Rank Math WordPress SEO Plugin Vulnerability Affects +2 Million Sites via @sejournal, @martinibuster

The Rank Math SEO plugin, which has over 2 million users, recently patched a stored cross-site scripting vulnerability that makes it possible for attackers to upload malicious scripts and launch attacks.

Rank Math SEO Plugin

Rank Math is a popular SEO plugin that’s installed in over 2 million websites. It has an incredible array of functions that ranges from keyword tracking, Schema.org structured data integration, Google Search Console and Analytics integration, a redirect manager and other features that make it unnecessary to use other plugins for technical or on-page SEO.

A popular feature that users appreciate is that it’s a modular plugin, which means users can choose which features they require and turn off those that they don’t, which can help make a website perform even faster.

Many turn to Rank Math as an alternative to Yoast. A comparison between the two shows that Rank Math is smaller (61.1k lines of code versus Yoast’s 97.1k lines) and uses less server resources (+0.35 MB of memory versus Yoast’s +1.62 MB).

Authenticated Stored Cross-Site Scripting

Wordfence WordPress security researchers published an advisory about a stored cross-site scripting (XSS) vulnerability in the Rank Math SEO plugin.

A stored XSS vulnerability allows an attacker to upload malicious scripts that run in visitors’ browsers, which can result in stolen session cookies, unauthorized website access and compromised sensitive data.

Insufficient Input Sanitization And Output Escaping

The source of the vulnerability is insufficient input sanitization and output escaping. These are common causes of XSS vulnerabilities, which occur in areas of plugins that allow users to upload or input data.

Sanitizing input data means filtering out unwanted types of input, like scripts or HTML, where only text inputs are expected. Output escaping is a process that encodes what’s output by the website so that unwanted output like malicious scripts reaches the site visitor’s browser as inert text rather than as code that runs.

Wordfence warned:

“The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes.

This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Rank Math’s update changelog responsibly acknowledges what was changed in their plugin and the reason for the update. This transparency makes it possible for plugin users to understand the importance of a given update and to make an informed decision as to the urgency of the update.

The changelog identifies the patched vulnerability:

“Improved: Strengthened the security of the plugin’s HowTo Block to prevent potential exploitation by users with post edit access. Thanks to [WordFence](https://www.wordfence.com/) for revealing it responsibly”

Read the official Wordfence advisory:

Rank Math SEO with AI SEO Tools <= 1.0.214 – Authenticated(Contributor+) Stored Cross-Site Scripting via HowTo block attributes


WordPress Astra Theme Vulnerability Affects +1 Million Sites via @sejournal, @martinibuster

One of the world’s most popular WordPress themes quietly released a security update over the weekend that security researchers say appears to have patched a stored XSS vulnerability.

The official Astra changelog offered this explanation of the security release:

“Enhanced Security: Our codebase has been strengthened to further protect your website.”

Their changelog, which documents changes to the code that’s included in every update, offers no information about what the vulnerability was or the severity of it. Theme users thus can’t make an informed decision as to whether to update their theme as soon as possible or to conduct tests first before updating to ensure that the updated theme is compatible with other plugins in use.

SEJ reached out to the Patchstack WordPress security company who verified that Astra may have patched a cross-site scripting vulnerability.

Brainstorm Force Astra WordPress Theme

Astra is one of the world’s most popular WordPress themes. It’s a free theme that’s relatively lightweight, easy to use and results in professional looking websites. It even has Schema.org structured data integrated within it.

Cross-Site Scripting Vulnerability (XSS)

A cross-site scripting vulnerability is one of the most common types of vulnerabilities found on WordPress and generally arises within third party plugins and themes. It’s a vulnerability that occurs when there’s a way to input data but the plugin or theme doesn’t sufficiently filter what’s being input or output, which can subsequently allow an attacker to upload a malicious payload.

This particular vulnerability is called a stored XSS. A stored XSS is so-called because the payload is uploaded directly to the website server and stored there.

The non-profit Open Worldwide Application Security Project (OWASP) website offers the following description of a stored XSS vulnerability:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.”

Patchstack Review Of Plugin

SEJ contacted Patchstack who promptly reviewed the changed files and identified a possible theme security issue in three WordPress functions. WordPress functions are code that can change how WordPress features behave such as changing how long an excerpt is. Functions can add customizations and introduce new features to a theme.

Patchstack explained their findings:

“I downloaded version 4.6.9 and 4.6.8 (free version) from the WordPress.org repository and checked the differences.

It seems that several functions have had a change made to them to escape the return value from the WordPress function get_the_author.

This function prints the “display_name” property of a user, which could contain something malicious to end up with a cross-site scripting vulnerability if printed directly without using any output escaping function.

The following functions have had this change made to them:

astra_archive_page_info
astra_post_author_name
astra_post_author

If, for example, a contributor wrote a post and this contributor changes their display name to contain a malicious payload, this malicious payload will be executed when a visitor visits that page with their malicious display name.”

In the context of XSS vulnerabilities in WordPress, untrusted data can enter anywhere a user is able to input data.

The processes for handling it are called Sanitization, Validation, and Escaping, three ways of securing a WordPress website.

Sanitization can be said to be a process that filters input data. Validation is the process of checking what’s input to determine if it’s exactly what’s expected, like text instead of code. Escaping output makes sure that anything that’s output, such as user input or database content, is safe to display in the browser.

WordPress security company Patchstack identified changes to functions that escape data which in turn gives clues as to what the vulnerability is and how it was fixed.
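The pattern described in both advisories above (a user-controlled value such as an author display name or a block attribute printed without escaping), shown beside its escaped form. This is an added example, not code from Astra, Rank Math or WordPress core: the `example_` functions, the attribute keys and the sample values are constructed for illustration, and the `function_exists` stand-ins only approximate the WordPress functions so the file also runs outside WordPress.

```php
<?php
// Added example; not code from Astra, Rank Math or WordPress core.

// --- Stand-ins so the file runs with plain `php`; skipped inside WordPress ---
if ( ! function_exists( 'get_the_author' ) ) {
    function get_the_author() {
        // Constructed display name containing markup (sample value).
        return 'Jane <script>alert(1)</script>';
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { // simplified approximation of esc_html()
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { // simplified approximation of esc_attr()
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) { // simplified approximation
        return trim( preg_replace( '/\s+/', ' ', strip_tags( (string) $text ) ) );
    }
}

// Before: the display name is concatenated into markup as-is, so any tags
// it contains become part of the page.
function example_author_unescaped() {
    return '<span class="author-name">' . get_the_author() . '</span>';
}

// After: the return value of get_the_author() is escaped at the point of output.
function example_author_escaped() {
    return '<span class="author-name">' . esc_html( get_the_author() ) . '</span>';
}

// Block-style attributes (hypothetical keys 'id' and 'title'): sanitize the
// text on the way in, then escape for the context it is printed in.
function example_render_step( array $attrs ) {
    $title = sanitize_text_field( $attrs['title'] ?? '' );
    $id    = $attrs['id'] ?? '';
    return sprintf( '<h3 id="%s">%s</h3>', esc_attr( $id ), esc_html( $title ) );
}

// Simple check a reviewer can run on rendered output: does raw markup from
// the sample values survive into the HTML?
function example_has_raw_injection( $html ) {
    return stripos( $html, '<script' ) !== false
        || stripos( $html, '" onmouseover=' ) !== false;
}

// Constructed sample attributes.
$attrs = array(
    'id'    => 'step-1" onmouseover="alert(1)',
    'title' => 'Mix <b>well</b>',
);

$outputs = array(
    'author, unescaped' => example_author_unescaped(),
    'author, escaped'   => example_author_escaped(),
    'step, escaped'     => example_render_step( $attrs ),
);

foreach ( $outputs as $label => $html ) {
    printf(
        "%-18s raw injection: %-3s %s\n",
        $label,
        example_has_raw_injection( $html ) ? 'yes' : 'no',
        $html
    );
}
```

Only the first line of output reports raw markup; in the other two the angle brackets and quotes arrive as HTML entities, so the browser displays them as text.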

Patchstack Security Advisory

It’s unknown whether a third party security researcher discovered the vulnerability or if Brainstorm, the makers of the Astra theme, discovered it themselves and patched it.

The official Patchstack advisory offered this information:

“An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Astra Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.9.”

Patchstack assessed the vulnerability as a medium threat and assigned it a score of 6.5 on a scale of 1 – 10.

Wordfence Security Advisory

Wordfence also just published a security advisory. They analyzed the Astra files and concluded:

“The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user’s display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

It’s generally recommended that users of the theme update their installation but it’s also prudent to test that the updated theme doesn’t cause errors before pushing it to a live website.


YouTube Warns Channels Against Deleting Videos via @sejournal, @MattGSouthern

In a recent public service announcement on Twitter, YouTube’s Product Lead for homepage and recommendation, Todd Beaupre, cautioned content creators against the arbitrary deletion of videos from their channels.

His statement points to the potential negative impact of video removal on a channel’s growth.

YouTube Says Don’t Delete Videos

Beaupre advised in his tweet:

“YouTubers: Don’t delete videos unless you have a very, very good reason. When you delete a video, you delete your channel’s connection to the audience that watched that video. If you want to maximize your growth, keep your videos public or unlist them if you must.”

YouTube’s Creator Liaison, Rene Ritchie, further amplified the message, retweeting Beaupre’s post to ensure wider visibility.

The coordinated effort from two YouTube representatives highlights the significance of the advice for content creators.

Video Deletion May Impact Channel Growth & Discoverability

YouTube’s out-of-the-way PSA on Twitter suggests that video deletion could be a weighty factor in YouTube’s algorithm for homepage recommendations.

The platform may be less likely to recommend videos from channels with a history of removing content, as it could negatively affect user experience and engagement.

YouTube’s recommendation system is designed to connect viewers with content they will likely enjoy and engage with. If a channel frequently deletes videos, it disrupts the viewer’s experience and makes it harder for the algorithm to assess the channel’s value accurately.

Unlist Rather Than Delete

The advice to keep videos public or unlisted, rather than deleting them entirely, offers creators a middle ground for managing their content without compromising its growth potential.

By maintaining a stable video catalog, creators can foster long-term connections and provide a consistent data stream for YouTube’s algorithm to evaluate their channel’s relevance and engagement.


FAQ

How does deleting videos from a YouTube channel affect its growth?

Deleting videos from a YouTube channel can adversely affect the channel’s growth potential.

When a video is removed, the connection that was built between the channel and its audience through that video is lost.

This deletion can lead to reduced visibility and discoverability of the channel within YouTube’s recommendation algorithm, potentially hindering the channel’s ability to attract new viewers and negatively impacting user experience and engagement.

What is the recommended alternative to deleting videos on YouTube?

The recommended alternative to deleting YouTube videos is to keep them public or unlist them.

By doing so, creators can manage their content library without compromising their channel’s growth potential and algorithmic evaluation.

This strategy ensures the creator’s video catalog remains stable, which is beneficial for maintaining long-term connections with the audience and preserving the integrity of the channel’s data for YouTube’s recommendation system.



Google Search Liaison: Ads Not A Hindrance To Search Rankings via @sejournal, @MattGSouthern

As Google’s March core update continues, there’s uncertainty surrounding the impact of advertisements on search rankings.

Google’s Search Liaison, Danny Sullivan, took to Twitter to address these concerns, stating that sites with ads can still rank well in Google search results.

Google Clarifies The Impact Of Ads On Search Rankings

Website owner Tony Hill brought the issue to light, inferring from Sullivan’s earlier advice that Google disapproves of ads.

Hill points out the prevalence of ads in Google’s search results pages, especially on mobile devices, and expressed concern that Google’s algorithms may unfairly target smaller sites that rely on ad revenue.

Sullivan clarified that “there are plenty of sites that rank perfectly well in Google Search that have ads, both sites big and small.”

He emphasized that Google’s systems aim to reward sites that provide a good page experience, a long-standing goal that isn’t new.

Ads Aren’t Direct Ranking Factors

Referring to Google’s documentation on page experience, Sullivan noted that Core Web Vitals are direct ranking factors, while other aspects mentioned, such as excessive ads in relation to main content, are not.

The documentation states:

“Beyond Core Web Vitals, other page experience aspects don’t directly help your website rank higher in search results. However, they can make your website more satisfying to use, which is generally aligned with what our ranking systems seek to reward.”

Anecdotal evidence supports Sullivan’s statement, with many sites climbing in rankings following the core update despite having advertisements on their pages.

This suggests that ads alone don’t necessarily hinder a site’s ability to rank well in Google search results.

Analyzing Sullivan’s Statement

Considering Sullivan’s statements and the wider conversation surrounding ads and search rankings, several additional points are worth mentioning.

First, while ads may not be a direct ranking factor, their implementation can indirectly impact SEO.

Excessive or intrusive ads that significantly disrupt the user experience could negatively impact search rankings. Therefore, you must carefully consider ads’ placement, quantity, and quality.

Google’s increasing reliance on ads in search results pages has drawn criticism, with some arguing that it creates a double standard.

The debate sparked by Hill’s comments also raises questions about the fairness of Google’s approach to smaller websites that rely heavily on ad revenue. While Sullivan affirms that sites of all sizes can rank well with ads, some website owners may feel that the playing field isn’t level.

While ads are a legitimate means of monetization, they shouldn’t diminish a website’s core value.

In Summary

The debate surrounding ads and search rankings highlights the delicate balance between user experience and website financial sustainability.

As Sullivan points out, ads make much of the web accessible and free for users. However, page experience remains crucial in how Google’s algorithms assess and rank websites.

As website owners navigate the March core and spam updates, Sullivan’s clarification confirms that advertisements don’t inherently conflict with achieving strong search rankings.

Google Offers Advice For Those Affected By HCU via @sejournal, @martinibuster

Google’s SearchLiaison answered a question asking for advice on how to diagnose content that’s lost rankings because of the Helpful Content update. SearchLiaison offered advice on how to step back and think about what the problem could be and if there even is a problem to consider.

Question On Fixing HCU Affected Pages

Someone on X (formerly Twitter) expressed frustration with the advice SEOs have offered because it was understood (erroneously it turns out) that the Helpful Content issue is a sitewide signal which complicates identifying pages that didn’t need fixing.

Lee Funke (@FitFoodieFinds) tweeted:

“I keep getting advice from SEOs to “look at the pages with the biggest drops” and figure out why they dropped. If we were hit by HCU then the sitewide signal has made ALL pages drop, making it difficult to analyze helpful vs. unhelpful. Any advice?”

SearchLiaison Answers HCU Question

SearchLiaison first addressed the perception that the Helpful Content ranking system is a single signal.

He tweeted:

“We had this in our Search Central blog post, but it’s probably worth highlighting that the helpful content system of old is much different now:
https://developers.google.com/search/blog/2024/03/core-update-spam-policies

“Just as we use multiple systems to identify reliable information, we have enhanced our core ranking systems to show more helpful results using a variety of innovative signals and approaches. There’s no longer one signal or system used to do this, and we’ve also added a new FAQ page to help explain this change.””

Next he explained that the Helpful Content System (commonly referred to as the HCU) is not a sitewide “thing” but rather it affects websites at the page-level.

He followed up with:

“The FAQ page itself is here, and it explains it’s not just a site-wide thing now:
https://developers.google.com/search/help/helpful-content-faq

“Our core ranking systems are primarily designed to work on the page level, using a variety of signals and systems to understand the helpfulness of individual pages. We do have some site-wide signals that are also considered.””

Drops In Rankings: Not Always About Fixing Pages

The next bit of advice that he offered is that a drop in ranking doesn’t necessarily mean that there’s something wrong that needs fixing. He’s right. A common mistake I see website publishers and SEOs make is to immediately assume that there’s something wrong that needs fixing but that’s not the case when the problem is related to relevance.

A site that loses rankings because of relevance can sometimes come back but in extreme cases the old rankings can never come back, ever. An SEO with experience knows how to tell the difference.

SearchLiaison tweeted:

“So then to the all pages dropping questions. Pages could drop in ranking for a variety of reasons, including that we’re showing other content that just seems more relevant higher. Sort of what I was talking about here:
https://twitter.com/searchliaison/status/1768681292181434513”

That tweet he referred to offered the advice to wait until the update finished rolling out before making any changes. He also said that rankings can change by themselves without changing anything and that user trends can affect site traffic; it’s not always due to rankings.

Self-Assess Pages That Lost Rankings

Returning to the answer to Lee Funke (@FitFoodieFinds), SearchLiaison suggested identifying the pages that are receiving less traffic and focusing on self-assessing those pages, with the Helpful Content FAQ documentation and the HCU Self-Assessment page as guides.

He tweeted:

“If it’s more than just moving down a bit, then I’d look to some of the pages that I’d previously gotten a lot of visits to and self-assess if you think they’re helpful to your visitors (the FAQ page covers this). If you do, carry on.”

Is Google’s FAQ Contradictory?

The person who tweeted the original question had some follow-up questions and concerns. They felt that the HCU FAQ was contradictory in that it said that the Helpful Content signals were at a page level but that it also suggests there are sitewide factors that can bring the entire site down.

This is what the person who started the discussion tweeted:

“Also the FAQ about HCU sounds a bit contradictory. It says that the systems work primarily on a page level but then unhelpful/thin content can weigh down the success of other pages which feels site wide. I’m just trying to understand what these massive drops resulted from!”

The FAQ doesn’t cite thin content but it does mention unhelpful content affecting other pages in a way that goes beyond page level.

This is what it says:

“Our systems work primarily at the page level to show the most helpful content we can, even if that content is on sites also hosting unhelpful content.

This said, having relatively high amounts of unhelpful content might cause other content on the site to perform less well in Search, to a varying degree. Removing unhelpful content might contribute to your other pages performing better.”

That’s kind of vague and contradictory.

  • Does Google mean that if most of the content on a website is unhelpful that it would drown out the value of a handful of pages that are helpful?
  • Is Google implying that a website that’s infested with a preponderance of unhelpful content won’t ever get links or user enthusiasm because nobody would be able to find the actual good content?

It’s not unreasonable to say that Google’s documentation could use a little more clarity.

Non-Self Self-Assessing

I would suggest sticking with the self-assessment suggestions in Google’s Helpful Content FAQ.

A fresh set of eyes can see things with more clarity than someone who authored the page.


Google Testing AI Chat On Developer Pages via @sejournal, @martinibuster

Google is rolling out a beta test of an AI Chat feature across the developers pages subdomain that is able to answer questions about anything that’s in the developers pages such as in the SEO, structured data and ranking documentation.

The beta feature is supposed to become available on all developer pages to answer questions about the page a site visitor is on or any other webpage in the developer documentation.

Developer Profile Required

The new feature, called Side Panel Chat, is only available through desktop devices, not on mobile. It’s available in many regions but requires users to register for a Developer Profile. Signing up requires signing into a Google account to create a developer profile but it doesn’t require confirming your email address.

Google side panel chat requires a developer profile

Google’s documentation explains that the developer profile allows it to personalize the chat panel responses. The developer profile itself is gamified with achievements for unlocking and badges that can be earned.

Side Panel Questions

The AI chat answers questions about anything that’s in the developer pages documentation but it’s possible for it to go off the rails a little bit. I asked a question about link building and one of the responses was questionable.

The question asked:

What are five hot ways to build links?

The one arguably sketchy answer was:

“Guest posting:
Write high-quality guest posts for other websites in your industry or niche.
Make sure to include a link back to your website in your author bio.”

It also advised creating infographics but it didn’t suggest requiring backlinks.

Side Panel Chat Button

Side panel chat icon for activating a chat in one of Google's developer pages

I next asked the side panel chat for the top 5 tips for ranking in the top of Google’s search results.

Google’s new AI chat offered the following suggestions plus an explanation for each:

  1. Create high-quality, relevant content
  2. Build high-quality backlinks
  3. Optimize your website for technical SEO
  4. Promote your content
  5. Monitor your results and make adjustments

Limited Answers

The chat is limited to answering questions that are related to the developer pages documentation. It cannot answer questions that are outside of that scope.

Because the AI chat is in beta, which means it’s in a testing phase, it may incorrectly say it cannot answer a question or offer questionable answers. Google asks that users provide feedback so as to improve the service.

Google’s documentation states:

“If you encounter errors with valid questions, consider rephrasing your question. If the chat incorrectly indicates that it cannot respond to your question, you can report this issue by clicking the Send feedback icon at the top of the Side Panel Chat.”

Read more about Google’s developer pages side panel chat:

Side Panel Chat


Google Answers If Different Content Based On Country Affects SEO via @sejournal, @martinibuster

Google’s John Mueller answered a question on Reddit about whether showing different content based on IP address of the site visitor affected SEO. His answer offered insights into Google’s crawling and indexing.

Showing Banners For Specific Countries

The person asking the question managed a website that wanted to show a banner on the side of the page with country-specific content. Their concern was how that might affect rankings in different countries.

Here’s the question:

“I got one question on how content for different geoip effect for seo?

Some marketers in my company asking me about to place side banner for users of certain geo ip – for example for UK visitors they want to show banner about event that coming in UK), but main geo for website: US.

Does it affect SEO for website overall? How Google classifies that type of placement? Is this kinda sort of cloaking (without purpose to cheat on google systems)?”

John Mueller’s Answer

The person asking the question asked three questions and Mueller limited his response to the one about how it affects SEO.

Mueller answered:

“Google generally crawls from one location – and that’s the content which would be used for search.

If you want something to be indexed, you need to make sure it’s shown there (or shown globally). The rest is up to you :-)”

Googlebot generally crawls from United States IP addresses and if it’s geographically blocked by IP address then it’ll switch over to an IP from another country.

How Google Classifies Side Banner

One of the questions that went unanswered was about how Google classifies the “placement” by which I assume the person means the content located in the sidebar.

This is what they asked:

“How Google classifies that type of placement?”

Assuming that the person is asking how Google classifies the content in a sidebar then the answer to that question is that Google identifies the main content of a page and more or less ignores the non-main content for ranking purposes.

We know that Google identifies the different sections of a webpage and one example is provided in an interview with Google’s Martin Splitt. Splitt talked about how Google identifies the different parts of the webpage like the main content, navigation, and other boilerplate so that it could score the different parts differently (“weighted” differently is how he described it).

Google then identifies where the main content of the page is and summarizes it into what he called the Centerpiece Annotation. Martin said that the Centerpiece Annotation is an identification of what the topic is.

In the context of the Reddit question Google would probably classify the banner in the side panel as not a part of the main content and consequently not use it for ranking purposes.

Is Changing Content Based On IP Address Cloaking?

Cloaking is a spam technique that in general identifies Googlebot by IP address and shows it content created specifically for Google and then shows different content to everybody else. Cloaking therefore is showing one set of content specifically to Google and different content to everyone else.

That’s not the case with the scenario described by the Redditor.

Googlebot crawls from United States IP addresses so in general Google won’t crawl and index content that’s switched out for other countries. It will see and index only the United States content. Swapping out content based on the country origin of the site visitor doesn’t qualify as cloaking in the sense of cloaking for spam purposes either.

Read the post on Reddit:

Q: banners for certain geo-ip addresses? how it affect for seo?


Google’s Advice For Ranking: Stop Showing via @sejournal, @martinibuster

Google’s SearchLiaison responded to a tweet that was kind of “thinking out loud” about whether a particular tactic might be useful for recovering from the Helpful Content Update system. SearchLiaison offered his opinion on why that might not be a good idea.

One thing that SearchLiaison made clear is that he didn’t want his tweet to come off as if he was rebuking Lily Ray.

He tweeted:

Being More Than An Affiliate/Review Site

SearchLiaison responded to Lily Ray, who was making connections between sites hit by the Reviews update in September 2023 and the current March Core Algorithm update. A fair bit of context is needed to understand SearchLiaison’s response, because a cursory reading doesn’t show the full picture: what SearchLiaison responded to wasn’t just about the one thing he called attention to. It’s worth putting his response into context in order to better understand what was meant.

Lily noted that the sites under discussion had more than just content, that they had an ecommerce side.

She tweeted:

Then tweeted:

The discussion progressed to discussing possible “overlapping signals” between sites hit by the Reviews system and the Helpful Content system (HCU), with Terry Van Horne tweeting:

With Lily Ray responding:

“Yeah, tons of crossover from what I’m seeing. But at this point, a site is “lucky” if it only got hit by the Reviews updates, not HCU”

Terry responded by mentioning his doubts about suggestions made by others that being an affiliate site might be a connection, that it was not about the type of advertising that contributed to triggering issues but other factors.

He tweeted:

“The “lucky” might be the “anomalies” that help in determining which signals overlap. For instance a lot of chatter about “affiliate links” but I’m positive it’s more about where ads on page are placed, number and no disclosure of ads/sponsorships. Not the type of ads”

That’s how the discussion flowed and morphed into discussing affiliate sites.

Someone responded to the second tweet about sites having more than one component:

It was the following tweet by Lily Ray that SearchLiaison responded to:

“Yeah… I’m wondering if integrating ecommerce is something that could help many HCU-affected sites recover over time.

I realize this is much easier said than done… but it shows Google that your site does more than just affiliate/review content.”

Lily wasn’t suggesting that integrating ecommerce would be helpful to recovery, she was just throwing it out there as in, “wondering” or maybe even thinking out loud.

SearchLiaison responded by cautioning against doing things to “show Google” which means being motivated to doing something for Google instead of focusing on users.

SearchLiaison tweeted:

“I wouldn’t recommend people start adding carts because it “shows Google” any more than I would recommend anyone do anything they think “shows Google” something. You want to do things that make sense for your visitors, because what “shows Google” you have a great site is to be … a great site for your visitors not to add things you assume are just for Google.

Also Lily, I don’t mean this toward you in particular or negatively. It’s just shorthand common thinking that so many understandably deal with.

Doing things you think are just for Google is falling behind what our ranking systems are trying to reward rather than being in front of them. Everything I said here: https://twitter.com/searchliaison/status/1725275245571940728”

SearchLiaison continued on the topic of websites that try to “show” by listing examples of the kinds of things that fall into the dead-end of focusing on the wrong things.

He continued:

“Stop trying to “show Google” things. I have been through so many sites at this point (and I appreciate the feedback), and the patterns are often like this:

– Something saying an “expert” reviewed the content because someone mistakenly believes that ranks them better

– Weird table-of-content things shoved at the top because who knows, along the way, somehow that became a thing I’m guessing people assume ranks you better

– The page has been updated within a few days, or even is fresh on the exact day, even though the content isn’t particularly needing anything fresh and probably someone did some really light rewrite and fresh date because they think that “shows Google” you have fresh content and will rank better.

– The page ends with a series of “hey, here are some frequently asked questions” because someone used a tool or other method to just add things they think people search for specifically because they heard if you add a bunch of popular searches to the page, that ranks you better not because anyone coming to your page wants that

– I can barely read through the main content of pages because I keep getting interrupted by things shoved in the middle of it. Which isn’t so much a “show Google” thing as much as it is just an unsatisfying experience”

He acknowledged that Google’s algorithms aren’t perfect and that there are likely many examples of top ranking sites that do the things he just said not to do.

SearchLiaison made it clear that if an SEO is doing something because they think that’s what Google’s signals are looking for or that it’s a signal of quality then they’re doing it for the wrong reasons and are at a dead-end. The whole focus should be on whether it’s good for the user, not whether Google is looking for a particular signal.

He explained:

“And yes. A million times yes. You will find pages that are still ranking, both from big sites and small sites, that do these things. Because our ranking systems aren’t perfect, and after this current update, we’ll continue to keep working at it, which I also covered before: https://twitter.com/searchliaison/status/1725275270943293459

And I very much hope our guidance will get better to help people understand that what Google wants is what people want.”

It’s Probably Google’s Failure To Communicate

SearchLiaison blamed Google’s documentation, a failure to communicate, if SEOs were walking around recommending adding that something was reviewed by an “expert” and so on.

He also gave a sneak preview of what the draft document currently says.

He wrote:

“I’m pushing for us to have an entire new help page that maybe makes this point better. Part of the current draft says things like:

“The most important key to success with Google Search is to have content that’s meant to please people, rather than to be whatever you might have heard that ‘Google wants.’ For example, people sometimes write content longer than is helpful to their readers because they’ve heard somewhere that ‘Google wants’ long content.

What Google wants is content that people will like, content that your own readers and visitors find helpful and satisfying. This is the foundation of your potential success with Google. Any question you have about making content for Google will come back to this principle. ‘Is this content that my visitors would find satisfying?’ If the answer is yes, then do that, because that’s what Google wants.””

SearchLiaison pointed out that he’s not a part of Google search and that his role is to be the liaison communicating back and forth between the people on both sides of the search box.

He then returned to urge the search marketing community to stop focusing on trying to figure out what they think Google’s algorithm rewards and then to show that. While he didn’t mention it, that very likely includes scouring the Search Quality Rater Guidelines for things to do.

Seriously, you’ll always get better results by scouring your site visitors’ feedback, which includes both the explicit feedback (where they tell you how they feel) and the implicit feedback (where an analytics tool like Clarity shows you how site visitors feel through their user interaction signals).

SearchLiaison continued:

“Those providing quality experiences, I personally want you to succeed.

But please. If you want to succeed, stop doing a lot of the things you’ve heard second, third, whatever that are supposed to “show Google” something and show your visitors a great, satisfying experience. That’s how you show Google’s ranking systems that you should do well.”

Spirit Of Google’s Guidelines

Nine years ago I wrote an article about User Experience Marketing that explained the value in optimizing for people instead of keywords.

I suggested:

Optimize For People, Not Keywords.
Doing this will change how you write content, how it’s organized, how you link internally and in my experience it will always be good for ranking.

Want Links? Optimize For User Experience
Links are the expression of people’s enthusiasm. People link because they feel good about it. Anything you do that makes people be enthusiastic is going to increase links, increase user interaction signals, increase everything that gets a site rolling.

For whatever reason, the search industry keeps trying to show Google that they’re relevant, to show Google their content is authoritative, that they are expert. Some go as far as to invent fake authors with AI generated photos and fake profiles on LinkedIn, because they thought that would show Google that the content is expert.

But really, just be it, right?


AI Spam Sites Beat Google’s March 2024 Spam Update via @sejournal, @martinibuster

While honest websites experienced the ups and downs of Google’s March 2024 update, SEOs and recipe bloggers noticed AI spam sites surging to the top of search results. One example as of yesterday ranked for over 217K queries, 14.9K of which rank in the top 10 – and that number has increased a day later. This is what’s going on and how the spammers continue to beat Google.

Surge In March 2024

The site that’s ranking is a subdomain. The main domain has been around since the summer of 2020. The spammy subdomain was first spotted by the Internet Archive on November 30 2022, coincidentally the launch date of ChatGPT. The subdomain was half-finished and essentially dormant until March 2024, when it rapidly expanded and immediately began to rank for thousands of search queries.

On Wednesday, March 20th, the site was ranking for 14.9K search queries in the top 10. On Thursday, March 21st, the site had 15.6K in the top 10. Even though Google just concluded their spam update, this particular site (and others like it) continues to rank for thousands of search queries and Google appears powerless to stop them.

Food Writer Reacts To AI Spam

A food writer and recipe book author, Robin Donovan (Instagram), called my attention to the AI site, telling me that others in a private Facebook group were livid about AI sites surging for recipe search queries.

It’s super obvious that the content is AI generated, even the images accompanying the articles are 100% AI. So it’s especially hurtful to those with experience, expertise and authoritativeness to see obviously AI content outrank them.

Robin was understandably upset:

“How on earth is this the best content? And meanwhile, bloggers who are professionally trained chefs, recipe developers, cookbook authors, and others with decades of training and experience are watching their sites be decimated with these updates. Sites that they’ve spent years building with well-researched, well-written (human-written!) articles, recipes that have been professionally developed and carefully tested, photographs they have spent hours prepping for and shooting.

They’ve done all the things Google has told them to do for years—write your own content, take your own photos, develop unique, high-quality recipes, be an expert in your subject area and have credentials to show it, don’t try to game the system, be genuine, create HELPFUL content. For what?”

Details About What The Spam Sites Look Like

1. Hosted On Squarespace

The spam site is on a subdomain and both the subdomain and the main site are hosted on Squarespace. Why Squarespace? Just a guess but maybe that infrastructure tends to generally appear legit to Google (or it might not play a role).

2. All Images Are Colorful And Simple

All of the images are AI generated, created in a flat colorful style similar to what might be seen in an infographic, indicating that a templated prompt was used to create the thousands of images accompanying the articles.

The images are an important component of the articles. Each article features about seven images that relate to the overall topic of the article. Every article is very colorful. I don’t know if the images are intentionally colorful but the use of strong colors helps images stand out in the SERPs and Google Discover when Google displays them.

I uploaded one of the images to ChatGPT and asked it to generate a prompt based on the image to create a new one in the same style.

Here’s an example of an AI generated image in the same style as the AI spam sites:

Example Of An AI Generated Image Used By A Spam Site


3. All Articles Follow A Rigid Template

The articles follow a templated structure, which varies depending on the type of article. Article topics range from comparisons, local destination travel, lifestyle, recipes, health benefits of certain foods and so on.

The health related articles follow this exact article structure:

a. Introduction 
Introduces the concept topic being discussed and its relevance to a specific health related topic. The concept topic can be a particular food, a type of diet and so on.

b. Health Benefits
Following the introduction, every article discusses the health benefits associated with the concept topic.

c. Fundamentals
This section discusses the basics of the health topic that is being focused on (oral health, diabetes...), the importance of nutrition, and common problems or diseases associated with the health topic.

d. Nutritional Guidance And Key Nutrients

e. Dietary Choices And Impact On Health

f. Tips and Lifestyle Advice

g. Conclusion - A summary of the benefits

4. Underlying Prompt For AI-Generated Articles

I was curious about what a prompt that generates that content would look like so I asked ChatGPT to create one.

This is a generalized prompt that could have been used to create the health and diet articles:

"Write an article exploring the connection between [concept of dietary choice] and [specific health focus], following the template below:

Introduction: Begin by introducing the concept of [concept of dietary choice], its definition, and why it's relevant to [specific health focus]. Discuss its growing popularity and how it aligns with contemporary health and lifestyle trends.
Health Benefits: Elaborate on the general health benefits associated with [concept of dietary choice], focusing on its potential to enhance [specific health focus].
Fundamentals of [Health Topic]: Provide a background on the [specific health focus], including essential anatomy, the significance of nutrition, and prevalent conditions affecting this aspect of health.
Key Nutrients and Their Impact: Detail the crucial nutrients that play a significant role in [specific health focus], including their sources and the health benefits they offer. Highlight the importance of certain vitamins, minerals, and other compounds.
Influence of Dietary Choices: Analyze how specific dietary choices influenced by [concept of dietary choice] can impact [specific health focus], positively or negatively. Recommend beneficial foods and advise against certain types that may harm [specific health focus].
Practical Advice for Diet and Lifestyle: Offer practical suggestions for integrating beneficial foods into one's diet and making lifestyle adjustments to support [specific health focus]. This might include tips on meal preparation, portion control, and balancing different types of foods.
Conclusion: Conclude the article by summarizing how adopting [concept of dietary choice] can contribute to improving [specific health focus]. Emphasize the balance and variety of nutrients this approach provides and its potential benefits beyond [specific health focus].
Ensure the article provides a comprehensive overview that is both informative and engaging, catering to readers interested in understanding the relationship between [concept of dietary choice] and [specific health focus]."

5. Content Tested By AI Checker Tools

The weird thing about these articles is that every article I tested with GPTZero AI Content Detector scored 100% as AI-generated. The Originality.AI content checker offered similar scores.

Screenshot Of GPTZero Score


Screenshot Of Originality.AI Score


The Squarespace templates are professional and the articles themselves are in a dry style that is informative but lacks signals of human authorship, such as expressions of insight or experience, and is completely devoid of colloquialisms. Every article tested failed the AI detection tests.

6. How Do AI Spam Sites Rank?

It’s my hypothesis that the reason these spam sites rank is that they’re taking advantage of a loophole in Google’s algorithms that allows new content to receive an initial boost, what Google’s John Mueller has described as Google testing the website or the webpages out. This happens all the time and excites people when they publish a new site and see it ranking almost right away.

What is happening with this one AI generated website is that it is publishing massive amounts of webpages every day and those pages receive a boost to the top of the search engine results pages (SERPs) for the first 24 to 48 hours. They then begin to slip down the top ten and eventually into the second pages of the SERPs. But by that time there are new pages beginning that journey from the initial boost, every day. This is a classic old school strategy known as churn and burn.

John Mueller has commented in the past about why Google ranks new websites at the top of search results.

He explained:

“In particular, with completely new websites, one of the difficulties that we have is we might not have a lot of signals for those websites so we have to make estimates.

And depending on how we make estimates, it can sometimes mean that in the beginning we show this website a little bit more visibly than like it turns out that the signals tell us in the end.

…But that can go both ways. It can go in the direction of like you’re shown very visibly in the beginning.

And it can also be that maybe you’re shown less visibly in the beginning and as we understand your website and how it fits in with the rest of the web then we can kind of adjust that.

…Sometimes it’s also new websites that show up that we try to pick up really quickly.”

7. AI Spam Is A Longstanding Problem With Google

Google has had a long-running problem with AI generated sites dominating certain search results and this is not the first time that Google has been overwhelmed by spam, particularly for relatively longtail phrases. This one spam site is not alone and is not an outlier. There are many others just like it following the same methods for ranking.

What makes this example noteworthy is that it went live at the same time that Google launched a spam update and it continued ranking at the top of the SERPs for hundreds of thousands of search queries (with 15.6K queries currently in the top 10).

The AI spam site has now popped out on the other side of the spam update and is thumbing its nose at Google. It is a humiliating and demoralizing experience for the thousands of honest and experienced bloggers who are outranked by content that lacks credibility, experience and authoritativeness. These articles don’t even list authors.


Google Unifies Conversion Reporting Across Ads & Analytics via @sejournal, @MattGSouthern

Google has announced an update to Google Analytics 4 (GA4) to provide marketers with more insightful measurement tools and a consistent view of conversions across Google Ads and Analytics.

The update, which is being rolled out today, includes the following changes:

  • Introduces ‘key events’ to replace conversions in behavioral analytics.
  • Aligns the definition of conversions between Google Ads and Analytics.
  • Brings cross-channel conversion reporting to the Advertising workspace in GA4.

The changes address long-standing discrepancies in conversion reporting that have frustrated marketers.

GA4 and Google Ads users don’t need to take any action, as the changes will be implemented automatically.

Key Events Replace Conversions In Behavioral Analytics

One of the significant changes in this update is the introduction of key events in GA4.

Key events will replace what currently exists as conversions for behavioral analytics.

As Ginny Marvin, Google’s Ads Liaison, explains on Twitter:

“Key events indicate the events that are important to your business for behavioral measurement purposes. Conversions in the report and explore modules will become key events and retain the exact same measurement capabilities as the legacy conversion concept.”

Consistent Conversions Reporting Across Google Ads & Analytics

With this update, conversions will be defined consistently across Google Ads and Analytics, providing marketers with a unified view of their advertising performance.

In a blog post, Google states:

“In this improved, more unified experience, we are addressing the differences in conversions reporting that marketers have experienced across Google Ads and Analytics, a long-standing request that we are happy to have resolved for our customers.”

Cross-Channel Conversion Reporting In The Advertising Workspace

The update brings new cross-channel conversion reporting beyond Google Ads to the Advertising workspace in GA4.

Marvin advises advertisers to “consider the Advertising section your hub for Ads conversion performance reporting.”

This change will give marketers a clear view of performance where it matters most.

Privacy-First Solutions

GA4 will soon support the Chrome Privacy Sandbox’s Protected Audience API, allowing marketers to continue reaching their audiences without third-party cookies.

Additionally, Google has recently increased support for enhanced conversions in GA4. This supplements existing conversion tags with hashed, consented first-party user-provided data for more accurate performance measurement.

Enhanced conversions can now be seamlessly sent from GA4 to Google Ads, making it easier for advertisers to get started.

No Action Required For GA4 & Google Ads Users

According to Marvin, GA4 and Google Ads users do not need to take any action in response to this update.

She explains:

“Legacy conversions will be changed to key events automatically and any conversions shared with Google Ads will be labeled as conversions and reported on in the Advertising section.”

In Summary

The updates aim to provide marketers with more accurate, actionable insights while evolving GA4 to align with the industry shift towards increased privacy.

Marketers should find reporting more consistent across Google’s ads and analytics products moving forward.


FAQ

How will the introduction of ‘key events’ affect the current conversion tracking in GA4?

The introduction of ‘key events’ in GA4 is set to replace the traditional conversion tracking in behavioral analytics. This update will:

  • Formalize critical events to a business’s analytics as ‘key events.’
  • Retain the same measurement capabilities as the legacy conversion tracking method.
  • Align the behavioral analytics more closely with user interactions that matter most to marketers.

What benefits does the unified conversion reporting offer marketers using Google Ads and Analytics?

The unified conversion reporting across Google Ads and Analytics offers several benefits, including:

  • A consistent definition of conversions across the two platforms simplifies analysis.
  • The ability to view cross-channel conversion reporting within the Advertising workspace of GA4.
  • Improved accuracy in reporting and a clearer understanding of advertising performance.

Can you explain the significance of the enhanced support for privacy-first solutions in GA4?

GA4’s enhanced support for privacy-first solutions is significant for several reasons:

  • It helps marketers adapt to a cookie-less future and comply with privacy regulations.
  • Includes support for Chrome Privacy Sandbox APIs, maintaining audience reach without relying on third-party cookies.
  • Improved accuracy in conversion measurement through enhanced conversions, which utilize hashed, consented first-party data.