Real World Blackhat SEO and What You Need to Know
BlackHat SEO is the process by which you manipulate elements on a website that you believe, or were told, can actually affect your positions with search engine rankings like Google. This is also known as SEO, Search Engine Optimisation, GreyHat, and yes…WhiteHat. I’ve always tried to deliver information that Affiliates and Operators could put to use, rather than twist it in a ‘why they should hire me to do it?’ way. I’ve been heavily criticized for authoring many articles and conference sessions on many of these techniques.
Do I teach how to hack a WordPress site? No. But can we? You better believe it! Want to know how to run a constant DDOS attack or get a website de-indexed? I wouldn’t go that far because there’s always that one nefarious individual who’ll use it against you, and I talk about it so openly. This approach I’ve adopted has obviously given critics reasons to complain.
I have two problems with this criticism: firstly, I started as an Affiliate 20 years ago, so I understand how difficult it can be. Knowing what the competitors may be doing to hurt your income and having the ability to protect yourself should be a no-brainer. If you know what they’re doing or may do in the future, you can protect yourself and be proactive about it. I’d rather have it and not need it than need it and not have it.
Secondly, I do the work for the big guys and Affiliates do the work themselves. I can do this because typically, the giants have a ‘no brand-bidding clause’ in their Affiliate agreement. This doesn’t mean your competition/fellow affiliate isn’t targeting your website. It also doesn’t mean I can’t monitor new domain purchases and scoop your .net and .org or a ccTLD and hold you hostage or rank better than you for your brand and become an Affiliate.
Anything that increases rankings essentially qualifies for BlackHat status. When I write about BlackHat techniques I’m not referring to DDOS attacks, Spoofing or Trojan viruses. I’m referring to the type of rank manipulation,or BlackHat, that anyone can do: a competitor, an upset client or an ex-employee you fired.
The Real World Blackhat Effect
According to a Harvard University study, a single review on Yelp can affect your yearly income by 10%. Another showed that 80% of all online shoppers did their homework online, regardless of whether they actually bought it online or in the brick-and-mortar or offline store. One of the most seemingly “clean” dating sites, eHarmony has almost 2000 negative reviews on Yelp alone. Are the other hundreds of dating sites they compete against doing aggressive BlackHat or is eHarmony actually doing something to cause these? There are many causes, ranging from auto-pay issues to fake profiles. Every dating site has them. It’s inherent. Similar to cheats in online gambling, or Amazon con games that give step-by-step instructions for the Dark Net.
Websites like BlackHatWorld.com and fiverr.com can be used for this and many other services that can hurt your websites rankings and reputation. As an SEO Company that specializes in Reputation Management, we’ve seen these tactics becoming more common and successful. You can either be proactive or reactive. Guess which one is much more expensive? The most popular tactics which manipulate review websites are lesser used tactics (although very effective), like subdomain and subdirectory attacks. I mainly deal with Dating and Casino sites and trust me, there’s no-one more motivated than someone with a broken heart or empty wallet. These people are relentless and will stop at nothing to feel vindicated.
Apart from such types of negative content, your competitor is accountable for the other 40%, and will likely not surrender, unless they can afford a hundred dollars or so per month. Then there’s the issue of combating these attacks when (not if!), they happen. Moreover, there’s the matter of how the right prevention tactics can protect your websites – a well worth it to the investment.
Brand-Bashing Still Works
In certain cases, the internet is a useful consumer tool that puts us in the driver’s seat. As an Affiliate you have competition, as an Operator you have competition and Affiliates to contend with. You’re tasked with dominating the top 10-20 or become a part of that 10% statistic. Reduce your traffic and revenue by 10%, then factor that into a lifetime value… Many companies spend money for CRM and Social Media, yet spend nothing on proactive Brand Protection or reactive Reputation Management. In many cases, they have absolutely zero Engagement as well. Most Brand-Bashing is a result of an unhappy customer that can be made happy.
The following is a list of realistic costs associated with negative content:
Payroll – what it costs to be reactive and pay staff to handle negative sentiment rather than spend their valuable time proactively creating positive sentiment and a game plan for engagement and retention.
