My dad sounded nervous.
One of the pages on his website was redirecting to a marijuana dispensary and he had no idea why (he works in private wealth management).
It was scaring his clients, and likely harming his reputation, traffic, and rankings.
What would you do if you logged into Google Search Console and saw your rankings had plummeted? How about your traffic taking a nosedive out of nowhere?
Normally these would be signs of a Google penalty. However, if you are not engaging in any risky SEO tactics, they could be a sign of something called negative SEO.
Most of us engage in SEO tactics like blogging, improving our page speed, or honestly acquiring backlinks. Then there are grey hat SEOs, people who engage in somewhat shady tactics like buying links or using a PBN to boost their site.
Then, there are the worst of the black hat SEOs - folks who use negative SEO.
Negative SEO is an unethical set of SEO tactics used to harm a competitor site. It could be hacking a website and placing strange banner ads or content on it, redirecting to another website, duplicating content, and more.
I’ll run through the common negative SEO attacks, how you can identify them, and how to prevent/remediate them.
Negative SEO is a form of black hat SEO that uses a wide variety of malicious tactics to harm competing websites and boost the attacker's own.
It’s like the insecure kid who constantly puts down others to feel better about himself, but on steroids.
In the past, negative SEO could simply be hacking a website and placing an illicit banner ad somewhere to scare people off. Now it’s gotten much more sophisticated, with attacks ranging from duplicating your website down to hiding it from Google.
Obviously Google wants us all to play nice.
Google is on a mission to return the best answer to every query. Allowing negative SEO to go unnoticed, or unchallenged, would not be a good look for that mission.
Back in 2021 Google launched the Penguin update to punish websites spamming for links, and negative SEO evolved with it. Because Penguin allowed Google to filter out low-quality links and punish these sites by lowering their rank, it led to people buying low-quality backlinks to their competitors' websites as a tactic to have them penalized by Google.
Google admitted to the existence of negative SEO all the way back in 2012. Matt Cutts addressed it in a video released at the end of 2012, discussing negative SEO and how businesses can respond.
Cutts candidly admitted negative SEO is a thing, but dismissed it as a concern. From his point of view, very few attempt negative SEO and even fewer succeed. Cutts cites the disavow links tool, which notifies webmasters of link spam, as one of Google’s public answers to this problem.
While I agree that negative SEO is extremely rare, it’s not the most satisfactory answer. Let’s dive into the common types of negative SEO attacks, how to recognize them, and what you can do to remediate.
That’s not the easiest question to answer.
I know - typical SEO answer: it depends.
SEO as a field is still new, and negative SEO is evolving. As a result the answer is, maybe? At the very least, negative SEO attacks are seen as a civil dispute rather than criminal, so the police won’t get involved. In the United States it could be qualified as unfair competition under the Lanham Act. So you can sue, but proving the damages and what you deserve gets tricky in court.
Negative SEO has evolved over the years. Here are the most common types of attacks that hackers are using today. Again, these are fairly rare, but it is important to understand each attack and recognize the signs.
One of the classic negative SEO attacks: placing backlinks to your site on toxic websites. The goal here is to get your site penalized under Penguin.
Ordinarily, backlinks are one of the most powerful tools to boost your rank. Backlinks bought from low-quality websites can hurt you, though. Fortunately, Google is pretty smart and tends to filter these out. However, some can slip through the cracks and hurt you.
Link farms are another common tactic negative SEOs use so they can do this at scale. A link farm is a group of interconnected websites that all hyperlink to other sites in the group for the purpose of increasing (or in this case decreasing) rank. Hackers tend to point these low-quality link farms at a site to deal a massive hit to its ranking. They use link farms because one or two low-quality backlinks are generally not enough to flag to Google that the site needs to be punished.
Let’s be honest, who doesn’t plagiarize a little? There’s no harm in lifting a clever phrase or taking inspiration from a really good tagline.
How about a whole blog post though? Or an entire website? Plagiarism isn’t just a concern for school papers, it happens in the world of SEO too.
Content scraping tools make it easy to lift the content from a website, allowing a hacker to duplicate the site as often as they’d like. Google hates duplicate content, making this an effective attack.
Websites like Copyscape and Grammarly can help you sift through other copies of your content that exist on the internet. This is an easy way to pinpoint a content thief, and can also help you avoid any accidental plagiarism on your own site.
Reviews are one of the most powerful tactics you can use to build up your business and reputation.
With great power comes great responsibility though. Negative reviews can severely damage your brand.
One of the easiest (and most common) ways for spammers to attack your company is through social media reviews. It’s no wonder that spammers will use this against you. Whether it is flooding your Facebook, Twitter, LinkedIn, or Yelp page with bad reviews or even setting up fake profiles to harm your brand - spammers are getting creative in how they use social media to carry out negative SEO attacks.
Here’s a fun one - one of the best ways to hurt a website’s rank is to just make it disappear off Google.
To do this, hackers will steal your password so they can get into your website manager and edit your robots.txt file to hide every page on your website from Google. It won’t be until you see a steep drop in your search impressions in Google Search Console that you’ll realize what they’ve done.
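A robots.txt audit can catch this edit before the impressions drop shows up. The following is an added example, not part of the original post: it parses a robots.txt body with Python's standard `urllib.robotparser`, compares it to a known-good hash, and reports which key pages search crawlers can no longer fetch. The site, page paths, crawler list and sample files are constructed placeholders.

```python
import hashlib
from urllib.robotparser import RobotFileParser

CRAWLERS = ("Googlebot", "Bingbot")                    # assumed crawlers to check
SITE = "https://example.com"                           # placeholder site
KEY_PATHS = ["/", "/services", "/blog/negative-seo"]   # hypothetical key pages

# Constructed sample robots.txt bodies.
GOOD = "User-agent: *\nDisallow: /wp-admin/\n"
HIDE_ALL = "User-agent: *\nDisallow: /\n"
HIDE_FROM_GOOGLE = (
    "User-agent: Googlebot\nDisallow: /\n\n"
    "User-agent: *\nDisallow:\n"
)


def sha256_of(text):
    """Hash a robots.txt body so later copies can be compared to it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_robots(robots_txt, baseline_sha256=None):
    """Return findings: a changed file and any key page hidden from a crawler."""
    findings = []
    if baseline_sha256 and sha256_of(robots_txt) != baseline_sha256:
        findings.append("robots.txt changed since baseline")
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    for agent in CRAWLERS:
        blocked = [p for p in KEY_PATHS if not parser.can_fetch(agent, SITE + p)]
        if blocked:
            findings.append(f"{agent} blocked from: {', '.join(blocked)}")
    return findings


if __name__ == "__main__":
    baseline = sha256_of(GOOD)
    samples = [("good", GOOD), ("hide all", HIDE_ALL),
               ("hide from Google", HIDE_FROM_GOOGLE)]
    for name, body in samples:
        print(name, "->", audit_robots(body, baseline) or "ok")
```

Run on a schedule against the live file, a non-empty result is worth an alert even when the site still looks normal in a browser.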
There are all kinds of malware attacks a hacker could try. The typical ones are malware that slows down your website or malware that throws up security warnings when someone visits your website.
A slow website can be a nuisance, but a website that never loads is dead in the water when it comes to SEO. Some SEOs go even further and plant malware on the website, causing Google to warn potential visitors that the site may be hacked.
In both instances, traffic is liable to plummet, and rank with it.
Here’s one my dad suffered from - malicious redirects to another website.
It could be anything - drugs, sex, rock and roll - anything that is illicit and scares off your customers. Redirecting to another site is pretty bad for multiple reasons.
For one, it feeds your own traffic and rank to other websites like a parasite. And secondly, as visitors to your site are redirected and bounce off, Google will take notice and your rank will plummet.
It’s a win-win for the attacker - more traffic to an illicit website that is likely paying them, and your rank drops.
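Redirects like this can be caught by checking what each important page actually returns. The following is an added example, not part of the original post: given a page's HTTP status, headers and body, it reports any redirect (a `Location` header or an HTML meta refresh) that leaves your own domain. The hostnames and sample responses are constructed, and JavaScript-based redirects are outside what it checks.

```python
import re
from urllib.parse import urljoin, urlsplit

PAGE = "https://example.com/retirement-planning"   # placeholder page URL
ALLOWED = {"example.com"}                          # hosts you control (assumed)

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
REFRESH = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.IGNORECASE)
URL_ATTR = re.compile(r"url\s*=\s*[\"']?([^\"'>\s;]+)", re.IGNORECASE)

# Constructed sample body carrying an injected meta refresh.
HACKED_BODY = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://dispensary.example/deals"></head></html>'
)


def redirect_targets(status, headers, body):
    """Collect redirect targets from the Location header and meta refresh tags."""
    targets = []
    if 300 <= status < 400:
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if location:
            targets.append(location)
    for tag in META_TAG.findall(body):
        match = URL_ATTR.search(tag) if REFRESH.search(tag) else None
        if match:
            targets.append(match.group(1))
    return targets


def offsite_redirect(page_url, status, headers, body, allowed_hosts):
    """Return the first redirect target outside allowed_hosts, or None."""
    for target in redirect_targets(status, headers, body):
        absolute = urljoin(page_url, target.strip())   # resolve relative URLs
        host = (urlsplit(absolute).hostname or "").lower()
        on_site = any(host == h or host.endswith("." + h) for h in allowed_hosts)
        if host and not on_site:
            return absolute
    return None


if __name__ == "__main__":
    print(offsite_redirect(PAGE, 302, {"Location": "https://dispensary.example/"}, "", ALLOWED))
    print(offsite_redirect(PAGE, 200, {}, HACKED_BODY, ALLOWED))
```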
Negative SEO can be tricky to trace, but there are tactics you can use to catch a hacker red-handed, and guard against being hacked in the future.
You don’t have to obsessively check your rank and traffic every day. You can let Google Search Console and Google Analytics warn you if you have a drop.
Google Search Console began proactively notifying users of big rankings and traffic drops in 2019 and Google Analytics makes it easy to set up custom alerts to notify you as well.
Once alerts are enabled, you can go about your day to day and let Google notify you if anything goes wrong. With these simple automations, you can be kept in the loop if anything serious happens and kick back and relax a bit.
This is one I personally took an embarrassingly long amount of time to do myself.
If your password is the street you grew up on and you use it for everything, change your password now. Like now, now. Leave this screen and sign up for a secure password manager like LastPass.
Hackers will try to get into your website manager in order to add malware, set up redirects, or edit your robots.txt file. They cannot do any of these things though if they cannot get into your website.
It’s a good habit to routinely change your passwords too; every 6 months or so should be good. Sure, it requires a bit of upfront work (and hard-to-remember passwords), but your business is on the line (not to mention all the other private info you have, like your email, bank account, etc.).
You can track your site’s traffic and prevent hackers from getting access to your accounts, but what about backlinks?
There is nothing you can do to prevent someone from linking to your website. However, you can monitor the links you receive for anything fishy.
The best way to keep this from happening is to use a visibility management platform like SEMrush, which will monitor your backlinks and provide you with summary emails of any changes that occur.
Suddenly that blog post that is stuck on page 2 of Google doesn’t seem like your biggest concern.
Let me say again that negative SEO is rare. I do agree with Matt Cutts that few attempt it and even fewer are successful. Still, it is critical to recognize an attack so you can do something about it should that day come.
I sincerely hope that day never comes to you, but if it does I hope this post is helpful.
September 17, 2021