Chris Band (3:03)

So full disclosure, I'm a little bit biased on this, right? So before I, before I worked at Luma, I was in house for a very long time, almost all of that time working on the SEO team and working in a business that while I was there were ramping up their security efforts to the point where they were kind of like bank level secure. The interesting thing about this was my best friend, as in I was his best man and he was mine, worked on the security team and it meant that we would. SEO is obviously now working for a large scale crawler. We run afoul of Cloudflare and DDoS protection and stuff like that all the time. But obviously when you're working in a business that's very rapidly scaling its security decisions and sometimes having to make security decisions on the back of things happening that the rest of the business might not be aware of, it means that sometimes you will come in and all of a sudden, oh, well, we can't access Gmail anymore. Well, why is that? Well, someone has decreed somewhere that you can't access webmail anymore. Or you know, God rest it, we can't use the Google cache anymore. Why is that? Well, it's technically a proxy and you could in theory use that to get around the company's acceptable use policy, things like that. But the problem is to an end user and to an SEO, as an SEO, I come in and go, well, I can't use the Google cache anymore. That was really useful. I can't access a Google account anymore. That means I can't use Search Console, I can't use GA in some instances, all these things. But all that would get passed down was it's a security thing. Security have decided security have said I had the advantage that I could then go to the pub on the weekends with my friend and say, well hey, why did this happen? Why did this happen? And he would explain why. And they saw us as just always trying to get round things, you know what I mean? Trying to get assets onto the website that they didn't want there because we were using JavaScript libraries that they hadn't checked over, things like that. But we had to get campaigns over the line and things like that. This is when I was a way more generalist SEO that was still involved in digital PR and things like that. So they didn't understand why we wanted the things that we wanted and we didn't understand the reasons that they were making the decisions they wanted. And it was only by chance that say, me and a member of the security team were really good friends that we meant that we ever actually fully got the story between us. And I see that so much now where still SEOs and similar to how SEOs and front end devs don't always understand why we do the things that we do, right? We as SEOs go, well, surely this should be an easy change, right? We just put a canonical tag in there, just in that bit there, drop a canonical tag in and they say, well, it's not actually that easy because there's react templates and the helmet means that we can't change the head of the page and things like that. So there's that side of things and then obviously there's three parts. But then as I say, working at Lima, we run into trying to crawl. Obviously what happens is a SEO will buy the tool in and then we'll go to crawl the site and suddenly find that as soon as we hit 500 URLs or something like that, then an alarm goes off in an office somewhere and suddenly our user agent gets blocked or IP gets blocked and things like that. Because again, nobody's told the security team that they've bought on a really large scale crawler. And the first thing that anybody does when they're given a cloud based crawler is they set the URLs to like 30 a second or something like that. And all of a sudden people start DDoS in their own business without realising it. And then the third thing is, I think had life been a bit different, I think I would be a security guy. You can't give me something without immediately thinking, how can I not misuse this? But what happens if I do the thing that you don't necessarily want me to with it, right? I love taking things apart and seeing how they work and just trying what happens if I like the way I learned JavaScript was just taking JavaScript and changing numbers, changing things to see what would happen, right? And so I've just always had this interest, like I love reading things like Oliver Mason's blog, ohgm.co.uk, i think it is because he's the same, he was just, oh, okay, what happens if I try this? What happens if I do this thing that people say I shouldn't do or that doesn't make any sense, what happens? And that's always been an interesting thing for me, and I see it now with client sites a lot where sometimes we kind of say, oh, this can happen. And they say, well, yeah, but who's going to do that? And it's like, well, I have, or I could. And then the other side of it is SEOs have this weird unique tool set that nobody else really has within the business. And lots of teams have unique tool sets. Of course they do. But we have crawlers, which quite often the only other people who do are security teams. And then we've got all these, we've got access to seeing how computers all over the world see our site right in via Google again until the Google cache and the inspection tool and things like that. So it allows us access in log files and things like that. So it allows us this, this weird set of tools that obviously it's not a, it's not our job description, but if you are notice if you're looking around things, you can spot these things and you can spot not only weaknesses in the site, but you can also spot things that people have tried to do or have done and then you can learn to raise them. And again, that's how you make these other teams like you. Excuse me, is by, by understanding these things and actually saying, well, hey, I was doing some log file analysis the other day and there was a load of requests here that say they were googlebot, but I know they weren't because I know Google's IP ranges and I know what Google looks like when it hits a site. And this just smelled weird to me. And they can take that and they can look at it and go, yeah, that was somebody looking for compromised WordPress plugins or something like that. And you can provide that information. And it might be nothing and it might be something, you know, but again, it shows that scene that you're thinking about and that's all the other teams want. And I'm aware now that I've been talking for a long time nonstop, so I'm going to stop.

