In This Issue:
SEO & Search News
Google Algorithm Updates
The past week has been relatively quiet on the Google Algorithm Update front, although the volatility is higher than the typical volatility seen during the second half of December.
There was a spike in volatility in the SERPs around the 20th January, but I did not see much chatter about this. Personally, I saw a decent uptick in traffic around this time, but it was shortlived.
You can see the latest SERP volatility chart below:
You can find details of all past Google Updates here, including a discussion of the January 9th update that I covered in my previous edition of the Webmaster Newsletter two weeks ago.
Disavowing Links is not dead… Yet!
In a recent Google Hangout, John Mueller was asked a question related to whether you should disavow medium quality links that are not ultra spammy. In particular, he was asked “Let’s say they didn’t get a manual action. Can those links hurt them algorithmically?”
John Mueller replied:
That can definitely be the case. It’s something where, our algorithms, when they look at it, if they say, Oh, there are a bunch of really bad links here, then, maybe they’ll be a little bit more cautious in regards to links in general for the website. So if you clean that up, then the algorithms look at it and say, Oh, it’s ok. It’s not bad.
You only want to really disavow they very worst of the links. If your site is performing well, then I would not use the disavow tool at all. If you previously built some spammy links, suffered from negative SEO, or if your site is performing poorly, you may want to consider doing a backlink audit and disavowing the worst of the links.
I personally recommend the SEMrush backlink audit. You can link your Search Console backlink data, and Majestic to get good coverage of your backlinks. The SEMrush backlink audit tool is very good, and you can filter your backlinks based on various criteria, such as deindexed domains, or link networks.
You can see a screenshot of my own backlink audit below:
If you want to give it a try, you can sign up to SEMrush with a 7-day free trial here.
Just remember to use the disavow with care. In many cases, Google is able to just ignore spammy links, and removing links via the Disavow file risks removing good links. If you do find your rankings drop after disavowing, then you can just remove the “less shady links” from the disavow file and resubmit.
Most webmasters will not need to disavow. I only use a disavow file due to prior negative SEO, and even then I was very selective about the links I disavowed.
Google now showing Featured Snippets from PDF files
On January 16, 2019, Kevin Indig posted a screenshot of a search result where the PDF content has been used for the featured snippet.
You can see a screenshot below:
Google has been indexing PDF files since at least 2011. Google can crawl PDF’s, follow links in them, and generally index the content (apart from images). PDF’s can even rank as high as web pages.
I wrote in detail about the indexation of PDFs (including about the featured snippets) here.
Most features in the old Search Console to be removed by the end of March 2019
In a recent blog post, Google has set out what features and changes are likely to be seen in the Search Console by the end of March 2019.
Here is a summary of the main changes:
|What's being removed in the Old Search Console||What to use now in the New Search Console|
|Crawl errors report and API||Index Coverage report |
|Old Sitemaps report||New Sitemaps report |
|Fetch as Google||URL inspection tool |
|User-management||Settings section of the new Search Console|
|Structured data dashboard||Replaced with multiple new reports. |
|Property Sets||No Replacement|
|HTML suggestions||No Replacement|
|Android Apps features||No Replacement. Most features are now in Firebase.|
|Blocked resources report||No replacement. Use URL inspection tool.|
 - Google will remove the list of crawl errors. It will change the focus to highlighting only the issues that site owners need to fix. When issues are fixed, site owners can now request the errors to be revalidated, decreasing the time it takes to reprocess the changes.
 - Google is aiming to bring the remainder of the information from the old report into the new report, specifically for images and video.
 - New reports have been added, including Jobs, Recipes, Events, and Q&A. Other Structured Data types that are not supported with Rich Results features will be removed.
Google: You focus too much on Backlinks
John Mueller has been hinting that people should focus more on content (implied) than backlinks:
You focus too much on backlinks :)— 🍌 John 🍌 (@JohnMu) January 22, 2019
You focus too much on links, imo -- I'm glad that we use 100s of factors in our crawling, indexing, and ranking algorithms.— 🍌 John 🍌 (@JohnMu) January 22, 2019
This makes sense. Create great content, and the links will come, right? (Hint: They do.)
Google is aware of when Domains change ownership
In a question on the Webmaster Central Help Forum, a user asks whether redirecting a domain using 301 redirects to a legitimate domain will have an effect on the reputation of the new domain.
Aaseesh, Webmaster Trends Analyst at Google, replied saying that:
Google understands when domains change ownership so it won’t necessarily rank for the queries it used to rank pre change of ownership. So if the sole purpose of buying a domain is to get search traffic from the old domain, I would suggest against doing so since there’s no benefit.
Gary Illyes, Webmaster Trends Analyst, confirmed in July 2016 that 301 redirects no longer lose PageRank:
30x redirects don't lose PageRank anymore.— Gary "鯨理／경리" Illyes (@methode) July 26, 2016
However, if you redirect your penalty ridden site to a new domain, then the penalty may flow to the new domain because of the redirects.
From a negative SEO perspective, John Mueller has already gone on record saying they usually catch those instances whether a competitor redirects a penalty hit site to yours.
