There was a story on the news a day or two ago about websites ending with a ".gov.uk" domain getting hacked and being used to sell drugs which were found to be fake.
It was on the Channel 4 news; you can watch the clip and read more about it here.
It got me thinking, not only because we look after a .gov.uk domain, but about the wider implications of hacking and the effect it has on rankings both in the short and long term. I believe we are slowly moving towards a situation where Google will start punishing hacked websites.
Currently Google appears to treat hacked websites with a soft touch: provided they are repaired and restored with all nasties removed, they return to their original rankings relatively quickly, taking days or weeks rather than months or years.
I wonder what would happen if Google were to take a firmer line on sites being hacked. We saw the rapid adoption of secure certificates when Google announced they would be promoting sites which delivered content over SSL over those which don't, effectively rewarding websites which are taking steps to be more "trusted".
Following this line of thought, it's not hard to imagine Google punishing sites which are repeatedly found to be untrustworthy, especially if a compromised site begins serving malware or worse. If a "webmaster" isn't willing to take steps to protect their site following a breach of security, do they deserve to be ranked as high as a site which takes necessary precautions?
It would be harsh to permanently punish a site for a first offence, but for repeat offenders it seems a reasonable stance to take.
An obvious consequence of this is that it will raise the bar for security. In the long term, will this be such a bad thing?
The main flaw in this is that hackings can happen in a multitude of ways. The Shop Talk podcast has a fascinating episode where the author was victim to a social engineering attack on his hosting company, which led to not only his websites being compromised but his personal information being posted on the dark web.
Should a website be punished because a hosting company, in this case a very reputable one, had a vulnerability in their account authentication? Technically the author did absolutely nothing wrong, so to be punished seems incredibly harsh, especially when it was the hosting company at fault.