Tyson Stockton (8:52)

No, no, no, all good. And I mean I'm glad that you're bringing up this because it, to me it's kind of like, you know, one of the less heard about partnerships in the organization is like SEO and security. And you see it sometimes also with like accessibility, you know, that sometimes having like an overlap to it. But I don't feel like there has been much coverage in these use cases. And so I think you painted a nice picture of, I mean one first, like going back, it seems like very similar to a lot of other cross Functional like interactions where there's just that first level understanding of the, the world that the other person is living in in that sense. And so your story with being able to go to the bar with your buddy, then being able to say, oh, this is why I want to do this. I feel like that's like such an important piece for SEOs out there. And so I almost want to just flag that as like a takeaway for people is to maybe you're not as fortunate of having one of your best friends on the other team, but making that effort to build those relationships and then being able to learn that context of why something might be a problem or why something might be, be an issue. Because we do have a tendency to try to just find our workarounds and go around things, but it's not always like the best, like kind of long term wise.

Chris Band (10:20)

Yep. Yeah. Yeah.

Tyson Stockton (10:21)

And I feel like there, there's, there's two areas that I'd like to, to broach on within like security. One that we'll get to a little later. But the, the first one, what do you feel like are the most important factors that SEOs should be thinking of in regards to security? If they're not already familiar it's not been on their radar, is something that they should be paying attention to.

Chris Band (10:47)

The thing I would say, and I think a lot of it just boils down to, I mean again, like I say, it's never really going to be your, your job, you're never going to get paid completely to do this, but there are things that you can look out for or things that you can be. So a great example is the log file example I mentioned before. That's a legit thing that happened for a client. We had a client who felt like they getting crawled or indexed enough. I was doing a load of log file analysis and I could have just said, well hey, on the 3rd of January, you got hit by Google like 10,000 times. That's, that's great. But again, straight away it looked weird to me because they weren't getting hit 10,000 times any other day. So I started to zero in and started to look at it. I could have just gone, oh, that's weird, or just taken it at face value and moved on. But I didn't. Same with if you've got GSC access and you've got access to all the old weird subdomains that the site has had that was a test server or a staging server 10 years ago, look into them. Because what can happen there is if the business no longer. If the DNS records change, it can basically mean that the same content is still sat in the same ip or rather, sorry, people can upload illegal content to that ip, but Google still has the connection between the two. So you can see that stuff in there. Again, my wife is an SEO and has had a client with that where they had an old subdomain that was full of, I think it was like copyright infringing books or something like that. Just like hundreds of thousands of PDFs that were just in there. That again she found by just. She was clicking around in search console, saw something a bit weird and investigated and that's the biggest thing. Another really great thing you can do, and again as SEOs we're guilty of doing it, is look at your site in the SERPs and see what it looks like. There's a thing, especially if you work on like WordPress or more kind of off the shelf CMSs, there's nothing wrong with them, but they are by nature of what they are, they are more security, they are more vulnerable because they're more, they're available to more people. There's a very famous hack called the farmer hack, as in P H A R M a big pharma and in more recent years it's sometimes called the Japanese keyword hack where your site will, to all intents and purposes, when you hit it as, as a normal user will look fine. If you switch to a Google user agent, all the content gets switched out and they generate hundreds of thousands, millions of other content pages that then link out to dodgy pharma sites, casinos, all the usual NSFW stuff. And that's sat on your website, right? And you might not notice it until one day you, Google, or worse your CEO or something like Google's their website and doesn't see the name of their brand and whatever, they just see something about buying Viagra and Cialis. So if you see things that seem a bit weird go down that rabbit hole, right, no one's ever going to expect you to be fuzzing inputs and stuff like that. That is what the security team are for. But you have so many tools that allow you to notice things that might be of interest to that security team and if you find it, just flag them. As I say, just report it to somebody and they might never, might not ever do anything with it. But again it's. Even if you're wildly off base with what you're flagging again, the fact that you have any interest in what's going on is going to be hugely important to them. As I say for me, at the end of the day we all either go to our little home offices or drive somewhere. Right. Because we just want to be, we want to make money, be respected and go home. Right. So I think the more you can just do that with other teams and just offer them, you know, hey, I saw this. Is it of interest to you? It just makes everyone's life better and easier.