Payoffs – many clients have elected to offer a payoff or return what this person spent. It’s just the cheapest and quickest way out in some costly circumstances. This is especially true for instances where we’re in the wrong.
Repeat Offenders – They did it once. Who says they can’t create a new Gmail account and repeat whatever they did before and hold you hostage again? However, this time, you have to pay in Bitcoin so you can’t track them and know it’s the same person. Rinse. Repeat.
DMCA – Digital Millennium Copyright Act – 1996 saw this ‘Supermarket Turtle’ rear its head in, ready for action. It can protect you against some of these negative tactics, but besides the average 2 months it takes to get it removed, there’s also the time and money it takes to enforce it by your staff.
Legal – The last and most expensive result. Most of the guys using Real World BlackHat know that a ‘Lawyer Letter’ means nothing. At best, it means they got your attention and are even more motivated. In the worst cases, it could even mean litigation or case filing costs.
And drumroll please….the top reason why being reactive rather than proactive is so expensive?
The Real Estate. Remember the 10% rule; One negative review in the top 10 results = 10% less revenue. Over time this will snowball and then you get two pages/websites at the top 10, then three. It’s all about protecting your real estate.
Besides the obvious places, negative content can end up in search results on such sites like Facebook Pages, Google+ and many other Social Media websites, there are a dozen other techniques anyone can implement. They can learn how to do it themselves on YouTube or they can pay someone to do it for them.
Below are the most common techniques used to steal your real estate:
Subdomain Hijacking/Injection – Imagine a well-ranked site that targets your niche, then add a subdomain. Later, host it on a server in your target geographic region and start building links on some of your other sites using your brand as anchor text, or not. You’ll rank top 10 for your brand or website. An even more seriously nasty tactic that is used along with the next one (WordPress Hacking) is when these guys find a WP security hole and exploit 100k sites running WP or a certain plugin, and then through this newly created back-end access, they add a hidden page the website owner never sees, but the Search Engine Spiders can see.
WordPress Hacking – Probably one of the easiest things to learn in terms of ‘actual’ hacking and can be found all over YouTube. Every time a WordPress update or one of the 15 ‘really cool’ plugins that enhance your site, appears, leaves a gaping hole. Take the easily obtained code and place it alongside the code of the old plugin. Note the differences and employ a good WP guy to find a vulnerability. From here, you can get into the site and change or delete pages, add a no-index command and get completely purged from search results.
Subdirectory Hijacking – There are dozens of people that are the equivalent of website hitmen, and they’re more than willing to sell their services. One of them can take a 50,000 website-strong network and inject 50,000 pages of scraped and scrambled content, putting your brand/website on a new optimized subdirectory page on their websites. No link, just your brand/website in the content and the URL.
Negative Link Buys – Everyone knows you can buy good links, but you can also buy bad links. Alternatively, you can use SEOMoz or Ahrefs and get a trust rank comparison and just choose the de-indexed, penalized or porn sites to post a link to you or the ranking page you have in the search results that you want gone.
Hate-Site Creation – Anyone can buy a domain (with or without your brand/website in the URL), host it and have a WordPress theme installed for under $50. Done correctly, this site can rank for your brand/keyword/domain, especially if you don’t have other pages in this real estate that outperform this new hate-site.
Startup Hijacking – So you spend your time and money obtaining all that’s required to get an Operators license and open a casino, or you’re an Affiliate that is going to market your site that reviews one of these niches. You can use one of the many free tools available to target keywords. DomainTools will email you whenever someone buys a domain with one of these keywords in the URL. Someone sets up a domain sniper that will automatically buy these domains for a few dollars. Now that person owns YourWebsite.net/.org/.co.
Automated Tools and BlackHat Networks – Remember it’s not always about a competitor trying to steal your real estate, it’s also about the haters that will inevitably wish to harm or steal your traffic. ScrapeBox, XRumer and SENuke are just a few of the tools meant for something other than BlackHat techniques when they were created, but they are widely used by the ‘guy next door’ that doesn’t know a thing about coding or hacking.