There is no time limit for algorithm changes to take effect
John Mueller, Webmaster Trends Analyst at Google, responded to a user on Twitter asking how long it takes to get out of an algorithmic penalty:
There is no fixed timeframe for algorithmic changes to take effect, past the need to recrawl & reprocess pages from the site. In general, these are not penalties, so instead of just waiting, I’d recommend getting objective input from peers early on, eg by posting in a forum.
In other words, recovering from an algorithmic penalty should be relatively quick. If you guess a site move can take around 3 months or so to process, I would imagine you are looking at a minimum of a few months.
Naturally, this assumes you have carried out all the necessary tasks to recover from the algorithmic penalty. John Mueller suggests many webmasters may be under a mistaken impression here, and that a peer review is sometimes helpful.
I recommend posting in the Google Webmaster Central Help Forum. John Mueller is even known to provide feedback there on occasion.
Google tells some Ad customers that it will start optimizing their campaigns
There is an interesting article in Search Engine Land which reports that Google has sent out notices saying that it will start optimizing campaigns unless users opt out, seven days after a user receives an email.
Aaron Levy, director of PPC at Elite SEM, tweeted a copy of the email.
In a response to Search Engine Land, Google said:
Our sales teams are always looking for ways to help customers get the best results from Google Ads. We are rolling out a pilot program that we believe will help businesses optimize their accounts. As always, we build customer feedback into the final product. Customers are in full control of the account and can accept or reject recommendations as they desire.
One of the key points made is that customers are still responsible for their accounts, and can either accept or reject the recommendations. Aaron Levy also posted a copy of the disclaimer, which says:
You can review or edit this change anytime by visiting your Google Ads account. Google doesn’t guarantee or promise any particular results from implementing these changes, including impact on your campaign performance or spend. Make sure you monitor your account regularly so you udnerstand what’s happening and can make campaign adjustments.
Is it just me, or does this sound like a terrible idea?
Web Development News
WordPress.com to build a publishing platform for news organizations
WordPress has announced plans to develop a next-generation publishing platform, Newspack by WordPress.com. The new platform is expected to launch near the end of July 2019.
Here is what WordPress had to say about why they are launching the new project:
With many local news organizations struggling to find sustainable models for journalism, we’re seeing a need for an inexpensive platform that provides the technology and support that lets news organizations build their businesses and focus on what they do best — providing critical reporting for their communities.
Our hope with Newspack is to give them a platform where they can continue to focus on what they do best, while we focus on providing world-class technology and support across their editorial and business operations.
Some of the features expected include:
- Gutenberg support (Blocks)
- Email integration for both marketing, and editorial
- Programmatic ad integration
- Real-time backups
- Revenue generating tools for subscriptions and e-commerce
NewsPack is currently inviting small and medium-sized digital news organizations, including local, single topic, and general interest, to apply to be charter participants in the development of the platform.
While there are no charges during the development of the platform, there will be a fee after the launch of between $1000 and $2000 per month. If you are interested, you can apply here.
Google Chrome changes could ‘destroy’ ad-blockers
In a document posted to a key discussion list for Chrome), Google said it wanted to restrict Origin Access, so that host permissions are granted at runtime, rather than install-time. Origin Access permissions are used to determine the sites an extension can interact with and will affect many APIs, script injection, cookies and more.
This will affect a large number of extensions, including Ad Blocking (For example, UBlock and Ghostery), Accessibility Extensions, and other website enhancement extensions.
A statement by ad-blocking developer Ghostery, given to Gizmodo, said:
This would basically mean that Google is destroying ad blocking and privacy protection as we know it.
They pretend to do this for the sake of privacy and browser performance, however in reality, users would be left with only very limited ways to prevent third parties from intercepting their surfing behavior or to get rid of unwanted content.
Gutenberg Phase 2 to Update Core Widgets to Blocks, Classic Widget in Development
There are more changes afoot in the WordPress ecosystem.
WordPress plans to change Widgets to Blocks sometime in 2019. There will also be a classic Widget block to deal with third-party widgets that haven’t yet converted to blocks.
I recommend watching Matt Mullenweg at State of the Word 2018 where he talks in detail about blocks. You can view the video at the recommended time below:
You can find a more detailed discussion on the proposed changes at WPTavern.
Former employee hacks WPML WordPress plugin. Sends email to all users warning of vulnerabilities.
On January 19, 2019, the popular WorldPress Multilingual Plugin (WPML) was hacked by an ex-employee who retained access to WPML via a back door.
The ex-employee then sent out an email to every user warning of several vulnerabilities and adised them no to store any personal or otherwise sensitive data in the database.
WPML responded on Twitter on January 20th:
We’re very sorry to report that our WEBSITE got hacked. Looks like an ex-employee backdoor. There is NO exploit in the WPML plugin we doublechecked. Payment information was NOT compromised as we don’t store this information. We strongly advise changing your WPML account password.