Tyson Stockton (14:28)

Absolutely. And, and again, like so much of the work is that relationship building side and so just having the consideration and even if it's, you know, like maybe it's even not like an issue. But I think too especially someone from a team that probably doesn't get as much attention as they deserve in a lot. Right. Would probably also just appreciate that you're thinking of something that yeah, is relevant or could help them. Now you kind of hit on this and I feel like with this intersection of security and SEO and you highlighted how with the nature of our tool types, like we do have line of sight into some of these areas that could have an issue. But I feel like there's also the potential issues that have the potential impact on organic search. And you kind of reference to one. I've seen that also working with clients, like sometimes where you could generate different URLs. And yeah, typically maybe it has some or it's commonly seen in site search type pages that come up where maybe it's some unwanted content then all of a sudden finds its way on your site and then it's an index page for it. What could you share for kind of the SEOs of the security risk or concerns that could have a detrimental impact to organic search traffic.

Chris Band (15:59)

So this is a really interesting, I think and even I, as someone with more than a passing interest in this stuff is still really guilty of thinking like, oh, site's been hacked. As soon as I log into it, they're going to take control of my computer and it's going to form a botnet that's going to take out, you know, a water filtration plant or something. Right now a lot of it is way more mundane than that and really boring, but multiple things can happen, right? So again, the Japanese keyword, hack, the farmer hack or whatever. Again, if I'm Googling for back when I was in house, if I'm googling for cheap holidays to New York and I recognize the URL of the site, but it's talking about buying pain meds or something like that, or inviting me to, you know, play roulettes or Something like that, or it's in Japanese at the least. I'm going to think, well, that site's broken. You know what I mean? I might not immediately think that site is hacked, but I'm going to look at it and say, well, why would I put my credit card details in there? It looks, even in Google, it looks broken, right? And then that sticks. The next time I visit it, I think, well, yeah, okay, they are 10 pounds cheaper. My flight, you know, my flight would be a bit cheaper, but last time I was on there, it looked really bad and looked really broken. So why would I. Why would I click on it? Right? So you've got this reputational stuff as well. On top of things like the pharma hack, Google will send you a you have been hacked warning in your GSC and then it will start deranking pages and then you've got to do all that work to then prove to Google that you fixed it all, hope that it puts you back where it did. It never does. You know, you know, all that stuff. And then just on top of that, again, let's say, and this is kind of the interesting thing where it works the other way around, there could be a security issue that's completely nothing to do with the SEO team whatsoever. But it ends up in the paper. In the paper. Sorry, I'm old. It ends up online, you know, there's stories written about it. And again, straight away, well, I'm not visiting them. They got hacked last week. Why would I put my credit card details into that site? It might still be hacked, right? So you've got all these different ways. So it's not just actual positional change, which sucks. It's also how you appear in the serps, it's also just reputational change. It's all these other issues. And again, I think it's an interesting thing that you say about this because, like, security teams are interested in this stuff because again, they're not just interested in all the credit card details being taken, right? They're interested in the potential for misuse of the site to create financial or reputational damage, because that reputational damage is financial damage, right? So again and again you mentioned it. Let's say you find a load of content that has been uploaded by a user completely within the views, the mechanism built within the site. But it is content that. And again, I've worked with one client where we had this issue. They were using the tool as it was supposed to be used, but all the content, we found loads of content in there that was really needed to be taken down. It would have been a disaster for the company. That's of interest to a security team because they might not be able to directly be involved in that, but that's of interest to them. Again, a security team does not want a call from, again, you know, a law enforcement agency or the owner of, you know, Taylor Swift's copyrights or something like that to say, hey, we found all this content on your site, it needs taken down. You know what I mean? So yeah, there's a million ones. And then that's the other side of it. You end up in a position where you are egregiously committing problems. Your website will just get. Depending on where you are, your website will just get shut down. Your business will be ruined financially because you'll be taken to the cleaners. You know, if you look at things like Drizzly had a. Oh, and I can never remember the name of the agency in the states, but it's an information security agency in the States. Drizly were found in breach of something a few years ago and from what I understand they were. They were an alcohol delivery service and they never really recovered from it. And then they were bought by Uber and they were closed down recently. Now, I'm not saying it's because of that, but you know what I mean. In some really egregious instances, it can just. Your company can be put under such financial strain as to what's happened that you lose your job or the company goes.