Review Websites – Sites like SiteJabber and TrustPilot are showing up in the top 20 results for almost every brand/ website search that has a review posted. They carry a lot of trust with Google and the other search engines. For a hefty and ongoing price, you can have some control over what’s posted about you, but again, the time and cost factors need to be considered in the overall business equation. Add to this to the powerhouse presence Social Media has become and the real estate thins significantly.
The Defense – Fortunately, most of these tactics can be proactively prevented from happening.
Subdomain Hijacking/Injection – Probably one of the worst and easiest methods because the only defense you have against this is reaction rather than prevention. Once you’ve been hit, the only way to fix it is by contacting each website via email or WhoIs Webmaster/Admin details and notify them of the page so they take it down. Usually, telling them it’s a scrambled/ spun mess of non-relevant content will motivate them to remove it. In some cases, there’s no one to do it. They paid a friend of a friend to install a WordPress site and it is still running an antiquated version of WordPress, the theme or a plugin. This means you may have to take the DMCA route through Google. But not updating it will just invite another attack.
WordPress Hacking – Personally I avoid WP whenever possible. Primarily because it can slow sites down for several reasons like running cache on them or code-heavy plugins, but also because it creates a need for additional security measures that cost money, and also constant updating that’s required depending on the number of plugins you have.
Subdirectory Hijacking – This can happen on a private network of their own, or on lots of sites running WordPress but not updating them or installing SiteLock or taking other security measures. But again, the only way to fix it is by contacting each website owner via email or WhoIs Webmaster/Admin details, and notifying them of the page so they remove it.
Negative Link Buys – Run a tool that analyses your backlinks once a week. SEOMoz, LinkAssistant and Ahrefs are among a few that can do a comparative analysis and identify the spammy links. Create a disavow file. This states you don’t approve the link. Be sure to disavow at the domain level to prevent future attacks and be careful when selecting links, because you can hurt your site if you’re lazy and don’t do the research.
Hate-Site Creation – These can get very serious because anyone can create them with little or no knowledge. If they find a few people that feel the same as they do then online sentiment starts to kick in and you get the ‘snowball effect’. It may not rank now, but let it get a few good backlinks and it comes out of nowhere. We’ve seen this time and time again. Remember, broken hearts and empty wallets are a big motivator – in some cases they replace searching for a date or a gambling habit.
Startup Hijacking – This one is easy. Someone buys the.org and .net domains for a few dollars, creates typepad or other simple site immediately. Add an RSS feed if you’re lazy or add content to the primary domain and forward the others. Do a few social bookmarks and manually submit it through Google Search Console to get it indexed and you’re good to go.
Automated Tools and BlackHat Networks – Because of the sheer number of tools and techniques widely available to the people looking for them, these networks and tools they use are constantly evolving. If you aren’t budgeting at least the same amount you do for CRM and legal networks/staff on Reputation Management and a proactive plan to defend your property, then you need to run the numbers and see for yourself why this is an essential part of your overall strategy.
Review Websites – I despise these sites. I despise them like I despise decaffeinated coffee and people who give me road rage. But alas, these are some things I cannot change. The difference is, that I can’t add caffeine to my coffee, or ask the turtle in front of me to move it along…calmly, but I can defend my rank status on most review sites. You must be prepared and have your Social Media and CRM people working together with your Rep Management people to proactively reduce your risk and exposure.
We use it for data analysis. And did I say it’s free forever? It’s software called WebGenius. It monitors a brand, website or even your name. Where most tools fall short is that they only use Google’s API. If the negative content is on a de-indexed page, you’ll never know about it. It still counts as negative sentiment and potential risk. Or maybe it gets re-indexed and suddenly appears. This tool covers all Search Engines, data centers, forums, blogs and 2-3 tiers deeper than the tools currently available. And they cost money! Negative content poses a potential threat. Create positive sentiment, engage with your client, and rule Social Media for your site or brand. This is how to protect yourself against Real World BlackHat.
Author: Gary R Beal, MD, Vanguard Online Media