Learn how to do your job better

Thumbnail for video explaining how to check website for malware

Is Your Website Infected with Malware? Free Tools to Help You Check.

And You Don’t Even Need to Be “Techy” to Use Them!

Scroll down to watch the video (audio transcript is below that)

Do you know that “bad actors” on the internet will try to infect your site with malware and spam in ways so subtle that you don’t even know they’ve done it? And often they aren’t after your secrets, they just need your website to help them blast spam emails, practice negative SEO, or host hundreds of advertising pages you don’t even know about.

In they process they can hog your website resources and earn you or other websites a bad reputation with Google. For that reasons you need to be able to quickly check your website for unwelcome intruders. Of course there are lots of more technical tools for doing this (if your site is running WordPress our favorite tool for checking and protecting is Wordfence).

In this video we take a look at a number of other tools that require no technical expertise to use, and we find that they are not all created equal.

(Interested in more in depth SEO training? We offer live SEO workshops like this.)

By the way, if you discover that malware is infecting your website, you will need technical help, so be prepared. But whatever you do, don’t ignore this issue. It’s one of the first things we do when we’re doing an SEO Audit.

Audio Transcript

Hi, everyone. I’m Ross with Horizon Web Marketing, and I’m here with another SEO Audit How-To. So, we’ve been working our way through the SEO audit checklist that we use internally when we do an SEO audit on a site and giving you little tips on how you can clear items from your audit checklist. Let’s take a look at the checklist. As we scroll down under the technical factor section of the checklist, you’ll see that one of the sections is security issues, and I’ve done another video that talks about how we can clear these two items. Is the site using https, and is that being served consistently?

detail image of seo audit checklist with the security issues highlighted

Today, we’re going to talk about this question, is the domain clean of hidden malicious code? Now, you may think that your domain is as clean as a whistle, but on the other hand, the people that are out there planting malicious code on websites often do a pretty good job of not letting you know that they’re around. And don’t be going according to the assumption that every time someone hacks into your website, they want to steal something from you. Often they’re hacking into your website so they can do things like blast out spammy emails or put up advertising pages that you don’t know about using your domain, and now also they might use your domain for something called negative SEO, where they plant a whole bunch of really lousy links to other websites to try to take them down, and you’re just the unwitting host of this.

So, here’s how we go about checking a site, and before I do that I’m going to show you this article here and I’ll put a link to this article. It’s a pretty good one, “11 Awesome Tools for Website Malware Scanning.” So I went through there, and I actually saw some tools that I didn’t know about before. They’ve got a list of some. Now, many of these tools are ones you have to install on the backend of your site. What we’re going to focus on today, with the exception of Google Search Console, we’re going to show you tools where you don’t have to have login privileges in order to check out a site.

So, if you do have, when it comes to your own site that you own, probably the first place you’re going to go is to Google Search Console. Now, if you’re not familiar with Google Search Console, you need to change that, and we’ve got some videos that show you how to get set up with it.

When you’re within Google Search Console, on the left you’ll see that there’s a choice called Security Issues, and when we click on that, if Google has picked up on any malware, any malicious code on your site, they’re going to give you a notification here. So typically, they’ll push a notification to you if you have your email entered into Google Search Console, but as a matter of course for sites that we maintain, we make it a practice to check this at least once a month, make sure that Google hasn’t picked up on something that we’ve missed. However, this is a cursory check. It doesn’t catch a lot of stuff. I have had it catch security breaches before, but I don’t think it always does that.

The security issues screen in Google Search Console

Now, some of the checkers that are listed on that page that I showed you are not that great at catching code, so what I did is I decided to go to a website that I know has malware infection because I’ve been following this website for years because they’re a host for what we call negative SEO and have actually been used to launch attacks on at least one of my clients. So, I’m going to go to this website, and here it is. It’s called coopercomputers.com. It’s still up and online. You can see that it’s like an abandoned site. If you dig down into this domain, you’ll see pages like this where basically the pages have been hacked, and then all sorts of images have been placed. And if you dig down into the code, you can find all sorts of shady stuff going on. So, I decided to take this and do a little test on some of the malware checkers that are listed in the article I showed you.