Podcast Announcer (20:00)

So time for a one minute break to hear from our sponsor, Pre Visible. So you're looking for SEO help. Then you got a couple of options. You could start replying to spam from agencies that claim they can get you to rank number one on Google. You can pay an hourly rate for a consultant who will inevitably nickel and dime you with hourly charges. Or you can work with a cookie cutter agency to quickly launch a strategyless project with low success rate. None of those sound very good now do they? Well, that's where Pre Visible's integrated consulting model comes in. Pre Visible draws From a collective 40 years of SEO and digital marketing experience to unlock your organic growth opportunities. They build custom solutions that combine strategy, technical expertise, content and reporting to effectively operationalize SEO for your business. Pre Visible's four stage approach ensures that your SEO programs thrive by starting off with a strategy first approach. Then they support you in your efforts to create quality content, help you identify technical issues, and most importantly, they'll work with your cross functional teams to integrate your SEO strategies to make sure that your SEO budget actually drives results, not just your agency's bottom line. So join brands like Yelp, eBay, Canva, Atlassian Square, all who rely on the SEO consultants at Pre Visible. For more information go to Pre Visible IO. That's Pre Visible. P R E V I S I B L E IO.

Tyson Stockton (21:29)

Absolutely. And I think you know, sometimes too it goes back to like that partnership with security where they can similarly also be flagging things potentially for you to be looking at that could have that impact on SEO. One I mean we're talking right before this so. So a large E commerce site that we both have worked on, I remember and maybe it's just like an illustration of one of your kind of previous points, but I remember a time with them where all of a sudden we saw this huge spike in rankings for one of their smaller market domains and so it wasn't the biggest domain so it didn't have the most of attention and it was like you know, a local website for a specific country and all of a sudden it shifts shot up and had like crazy numbers from like a ranking perspective. And then when we looked at it it was all adult related content which was not necessarily for their site. And from this we were then able to see oh well, it's actually generating a self referring indexable page from different search queries and if enough people search something it would generate a page for it that would then the index and we didn't know about it because it was a smaller again not the primary website, it was a smaller thing. But all of a sudden when we saw their rankings just skyrocket and then sure enough the reason for it was a bunch of high search volume adult terms that people were searching in the search field of it. But then that even though great we have this potential win of now we're getting more traffic then highlighted the piece of oh, we have a huge problem right here and this is a really significant issue of just completely crushing our crawl bandwidth efficiency. Everything else that goes into some of those like page bloat issues but I feel like that was something that was not on anybody's radar but it was these SEO tools that we're using that then flagged it as a potential risk and concern that had to be addressed.

Chris Band (23:40)

Yeah, Google bombing is a little bit less of a thing nowadays obviously. But I remember in the uk I don't know what CMS it is but there's a lot of local news sites in the uk. I don't know if this is still the case now, but certainly 10 years ago or so, when this story takes place, this was the case. The URLs would be site.com category and then you would have like a six or eight digit UID, which was the actual story. And that was the important part for rendering the page. And then there would be a few words after it, which would be the headline with the stop words taken out. But they were literally just there for SEO. So people discovered that, and there was a story in this paper that I think maybe some SEOs took umbrage with or something like that, and within a few hours they'd managed to get that version of the story ranking, but with the URL, you know, had the UID of the article, but then with the keywords and if you allow me a very minor swear, something along the lines of we'll publish any old crap, because again, and that's a funny one, right? But you know, if you work in a small, very competitive industry where people are prepared to do anything. And it's even worse when a site takes something that's in the content of the URL bar and puts it in the page, because then people can just spin up slanderous pages on your website. Again, I've worked on sites where, and this is going on a little bit now on that, but on the subject of putting things in the URL, if you ever have a site where you find that anything you put in the URL bar becomes a canonical tag, you need to start checking whether you can escape out of. Because basically what you can do on some. Most sites have closed this down now. But if you then tag a closing canonical tag, if you close the canonical tag within the URL, you can then just start injecting script tags via a canonical tag and you can do all sorts of crazy man in the middle stuff with it that's so simple that most sites have it shut down now. But it's silly things like that that SEOs have to get really, really good.

