Google warning: is your site abused through redirects?

April 4, 2009 by admin 

Google recently wrote in one of its official blogs that it is possible for spammers to take advantage of your website without ever setting a virtual foot in your server. Spammers can do this by abusing open redirects.

What are open redirects?

Many websites use links that redirect their website visitors to another page. Some redirects are left open to any arbitrary destination. These redirects can be abused by spammers to trick web surfers and search engines into following links that seem to be pointing to your website although they redirect to a spammy website.

That means that people who think that they visit your website will be redirected to highly questionable web pages that might contain adult content, viruses, malware or phishing attempts.

Which redirects on your website could be abused?

Spammers are very inventive. According to Google, they have managed to use the redirect spam on a wide range of websites, including the websites of large well-known companies and the websites of small local government agencies.

For example, the following redirection types can be abused:

  1. Scripts that redirect users to a file on the server can be abused by spammers. The links on your website could look like this:

    http://www.example.com/download.php?url=http://www…

    http://www.example.com/get/pdf/?http://www…

  2. Site search result pages with automatic redirect options. If the result pages of your internal site search feature contain a URL variable that sends your website visitors to other pages, spammers might be able to exploit them:

    http://www.example.com/search?q=keyword&page=1&url=…

  3. Affiliate tracking links. Affiliate tracking links often allow people to direct website visitors to other pages. Spammers might enter their own URLs in the tracking links. Example:

    http://www.example.com/track.php?affid=123&url=…

  4. Proxy pages. Proxy sites send people through to other websites and they can be abused by spammers:

    http://myproxy.example.com/?url…

  5. Interstitial pages. Some websites show an interstitial page when users leave a website to let users know that the information found on the link is not under their control. These URLs usually look like this:

    http://www.example.com/redirect/http://www…

    http://www.example.com/out?http://www…

    http://www.example.com/cgi-bin/redirect.cgi?http://www…

How to find out if your website is abused

Even if you find none of the URLs above on your website, your site still may have open redirects. Do the following to check if your website is abused by spammers:

  1. Make a site search on Google

    Go to Google.com and search for “site:yourdomain.com”. Replace yourdomain.com with your own domain name. If you see web pages that have nothing to do with your website then it’s likely that someone exploits a security hole on your website.

  2. Check your web server logs for URL parameters like “=http:” or “=//”. If your redirection URLs get a lot of traffic, this could also be caused by spammers.
  3. If you get user complaints about content or malware that you know cannot be found on your website then your website users might have seen your URL before they were redirected to the malware site.
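
The log check from step 2, as an added example that is not part of the original article. It goes slightly beyond "=http:" and "=//" by also matching the "?http:" and "/http:" forms listed earlier and by decoding percent-encoded targets. The host names in OWN_HOSTS and the log lines are constructed sample values.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: the host names that legitimately belong to your site.
OWN_HOSTS = {"example.com", "www.example.com"}

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# "=http:", "?http:", "/http:" (also https), or a protocol-relative "=//", "?//".
TARGET_RE = re.compile(r'(?:[=?/]https?:|[=?])//([^/?#&\s]+)', re.I)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2009:10:01:22 +0000] "GET /download.php?url=http://spam.example.net/pills HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Apr/2009:10:01:40 +0000] "GET /download.php?url=http%3A%2F%2Fspam.example.net%2Fwin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Apr/2009:10:02:03 +0000] "GET /track.php?affid=123&url=//phish.example.org/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [04/Apr/2009:10:02:10 +0000] "GET /out?http://www.example.com/about HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0"
192.0.2.15 - - [04/Apr/2009:10:02:31 +0000] "GET /search?q=keyword&page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()


def find_redirect_abuse(lines, own_hosts=OWN_HOSTS):
    """Count requests whose URL carries an off-site redirect target."""
    hits = Counter()
    for line in lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        target = unquote(req.group(1))  # the target URL may be percent-encoded
        for m in TARGET_RE.finditer(target):
            # Drop userinfo and port so "user@host:port" is judged by its host.
            host = m.group(1).rsplit("@", 1)[-1].split(":")[0].lower()
            if host not in own_hosts:
                # Key: the redirect endpoint (text before the target) and the host.
                hits[(target[:m.start()], host)] += 1
    return hits


if __name__ == "__main__":
    for (endpoint, host), n in find_redirect_abuse(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {endpoint}  ->  {host}")
```

Endpoints that appear here with many different external hosts are the ones to lock down first.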

What you can do to protect your website

It’s not easy to make sure that your redirects aren’t exploited. The reason for that is that an open redirect is not a bug or a security flaw. There are some things that you can do to protect your website:

  1. Check the referrer. Your redirect scripts should only work if they are accessed from another web page of your website. The redirect script should not work if the user accesses the script directly or from a search engine.
  2. If possible, make sure that the script can only redirect to web pages and files that are on your own websites. You could use a whitelist of allowed destination domains.
  3. Use the robots.txt file of your website to exclude search engines from the redirect scripts on your website. That will make your website less attractive for hackers.
  4. Add a signature or a checksum to your redirect links so that only you can use the script.
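
One way to combine steps 2 and 4, as an added example that is not part of the original article: the redirect is followed only if the link carries a valid HMAC signature and the destination host is on a whitelist. The /redirect path, the url and sig parameter names, the key and the host names are all assumptions made for this sketch.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a random secret stored on the server, never sent to the browser.
SECRET_KEY = b"replace-with-a-random-server-side-secret"
# Assumption: the only hosts this site ever needs to redirect to.
ALLOWED_HOSTS = {"www.example.com", "downloads.example.com"}


def sign(url: str) -> str:
    """HMAC-SHA256 over the destination; only the key holder can compute it."""
    return hmac.new(SECRET_KEY, url.encode(), hashlib.sha256).hexdigest()


def make_redirect_link(dest: str) -> str:
    """Build the link your own pages embed (hypothetical /redirect endpoint)."""
    return "/redirect?" + urlencode({"url": dest, "sig": sign(dest)})


def is_allowed_host(dest: str) -> bool:
    """Step 2: absolute http(s) URL whose host is on the whitelist."""
    try:
        parts = urlsplit(dest)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    # .hostname ignores userinfo and port, so "good@other-host" is judged by other-host.
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def resolve_redirect(query_string: str, fallback: str = "/") -> str:
    """Return the Location to send: the destination if valid, else the fallback."""
    params = parse_qs(query_string)
    dest = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    # Step 4: constant-time comparison; any edit to url invalidates sig.
    if not hmac.compare_digest(sign(dest).encode(), sig.encode()):
        return fallback
    if not is_allowed_host(dest):
        return fallback
    return dest
```

Either check stops a spammer who swaps in a different url value; using both means a leaked signing key or an overly broad whitelist entry alone does not reopen the redirect.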

Open redirect abuse is a big issue for Google right now. If you secure your scripts, spammers will move over to other websites and leave your website alone.

How the bounce rate of your website can affect your Google rankings

January 18, 2009 by admin 

Does Google use the bounce rate of a web page to specify the position of that page in the search results? What does this mean for your website rankings and what can you do to get a better bounce rate?

What is the bounce rate?

There are two definitions: the bounce rate of your website is the percentage of visitors who see just one page of your website or the percentage of visitors who stay on your site for a small amount of time (only a few seconds).

The bounce rate helps you to measure the quality of traffic that your website gets and it also helps you to find out where your web pages could be improved.

Google’s definition of the bounce rate

The Google Analytics documentation defines the bounce rate as follows:

“Bounce rate is the percentage of single-page visits (i.e. visits in which the person left your site from the entrance page). Bounce rate is a measure of visit quality and a high bounce rate generally indicates that site entrance (landing) pages aren’t relevant to your visitors.”

This Google definition already indicates that Google thinks that web pages with a high bounce rate aren’t relevant to website visitors. If your web pages have a high bounce rate for a search term, Google might lower the rankings of your website for that search term.

Does Google use the bounce rate as a ranking factor?

Google has the ability to collect the bounce rate with the Google toolbar and Google Analytics. In addition, Google can measure the time between visits to their search engine by the same user and they can use the Google Chrome browser to measure the complete surfing behavior of users.

Last month, a webmaster performed a test that showed a significant ranking change as a result of a significant bounce rate change. The test is not very conclusive but chances are that Google really uses the bounce rate as a ranking factor.

The bounce rate alone might not be used by Google but combined with other factors, it could have an effect on the rankings. For example, Google could measure how many people start a new search for the same topic after visiting your web page. That would be an indicator that your website is not suitable for the chosen keyword.

What can you do to lower the bounce rate of your web pages?

A high bounce rate is usually a sign of a low quality web page. This means that your web page either doesn’t offer what the visitor is searching for or the usability of your web page isn’t good.

If you improved the contents and the usability of your web pages, you might lower your bounce rate from 75% to 65%. This would lead to a remarkable 40% increase in conversions (35 out of 100 visitors now stay on your website instead of 25 out of 100 visitors).

In addition to improving the usability of your web pages, you can lower your bounce rate by tailoring your landing pages to the keywords and ads that you run. If your landing pages offer the information that the searchers are looking for then you will get a lower bounce rate.

Lowering the bounce rate of your web pages has two major benefits: it’s likely that you will get more visitors from search engines and you will get a higher conversion rate. The only exceptions to the scenario above are one page websites and web pages that offer very compelling content on a single web page (for example Wikipedia pages).

Search engines use many more ranking factors than just the bounce rate. If you want to get high rankings on Google and other search engines, you should make sure that your web pages offer all elements that are necessary to get high rankings.