The first one that I went to is this one here called virustotal.com. I ran that site through it, came back pretty clean. This is basically a meta check, so it goes and it goes through a lot of different checks. Notice it shows Quttera’s listing this as suspicious. Quttera is another one of the sites that we’re going to take a look at.

Web Inspector, another one here we go to, and boy, it looks like it’s pretty clean so far. And then I’ve gone to Rescan.Pro, which is another resource. We’ve scanned the site and once again, looking good. Alright. Now we’re going to go to the site that we always use when we do a check like this on a client’s website or on a prospect that we’re looking, for example, for a link partnership arrangement. We’re going to go to Sucuri, and a lot of developers know Sucuri. They really know their stuff pretty well. Plugged in the website. Notice, not so clean. “Warning: malware detected. Critical Security Risk. Known Spam detected. Your site is hacked and needs immediate attention. Malicious code was detected on your site.” Notice down here, “Malware detected by the scan and injected spam detected.” So, obviously this site is not as clean as some of these tools would have made it out to be.

picture of results page of check on coopercomputers

Our Go-To Web-Hosted Site Check Is Sucuri

Now, I have plugged this same homepage of this site into Sucuri, and it’s come back clean, even with this tool. As a matter of fact, just last week I was doing a demo where I plugged this computer in. Sucuri came back and said that the homepage was clean, so I had to go and put an internal page into the checker in order to discover the code. The moral of that is when you’re doing a check on your site, don’t stop at the homepage. Pick a couple of internal pages and run them through a couple of different checkers.

Now here, Google has their own what they call a Safe Browsing Report. Notice Cooper Computers came back clean with Google’s own report. But, Sucuri is not the only one. There is Quttera. Remember they were mentioned. It says, “Potentially suspicious content detected on this website.” And you scroll down here and it’ll tell you that it has potentially malicious files that it found on this site.

Also, Siteguarding here, another tool, actually gave me an extremely good readout on this site although it’s a little bit on the technical side. It says, “The website is infected.” Now, this is the one that was probably the most surprising to me because they actually identified the infection as “Spam SEO Linking Anomaly,” which goes along with the negative SEO. That’s a subject for another time, but basically the bottom line is they were able to pick up on the infection at Siteguarding. I think I have one more example here. Nope. No more examples.

So, there we’ve just walked through a few tools. I would say if you’re in doubt, I would typically recommend Sucuri as my first bet go-to site. But as I’ve shown you, these tools are not entirely perfect, and they don’t claim to be. There’s only so much that a tool can do running a scan, but this will give you a good start in checking whether your website is infected.

So, I hope this has been useful to you. Let me know if you have any comments, suggestions for this video or for any others, and definitely subscribe with the big red button. Next to it there’s a little bell icon. Make sure you click on that too because that’s the only way you’ll actually get notifications pushed to you from Google.

I also drop a few more resources and links down in the description, so be sure that you click on the ‘Show More’ button underneath the description to see everything that’s available with this video. And definitely come back and check out our other videos when you have a minute. I’ll see you next time.

Ross Barefoot is the Chief Technology Officer at Horizon Web Marketing. In his work with Horizon Ross brings 35 years of small business management experience, 25 years programming experience, 20 years web development experience, and 13 years experience as a professional SEO. Ross is also currently a certified SEO trainer with the Search Engine Academy and serves on its board of directors.
      

Thumbnail for video explaining how to check for https secure protocol implementation

Secure Protocol 101: How to Check the HTTPS Implementation of Your Website (video)

Another SEO Audit How-To Video

Google wants your website to be secure! That’s why they are favoring websites that use “https” instead of “http”

Image of a website running https

Above is an image of how a website will show in a browser if it is running https

 

Image of a website showing a not secure warning

Above is an image of a site that has not implemented https, or has done it incorrectly

This is another video in our series of SEO Audit Essentials how-to’s. In this video I discuss one of the items we always check when we’re doing an audit on a website, namely whether it’s running on secure protocol (in other words, using “https” instead of “http”), and then, if it is, whether that https protocol has been implemented correctly (often it has not).

Since Google is valuing https in their ranking we always want to make sure that Google doesn’t think the https implementation on a website is broken. It might negatively impact the trustworthiness of the site.