On January 21, 2019, relaunched their rebuilt WPML.org site (following it being defaced with the same message contained in the email), and again advised everyone using the plugin to change their password:
We finished rebuilding our https://t.co/PNgrXNs87B site after it was hacked this weekend. Please, be sure to update your WPML account password and use a secure one. Again, the plugin was not compromised. Thanks for all the support messages and apologies for the whole situation.— WPML (@wpml) January 21, 2019
WordPress to show warnings on servers running outdated PHP versions
WordPress will now show a warning in the admin panel if your web hosting server is running an outdated version of PHP.
WordPress currently supports PHP versions going back to 5.2.4, but will now be showing a warning to users for PHP5 5.5 and below. The warning contains a link to a help article with further information on how site owners can update their PHP Version, and what to do before you update (i.e., make backups, check themes and plugins for compatibility using the PHP Compatibility Checker plugin).
You can see a screenshot of the warning below (via ZNet):
It is interesting that WordPress is not encouraging its users to upgrade to a more modern version.
Currently, only PHP 7.1 and above are still receiving security fixes. Anyone who is using PHP 7.0 and below may be subject to unpatched security vulnerabilities. Even PHP 7.1 will be marked the end of life in December 2019, as the following chart shows:
Bob Ross Doing the Floss in Pure CSS
Now for something a little more fun.
I came across an awesome pure CSS Bob Ross doing the Floss, created by Steve Gardner. The Floss has been around for a while, but came to prominence in the popular game Fortnite. Pretty cool, right?
Feel free to click the HTML and SCSS tabs to see the code.
Web Hosting News
World’s largest web hosting companies hit by security fears
DreamHost, HostGator, OVH, iPage, and Bluehost are among the many web hosting companies that are affected by security flaws that may put millions of users at risk, according to a Paulos Yibelo, a security researcher, who has recently disclosed dozens of bugs:
All five had at least one serious vulnerability allowing a user account hijack
Paulos Yibelo set out in detail the various vulnerabilities in a detailed post. I have summarized a few of the attack vectors below:
- DreamHost - In a similar method to BlueHost, DreamHost was vulnerable to a cross-site scripting (XSS) attack. Again, allowing the attacker to replace the email, and reset the account password.
- Hostgator - Again, a similar CSRF flaw allowed an attacker to trick cross-site script countermeasures from running allowing an attacker to modify the email address and reset the password.
- iPage - This was a unique attack vector, in that the attacker could craft a web address allowing them to reset the account password to one chosen by the attacked. No existing or current password was required, making it a very simple, yet effective, attack.
- OVH - OVH had a couple of vulnerabilities. Again, they were vulnerable to a CSRF attack, but also their API was vulnerable allowing important data to be read.
If I have learned anything from these attacks, it is to make sure to log out of important online accounts as soon as possible, and definitely before browsing other sites on the web, or clicking any links on Social Media or emails. I am pretty sure these are not the only companies to be vulnerable to attacks of this nature.
All of the companies (except OVH) have now fixed the vulnerabilities.
We currently have a fix in production that should prevent leveraging CSRF from our old panel.dreamhost.com/id/ submit forms and are making efforts to increase security and sanitize inputs across the rest of our endpoints.
EIG (owner of Bluehost, iPage, and Hostgator) commented:
I wanted to… let you know that after an internal analysis of the vulnerabilities you shared, we’ve taken steps to address and patch the potential vulnerabilities you identified.
In Episode 1 of this Newsletter, I reported how Igor Kromin discovered that GoDaddy was injecting a script to provide Real User Metrics (RUM). GoDaddy acknowledged in a help article that there is a chance some customers might experience issues or slower site performance as a result.
Following an outcry, GoDaddy confirmed that they were no longer automatically opting users into RUM. Here is their full response (via zdnet):
We only collect performance data, nothing more. We don’t collect personal information. The data we collect is used to monitor our internal systems, optimize DNS resolution, improve network routing and server configurations, and help us improve the performance of our customers’ websites.
Domino’s Pizza: A landmark case for Web Accessibility
An important legal case in the US has forced Domino’s Pizzas to make their App and Website fully accessible to blind users.
The court case followed a complaint by a blind customer who had struggled to change toppings, use vouchers, and complete a purchase via Domino’s iPhone app. He argued that this was in breach of the Americans with Disabilities Act 1990, which makes it unlawful for businesses to deny people with disabilities access to their goods and services unless it would cause “undue burden” to the business.
Despite losing the case in Federal Court in 2017, a three-judge appeals panel reversed that decision, finding in favor of the complainant.
One of the easiest ways to be compliant is to use an accessibility compliant framework such as Bootstrap or Foundation. There are many other accessible frameworks, but these are a couple of the most popular examples.
The easiest way to test for accessibility of your web pages is to use Google’s own tool at web.dev. You can see the relevant part of the report for The Webmaster below:
Jonathan Griffin Editor, SEO Consultant, & Developer.
Jonathan Griffin is The Webmaster's Editor & CEO, managing day-to-day editorial operations across all our publications. Jonathan writes about Development, Hosting, and SEO topics for The Webmaster and The Search Review with more than nine years of experience. Jonathan also manages his own SEO consultancy, offering SEO developer services. He is an expert on site-structure, strategy, Schema, AMP, and technical SEO. You can find Jonathan on Twitter as @thewebmastercom.