Site Security Report
This report contains indicators that affect security and that search engines consider when ranking a site in Google.
When you click on the "Description" link, a tooltip with information on these parameters will open, and explain what they mean.
Here are some of the elements we will go through in our site security report:
SSL certificate
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Google now uses HTTPS as a ranking signal. Websites that use HTTPS will have a slight ranking advantage if HTTPS is enabled.
Valid until
If the SSL certificate has expired, it issues a warning such as: "Potential Security Risk Ahead". If a person visits an “unsafe” website URL, they will be greeted with a message stating that the site is not secure via the browser and that they should leave the site to remain safe. Expired certificates can result in a number of negative consequences for the website owner: most likely, lots of potential customers will bounce from the site (leave the site) due to these types of messages, and thus the site owner is likely to lose business to their competitors. If too many website visitors bounce from your site — which is likely in this particular example — Google will inevitably demote your website in the SERPs due to poor bounce rates and satisfaction of query intent.
Self-signed certificate
You need a Trusted CA Signed SSL Certificate to get the green lock & ‘secure’ sign on Google Chrome. You also need this to get the small Google ranking boost of having HTTPS. A self-signed certificate can be generated directly on anyone’s web server, so it has no value for search engines and therefore browsers will show an error. Self-signed certificates are not acceptable, nor useful for public sites because every user that comes to the site will see a notice stating that the certificate is invalid due to it being self-signed.
How to fix the issue?
These certificates are not accepted by search engines, meaning that when a user enters your site they will see a notification stating the site may be dangerous. They can also harm your SEO efforts as
- Users will bounce back from potentially dangerous pages.
- Search engines will demote pages that aren't secure. Self-signed certificates should only be used in the development phase of a site.
To fix the issue you need a trusted CA signed SSL certificate. This will then give you the green lock & secure sign on Google, as well as the opportunity to use HTTPS. There are multiple companies available online that offer the CA-signed certificate.
The domain is listed in the certificate
SSL certificates are for one specific domain. It cannot be used for other domains. The browser will warn visitors if used on multiple sites and inform the user that said site is dangerous. This will increase the bounce rate of the site. The search engines will also check the certificate, and if they notice an SSL certificate being used without the domain name listed, then they are likely to demote the site until the issue is fixed.
How to fix the issue?
An SSL certificate can only be used for one specific domain, therefore it's important to have the domain listed in the SSL certificate, otherwise, your site may be listed as 'dangerous' affecting ranking, bounce rates, etc.
To fix this, simply enter the domain name in the SSL certificate. Whether that's by contacting the developer/company who has done this for you or doing it yourself. If you use a third-party company such as GoDaddy, they will normally give you steps on how to do this via their dashboard.
Trusted certificate
If an SSL certificate is not confirmed by the registration center the browser will display a mark about the danger of the site and this will likely scare users away. The search engines also check the certificate, and if a problem arises when doing so the website will lose its position in the search results quite quickly, as it will be viewed as ‘untrustworthy’.
How to fix the issue?
If an SSL certificate isn't trusted, this usually means it hasn't been validated by the registration center, or you haven't used a trusted certificate authority (CA). Yet again this will affect your site's ranking as the 'danger' sign will appear for your site, causing users to bounce back from the page and a demotion in the rankings.
To fix this:
- Ensure you're using a trusted certificate authority.
- If the installation was not completed properly, redo it, or ask the company that did it, to redo it.
- Make sure the certificate hasn't expired. If it has, you will need to purchase a new SSL certificate.
301 redirect from HTTP to HTTPS
There is no use in paying for SSL if search engines and users still visit the site via HTTP. You need to redirect all of your traffic via a 301 redirect in .htaccess from the HTTP version of your site (unprotected and unencrypted) to the HTTPS version of your website (protected and encrypted).
Display port 443 shown in the URL
If your server is configured incorrectly, the port 443 may appear in the URL. This does not look good to users and may confuse them about the name of your brand and how to access your site. An example of this would be https://example.com:443
which is confusing and does not look as ‘clean’ as https://example.com
.
How to fix the issue?
If port 443 is showing in your URL this indicates that your server has been incorrectly configured meaning an incorrect URL will show. For example, instead of example.com we see example.com:443. This can be confusing to users and may lead users to believe this error code is part of your URL.
To fix this:
Add the following code to the nginx.conf in the HTTP section:
http { ... proxy_redirect ~^http://([^:]+):443(/.+)$ https://$1$2; ... }
This will override any location header request that matches regex on port 443, with the correct scheme.
Read more here: (link: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect)
Once completed, make sure to restart nginx to view the changes.
Your IP address has been blacklisted
RBL / DNSBL databases are blacklists of IP addresses that are commonly used to engage in spam tactics. A site can be blacklisted after receiving multiple spam complaints. If you use shared hosting with a shared IP address, then your IP address could be blacklisted because of other malicious spammers on your shared hosting using that IP address. Blacklisted IP addresses are untrustworthy in the eyes of search engines and mail servers may mark incoming e-mail messages from your domain as “spam” or even block them entirely. You do not want your IP to be blacklisted, and if it is, you need to arrange for a new dedicated IP address from your hosting provider.
How to fix the issue?
If you share an IP address on shared hosting with another website that has been using spam tactics, there is a risk your site could also be blacklisted. The RBL/DNSBL are databases that hold blacklisted IP addresses. Being blacklisted will affect your ability to appear in the rankings. To fix this you will need to arrange for a new dedicated IP address from your hosting provider.
Pages with <frame>/<iframe>
The <iframe>
HTML element represents a nested browsing context, embedding another HTML page into the current one. The <iframe>
element may be a security risk if a hostile site embeds itself inside an iframe on your site too. If someone compromises a site that is in an iframe, then they can conceivably compromise the integrity of your site. A malicious hacker can use an iframe to exploit a vulnerable site via CSRF. And iframes can be used by attackers in a "UI Redress attack". Therefore, you need to pay attention when adding an iframe from an untrusted site.