(This video is designed to complement our SEO Audit Essentials free checklist. To get a copy of that checklist for your SEO work, click here)

An audio transcript appears below the video.

Audio Transcript

Hi, everybody. This is Ross Barefoot with Horizon Web Marketing. I’m here with another tip for how to use our SEO audit checklist. As you may already know, and may already have a copy, we offer as a free download a checklist similar to the one we use in house for performing an SEO audit on your website. So, we’re just going to drill down into one small aspect of that, and show you how you can do a check on your site. And in this case, it’s for the security protocol that your site is operating under.

Let’s take a look at the checklist. You can see it here. It’s set up in a spreadsheet format.

image of seo audit essentials checklist

If we scroll down a little bit, you’ll see it there’s a setting that says security issues. And the first question is, is the site using HTTPS? Of course, as you probably know, Google is pushing everyone to use a secure protocol and here I’ve got a project site to take a look at. You’ll see up at the top left that the site is using HTTPS, as opposed to just HTTP. Whenever you visit a website, typically, if it’s running this secure protocol, if you’re using Chrome browser, it’s going to show secure, other browsers will show something similar.

Your first step is, if you’re going to check out your site is try typing in the address, just like I’ve done it here without any protocol [ed: without http or https] and hit Enter, and then see what it defaults to. In this case, it defaults to HTTPS. So, so far, so good. I’d click around to a few pages on a few links, see if it’s running HTTPS. Okay, so at this real basic level, it looks to be running HTTPS. But I’m going to check one other thing, and that is what about if somebody has a link out there with just the standard old-fashioned HTTP? So, I’m going to put that in for this site and I’m going to hit enter. Now notice that it redirects again to HTTPS.

So, some sites do not force it to check. Part of what you’re going to do is you’re going to check by taking out that S, and running it through and seeing if it redirects back to the secure protocol. But typically, you’re not done there.

Using the Insecure Content Report in Screaming Frog

Now tool that we use quite a bit, and I’ve talked about on some of my other videos is Screaming Frog [ed: for a link to any tools mentioned in this video, see the description of the video on YouTube]. It’s free for up to about 500 URLs. It’s a free download. Otherwise, if you have to buy it, it’s a good tool to have. I’ll do other videos on what we use it for, a whole bunch of different stuff. I’ve done a crawl here on a somewhat abandoned site called rockymountainsearchacademy.com. Once I do a crawl using Screaming Frog, they have a report that is called insecure content. When you click on that, it’ll prompt you to download a spreadsheet.

image of the dashboard of Screaming Frog

What the spreadsheet looks like is right here. You’ll notice that it will show me every page that has a link on it that points to an insecure destination. In this case, on my page, How To SEO Courses, you’ll see here under the column destination, notice how the protocol over here is HTTP. That’s not really the best case. Now in our situation, we do have what are called redirects in place. So, if someone clicks on that link, they are forced to a secure version of this page. But that puts an unnecessary step in the process. So, this would be an area that I would need to give some attention to, to change these links here to HTTPS.

Using JitBit to Double Check for Page Resources Called Insecurely

Now there’s one other free tool that I’m going to show you how to use. We’ll go back here, and we’ll check this tab. This is a cool little site called JitBit. You can go there and do an SSL check. Now, this will only go up to about 200 pages. But it gives you a good idea whether you might have a problem or not. Notice you have to tweet to gain access? That’s a small price to pay. So, I go ahead and tweet, and I’m going to show you what the result is when I did a check on Rocky Mountain search engine Academy. And you can see in the screen capture here, that it finds just one insecure item. Now, this is because it’s looking for actually where the website is calling some sort of a resource that is using something to build the page that is insecure. Now, this is something that Screaming Frog did not pick up on. And so, in essence, you really have to do a variety of different checks.

At this point, if you find that you do have a problem, and you’re not really technical, here’s where you call in your developer or an outside developer if you feel that your developer, or the person you’re working with, can’t handle this. And you say, “Well, here’s what I find:” In the case of Rocky Mountain search Academy, I have a bunch of insecure links that need to be swapped out. That can be done with a one-step database replacement operation. I would also show them the JitBit document, because it shows where an external script is being called insecurely. Both of those are red flags to Google. And so, they would need to be dealt with. Once you deal with them, you can mark this off your list.