Tyson Stockton (25:38)

At noticing and similar. So years back there was, it was another. A different E commerce site that I was working with and I was doing an audit of the site and one of the things that I flagged was basically what you were just describing, where you could take pretty much any URL, add on whatever words, characters you want on the thing, generate a new page that's indexable, came across. I was like, okay, this is an issue. This like needs to be raised. When I brought it up to the SEO team, it kind of fell on deaf ears. And maybe something that I feel like could be Helpful as like a next step for the listeners is do you have any recommendations? Like maybe it is that exact scenario or another one of how to be flagging and how to be kind of vocalizing these issues. Because I think it's one thing to be able to spot and identify the problem, then it's another thing to kind of get the ears of the company or to kind of do that. So like, would you have any recommendations for SEOs in how they would go about flagging some of these security risks, regardless of if they have that impact on SEO or not?

Chris Band (26:52)

Cool. So I would say so. Two things. So number one, and this is actually legitimately useful stuff that I think you can do when you're working on any site, if you allow users to create URLs, let's say you have profile pages that sit on site.com userprofile or that's being built for your site. It's worth saying to the team, what if somebody signs up the username robots txt, what happens then? Raising those questions means that people then they recognise that you're smart about this stuff and then they start saying, oh hey Mark on the security team, Jenny on the security team wants to speak to you. So then you start to know those people. So you've got that thing going on. Another thing you can do if you found something that you think is especially has the potential to be really quite serious or looks quite serious. Again, if you found illegal content, especially if it's very illegal content, number one, on that note, if you think you found illegal content, don't touch it. If you've found URLs that you think looked really, really, really bad, leave them alone. Especially in the uk, I can tell you now, you're going to be saving yourself way more trouble than you think you would by being curious and clicking on things, don't do it, just flag it immediately to somebody. The best place to start is probably your business, probably has security at name of business or infrastructure team. Sometimes security comes under infrastructure. Ask ground for who that is. Probably again, if you're an SEO, they probably run into the infrastructure team quite a bit. For various different things, I would start there, speak to your favorite. I get in trouble for calling them this, but speak to your favorite tame developer and see who they would speak to. Start there. And then the other thing I was going to say is if you're techie enough to, or smart enough to kind of demonstrate what could be done with this without causing any legitimate problems, you know what I mean? If you can Do a stupid thing like, oh, hey, if I change the canonical tag look to this, I can make this JavaScript, I can put this in the console, or I can get this JavaScript to pop up if you can do a little demonstration. Because there's programs with cool things. So there's one called HackerOne, which is basically where companies will pay independent security researchers, as they're called, essentially white hackers who will raise these issues. But part of what they do is they basically have to show they're working right. They have to say, well, I've done this and this is now the access that I've got. This is what I can do with the thing that I found. So security team is going to be used to assessing things like that. So if you can send them a screenshot, as I say, and say, well, I did these three things and now I'm here, or I've got a screenshot that shows that Google's in. We know that Google get into a staging domain is bad. If Google somehow gets into, I don't know, somehow an admin panel or, you know, something with user data in, that's where you need to start. Just screenshots. Just flag it straight away. That's the best. Demonstrate what you found and then try and find an email alias for the security team and just fire it directly at that and hope that somebody picks up. If not, don't be afraid to chase, because you could be saving a lot of money, time, energy, jobs, the lot.

