Google has had a long-standing ambivalence towards the concept of negative SEO. If you corner a Google employee and ask them straight up whether or not it exists, they’ll tell you that you’re scaring them and that you should leave before they call the police. If you ask in a more polite setting, you’ll get some waffling; it’s not a problem you need to worry about, it’s not something that’s commonly seen, it doesn’t have a big impact on search rankings overall…
The trouble is, none of this denies that negative SEO exists. So how can something with the potential to destroy a web business both exist and not be a problem?
What is Negative SEO?
“Negative SEO” is an umbrella term for a bunch of different possible actions an attacker might take in an attempt to damage your site in the eyes of Google.
The end result is, to the attacker’s ideal, getting your site dropped from the top results in Google search, and even making your business close down, if you’re in a fragile position.
- Bad Link Spam. This is one of the primary means of negatively affecting another site is simply to create hundreds or thousands of bad backlinks to the site. Go to a known private blog network that has been delisted and buy links from them. Buy a bunch of links from Fiverr or from other shady sellers. Make a bunch of spam comments on blogs with their link. Links can come from a wide array of sources, and bad enough links can hurt the SEO of the site they link to.
- Content Scraping. Scraping content can muddle search results so it looks like your site isn’t the only one publishing the same identical pieces. Normally, Google uses indexation date, not displayed publication date, to determine who published the content first. This is fine, unless they index the spam site before they index your site, making your site look like the copier. There are ways around this, and if your site has sufficient trust they will often still give you the benefit of the doubt, but it can be detrimental nonetheless.
- Bandwidth Spam. Some attackers take a more direct route to hurt your site by flooding your web server with traffic. At a low level this can slow everything down, which hurts your SEO in terms of pagespeed metrics. A higher volume attack might have your web host sanctioning your account for your resource usage. Even stronger attacks can even take down your site entirely.
- Hacked and Hidden Spam. Sometimes, a particularly determined attacker might actually break into your site, either by compromising your admin accounts, hacking your email, or phishing you. In some cases a skilled hacker might even socially engineer their way into getting your information reset. Regardless, once they have control over your site, they hide spam links and spam pages. Some will just compromise the whole site, but others will be clever enough to simply drop hidden spam that Google can see, but users cannot. That, or they just put “noindex” on your site headers and let Google drop you entirely.
Now, when most people talk about negative SEO, they generally mean the first item on the list, link spam bombing. These spam attacks can be pretty sophisticated; they might use carefully chosen keywords to make it look like you as the site owner are trying to buy those links. They might make fake profiles under your author names to spam blog comments.
The reason link bombs are the chosen method for negative SEO attacks is because they’re easier to pull off and harder to trace. With actual hacking, it’s a difficult ordeal to pull off. With a DDoS attack, you need significant resources, and you can be traced. With scraping, it’s a pretty low success rate and very easy to counter. Link bombs, though, can slowly and steadily build for months or years before they take effect and demolish a site.
Negative SEO is not a myth, so why does Google seem to disavow all knowledge of it, and generally downplay it whenever it comes up in conversation?
The reason Google doesn’t consider negative SEO to be a huge problem is two-fold. Firstly, their algorithm is very sophisticated. They fully understand that negative SEO is a possibility, so usually when they delist a site or they hunt down a private blog network, they simply deaden the links coming from those pages.
What this means is that those links might as well not exist. They’ll show up in your backlink reports, and they’ll pass traffic if anyone is actually visiting one of those private blogs, but they won’t pass positive or negative PageRank. As far as Google is concerned, they don’t exist.
The second reason Google doesn’t consider negative SEO to be a problem is that they have a tool you can use to fight it. The Google Disavow Links tool, found here, allows you to upload a list of links that you think are harmful to your site and that you don’t want to exist.
When using the disavow tool, Google recommends that you take other efforts first. Reach out to the site owner and try to get the links removed. Report the site to a webmaster if necessary, and if it’s obviously spam. Also, make sure the link is actually something you want to have removed. The disavow tool is basically a nuclear option, and can be dangerous if you disavow good links with it.
Basically, as far as Google is concerned, negative SEO might as well not exist. Some negative SEO links hurt some sites, but at the same time, some negative SEO attacks include a few links that turn out to actually be positive. Most links in such attacks are easily filtered, and you can easily disavow the rest of them.