Again, my name is Ross Barefoot with Horizon Web Marketing and Horizon Web Marketing Academy. I hope this has been useful to you. Please subscribe for more tips like this, and also click on the bell icon next to the subscribe button. That way, you’ll actually get a notification when we have new videos come out that will help you work through these tough SEO questions. Bye for now.

Ross Barefoot is the Chief Technology Officer at Horizon Web Marketing. In his work with Horizon Ross brings 35 years of small business management experience, 25 years programming experience, 20 years web development experience, and 13 years experience as a professional SEO. Ross is also currently a certified SEO trainer with the Search Engine Academy and serves on its board of directors.
      

Video thumbnail How to Set the Preferred Domain in Google Search Console

How to Set the Preferred Domain in Google Search Console

SEO How-to Video: Make Sure to Set the Right Version of Your Website in Search Console

There are at least two versions of your website, and it’s important you tell Google which version of your site is the “preferred” one. In this video I will walk you through the “why it’s important” and also “how to get it right.”

(If you prefer reading to watching, the text version of the video is below)

Audio Transcript

Did you know that Google sees different versions of your website? That’s the case even if you never intended to create different versions of your website. Did you also know that it’s extremely important to know which version of your website you’re looking at or working with when you’re using Google’s search console.

Well, that’s the subject of our video today in business basic SEO, so stick with us and I’ll be right back.

Hi, I’m Ross Barefoot with Horizon Web Marketing and the Horizon Web Marketing Academy where we help business people understand SEO. Now today we’re going to be talking more about the search console, this is a free tool that Google offers to web masters, business owners, anyone who’s working in digital marketing or SEO and who wants to do better with Google.

Now, search consoles are a very valuable tool as a matter of fact in our consulting business, we work with it all the time. In our training academy we teach about using it all the time. Let me explain a little bit what I’m talking about when I say that there are different versions of your website. I’m going to jump over to a website that’s sort of an under developed website. It’s very plain looking, but it will serve the purpose for us.

Now, this website is called artisansofcolorado.com, and you’ll notice up in the address bar, up here for search. Notice the details of how that’s represented, h-t-t-p-s www.artisansofcolorado.com. Now that website also could be reached if I typed in, for example just artisansofcolorado.com. If I type that in it’s actually going to go to the same website, but Google actually views those as two different variations of the same website. As a matter of fact, it’s technically possible for you to have completely different content on the www version of your website, than you have on the non www version of your website.

It goes beyond that, this particular website is running over what we call a secure protocol, and Google has been pushing most site owners to run over a secure protocol. That’s always shown with http and then an S, after the http. So, in essence for any website that’s running securely, there are four different ways to reach that website. Http://artisansofcolorado.com, http://www.artisansofcolorado.com. Https://artisansofcolorado, and https://www

Screen capture of the various versions of artisansofcolorado.com that can appear in Google Search Console

Now, the interesting thing about this is when you’re working with your website, and Google search console each of those variations really should be setup as if you had four different websites. We’re going to switch over now to Google search console, and I’m going to just show you a little bit about how you do this, and how you indicate to Google which one is what we call your preferred domain when it comes to working with Google search console.

Now first of all, adding a website to Google search console and getting setup with Google search console is a little bit more involved and we do have a video that walks you through that process. So, if you have never added your site to Google search console before, I’m going to put a link on screen. I’m also going to put a link down in the notes for this particular video and you’ll be able to link over to that. I’d recommend you stop at this point, go over, learn how you add and verify a website in Google search console. Then come back and conclude with this.

So, what I’m going to do right now is I’m going to use this red button up in the top right, add a property and I’m going to use https//artisansofcolorado.com, and what Google will do is it will add this, it will ask me to verify it.

screenshot of Add a Property button in Search Console

Now, because I don’t want to bog down this video, I’m going to go ahead and complete these steps and then I’ll come back into the video when I’m done, and then we’ll move forward from there. So, here we are back at the search console and I’ve taken a moment and added and verified four different websites, but you and I both know this is really one website.