Tyson Stockton (29:55)

Absolutely. All right, Chris, we've covered a lot of ground here, and I think it's refreshing and nice to have. It's not necessarily a new topic, but like something that is, I think, a new flavor to discuss here. But for the SEOs out there, that maybe it hasn't been a top of their mind or hasn't been an area that they've spent much time in learning. Like, any recommendations or any tips that you'd have for the SEOs out there to maybe learn a little bit more. More about this.

Chris Band (30:24)

Yeah. So if you're a podcast person, which I'm assuming if you listen to this, you are, there is a phenomenal podcast called Darknet Diaries that isn't as frequent as it used to be. Now, I think the guy who runs it is having a. Just taking a little bit of a backseat with it at the moment, but he interviews hackers, white hat hackers, or people who have been to prison for the things that they've done. Right. And it is fascinating because, again, you just get to hear people talk about it's incredible some of the things that these people have done right and it's just a, I think, I say, I think it's a really interesting world to be involved in. That's really interesting. There's a website called Krebs on Security that's K R E B s on Security written by a man called Brian Krebs who is a very well known cybersecurity journalist. Also Troy Hunt's site, Troy Hunt runs have I Been Poned? Which is that website that you can put your email address in and it will tell you where it's been found. He also runs a blog where he just kind of reports on this stuff. I like Brian and I like Troy because they both write in a way that someone like me who is relatively technical but has a passing interest in cybersecurity more than anything can still understand and can still. The more interesting, again, the more interesting parts for me are the people and they especially Brian Krebs, he tends to focus on the people behind these things. So I just think they're really, really interesting places to start. And then also if you're an SEO, Tom Anthony, who works for it's not called Distilled ODM anymore, it's called Search Pilot now he does some independent security research stuff. He's got some videos on YouTube that he's done about doing a thing called Fuzzing which is basically giving inputs data that they aren't expecting to see what would happen. But he uses a lot of skills from being an SEO and tools that you would recognize from being an SEO to do that. So I would recommend there's a video of his called Fuzzing websites for fun and profits or something like that I think on YouTube. So I'd recommend that as well.

Tyson Stockton (32:24)

Excellent. Well. And for anyone listening if you didn't get a chance to write those down also to shout out, you can find all those recommendations that Chris had in the show notes. But with that, that wraps up this episode of the Voice of Search podcast. Thanks to Chris Finn, senior Technical SEO at Lamar, for joining us in part two of this conversation, which will be published tomorrow. Chris and I are going to be discussing actionable and effective technical SEO insights. If you can't wait until the next episode and you'd like to learn more about Chris, you can find a link to his LinkedIn profile in the show notes. You can find him on Twitter X where his handle is at 503blazit or visit his website chris span spann.co.uk.

Podcast Announcer (33:13)

Okay, thanks. To Tyson Stockton, our guest host. If you'd like to get in touch with Tyson, you could find a link to his LinkedIn profile in our show notes. You can contact him on Twitter where his handle is TysonStockton. Or if your team is interested in SEO consulting or organizational education, you can always head to their company's website, which is Previsible IO that's P R E V I S I B L E I O and a special thanks to Ahrefs for sponsoring this podcast. Monitoring your website used to require multiple expensive tools, but that's not the case anymore, thanks to Ahrefs because they just launched their Ahrefs Webmaster Tools product, which monitors your SEO health, helps you keep track of your backlinks, and gives you the insight into what keywords are performing for free. So check out Ahrefs webmaster tools@ahrefs.comAWT that's Ahrefs a h r e f s.comAWT just one more link in our show Notes I'd like to tell you about. If you didn't have a chance to take notes while you were listening to this podcast, head over to voicesofsearch.com, where we have summaries of all of our episodes and contact information for our guests. You can also subscribe to our weekly newsletter, and you can even send us your topic suggestions or or your marketing questions, which we'll answer live on our show. Of course, you can always reach out on social media. Our handle is voicesofsearch on LinkedIn, Twitter, Instagram, Facebook, or you can contact me directly. My handle is Ben jschapp B E N J S H A P and if you haven't subscribed yet and you want a daily stream of SEO and content marketing insights in your podcast feed, we're going to publish an episode every day during the work week. So hit that subscribe button in your podcast app and we'll be back in your feed tomorrow morning. Morning. All right, that's it for today, but until next time, remember, the answers are always in the data.