Page Experience Matters: Safe Browsing to Protect Your Website, Visitors & Rankings
Is a hacker trying to compromise your website right now? Probably. One study from the University of Maryland showed that there’s an attack every 39 seconds. Google launched Safe Browsing in 2007 to help protect users and website owners from these malicious attacks.
No one wants to navigate to a site that endangers their personal information or tries to install malicious code on their computer. That’s why maintaining a safe website is already a ranking signal in Google. And Safe Browsing is set to become part of the page experience ranking update going live in 2021.
So in this article, No. 4 in our series on page experience, I’ll discuss:
- What Safe Browsing is
- Why Safe Browsing matters
- How to create a safe website so you can retain rankings and protect visitors.
What Is Safe Browsing?
Safe Browsing is a service by Google that helps protect website owners and users from dangerous websites and downloads. According to Google, Safe Browsing helps protect more than 4 billion devices each day.
Safe Browsing alerts users to dangerous content across all types of products. This includes Google Search, Google Chrome and other browsers, Gmail, Android and Google Ads. The Security Issues report in Search Console alerts website owners to compromised websites.
Why Does Safe Browsing Matter?
Safe Browsing helps website owners keep their website safe for users. And that means helping to preserve your rankings and traffic.
Hacked websites often fly under the radar. Keeping up with website security is an important but often overlooked job.
According to the Sucuri 2019 Website Threat Research Report:
In 2019 alone, 60% of all CMS applications were found to be out of date at the point of infection, making outdated components and core CMS files the leading causes of today’s website hacks. Infections continue to come from outdated software plugins, modules, and extensions; abused access control credentials; poorly configured applications and servers; and a lack of knowledge around security best practices.
Reports generated by Safe Browsing help you know about these attacks. Safe Browsing can help you identify if your site has been affected by malware, unwanted software or social engineering content.
Malware refers to software or mobile applications made to harm devices or users. From Google:
Malware is any software or mobile application specifically designed to harm a computer, a mobile device, the software it’s running, or its users. Malware exhibits malicious behavior that can include installing software without user consent and installing harmful software such as viruses. Webmasters sometimes don’t realize that their downloadable files are considered malware, so these binaries might be hosted inadvertently.
Examples of malware include viruses, trojans and spyware, to name a few.
Unwanted software negatively affects the user. From Google:
Unwanted software is an executable file or mobile application that engages in behavior that is deceptive, unexpected, or that negatively affects the user’s browsing or computing experience. Examples include software that switches your homepage or other browser settings to ones you don’t want, or apps that leak private and personal information without proper disclosure.
Sometimes companies bundle potentially unwanted software with a wanted program. Google provides guidance on how to avoid being categorized as unwanted software, which I’ll touch on later.
Social Engineering Content
Social engineering involves tricking people into giving up sensitive information that bad actors use for fraud.
This can happen through phishing attacks or deceptive content, which Google defines as “sharing a password, calling tech support, downloading software, or the content contains an ad that falsely claims that device software is out-of-date, prompting users into installing unwanted software.”
Google describes other kinds of dangerous content that can show up on a site:
Social engineering can also show up in content that is embedded in otherwise benign websites, usually in ads. Embedded social engineering content is a policy violation for the host page.
Sometimes embedded social engineering content will be visible to users on the host page, as shown in the examples below. In other cases, the host site does not contain any visible ads, but leads users to social engineering pages via pop-ups, pop-unders, or other types of redirection. In both cases, this type of embedded social engineering content will result in a policy violation for the host page.
Another category is what Google calls “insufficiently labeled third-party services”:
A third-party service is someone that operates a site or service on behalf of another entity. If you (third party) operate a site on behalf of another (first) party without making the relationship clear, that might be flagged as social engineering. For example, if you (first party) run a charity website that uses a donation management website (third party) to handle collections for your site, the donation site must clearly identify that it is a third-party platform acting on behalf of that charity site, or else it could be considered social engineering.
How to Keep Your Website Safe
One of the easiest things you can do is sign up for a Search Console account. This helps you monitor if your site has been hacked. (Note: It’s free to set up Google Search Console on your site.)
Google reports that the types of security notifications that you’ll get in Search Console increase “the likelihood of cleanup by over 50% and reduce infection lengths by at least 62%.”
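Beyond waiting for a Search Console notification, you can ask Safe Browsing about your own URLs. The following is an added example, not code from this article or from Google: it builds a request for the Safe Browsing Lookup API (v4) covering the three categories described above and summarizes the response per URL. The client ID, API key and sample URLs are placeholders, and the sample response is constructed.

```python
import json
import urllib.request

# Endpoint of the Safe Browsing Lookup API (v4).
API_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

# The three categories this article describes, as the API names them.
THREAT_TYPES = ["MALWARE", "UNWANTED_SOFTWARE", "SOCIAL_ENGINEERING"]


def build_request(urls, client_id="example-site-monitor"):
    """Build the JSON body for threatMatches:find (client_id is a placeholder)."""
    return {
        "client": {"clientId": client_id, "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def summarize(urls, response):
    """Map every checked URL to the sorted threat types reported for it."""
    flagged = {u: set() for u in urls}
    # A clean result is an empty JSON object, so "matches" may be absent.
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url in flagged:
            flagged[url].add(match.get("threatType", "UNKNOWN"))
    return {u: sorted(t) for u, t in flagged.items()}


def check_urls(urls, api_key):
    """Send the lookup (needs network access and your own API key)."""
    req = urllib.request.Request(
        f"{API_URL}?key={api_key}",
        data=json.dumps(build_request(urls)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return summarize(urls, json.load(resp))


# Constructed sample: two pages of a hypothetical site and a made-up response.
SAMPLE_URLS = ["https://example.com/", "https://example.com/downloads/tool.exe"]
SAMPLE_RESPONSE = {"matches": [{
    "threatType": "UNWANTED_SOFTWARE", "platformType": "ANY_PLATFORM",
    "threatEntryType": "URL", "threat": {"url": SAMPLE_URLS[1]}}]}
```

Run on a schedule against your key landing pages and download URLs, any non-empty list in the result is a reason to open the Security Issues report.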
Of course, you’ll want to ensure that you’re staying up to date with security measures on your site. Updating plugins and implementing HTTPS are two key to-dos.
Website owners should also take extra care to stay clear of what Google defines as harmful content. For example, be sure to know its unwanted software policy. Google shares a lot more detail on what’s acceptable, including advice on Chrome extensions and mobile apps.
There’s a video series from Google Webmasters that offers help for hacked websites. It covers everything from the basic overview to cleaning and maintaining the site and requesting a Google review.
If you discover that your site has been compromised, the process can be lengthy. Google reports that it can take up to 90 days for website owners to clean up their sites from an attack. The following chart shows how long (in days) it takes webmasters to do this after receiving notification of an attack, on average.
The good news is that, according to Google Research (linked earlier), 80% of website owners successfully clean up symptoms on their first try.