To Google however they’re going to treat it as four. I have the http version of artisans of Colorado without the www, and I have it with the www, and then I have the same thing for the https version. Both different variants of the site. Google does recognize that these sites are probably supposed to be tied together, but they still recommend that you set which one of these in the settings of search console is your preferred domain. Which one should be dominant? So, how do we determine which of those is which? I’m going to suggest that the easiest way to do it particularly if you’re non technical is to let the internet make the decision for you.

So, go to a browser, and then notice how I’ve typed in just the domain name, now the domain name is whatever word is to the left, followed by whatever is to the right of the period. So, in this case it’s just straight out artisansofcolorado.com and I don’t add in www. I don’t put in http, I just put in the domain name and I hit enter. Notice how the address bar in the top has changed, https and www have been added. So, this indicates to me that this website is setup in such a way that it should default to that particular variant. Let’s return to search console and here’s how we tell Google that, that should be our preferred domain.

screenshot of the settings gear icon in Search ConsoleWe’ll click on this one here, the www version, and then we’ll click on the gear at the top right, and we’ll select site settings. Often when you first set this up, Google will choose one of those as the default. In this case, if it comes up set as don’t set a preferred domain, you’re going to now change that setting and we will here. We’re going to select the radio button. Remember we want to be with the www, we’ll click save. Now, I’m going to show you something interesting about this. Google of course tells us that it views these as four different websites in effect, but once I’ve made this change if I go to any of these other variants. Let me take this one here, and I click on settings.

screenshot of the site settings in GSCNo, it’s changed it for this one as well. So, in other words this does indicate that Google recognizes, as I said earlier that these are supposed to be part of a matched group. Basically we have done what we need to do. Now, the last thing that I need to tell you is, when you come back to search console as data has started to accumulate here, you will not see the same data in each of these various websites. So, the account that you go to for your most consistent, most complete information is going to be the one that you set here and proceeded by your default protocol in the http versus https. That defines what we call protocol.

So, typically when we come back and we want to manage this site, submit site maps to Google search console or see things like for example crawl errors and so forth. We want to focus on that particular property. Now, there is a way where we can further tie all of these websites together and it’s something called the set, but I’m going to leave that for another video. So, for now I’m going to just let you go and set your preferred domain if you haven’t already done so. Of course if you haven’t added your websites to Google search console, then go and look at the other video that I’ve referenced in the description. Then go and add those sites to Google search console. That’s one of the first steps that you do when you’re optimizing a site for search.

I hope this bit of business basic SEO has been helpful to you. If you like tips like this, and they are useful to you, make sure that you subscribe to our YouTube channel down below. Also, go ahead and leave us a comment if you’d like to see videos that we don’t have within our channel. In the mean time, thanks for tuning in and we’ll see you next time.

Ross Barefoot is the Chief Technology Officer at Horizon Web Marketing. In his work with Horizon Ross brings 35 years of small business management experience, 25 years programming experience, 20 years web development experience, and 13 years experience as a professional SEO. Ross is also currently a certified SEO trainer with the Search Engine Academy and serves on its board of directors.
      

picture of man who's overwhelmed by the thought of SEO training

Looking for Some Real World SEO Training?

Kate: Can you imagine a life where everything was just easy?  You know, like where you ask for things, and then people just bring them to you?

Jack: It’s wonderful…

– “The Family Man” (2000)

Ah yes, wouldn’t it be nice if you could read some sage bit of Search Engine Optimization or Digital Marketing advice, call in one of your well trained staff members, ask them to implement and simply wait for them to bring you the results?

Welcome to the Real World

picture of man who's overwhelmed by the thought of SEO training

Is SEO training just one more thing on your plate? Then only worry about the essentials!

I don’t know about you, but that ain’t the business world I operate in.  I grew up in small business, literally, and I’ve spent the last 35+ years in a world where managing a business or a department tends to be like fighting 5 fires in a high wind with a garden hose and a shovel.

Taking time away from all the other concerns of a hectic day to become an expert in SEO simply isn’t an option for most small business managers.  If you’re like me, you long for information that is stripped down to the essentials.

It’s to fill that need in SEO that we created a new online training course called “Real World SEO: Essentials.”  This course is designed to cut through all the stuff that no one in the “real world” will ever do and focus on the meaningful concepts and the realistic actions most busy small businesses CAN take based on knowing those concepts.

