Site Security Report

This report contains indicators that affect security and that search engines consider when ranking a site in Google.

Clicking the "Description" link opens a tooltip that explains what each of these parameters means.

Here are some of the elements we will go through in our site security report:

SSL certificate

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Google now uses HTTPS as a ranking signal. Websites with HTTPS enabled get a slight ranking advantage.

Valid until

If the SSL certificate has expired, the browser shows a warning such as "Potential Security Risk Ahead". A person who visits the “unsafe” URL is told by the browser that the site is not secure and that they should leave it to remain safe. Expired certificates can have a number of negative consequences for the website owner: most likely, many potential customers will bounce (leave the site) because of these messages, and the site owner is likely to lose business to competitors. If too many visitors bounce from your site, which is likely in this case, Google will inevitably demote your website in the SERPs due to poor bounce rates and poor satisfaction of query intent.

Self-signed certificate

You need a Trusted CA Signed SSL Certificate to get the green lock & ‘secure’ sign on Google Chrome. You also need this to get the small Google ranking boost of having HTTPS. A self-signed certificate can be generated directly on anyone’s web server, so it has no value for search engines, and browsers will show an error. Self-signed certificates are neither acceptable nor useful for public sites, because every user who comes to the site will see a notice stating that the certificate is invalid because it is self-signed.

The domain is listed in the certificate

An SSL certificate is issued for one specific domain. It cannot be used for other domains. If it is used on multiple sites, the browser will warn visitors and tell them that the site is dangerous. This will increase the bounce rate of the site. The search engines will also check the certificate, and if they notice an SSL certificate being used without the domain name listed, they are likely to demote the site until the issue is fixed.

Trusted certificate

If an SSL certificate is not confirmed by the registration center (the certificate authority), the browser will display a warning that the site is dangerous, and this will likely scare users away. The search engines also check the certificate, and if a problem arises when doing so, the website will lose its position in the search results quite quickly, as it will be viewed as ‘untrustworthy’.

301 redirect from HTTP to HTTPS

There is no use in paying for SSL if search engines and users still visit the site via HTTP. You need to redirect all of your traffic via a 301 redirect in .htaccess from the HTTP version of your site (unprotected and unencrypted) to the HTTPS version of your website (protected and encrypted).

Display port 443 shown in the URL

If your server is configured incorrectly, the port 443 may appear in the URL. This does not look good to users and may confuse them about the name of your brand and how to access your site. An example of this would be https://example.com:443 which is confusing and does not look as ‘clean’ as https://example.com.
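One way to check this item and the 301 redirect from HTTP to HTTPS described before it, as an added example that is not code from the report tool. The function name, finding strings and sample responses are constructed for illustration, and the function inspects a response you have already fetched for the plain-HTTP URL.

```python
from urllib.parse import urlsplit


def audit_https_redirect(requested_url, status, location):
    """Findings for one response to a plain-HTTP request; [] means it passes."""
    if urlsplit(requested_url).scheme != "http":
        raise ValueError("requested_url must start with http://")
    findings = []
    if status != 301:
        # 302/307 are temporary redirects; the report expects a permanent 301.
        findings.append(f"status {status}, expected 301")
    if not location:
        findings.append("no Location header")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        # Also catches relative targets such as "/a/", which stay on HTTP.
        findings.append("Location is not an https:// URL")
        return findings
    try:
        port = target.port
    except ValueError:
        findings.append("Location has an invalid port")
        return findings
    if port == 443:
        # 443 is the HTTPS default, so it should never be spelled out.
        findings.append("explicit port 443 in Location")
    return findings


# Constructed sample responses: (requested URL, status code, Location header).
SAMPLES = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/", 302, "https://example.com/"),
    ("http://example.com/", 301, "https://example.com:443/"),
    ("http://example.com/a", 301, "/a/"),
    ("http://example.com/", 200, None),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        result = audit_https_redirect(url, status, location)
        print(url, status, location, "->", result or "OK")
```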

Your IP address has been blacklisted

RBL / DNSBL databases are blacklists of IP addresses that are commonly used to engage in spam tactics. A site can be blacklisted after receiving multiple spam complaints. If you use shared hosting with a shared IP address, then your IP address could be blacklisted because of other malicious spammers on your shared hosting using that IP address. Blacklisted IP addresses are untrustworthy in the eyes of search engines and mail servers may mark incoming e-mail messages from your domain as “spam” or even block them entirely. You do not want your IP to be blacklisted, and if it is, you need to arrange for a new dedicated IP address from your hosting provider.

Pages with <frame>/<iframe>

The <iframe> HTML element represents a nested browsing context, embedding another HTML page into the current one. The <iframe> element can be a security risk if a hostile site ends up embedded in an iframe on your site. If someone compromises a site that is in an iframe, then they can conceivably compromise the integrity of your site. A malicious hacker can use an iframe to exploit a vulnerable site via CSRF, and attackers can also use iframes in a "UI Redress attack". Therefore, you need to pay attention when adding an iframe from an untrusted site.