

Here’s the SlideShare of the presentation as well.

Join Us For Our Next Webinar!

Technical SEO Best Practices: How To Improve Discoverability, Crawlability & Rankings

Join us as we explore an actionable framework for auditing and improving your technical SEO across four key pillars—discoverability, crawlability, indexability, and user experience. You’ll walk away with tactics to send stronger signals to Google and outrank your competition.

Category Webinar Web Dev SEO
SEJ STAFF Brent Csutoras Managing Partner / Owner at Search Engine Journal

Managing Partner / Owner at Search Engine Journal with over 18 years experience in Digital Marketing, specializing in Reddit, Search ...

How to Secure Your Website from Hacking & Manual Actions

Subscribe To Our Newsletter.

Conquer your day with daily search marketing news.