The course is divided into 9 modules and is approximately 6 hours of video training.

Who is the Course For?

Business owners and managers

This course wasn’t just designed for business owners.  It is designed for ANYONE who has to get their website seen while managing other business operations.

Independent web developers

It’s also a perfect class for Web developers who need to perform SEO for their clients but need to focus ONLY on the essentials that will have the best shot at results.

Marketing professionals

Finally, if you’re a marketing professional who is expected to manage, or simply know about, Search Engine Optimization, this course is a compact way to bring you up to speed on those concepts that will benefit your clients and put you ahead of most other marketing agencies who are after their SEO business.

Get the First 3 Modules for Free

Already know you want the full course?  Sign up here and take $50 off (this introductory offer is only good through January 31st, 2017)

 Try it Out for Free

We know how valuable your time is, otherwise you probably wouldn’t have been interested in the premise of this post.  So instead of forcing you to commit to a purchase of the full 9 modules, we’re giving away the first 3 absolutely free.  Once you sign up you’ll also get a downloadable free bonus: our SEO Workflow Journal, a template similar to what our agency uses for managing an SEO project.

The free sampler we’re giving away carries a double benefit: Not only will you have an idea of the value of the training before you purchase the full course, but regardless of whether you get the full course, you’ll get valuable and actionable insights.

What you’ll learn in Real World SEO: Essentials

Get the First 3 Modules for Free

Already know you want the full course?  Sign up here and take $50 off (this introductory offer is only good through January 31st, 2017)

Module 1 – Introduction (34 minutes)

  • The Starting Point: pragmatic SEO
  • Be ready to roll up your sleeves and do some work
  • Expectations for the course
  • What you will need
  • What the goals of the course are

Module 2 – Basic Understanding (22 minutes)

  • How search engines find web pages
  • How they organize and store web page content
  • The anatomy of a SERP
  • Why certain sites are ranked higher than others

Module 3 – Evaluating Your Website (36 minutes)

  • How to evaluate your current website
  • The importance of KPI’s
  • Getting started with Google Analytics and Google Search Console
  • Resources for evaluating your website such as Open Site Explorer

Module 4 – Make it Search Engine Friendly (SEF) (62 minutes)

  • What SEF means
  • How to check for health problems using Google Search Console (GSC)
  • How to create an XML sitemap and let Google know about it, also using GSC
  • What a robots.txt file is, and why you need to check yours

Module 5 – Keyword Research (58 minutes)

  • Why keyword research is foundational to SEO success
  • How to do keyword research using Google’s “keyword planner”
  • How to determine whether a keyword is really competitive
  • Why “themes” are more important than “keywords”
  • How to set priorities for your SEO using your keyword research

Module 6 – Relevancy (56 minutes)

  • The important principle of “relevancy”
  • Key parts of the page for SEO
  • How to optimize a page for relevancy
  • What Panda is, and how to check your content for Panda-proof quality
  • The importance of a content-creation strategy

Module 7 – Authority (43 minutes)

  • The second pill ar of SEO success: Authority
  • What PageRank is and how it changed the search engine game
  • The impact of Google’s Penguin updates
  • Link-building basics

Module 8 – Conversion Optimization (27 minutes)

  • Why visits are meaningless without conversion
  • What factors keep people from taking action on your website
  • What conversion boosters will help you to get the most out of your SERP rankings
  • How higher conversions can also help your organic SEO efforts

Module 9 – Managing Your SEO (21 minutes)

  • Learn the difference between urgent and important
  • How to avoid SEO paralysis
  • How to get the most out of the SEO Journal that we provide as a bonus
  • What options are available to you to take your study of SEO and Internet Marketing to the next level

Bonus Materials

  • Sample SEO Workflow Journal (a handy team document for tracking and managing your SEO)
  • Google Special Search Operators for Keyword Research
  • Match Type cheat sheet to help you get the most out of Google’s Keyword Plan

Get the First 3 Modules for Free

Already know you want the full course?  Sign up here and take $50 off (this introductory offer is only good through January 31st, 2017)

Horizon Web Marketing is a digital marketing company.