This document discusses how SEOs can help with cybersecurity by identifying vulnerabilities and malicious activity on websites. It provides three ways SEOs can benefit security: 1) Prevent risks by checking robots.txt files and Google search results for sensitive information exposure, 2) Identify weaknesses like outdated plugins or default credentials through site crawls, and 3) Identify malicious activity by monitoring for hacked pages or spammy content. Specific tips include using Google Alerts to monitor code repositories for leaks, crawling sites as Google would to detect unusual content, and reviewing Search Console for security warnings. The document emphasizes the value of vigilance, asking questions, and investigating anomalies to enhance website protection.

1. Google, Cybersecurity
and You: Being
security savvy as an
SEO
Chris Spann | Deepcrawl
@marqueetag

2. Who Am I?
1
2
3
4
Hi, my name is Chris!
I’ve worked in SEO for nearly 15 years
I have an unhealthy interest in breaking
things and making things do things they
aren’t supposed to
I’m a member of the Professional Services
team at Deepcrawl, working with some of
the biggest websites on earth, finding,
diagnosing and fixing issues from the really
really mundane to the really really weird
1
2
3
4

3. 60% of Small Businesses
close within 6 months of a data breach
Why should I be concerned about security?
😞

4. 60% of Small Businesses
close within 6 months of a data breach
As well as direct financial damage,
damage to reputation and customer confidence can be long term
Why should I be concerned about security?
👤

5. 60% of Small Businesses
close within 6 months of a data breach
As well as direct financial damage,
damage to reputation and customer confidence can be long term
You don’t have to be targeted
to be a victim of malicious activity, just vulnerable
Why should I be concerned about security?
🤷
♂️

6. Disclaimer:

7. I am not a security expert!
I’m just an SEO who is either cursed or blessed
with the ability to find these things.
This talk is about preventing issues where
possible, and learning how to find problems to
report to your Secops/Dev teams
Disclaimer:

8. So what can I do?

9. SEOs have a unique view of websites

10. Three Ways You Can Provide Security Benefits

11. Three Ways You Can Provide Security Benefits
Prevent risks

12. Three Ways You Can Provide Security Benefits
Prevent risks
Identify weaknesses

13. Three Ways You Can Provide Security Benefits
Prevent risks
Identify weaknesses
Identify Malicious Activity
both successful and attempted

14. Robots.txt
● Robots.txt is a great way of keeping Google out
of folders and files you don’t want it getting into
● But consider whether you want to announce their
existence to the whole world

15. Robots.txt
● Instead, consider using the X-Robots-Tag header
to prevent indexation and limit crawling if you don’t
want the urls known - or better yet, block non-
verified visits
● As an aside, if you allow UGC, consider what could
happen if a user is allowed to create a robots.txt slug

16. Google Alerts
● Set up an alert for ‘site:github.com “[your-website.com]”’
● Catch devs accidentally storing private
keys etc in public github repos
● Catch other nefarious actors who might
be targeting these domains with scripts/code

17. Google Alerts
● Keep an eye out on what shows up for an image
search for your brand - what can you see in the
background of office photos from news stories?
● This also applies to social media -
has your new starter taken a photo
of their pass?

18. Crawl Your Site As Google
● This will help you see if your site returns anything
weird or untoward when it thinks you are not a
“normal” user
● Don’t worry too much if the crawl crashes! Your
security team might already be one step ahead

19. Monitor your SERPs
● Wordpress sites in particular are susceptible to
compromise due to their off the shelf nature
● A famous hack, known as “The Pharma Hack”
(Recently overtaken by “The Japanese Keyword
Hack”) can serve spammy content to Google -
but not to users

20. Question Things That Look Weird
● Look into outliers - go down rabbitholes,
● and always think laterally about how or why
something has ended up a specific way
● Just because something says it’s Googlebot,
don’t believe it on face value

21. Question Things That Look Weird
● Look into outliers - go down rabbitholes, and
always think laterally about how or why
something has ended up a specific way
● Just because something says its Googlebot,
don’t believe it on face value

22. Search Console
● Search Console will straight up tell you if Google
believes your site has been compromised
● Keep an eye on all those subdomains that are no
longer used - a malicious actor can tank an entire
domain’s traffic by 90% via DMCA takedowns
● Make sure the owner inbox is monitored

23. Summary
● Get to know your site
○ How big is it?
○ What do your SERPs look like?
● Be vigilant of change - especially changes you
haven’t made
● Set up alerts
● Automate crawls
● Spend time in Search Console!
● Anything you really don’t want Google or users
to find should not be in your robots.txt
● Go down rabbitholes, ask questions, investigate
anomalies

24. Thanks for Coming.
Resources: https://linktr.ee/chrisspann
Chris Spann, Senior Technical SEO at Deepcrawl
@marqueetag