There’s a problem with this situation, though. Actually, there are two problems. The first is that a negative SEO attack doesn’t necessarily need to damage your site for very long; they might be able to knock your site down a few pegs and then out-do you with their own site while the chance is there. You might not experience a permanent loss of traffic and ranking, but you can lose customers and leads. It can set back your expansion plans as well, given that it can lead to a couple of thin months with minimal profits.
There’s also the problem that Google seems to think they’re the only game in town. When you disavow a bunch of links, Google stop treating them as links, and your search ranking will change accordingly.
The problem is, those links still exist. Google didn’t reach out and remove them. They don’t send out press releases with lists of links that are no longer considered legitimate. Any other third party link analysis software is still going to see those bad links and is still going to factor them into calculation.
This isn’t necessarily a bad thing, really. Majestic might still consider those spam links as bad links, and your site ranking with Majestic might be lower than it should be, but that doesn’t matter to Google or to your customers. No one is checking your link profile with Majestic before they sign on to buy your service. It’s an internal metric that might look lower than it should, but it’s still internal. Majestic’s rankings don’t affect Google search results.
Dealing with Negative SEO
If you or a loved one is a victim of a negative SEO attack, contact the law offices of… okay, dropping that joke. Negative SEO can be dangerous to a site, so it’s worthwhile for you to keep an eye on the possible threat vectors. This goes back to those main methods of attack I mentioned all the way at the start.
Bad Link Spam. Link spam is the most common form of negative SEO, but it can also be fought fairly easily. It’s only a problem in massive volumes, and most significant attacks will be noticeable if you even glance at your traffic metrics over time.
I recommend doing a full backlink audit if you have not done one before. Use a tool to pull your entire backlink profile and go through it. Find links that fit the bill as being bad and set them aside in a separate file. Once you have this file, you can reach out to webmasters to get links removed, and you can throw the whole file into Google’s disavow tool as mentioned above.
A link audit is not a one-and-done thing, unfortunately. You’re going to need to keep an eye on new links showing up to your site. I recommend a maintenance audit about once every six months. Twice a year is enough to catch when a slow or low-scale negative campaign is being waged against you, and you can do spot checks occasionally to see if you should be more immediately concerned.
If you’re in a very competitive niche, a cutthroat industry, or if you notice a competitor with a bad site is rising above your good site, you should check more often. There’s always a chance one competitor is rising above what they deserve through knocking everyone else down.
Content Scraping. Having your content scraped and published in another location or under another name is a pretty common problem. As I mentioned up above, it’s rather unlikely to actually hurt your site in most cases. As long as you’re not borderline spam yourself, Google will have built up some trust in your site and will recognize that a post published on your site and a post published on some dumb microsite are not the same.
That said, it can be worthwhile to occasionally delve through the internet looking for spam copies of your content. Take a recently published article or an older article and run it through a plagiarism checker. Copyscape is good for this. You can also take specific sentences and run them through Google to see if they show up anywhere else. Put quotes around them so you get exact matches, not partial matches.
Copyscape also has an active anti-plagiarism scanner available for a fee. It scans their index of the web – and through various search engines – looking for copies of content published on your site. You are alerted when a copy is found, and you can track where, who, and how you respond to them. It’s called CopySentry, and unfortunately it gets pretty expensive. It’s $5 per month for weekly checks or $20 per month for daily checks, but that’s only for 10 pages on your site. After 10, it’s either 25 cents or $1 per page, for weekly and daily respectively.
That said, it can be a good idea to set up 10 pieces of content to be tracked, rotating them out every month or two. A simple $5 membership should be enough to give you a hint of anyone copying your content, and you can do more detailed scans from there.
Bandwidth Spam and Hacking. I’m lumping both of these together because they both come down to security. There’s not much you can do against a DDoS attack other than implement protection against it like CloudFlare. There are specific anti-DDoS protection suites available, but frankly unless you’re actively being targeted, there’s not much need to implement one.
Hacking protection, meanwhile, is essential. You want to take any step possible to keep your site safe. Use SSL. Use secure FTP for uploading files. Make sure your username and password for admin access on your site and on your hosting are unique and strong. Educate yourself about phishing vectors and common attacks. You can also do semi-regular site audits looking for rogue pages or intrusions onto pages. All in all, information security is a huge topic all its own, and there’s only so much I can cover here. Just strive to be secure.