On November 20, 2018, Yoast released a security update to fix a vulnerability. The update was not announced on the Yoast blog. The vulnerability only affects sites that have the SEO Manager role enabled; it does not affect all users of Yoast SEO.
Nevertheless, 77% of Yoast users have not upgraded to version 9.2 and may be unaware of the vulnerability.
This article seeks to help users by making them aware that the vulnerability exists and to responsibly encourage them to upgrade.
The vulnerability was a complicated kind of bug called a race condition.
Put simply, software expects certain operations to happen in a particular sequence. A race condition arises when that sequence can be altered, which opens a window in which an attack can happen.
TechTarget defines a Race Condition like this:
“A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly.”
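To make the definition concrete, here is an added example (not code from the Yoast plugin, whose actual defect the article does not describe) of the most common web-application race: a check-then-use sequence on an uploaded file. The racy version validates the file and then reads it a second time, so anything that rewrites the file in between is used without ever having been checked; the safe version reads once and validates the same bytes it goes on to use. The `between_check_and_use` hook and the `SAFE` marker are constructed for this demonstration so that the interleaving is deterministic rather than left to thread timing.

```python
import os
import tempfile

# Constructed rule for this example: an upload is acceptable only if its
# first bytes are this marker (a stand-in for a real file-type check).
ACCEPT_MARKER = b"SAFE"


def is_acceptable(data: bytes) -> bool:
    return data.startswith(ACCEPT_MARKER)


def process_upload_racy(path, between_check_and_use=None):
    """Check-then-use on a file path: validate the file, then re-read it.

    Anything that changes the file between the two reads (another request,
    a concurrent upload handler) is used without ever being validated.
    `between_check_and_use` is a test hook simulating that interleaving.
    """
    with open(path, "rb") as fh:
        if not is_acceptable(fh.read()):
            return None
    if between_check_and_use is not None:
        between_check_and_use()          # simulated concurrent write
    with open(path, "rb") as fh:
        return fh.read()                 # may no longer be what was checked


def process_upload_safe(path, between_check_and_use=None):
    """Read once, validate those bytes, use those same bytes.

    With no second read there is no window in which a concurrent change
    can swap validated content for unvalidated content.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if not is_acceptable(data):
        return None
    if between_check_and_use is not None:
        between_check_and_use()          # same interleaving, no effect
    return data


def demo():
    """Run both versions against the same simulated race; return both results."""
    good = ACCEPT_MARKER + b"legitimate upload"
    bad = b"replaced after the check"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upload.bin")

        def swap_file():
            # The "other party" rewriting the file mid-request.
            with open(path, "wb") as fh:
                fh.write(bad)

        with open(path, "wb") as fh:
            fh.write(good)
        racy = process_upload_racy(path, swap_file)

        with open(path, "wb") as fh:
            fh.write(good)
        safe = process_upload_safe(path, swap_file)
    return racy, safe


if __name__ == "__main__":
    racy_result, safe_result = demo()
    print("racy version used:", racy_result)
    print("safe version used:", safe_result)
```

The general rule the safe version follows is to validate the exact object you will use (the bytes already in memory, or an open file descriptor) rather than a name that can be re-resolved to something else later.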
How Does the Yoast Vulnerability Affect Websites?
The Yoast 9.1 vulnerability requires that a website have the Yoast SEO Manager role enabled. This is why this vulnerability does not affect all users.
Which Versions of Yoast Does this Affect?
It is being reported that Yoast version 9.1 and under that have the SEO Manager role are affected. The security researcher who discovered the vulnerability said:
“I tested with Yoast 9.1 and 9.0.3.”
How Does the Yoast 9.1 Vulnerability Work?
I asked the security researcher how the vulnerability worked and he said that the attacker can target Yoast installations with the SEO Manager role enabled and then perform code execution exploits.
Here is what he said:
“The thing with the SEO Manager is that this role is not able to install plugins, themes, etc. on WordPress; however, the attacker can perform command execution.”
The goal of command execution is making undesirable changes to the website.
Does this Affect Sites without the SEO Manager Role Enabled?
I asked the security researcher if sites with the SEO Manager role not enabled were vulnerable. He advised that the possibility of being hacked because of this is remote if the role is not enabled. The possibility rises if the SEO Manager role is enabled.
“If you do not have SEO Manager and the zip archive can be uploaded only by a WordPress administrator, the impact is very low.”
Are Race Vulnerabilities Common?
I asked the security researcher if this is a preventable vulnerability. He answered:
“I would say that many developers are not aware of race condition issues.”
What if You Don’t Have SEO Manager Role Enabled?
In general, it’s a good practice to update to the latest version of your plugins. Security is never an issue until it’s an issue and web traffic has collapsed. Why become an object lesson to your competitors of what not to do?
If you are using Yoast SEO 9.1 or earlier, it is a good idea to update it. Keeping plugins updated is a security best practice.
Images by Shutterstock, Modified by Author
Screenshots by Author, Modified by Author
How to Optimize AMP Stories for Google Search Results
An official set of recommendations concerning SEO for AMP stories is now available from the AMP Open Source Project.
AMP stories are similar to stories on social media platforms like Facebook and Instagram. The key difference is they can be indexed and displayed in Google Search results.
See: AMP Stories Now Have a Dedicated Section in Google Search Results
AMP stories are just like other web pages in the sense that they have a URL on your web server, they are linkable, and they can link out to other web pages.
Flavio Palandri Antonelli, a Software Engineer at Google, states:
“In particular, just like other pages on your site, make sure your Stories are linked from within your website so that your users and bots can actually discover them. If you are using a sitemap, make sure to include your Stories in that sitemap. If you are posting your regular web pages to social media, post your Stories as well. We could go on here, but the gist really comes down to: Follow the best practices you’re already applying to the rest of your website.”
See: Official AMP Plugin for WordPress Now Supports AMP Stories
AMP stories should be optimized like any other page on your website. What works for regular web pages will also work for AMP stories.
With that said, there are some SEO tactics specific to AMP stories that can be utilized as well.
Specific SEO Tactics for AMP Stories
Here are the SEO tactics specific to AMP stories. Keep in mind these tactics aren’t comprehensive and should be utilized in conjunction with the standard SEO work being done for your web pages.
- Metadata: AMP stories have a built-in mechanism to attach metadata to a story. This ensures maximum compatibility with search engines and other discovery features that take advantage of metadata.
- Internal linking: Site owners should generously link to AMP stories from other pages, such as linking to them from the homepage or category pages where applicable.
- URL format: There is no need to indicate in the URL of a story that it is using the AMP stories format. Follow the same URL format as other web pages on your site.
- Page attachments: Page attachments can be used to present additional information in classic article form alongside your story.
- Image descriptions: Use meaningful alt text where appropriate.
- Video subtitles: Consider providing subtitles and/or captions for the videos in your Stories.
How Hackers May Be Hurting Your SEO
It is rather easy to grow complacent as an SEO when it comes to site security, or to put all of the responsibility on the IT department for any form of cybersecurity or hacking prevention.
It is a debatable topic amongst many; however, this is definitely true:
Website security, or the absence of it, can directly and critically impact a site, and that includes the site’s organic performance.
For this reason, website security should not be ignored when it comes to digital marketing plans.
But first, let’s gain a deeper understanding of what hacking itself is, in order to connect the dots on why it should not be neglected.
What Is Hacking?
Hacking occurs when an individual gains access to a specific website or computer network, sans permission.
Unwarranted hacking most often occurs when people are trying to gain access to sensitive or private information, or to redirect users to a specific hacker’s website.
What Are Some Common Tools Utilized by Hackers?
Malware is specifically designed to damage or disable a specific network, with the goal usually being a data breach.
The potential after-effects of a malware attack can be great, including extensive financial losses for an organization.
Website spamming usually occurs when a hacker adds hyperlinks to a webpage that, when clicked on by a user, lead to the hacker’s chosen destination.
Adding spammy links to a hacker’s website on websites that have a high amount of traffic to them has a chance of increasing search engine rankings.
It is essentially a way to shortcut the system of solidified, ethical SEO work.
Effects of Hacking
The ramifications of hacking can be significant and far-reaching. There are a few more common things that can happen when a website is hacked.
GoDaddy conducted a study a few years ago that concluded over 73% of hacked websites were hacked for SEO spam reasons.
Something like this could be planned and deliberate, or an attempt to scrape a website that is authoritative and capitalize on strong rankings and visibility.
In most cases, legitimate sites are ultimately turned into link farms and visitors are tricked with phishing or malware links.
Hackers may also use SQL injection, after which a site can be overrun with spam and recovery may be very difficult.
This can potentially put your website in the sandbox if Google detects it.
If detected, Google will display a warning message when users try to navigate to the site, thereby encouraging them to stay away.
It can also potentially result in the complete removal of a site from search engines in an effort to safeguard users.
This will both, directly and indirectly, influence SEO value:
- Visits: Overall organic site traffic will most likely drop significantly.
- Mistrust: Users may be less enticed to visit again if they know that your site has had one or more security issues, which also affects your traffic and, ultimately, your bottom line.
Oftentimes, hackers will implement redirects when a website is hacked.
These will send users to a different website than the one that they navigated to initially.
When users are directed to this separate web address, they will usually find that the site contains:
- Malicious forms of content, such as duplicate or false content.
- Other types of scams like phishing where users are enticed to click on a spammy link and ultimately reveal sensitive information.
If Google follows your site that has been redirected and sees that it contains questionable content, it may severely hurt overall organic visibility in search.
Search engines carefully assess the overall reputation and value of domains and links that link to one another.
During a hack, links will oftentimes be added to a site, and most likely ones with low value, which can negatively affect SEO efforts.
Your website may ultimately be flooded with backlinks from questionable sources, which will most likely decrease the level of trust Google or other search engines have in a site.
Being hacked can put a site at a serious detriment in Google’s eyes. This can affect a site’s presence in SERPs and also result in potentially several manual actions in Search Console if Google flags it.
The kicker is that oftentimes it does not. That usually only leads to more attacks, such as via malware, without the webmaster knowing, and puts the site at risk of an even greater loss, both from a visibility and a revenue standpoint.
This creates a bit of a conundrum. Being flagged or blacklisted for malware essentially depletes your site’s visibility across the board, at least until the site is analyzed and cleaned and penalties removed.
Yet, not getting flagged when your site contains malware can result in greater risk and penalization.
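The injected-link and redirect patterns described in the two passages above are usually visible in the served HTML, so a site owner can check for them before a search engine does. The following is an added example (not code from the article) of a small scanner, written with the Python standard library, that flags links to external hosts that sit inside hidden elements, meta-refresh redirects, and inline JavaScript that reassigns the page location. The sample page, the host `www.example.com` and the domain `spam.example` are constructed for the demonstration; the heuristics are deliberately simple and are meant as a starting point for a periodic check, not a complete malware detector.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never get a closing tag, so they must not go on the stack.
VOID = {"meta", "img", "br", "input", "link", "hr"}
# Inline JavaScript that sends the visitor somewhere else.
REDIRECT_JS = re.compile(r"location(\.href)?\s*=|location\.(replace|assign)\(")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []          # (tag, hides) for every open element
        self.script_buf = None   # text of the <script> currently open
        self.findings = []

    @staticmethod
    def _hides(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "hidden" in attrs or any(
            s in style for s in ("display:none", "visibility:hidden", "font-size:0"))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = self._hides(a)
        if tag not in VOID:
            self.stack.append((tag, hides))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))
        elif tag == "script":
            self.script_buf = []
        elif tag == "a":
            href = a.get("href") or ""
            host = urlparse(href).netloc.lower()
            # Hidden if the anchor or any enclosing element is hidden.
            hidden = any(h for _, h in self.stack)
            if host and host != self.site_host and hidden:
                self.findings.append(("hidden-external-link", href))

    def handle_data(self, data):
        if self.script_buf is not None:
            self.script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.script_buf is not None:
            text = "".join(self.script_buf)
            if REDIRECT_JS.search(text):
                self.findings.append(("js-redirect", " ".join(text.split())[:80]))
            self.script_buf = None
        # Pop back to the matching open tag; tolerate unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan(html, site_host):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page showing all three patterns plus normal links.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://spam.example/landing">
<script>if (document.referrer.indexOf("google") > -1) {
  window.location = "http://spam.example/x"; }</script>
</head><body>
<p>Welcome to our shop. <a href="/products">Products</a></p>
<div style="display: none"><a href="http://spam.example/cheap-pills">cheap pills</a></div>
<footer><a href="https://www.example.com/about">About</a></footer>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML, "www.example.com"):
        print(f"{kind}: {detail}")
```

Run it over pages fetched from your own site (the HTML as actually served, since injected code is often only present in the live response) and diff the findings against a known-clean baseline; a new meta-refresh or hidden external link appearing on an existing page is the kind of change the article describes and is worth investigating immediately.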
Common Risks & How to Prevent Attacks
There are a few more common things that put your site at a greater risk of getting hacked:
Installing Plugins or Other Tools From Untrusted Sources or Not Updating Them
Many plugins, such as those used in a CMS such as WordPress, are not all secure.
Hackers are consistently searching for sites that use insecure or outdated plugins and then finding ways to exploit the site.
As a best practice, it is recommended to research a plugin and read reviews before installing it on your site.
Sharing a Server May Also Pose a Risk in Terms of Site Security
This is because someone could easily upload a spammy or malicious file, or even grant access to other hackers.
Non-Secure Credentials May Also Pose a Risk for Data Security
It is recommended to create strong passwords for online accounts and to make them difficult to guess.
Another more advanced method to prevent an attack is through penetration testing. This analyzes and tests your network’s security and any potential vulnerabilities within it.
Everyone is affected by web security. When building a partnership with a website or client, SEOs should be able to provide some advice when it comes to overall security.
If you’re responsible for the SEO effectiveness of a site, part of your role is to ensure that there are security measures in place to protect it.
A Definitive Guide to Mobile SEO
3. Technical Aspects of Mobile SEO
Now let’s look at the technical aspects of mobile SEO.
When you optimize the SEO elements on a page, you should start with title tags, H1 headings, content, image alt text, URLs, and meta descriptions, just as you would when doing standard SEO on your desktop site.
Pay special attention to your title tags and meta descriptions.
Mobile search results pages don’t display as much information as desktop SERPs, so your titles and descriptions will be truncated to a much shorter length.
Use those marketing skills to write shorter, more compelling titles and descriptions, so you’ll make a better impression when you show up in mobile searches.
Make sure you don’t have any popups on your mobile site – they’re incredibly annoying.
Think about what you do when you’re browsing the web. When you get to a site and a giant popup appears, you get frustrated and close it immediately.
Your customers do the same thing.
Make sure you’re using schema markup. You should be using schema anyway, but it’s even more important when you consider the size of mobile screens.
And if you manage to get a rich snippet in search results, you’re even more likely to stand out when people are searching for you.
And finally, never, ever use Flash on your website! If you want your site to have animations or special effects, use HTML5 instead.
4. User Experience
It’s more convenient to search on a mobile device, but because of that convenience factor, user experience is critical to success.
So let’s talk about the things you should optimize to make your user experience stellar.
One of the most important UX issues on mobile sites is click size.
Whether it’s a menu button or a clickable element, you need to make sure the clickable area is large enough for finger taps.
Along the same line, pay attention to the distance between clicks. If your clickable areas are too close together, users will get frustrated when they can’t click what they’re trying to click.
Frustrated users are bad for business – they’re probably going to bounce.
Make sure your phone number is easy to see and is coded with a click to call link. Far too often, we see sites with unclickable phone numbers.
Why do you have your number on your site?
Because you want customers to call you!
So make things easy for them – add the click to call link.
Make sure your mobile menu is easy to navigate. If you’ve crammed a bunch of buttons into your menu, they’ll stack vertically on mobile, and might not fit on the screen – users will have to scroll to see them all.
If it’s too hard for users to find what they’re looking for, they’re going to bounce and find the answer or the product elsewhere.
Another massive mobile UX headache is forms. Most business owners and marketers don’t put much thought into their mobile forms, thinking that the responsive site solves everything.
The forms need to fit well on the screen, and they need to be easy to use. If the fields are too small, it’s tough to click them to select them.
But the biggest issue of all is the keyboard you use for your forms. There are several mobile keyboards available, and it’s important to connect the right keyboard to each field.
If a user needs to type in their name, you’re cool with the standard keyboard. When the user needs to type in a phone number, set that field to pull up the number keypad instead of the standard keyboard.
It’s a simple code change that will drastically influence the number of form completions you’ll see on mobile.
Font size is also important. Pull up your site on your phone – is it easy to read? Is there enough space between lines?
Don’t try to use a smaller font to squeeze in more content on the smaller screen – in fact, you most likely need to do the opposite. Make it easy to read and your users will be happy.
Make sure you’re serving different image sizes on mobile.
A full-screen image on a desktop is much larger than a full-screen image on a mobile device, so use your website code to serve up different images based on screen size.
Don’t load in huge images that you don’t need to. If you’ve got a slideshow, serve mobile-specific images for it, making sure they fit on the screen of a mobile device.
5. Mobile Site Speed
Page load speed is a Google ranking factor – and since it’s using a mobile-first algorithm, we know that mobile load speed is what matters.
It’s important, but note that your page load speed is really only going to affect your rankings if you’re in the bottom range.
The extremely slow sites get penalized – but once you’ve got a site that’s loading within a few seconds, shaving another half second off your load time isn’t going to help you rank any better.
It will help you convert more customers, though.
When you’re browsing sites on your phone, there’s nothing worse than going to a site that loads so slowly you feel like you’re going to die.
If that’s the case, your users will bounce and go to your competitors instead.
Most business owners and marketers have heard of Google’s Page Speed Insights tool. It shares incredibly valuable insights into how you can speed up your site, but it doesn’t really tell you how long your site takes to load.
Use it for the suggestions it provides, but opt for another speed testing tool to tell you the actual load time.
Now, we’re going to share eight tips that will help your site to truly rock in terms of page load speed.
- Find quality hosting. Server response time has a massive effect on your page load speed, so get your site on a host that’s optimized for fast performance. We’ve seen WordPress sites get moved to a better host and the load time is nearly cut in half immediately.
- Be careful with your site plugins. It only takes a few, especially chat and social media, plugins to slow down your site drastically. If you have any, try disengaging them and testing your “naked” site speed.
- Prioritize the loading of above-the-fold content. In other words, load what the users see first. Make sure you’re not render-blocking anything above the fold.
- Optimize your images before you load them. A 3-megabyte PNG file could be converted to a 210-kilobyte jpg image that looks the same on your users’ screens. Imagine how much faster your site will be if you could do that for every image. It’s also important to use responsive code to serve the right image size for the screen being used to view your content.
- Be careful with redirects. Too many redirects can slow down your site – and so will redirect chains. Only use them if they’re absolutely necessary.
- Use a CDN. CDN stands for Content Delivery Network, and it’s a collection of geographically different locations that serve your content. When a page is requested, its assets are served by the CDN server that’s closest to the user’s location.
6. AMP & Apps
We can’t talk about mobile page speed without mentioning AMP and PWAs, which are two alternative options for providing faster-loading content for your users.
AMP stands for Accelerated Mobile Pages, which are created with a special coding language that is based on a stripped-down version of HTML and CSS and loads almost instantly.
AMP tends to be mainly for news sites and wouldn’t make much sense for many businesses, as those pages don’t look as appealing as fully designed pages. Even worse, the AMP pages are stored on Google servers, and you get limited analytics data.
If you’re looking for a fast, streamlined user experience, apps are another option. Native apps allow you to do things that aren’t possible on a website.
There’s a bit of a barrier to entry, though – there’s no point in having an app if your customers and potential customers don’t download it.
You’ve also got to get the app approved by the App Store or Google Play.
A progressive web app, or PWA, gives you the best of both worlds. A PWA is a hybrid between a mobile website and an app.
You can download it directly from your browser without going to the App Store (or worrying about App Store approval).
It looks like an app on the user’s phone, but functions basically like a mobile website. PWAs are incredibly fast.
Thanks to data caching, once the PWA has been used one time, users can load and use the app without even being on a network. It can even send push notifications and access other functions on the device – just like native apps.
There’s even a newer hybrid combo of PWAs and AMP, commonly called PWAMP, which are progressive web apps built on AMP pages.
So, should you use one or the other, or any of the options at all?
Each business is different, so there’s no right or wrong answer.
It also depends on your customers and audience, on how users find you, and on how they engage with you once you’ve been found.
7. Optimizing for Local
Let’s finish up with talking about how to optimize your site for local.
Mobile searches are inherently local. Google knows you’re searching from a mobile device, and if that search has anything to do with local businesses, it’s going to show localized results.
A Google study showed that 76% of users who searched for something nearby visited a related business within 24 hours of searching.
Even better, 28% of those visits resulted in a sale. If you haven’t heard of it before, Local SEO is going to be your new best friend.
You need to be sure your content is localized – it needs to reference the local area, and you should be including your city name in your content.
Don’t stuff the city name in, mention it conversationally. It’s also helpful to write locally focused blog posts – they allow you to talk about specific information about the local area.
You also need to be sure that your NAP information is displayed on every page of your site. NAP stands for name, address, and phone number. Make sure your phone number is click to call.
Your NAP information needs to be marked up with Local Business schema – a type of code that shows Google that you’re a local business.
You should also use local optimization tactics when you’re optimizing the important SEO elements on your pages.
Include your location keyword phrase in your title tag, in your H1, and in your image alt text. Don’t just add it to the end – try to make it conversational.
Most website platforms allow you to customize your URLs, so include your location keywords in your URLs wherever possible.
Finally, include your location keyword in your meta description. It won’t help you with ranking, but since it appears under your blue link when you show up as a search result, it’s helpful to include the location info to boost the likelihood of a clickthrough.
You’ll also want to shift your link building strategy and start targeting links from local businesses. Google’s local algorithm values links from local businesses, even if the authority metrics are lower than what you’re used to seeing.
You’ll need to be sure your Google My Business profile is claimed and fully optimized. It’s a direct interface with Google that allows you to supply specific details about your business, and it’s the first thing customers will see when searching for your business.
Reviews play a big part in the local algorithm as well, so if you haven’t been paying attention to reputation management, it’s time to start working on getting more reviews.
Citations are also important to the local algorithm. Citations are mentions of your NAP information on other websites. Basically, they’re your directory listings.
They’re a foundational Local SEO signal, and Google expects to see the same NAP listed every time it sees your information on another site.
Want to learn more about mobile SEO? Take this course at SEMrush Academy. You’ll learn how to start thinking mobile first and top the rankings in mobile searches!