What It Is & How It Works
Canonicalization is the process that search engines use to determine the main version of a page. That is the page that will be indexed and shown to users. The chosen version is canonical, and ranking signals like links will consolidate to that page. This process is sometimes referred to as standardization or normalization.

According to Google Webmaster Trends Analyst Gary Illyes, ~60% of the internet is duplicate content.

Canonicalization is complex and often misunderstood. I don’t think most of the duplicates are nefarious. It’s mostly going to be technical issues that cause them. We’ll look at this more in a bit. I’m going to talk about how the canonicalization process works as well as:

A lot of different signals go into the canonicalization process. These include:

  • Duplicates
  • Canonical link elements
  • Sitemap URLs
  • Internal links
  • Redirects

Google looks at all the different signals and weighs them to determine what the canonical version should be. That’s the version of the page they will index and what they usually show to users.

A potential scenario when Google decides on the canonical based on internal links and the canonical URL.

Duplicates

With duplicate content, Google will pick a canonical version to index. All the eligible pages form a cluster of pages, and the signals that go to the pages in that cluster will consolidate at the chosen canonical. That canonical may even change over time.

How duplicate signals consolidate

Some SEOs believe there is a duplicate content penalty, but that’s not true. Generally, you’re going to have one version or another indexed. It may not be the version you want to be indexed, but it will be indexed and rank just as well as any other version of the same page.

Here are some examples of what can cause duplicate pages and sometimes canonicalization issues:

  • HTTP and HTTPS variants (e.g., http://www.example.com and https://www.example.com)
  • Non-www and www variants (e.g., http://example.com and http://www.example.com)
  • URLs with and without trailing slashes (e.g., https://example.com/page/ and https://example.com/page)
  • URLs with and without capital letters (e.g., https://example.com/page/ and https://example.com/Page/)
  • Default versions of the page such as index pages (e.g., https://www.example.com/, https://www.example.com/index.htm, https://www.example.com/index.html, https://www.example.com/index.php, https://www.example.com/default.htm, etc.)
  • Alternate versions of pages. This could include mobile versions (e.g., example.com and m.example.com), AMP versions (e.g., example.com/page and amp.example.com/page), print versions (e.g., example.com/page and example.com/page/print), alternate versions meant for other countries but containing the same content (e.g., example.com/en-us/, example.com/en-gb/, example.com/en-au/), or versions on a dev or staging site (e.g., dev.example.com).
  • URL parameters (e.g., example.com?parameter=whatever). These may exist because of tracking codes, faceted navigation, sorting content, session IDs, etc. There are some instances where parameters may change the page’s content so that it’s not a duplicate.
  • Other pages showing the full content. Google may choose the wrong canonical when another page displays the content in full. This may include the main blog page, paginated pages, tag pages, category pages, or feed pages.
  • Scraped or syndicated content. Content syndication best practices generally recommend having a canonical tag back to the original content, or at least a link to the original content. That’s because the canonical chosen can be on a completely different domain. Google tries to select the original source as the canonical, but in some cases it chooses the wrong page.

Most of these aren’t usually issues. As I mentioned, Google will usually choose one version or another as the canonical. There are a few exceptions to this.

  1. Sometimes with content syndication, the original source isn’t chosen as the canonical. This is a real problem. How would you feel if someone else started ranking for an article you wrote?
  2. Hreflang does not solve duplication on international sites. Google will generally try to swap to show the correct version, but it’s not guaranteed, and this setup often breaks. When this happens, users see pages from the wrong country. It’s best to avoid having the same content on multiple pages for international websites.
  3. With some JavaScript sites (typically app shell models), the initial code for the pages can look like other pages or even the code from other websites. Sometimes these pages get canonicalized to other pages on the same or even different websites.

I believe part of the problem with both hreflang and JavaScript content is that Google may be running duplicate detection at several points: via crawl algorithms that detect duplication patterns, again after just seeing the HTML, and yet again after rendering the pages.

Google’s render path marked up where I believe duplicate detection systems are run.

With the pages using hreflang, if they decide that the pages are duplicates without crawling them, they may not be able to swap them properly.

Before a page is even rendered, it may “look” like another page based on the HTML content. Google may choose the canonical based on this initial version and may not prioritize it for rendering because it’s already deemed a duplicate page. This usually resolves itself after rendering, but it can take some time to clear up.

Google has a couple of rules they generally follow when it comes to canonicalization of duplicates.

1. They prefer HTTPS pages over HTTP pages

They will generally index the HTTPS version, but there are a few issues or conflicting signals that may cause them to choose the HTTP version instead, such as:

  • Having an invalid security certificate
  • HTTPS page loading resources over HTTP (mixed content; images are excluded)
  • HTTPS redirecting to HTTP
  • HTTPS page having a rel="canonical" link element pointing to the HTTP page

2. They prefer shorter URLs over longer URLs

This has been misconstrued over the years by SEOs to say that all your URLs should be shorter. But that’s not what was meant by the original statement. What Google said was that if you had, for instance, a clean short version of a URL and a longer version with parameters attached, they would generally choose the shorter version of the URL without the parameter as the canonical version.

Canonical link element

This is also commonly referred to as a canonical tag. It looks like this:

<link rel="canonical" href="https://www.example.com/" />

The canonical tag is sometimes referred to as a hint because it’s just one canonicalization signal. Google ignores it if other signals are stronger.

If the canonical tag is respected, all signals like links will pass. However, if the canonical is ignored, no value is passed. The value isn’t lost; it stays with the original page or goes to whatever page Google chooses as the canonical.

A canonical link element can be implemented in two different ways: in the <head> section of the HTML, or as an HTTP Link response header with rel="canonical". The header form is the only option for non-HTML files such as PDFs.

A fun anecdote. Google’s SEO Starter Guide used to be a PDF. They didn’t have a canonical tag set in the HTTP header, and people used to “steal” the listing with their own duplicate version.

Sometimes the <head> section of a page will end before it should. This is usually caused by a tag in the <head> not closed out properly. When that happens, a canonical tag may be put into the <body> section instead. If that happens, your canonical tag won’t be respected.

Invalid canonical tag located in the <body> section

Sitemap URLs

The URLs you include in your sitemap are also a canonicalization signal. Most of the time, you only want to include URLs of pages that you want to be indexed.

There are some exceptions to this because sitemap URLs also help with crawling. After a website migration, you should create a sitemap that still lists the old pages, even though they aren’t canonical. This will help the redirects be processed faster. You’ll want to delete this sitemap after most of the redirects have been picked up and processed.

Internal links

It matters how you link to pages. Internal links are another canonicalization signal.

Generally, you should link to the version of a page you want to be canonical and update the links to any URLs that may have changed. However, there are exceptions to this, such as with faceted navigation. In some cases like this, what is best for users may trump what is best for SEO.

Redirects

There are several different types of redirects, and they’re all canonicalization signals. They pass PageRank and help determine which URL gets shown in Google’s index.

301s and 308s send signals forward to the new URL. 302s and some 307s send signals back to the redirecting URL. If a 302 is left in place long enough, or the URL it redirects to already exists, it may be treated as a 301 and send signals forward instead. It requires enough signals to flip the scale we saw earlier for canonicalization signals. As links build up, internal links are changed, sitemap URLs are updated, etc., more signals point to the new URL than the old URL, and the flip occurs.

At some point the scale flips for 302s

A 307 has two different cases. When it is a genuine temporary redirect sent by the server, it is treated the same as a 302 and consolidates backward. The other case is HSTS: once a site has told the browser to use only HTTPS (the Strict-Transport-Security header), the browser upgrades later http:// requests itself and shows a “307 Internal Redirect” in its developer tools. That 307 never leaves the browser, so Google never sees it. What the server actually sends on an uncached first visit is typically a 301 or 302 to HTTPS, and that is the redirect Google processes.

There are also other types of redirects like those implemented with JavaScript. These are also canonicalization signals and pass the full value just like other redirects as long as they can be seen and processed by Google. They’re fine to use in most cases.
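As an added example (not code from the article), here is an offline walker over a captured redirect chain that applies the rules above: it records each hop, classifies 301/308 as permanent and 302/307 as temporary, flags any HTTPS-to-HTTP hop, and notes when the final response carries Strict-Transport-Security. The `responses` table stands in for a crawler's capture and is constructed; the "consolidates to" rule is a simplified model of the article's description (signals follow permanent hops forward and stop at the first temporary one).

```python
"""Walk a captured redirect chain and classify what it does to canonical signals.

Added example, not code from the article. `responses` stands in for the
server: a dict of URL -> (status, headers) captured from a crawl; the one
below is constructed. Simplified model of the article's rules: signals
follow 301/308 hops forward and stop at the first 302/307 hop.
"""
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 307}


def walk_redirects(start_url, responses, max_hops=10):
    hops, findings, seen = [], [], set()
    url, status = start_url, None
    while True:
        if url in seen:
            findings.append("redirect loop at " + url)
            break
        seen.add(url)
        status, headers = responses.get(url, (None, {}))
        if status is None:
            findings.append("no response captured for " + url)
            break
        h = {k.lower(): v for k, v in headers.items()}
        if status not in PERMANENT | TEMPORARY or "location" not in h:
            break                                  # final response reached
        if len(hops) >= max_hops:
            findings.append("hop limit reached at " + url)
            break
        target = urljoin(url, h["location"])       # Location may be relative
        kind = "permanent" if status in PERMANENT else "temporary"
        hops.append((url, status, target, kind))
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append(f"HTTPS to HTTP downgrade: {url} -> {target}")
        url = target

    # Where the article says signals consolidate: forward through permanent
    # hops, staying at the source of the first temporary hop.
    consolidates_to = start_url
    for _source, _status, target, kind in hops:
        if kind != "permanent":
            break
        consolidates_to = target

    final_headers = {k.lower(): v for k, v in responses.get(url, (None, {}))[1].items()}
    return {
        "final_url": url,
        "final_status": status,
        "hops": hops,
        "consolidates_to": consolidates_to,
        # With HSTS set, browsers later answer http:// requests themselves with a
        # synthetic "307 Internal Redirect" that the server never sent.
        "hsts": "strict-transport-security" in final_headers,
        "findings": findings,
    }


CAPTURE = {   # constructed crawl capture: URL -> (status, response headers)
    "http://example.com/old": (301, {"Location": "https://example.com/old"}),
    "https://example.com/old": (302, {"Location": "https://www.example.com/new"}),
    "https://www.example.com/new": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://www.example.com/promo": (301, {"Location": "http://www.example.com/promo-landing"}),
    "http://www.example.com/promo-landing": (200, {}),
}

if __name__ == "__main__":
    for start in ("http://example.com/old", "https://www.example.com/promo"):
        r = walk_redirects(start, CAPTURE)
        print(start, "->", r["final_url"], r["final_status"])
        print("  consolidates to:", r["consolidates_to"], "| HSTS:", r["hsts"])
        for f in r["findings"]:
            print("  -", f)
```

Running it shows the first chain consolidating only as far as the 302's source, and the `/promo` chain flagged for downgrading to HTTP, which is one of the conflicting signals that can make Google keep the HTTP version.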

How to check the canonical

Your main source of truth for what Google chose as the canonical will be the URL Inspection tool in Google Search Console. Enter the URL, and it will show what the declared canonical is and what Google chose as the canonical.

The declared and Google-selected canonical via Google Search Console

If you don’t have access to Google Search Console, the recommended way to check the version of a page Google has indexed is to paste the URL into Google. The top result is usually the canonical.

Similarly, if you check the cached version of a page in Google and a different page is shown, Google has selected a different version of the page.

Warning: Don’t use site: searches for checking canonicals. It shows what Google knows about, not necessarily what’s indexed or the selected canonical.

Within Site Audit, we show many issues related to canonicalization. Keep in mind that we’re flagging best practices in most cases. Because the canonical is a hint, Google and other search engines will have to choose which version of a page to index.

Canonicalization issues in Ahrefs' Site Audit

Even if your website has lots of issues related to canonicalization, search engines may be able to figure out what version should be indexed and where they should consolidate signals. It may not create any real problems for them.

Fun fact. When running a Site Audit, we only count the canonical version of pages as crawl credits. Some other tools count every version of a page towards the credits. On many sites, this can eat multiple credits per page!

There’s a lot that can go wrong with canonicalization. Let’s look at some common mistakes.

Mistake #1: Blocking the canonicalized URL via robots.txt

Blocking a URL in robots.txt prevents Google from crawling it, meaning that they cannot see any canonical tags on that page. That, in turn, prevents them from transferring any “link equity” from the non-canonical to the canonical.

Unless you have a crawl budget issue, it’s probably better to let all the signals consolidate. Even if you’re going to block or noindex some versions, you still may want to check for versions with links that you should canonicalize instead. However, as Google tends to crawl non-canonical pages less over time, you may just want to wait.

Mistake #2: Setting the canonicalized URL to ‘noindex’

Never mix noindex and rel=canonical. They’re contradictory instructions.

As John Mueller states, Google will usually prioritize the canonical tag over the ‘noindex’ tag.

Mistake #3: Setting a 4XX HTTP status code for the canonicalized URL

Setting a 4XX HTTP status code for a canonicalized URL has the same effect as using the ‘noindex’ tag: Google will be unable to see the canonical tag and transfer “link equity” to the canonical version.
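The three mistakes above can be caught mechanically from a crawl export. The script below is an added example, not the article's or any Ahrefs/Google tooling; its robots.txt body and crawl table are constructed. It uses urllib.robotparser, which matches literal path prefixes only, so the rules avoid wildcards.

```python
"""Flag canonicalised URLs that Googlebot cannot reach, or that contradict
their own canonical (mistakes #1 to #3 above).

Added example, not from the article or from any Ahrefs/Google tool. The
robots.txt body and the crawl table are constructed. urllib.robotparser
matches literal path prefixes only, so no wildcard rules are used.
"""
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """User-agent: *
Disallow: /print/
Disallow: /search
"""

# url -> (HTTP status, meta robots content, declared canonical or None)
CRAWL = {
    "https://www.example.com/page":        (200, "", "https://www.example.com/page"),
    "https://www.example.com/print/page":  (200, "", "https://www.example.com/page"),
    "https://www.example.com/page?ref=nl": (200, "noindex, follow", "https://www.example.com/page"),
    "https://www.example.com/page-old":    (404, "", "https://www.example.com/page"),
    "https://www.example.com/search?q=x":  (200, "noindex", None),
}


def audit_canonical_reachability(crawl, robots_txt, agent="Googlebot"):
    """Return (finding, url) pairs for canonicalised URLs that break the rules."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    findings = []
    for url, (status, meta_robots, canonical) in crawl.items():
        if canonical is None or canonical == url:
            continue                      # self-canonical or none: nothing to check
        directives = {d.strip() for d in meta_robots.lower().split(",")}
        if not rp.can_fetch(agent, url):
            findings.append(("blocked-source", url))        # #1: tag can never be seen
        if not rp.can_fetch(agent, canonical):
            findings.append(("blocked-target", url))        # #1: target itself uncrawlable
        if "noindex" in directives:
            findings.append(("noindex-with-canonical", url))  # #2: contradictory instructions
        if 400 <= status < 500:
            findings.append(("4xx-with-canonical", url))      # #3: tag unreachable
    return findings


if __name__ == "__main__":
    for kind, url in audit_canonical_reachability(CRAWL, ROBOTS_TXT):
        print(f"{kind:24} {url}")
```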

Mistake #4: Canonicalizing all paginated pages to the root page

Paginated pages should not be canonicalized to the first paginated page in the series. Instead, self-referencing canonicals should be used on all paginated pages.

Why? As Google’s John Mueller stated on Reddit, this is improper use of the rel=canonical.

The main thing to avoid, since this post is about canonicalization, is to use the rel=canonical on page 2 pointing to page 1. Page 2 isn’t equivalent to page 1, so the rel=canonical like that would be incorrect. 

John Mueller

We have a guide on pagination for SEO and best practices if you’re interested.

Mistake #5: Using the URL removal tool in Google Search Console for canonicalization

This can remove all versions of a URL, effectively deindexing your page from search.

Mistake #6: Not keeping canonicalization signals consistent

As we talked about earlier, there are many different canonicalization signals.

Having different signals suggest different canonicals means that you will be relying on Google to select a canonical for you. The more consistent signals you show them with your preferred version, the more likely it is that version will be the chosen canonical.

Mistake #7: Not using canonical tags with hreflang

Hreflang tags specify the language and geographical targeting of a webpage.

Google states that when using hreflang, you should “specify a canonical page in the same language, or the best possible substitute language if a canonical doesn’t exist for the same language.”

Mistake #8: Having multiple rel=canonical tags

Having multiple rel=canonical tags will usually cause Google to ignore them. In many cases, this happens because tags are inserted into a system at different points, such as by the CMS, the theme, and plugin(s). This is why many plugins have an overwrite option meant to ensure they are the only source for canonical tags.

Another area where this might be a problem is with canonicals added with JavaScript. If you have no canonical URL specified in the HTML response and then add a rel=canonical tag with JavaScript, it should be respected when Google renders the page. However, if you have a canonical specified in HTML and swap the preferred version with JavaScript, you send mixed signals to Google.

Mistake #9: Rel=canonical in the <body>

Rel=canonical should only appear in the <head> of a document. A canonical tag in the <body> section of a page will be ignored.

Where this can become a problem is with the parsing of a document. Even if the page’s source code has the rel=canonical tag in the correct place, many different things such as unclosed tags, injected JavaScript, or <iframe> elements in the <head> section can cause the <head> to end prematurely while rendering. In these cases, a canonical tag may be accidentally thrown into the <body> of the rendered page, where it will not be respected.
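The checks from the canonical link element section above (head vs. HTTP Link header, canonical landing outside <head>), from the HTTPS rules (HTTP canonical and active mixed content on an HTTPS page) and from mistakes #8 and #9 (multiple canonicals, canonical in <body>) can be run over a single response. The scanner below is an added example, not code from the article, Ahrefs or Google; its sample HTML and Link header are constructed. It does not emulate browser error recovery: a canonical counts as "outside <head>" when the markup places it after </head> or after <body>, which is where a prematurely closed head leaves it.

```python
"""Audit the canonical signals in one HTML response, offline.

Added example; this is not code from the article, from Ahrefs or from
Google. It reproduces the checks the article describes using only the
standard library. It does not emulate browser error recovery: it reports
a canonical as "outside <head>" when the markup places it after </head>
or after <body>, which is where a premature head close would leave it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Link: <https://www.example.com/page>; rel="canonical", <...>; rel="preload"
_LINK_RE = re.compile(r"<([^>]+)>((?:\s*;[^,]*)*)")


def canonicals_from_link_header(value):
    """Return the URLs carrying rel="canonical" in an HTTP Link header."""
    found = []
    for url, params in _LINK_RE.findall(value or ""):
        m = re.search(r'rel\s*=\s*"?([^";,]+)"?', params, re.I)
        if m and "canonical" in m.group(1).lower().split():
            found.append(url)
    return found


class _CanonicalScanner(HTMLParser):
    """Collect canonical <link>s (head vs. not-head) and active HTTP subresources."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_canonicals = []
        self.body_canonicals = []   # canonicals Google will not honour
        self.http_active = []       # script/iframe/stylesheet over http://

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False    # an explicit <body> always ends the head
        elif tag == "link":
            rel = a.get("rel", "").lower().split()
            href = a.get("href", "")
            if "canonical" in rel and href:
                bucket = self.head_canonicals if self.in_head else self.body_canonicals
                bucket.append(href)
            elif "stylesheet" in rel and href.lower().startswith("http://"):
                self.http_active.append(href)
        elif tag in ("script", "iframe"):
            src = a.get("src", "")
            if src.lower().startswith("http://"):
                self.http_active.append(src)   # <img> is deliberately excluded

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_canonical_signals(page_url, html, link_header=None):
    """Return declared canonicals, the single effective one (or None), and findings."""
    scanner = _CanonicalScanner()
    scanner.feed(html)
    scanner.close()
    page_https = urlsplit(page_url).scheme == "https"
    declared = [urljoin(page_url, h) for h in scanner.head_canonicals]
    declared += [urljoin(page_url, h) for h in canonicals_from_link_header(link_header)]
    distinct = list(dict.fromkeys(declared))     # order-preserving de-duplication
    findings = []
    if scanner.body_canonicals:
        findings.append("canonical outside <head>, will be ignored: " + ", ".join(scanner.body_canonicals))
    if len(distinct) > 1:
        findings.append("conflicting canonicals declared: " + ", ".join(distinct))
    for c in distinct:
        if page_https and urlsplit(c).scheme == "http":
            findings.append("HTTPS page canonicalises to HTTP: " + c)
    if page_https and scanner.http_active:
        findings.append("active mixed content over HTTP: " + ", ".join(scanner.http_active))
    effective = distinct[0] if len(distinct) == 1 else None
    return {"declared": declared, "effective": effective, "findings": findings}


# Constructed sample: a plugin appended a second canonical in the footer, a
# script loads over HTTP, and the Link header disagrees with <head>.
SAMPLE_URL = "https://www.example.com/page"
SAMPLE_HTML = """<!doctype html><html><head>
<title>Page</title>
<link rel="canonical" href="https://www.example.com/page">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/a.png">
<link rel="canonical" href="/page?utm_source=newsletter">
</body></html>"""
SAMPLE_LINK_HEADER = '<http://www.example.com/page>; rel="canonical"'

if __name__ == "__main__":
    report = audit_canonical_signals(SAMPLE_URL, SAMPLE_HTML, SAMPLE_LINK_HEADER)
    print("effective canonical:", report["effective"])
    for f in report["findings"]:
        print(" -", f)
```

On the sample the effective canonical is None, because the head and the header disagree, and every one of the four conditions is reported; a page with a single canonical in <head> and no HTTP subresources comes back clean.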

Final thoughts

Many of the tools SEOs had for handling canonicalization have been taken away, such as the URL Parameters Tool and Preferred Domain setting in Google Search Console. However, there are still plenty of other signals to help Google choose a canonical.

If you have questions, message me on Twitter.


The Lean Guide (With Template)

A competitive analysis (or market competitive analysis) is a process where you collect information about competitors to gain an edge over them and get more customers.

However, the problem is that “traditional” competitive analysis is overkill for most businesses — it requires impractical data and takes too long to complete (and it’s very expensive if you choose to outsource). 

A solution to that is a lean approach to the process — and that’s what this guide is about. 

In other words, we’ll focus on the most important data you need to answer the question: “Why would people choose them over you?”. No boring theory, outtakes from marketing history, or spending hours digging up nice-to-have information.

In this guide, you will find:

  • A real-life competitive analysis example.
  • Templates: one for input data and one for a slide deck to present your analysis to others.
  • Step-by-step instructions.

Our template consists of two documents: a slide deck and a spreadsheet. 

The slide deck is the output document. It will help you present the analysis to your boss or your teammates.

The spreadsheet is the input document. You will find tables that act as the data source for the charts from the slide deck, as well as a prompt to use in ChatGPT to help you with user review research.

Competitive analysis template — spreadsheet sneak peek.

We didn’t focus on aesthetics here; every marketer likes to do slide decks their own way, so feel free to edit everything you’ll find there. 

With that out of the way, let’s talk about the process. The template consists of these six tasks: 

  1. Identify your direct competitors. 
  2. Compare share of voice. 
  3. Compare pricing and features.
  4. Find strong and weak points based on reviews.
  5. Compare purchasing convenience.
  6. Present conclusions.

Going forward, we’ll explain why these steps matter and show how to complete them. 

1. Identify your direct competitors

Direct competitors are businesses that offer a similar solution to the same audience. 

They matter a lot more than indirect competitors (i.e. businesses with different products but targeting the same audience as you) because you’ll be compared with them often (e.g. in product reviews and rankings). Plus, your audience is more likely to gravitate towards them when considering different options. 

You probably have a few direct competitors in mind already, but here are a few ways to find others based on organic search and paid search ads.

Our basis for the analysis was Landingi, a SaaS for building landing pages (we chose that company randomly). So in our case, we found these 3 direct competitors. 

Slide 1 — direct competitors.

Look at keyword overlap

Keyword overlap uncovers sites that target the same organic keywords as you. Some sites will compete with you for traffic but not for customers (e.g. G2 may share some keywords with Landingi but they’re a different business). However, in many cases, you will find direct competitors just by looking at this marketing channel. 

  • Go to Ahrefs’ Site Explorer and enter your site’s address.
  • Scroll down to Organic competitors.
  • Visit the URLs to pick 3 – 5 direct competitors.
Top organic competitors data from Ahrefs.

To double-check the choice of competitors, we also looked at who was bidding for search ads on Google.

See who’s advertising 

If someone is spending money to show ads for keywords related to what you do, that’s a strong indication they are a direct competitor. 

  • Go to Ahrefs’ Keywords Explorer.
  • Type in a few broad keywords related to your niche, like “landing page builder” or “landing page tool”. 
  • Go to the Ads history report. 
  • Visit the sites that have a high presence of ads in the SERPs (Search Engine Result Pages). 
Ads history report in Ahrefs' Keywords Explorer.

Once you’re done checking both reports, write down competitors in the deck. 

You can also take screenshots of the reports and add them to your deck to show the supporting data for your argument. 

Slide 2 — direct competitors by organic traffic.

2. Compare share of voice

Share of voice is a measure of your reach in any given channel compared to competitors. 

A bigger share of voice (SOV) means that your competitors are more likely to reach your audience. In other words, they may be promoting more effectively than you. 

In our example, we found that Landingi’s SOV was the lowest in both of these channels. 

Organic: 

Slide 3 — share of voice on Google Search.

And social media:

Slide 4 — share of voice on social media.

Here’s how we got that data using Ahrefs and Brand24.

Organic share of voice 

Before we start, make sure you have a project set up in Ahrefs’ Rank Tracker.

Create a new project in Ahrefs' Rank Tracker.

Now: 

  • Go to Ahrefs’ Competitive Analysis and enter your and your competitors’ sites as shown below.
  • On the next screen, set the country with the most important market for your business and set the filters like this:
Content gap analysis filter setup.
  • Select keywords that sound most relevant to your business (even if you don’t rank for them yet) and add them to Rank Tracker.
Common keywords found via Ahrefs' Competitive Analysis.
  • Go to Rank Tracker, open your project, and look for Competitors/Overview. This report will uncover automatically calculated Share of Voice.
Organic share of voice data in Ahrefs.
  • Add the numbers in corresponding cells inside the sheet and paste the graph inside the slide deck.
Filling the share of voice template with data.

It’s normal that the numbers don’t add up to 100%. SOV is calculated by including sites that compete with you in traffic but are not your direct competitors, e.g. blogs. 

Social share of voice 

We can also measure our share of voice across social media channels using Brand24.

  • Go to Brand24.
  • Start a New project for your brand and each competitor. Use the competitors’ brand name as the keyword to monitor. 
  • Go to the Comparison report and compare your project with competitors. 
Using Brand24's Comparison tool for competitive analysis.
  • Take a screenshot of the SOV charts and paste them into the slide deck. Make sure the charts are set to “social media”.
Social media tab in share of voice report.

3. Compare pricing and features

Consumers often choose solutions that offer the best value for money — simple as that. And that typically comes down to two things: 

  • Whether you have the features they care about. We’ll use all features available across all plans to see how likely the product is to satisfy user needs.
  • How much they will need to pay. Thing is, the topic of pricing is tricky: a) when assessing affordability, people often focus on the least expensive option available and use it as a benchmark, b) businesses in the SaaS niche offer custom plans. So to make things more practical, we’ll compare the cheapest plans, but feel free to run this analysis across all pricing tiers.

After comparing our example company to competitors, we found that it goes head-to-head with Unbounce as the most feature-rich solution on the market. 

Slide 5 — features vs. pricing.

Here’s how we got that data. 

  • Note down your and your competitors’ product features. One of the best places to get this information is pricing pages. Some brands even publish their own competitor comparisons — you may find them helpful too. 
  • While making the list, place a “1” in the cell corresponding to the brand that offers the solution.
Filling data in the spreadsheet.
  • Enter the price of the cheapest plan (excluding free plans). 
Adding pricing data inside the spreadsheet.
  • Once finished, copy the chart and paste it inside the deck. 

4. Find strong and weak points based on user reviews

User reviews can show incredibly valuable insight into your competitors’ strong and weak points. Here’s why this matters:

  • Improving on what your competitors’ customers appreciate could help you attract similar customers and possibly win some over.
  • Dissatisfaction with competitors is a huge opportunity. Some businesses are built solely to fix what other companies can’t fix. 

Here’s a sample from our analysis: 

Slide 6 — likes and dislikes about competitors.

And here’s how we collated the data using ChatGPT. Important: repeat the process for each competitor.

  • Open ChatGPT and enter the prompt from the template.
ChatGPT prompt for competitive analysis.
  • Go to G2, Capterra, or Trustpilot and find a competitor’s reviews with ratings from 2 – 4 (i.e. one rating above the lowest and one below the highest possible). Reason: businesses sometimes solicit five-star reviews, whereas dissatisfied customers tend to leave one-star reviews in a moment of frustration. The most actionable feedback usually comes in between.

  • Copy and paste the content of the reviews into ChatGPT (don’t hit enter yet). 
  • Once you’re done pasting all reviews, hit enter in ChatGPT to run the analysis.
Sample of ChatGPT output with charts.
  • Paste the graphs into the deck. If you want the graphs to look different, don’t hesitate to ask the AI. 

There’s a faster alternative, but it’s a bit more advanced. 

Instead of copy-pasting, you can use a scraping tool like this one to get all reviews at once. The downside is that not all review sources will have a scraping tool available.

5. Compare purchasing convenience

Lastly, we’ll see how easy it is to actually buy your products, and compare the experience to your competitors. 

This is a chance to simplify your checkout process, and even learn from any good habits your competitors have adopted.

For example, we found that our sample company had probably nothing to worry about in this area — they ticked almost all of the boxes. 

Slide 7 — purchasing convenience.

Here’s how to complete this step:

  • Place a “1” if you or any of your competitors offer convenience features listed in the template. 
  • Once done, copy the chart and paste it into the deck.

6. Present conclusions

This is the part of the presentation where you sum up all of your findings and suggest a course of action. 

Here are two examples: 

  • Landingi had the lowest SOV in the niche, and that is never good. So the conclusion might be to go a level deeper and do an SEO competitive analysis, and to increase social media presence by creating more share-worthy content like industry surveys, design/CRO tips, or in-house data studies.
  • Although the brand had a very high purchasing convenience score, during the analysis we found that there was a $850 gap between the monthly full plan and the previous tier. The conclusion here might be to offer a custom plan (like competitors do) to fill that gap. 

We encourage you to take your time here and think about what would make the most sense for your business. 

Tip

It’s good to be specific in your conclusions, but don’t go too deep. Competitive analysis concerns many aspects of the business, so it’s best to give other departments a chance to chime in. Just because your competitors have a few unique features doesn’t necessarily mean you need to build them too.

Final thoughts 

A competitive analysis is one of the most fruitful exercises in marketing. It can show you areas for improvement, give ideas for new features, and help you discover gaps in your strategy. It wouldn’t be an exaggeration to say that it’s fundamental to running a successful business. 

Just don’t forget to balance “spying” on your competitors with innovation. After all, you probably don’t want to become an exact copy of someone else’s brand. 

In other words, use competitive analysis to keep up with your competitors, but don’t let that erase what’s unique about your brand or make you forget your big vision. 

Got comments or questions? Ping me on X

Critical WordPress Form Plugin Vulnerability Affects Up To +200,000 Installs

Security researchers at Wordfence detailed a critical security flaw in the MW WP Form plugin, affecting versions 5.0.1 and earlier. The vulnerability allows unauthenticated threat actors to exploit the plugin by uploading arbitrary files, including potentially malicious PHP backdoors, with the ability to execute these files on the server.

MW WP Form Plugin

The MW WP Form plugin helps to simplify form creation on WordPress websites using a shortcode builder.

It makes it easy for users to create and customize forms with various fields and options.

The plugin has many features, including one that allows file uploads using the [mwform_file name="file"] shortcode for the purpose of data collection. It is this specific feature that is exploitable in this vulnerability.

Unauthenticated Arbitrary File Upload Vulnerability

An unauthenticated arbitrary file upload vulnerability is a security issue that allows attackers to upload potentially harmful files to a website. Unauthenticated means the attacker does not need an account on the site or any user permission level at all.

These kinds of vulnerabilities can lead to remote code execution, where the uploaded files are executed on the server, with the potential to allow the attackers to exploit the website and site visitors.

The Wordfence advisory noted that the plugin has a check for unexpected filetypes but that it doesn’t function as it should.

According to the security researchers:

“Unfortunately, although the file type check function works perfectly and returns false for dangerous file types, it throws a runtime exception in the try block if a disallowed file type is uploaded, which will be caught and handled by the catch block.

…even if the dangerous file type is checked and detected, it is only logged, while the function continues to run and the file is uploaded.

This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
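The control-flow flaw Wordfence describes, a working check whose rejection is thrown as an exception and then merely logged, is shown below as an added illustration in PHP. This is not the plugin's code; every function name is hypothetical, and the vulnerable shape sits beside a fail-closed version.

```php
<?php
// Added illustration of the fail-open pattern Wordfence describes; this is not the
// plugin's code, and all function names here are hypothetical.

// Extension allowlist. Returns false for anything not on the list, e.g. "notes.php".
function is_allowed_file_type(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Vulnerable shape: the check correctly rejects the file, but rejection is expressed
// as an exception thrown inside try, and the catch block only logs it. Nothing stops
// execution, so control falls through to the upload.
function save_upload_vulnerable(string $filename, array &$log): ?string
{
    try {
        if (!is_allowed_file_type($filename)) {
            throw new RuntimeException("Disallowed file type: $filename");
        }
    } catch (RuntimeException $e) {
        $log[] = $e->getMessage(); // logged, but the request is not aborted
    }
    return "stored $filename";      // reached even for rejected files (fail-open)
}

// Hardened shape: a rejection ends the request. Validation happens before any try
// block, and an exception in the storage path is also treated as a rejection.
function save_upload_fixed(string $filename, array &$log): ?string
{
    if (!is_allowed_file_type($filename)) {
        $log[] = "Disallowed file type: $filename";
        return null;                 // fail-closed: nothing is written
    }
    try {
        return "stored $filename";   // the real storage step would go here
    } catch (Throwable $e) {
        $log[] = $e->getMessage();
        return null;                 // an error during storage is not a success
    }
}

$log = [];
echo "vulnerable: ", var_export(save_upload_vulnerable('notes.php', $log), true), PHP_EOL;
echo "fixed:      ", var_export(save_upload_fixed('notes.php', $log), true), PHP_EOL;
echo "fixed:      ", var_export(save_upload_fixed('report.pdf', $log), true), PHP_EOL;
echo "log: ", implode(' | ', $log), PHP_EOL;
```

In a real upload handler the extension allowlist is only one layer; storing uploads outside the web root under server-generated names keeps a file that does slip through from ever being executed.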

There Are Conditions For A Successful Attack

The severity of this threat is tempered by a precondition: the “Saving inquiry data in database” option in the form settings must be enabled for the security gap to be exploitable.

The security advisory notes that the vulnerability is rated critical with a score of 9.8 out of 10.

Actions To Take

Wordfence strongly advises users of the MW WP Form plugin to update their versions of the plugin.

The vulnerability is patched in the latest version of the plugin, version 5.0.2.

The severity of the threat is particularly critical for users who have enabled the “Saving inquiry data in database” option in the form settings and that is compounded by the fact that no permission levels are needed to execute this attack.

Read the Wordfence advisory:

Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution

Featured Image by Shutterstock/Alexander_P

How SEOs Make the Web Better


SEOs catch flak for ruining the web, but they play a crucial role in the search ecosystem, and actually make the internet better for everyone.

Let’s get the criticism out of the way. There are bad actors in SEO, people who seek to extract money from the internet regardless of the cost to others. There are still scams and snake oil, posers and plagiarists. Many parts of the web have become extremely commercialized, with paid advertising and big brands displacing organic and user-generated content.

But while there are situations where SEOs have made things worse, to fixate on them is to ignore the colossal elephant in the room: in the ways that really matter, the web is the best it’s ever been:

  • It’s the easiest it has ever been to find information on the internet. Searchers have a staggering array of tutorials, teardowns, and tips at their fingertips, containing information that is generally accurate and helpful—and this was not always the case.
  • Bad actors have a smaller influence over search. Search is less of a Wild West than it used to be. Once-scam-ridden topics are subject to significant scrutiny, and the problems and loopholes in search that need fixing today—like big brands and generic content receiving undue prominence—are smaller and less painful than the problems of the past.
  • More people use search to their benefit. Online content is the most accessible it has ever been, and it’s easier than ever to grow a local business or expand into international markets on the back of search.

SEOs have played a crucial role in these improvements, poking and prodding, building and—sometimes—breaking. They are Google power users: the people who push the system to extremes, but in doing so, catalyze the change needed to make search better for everyone.

Let’s explore how.

SEOs help regular people benefit from search

SEOs are much-needed intermediaries between Google and the rest of the world, helping non-technical people acquire and benefit from search engine traffic.

There is a huge amount of valuable information locked up in the heads of people who have no idea how to build a website or index a blog post. A carpet fitter with a bricks-and-mortar business might have decades of experience solving costly problems with uneven subfloors or poor moisture management, but no understanding of how to share that information online.

SEOs provide little nudges towards topics that people care about and writing that’s accessible to people and robots. They help solve technical problems that would hinder or completely block a site from appearing in search results. They identify opportunities for companies to be rewarded for creating great content.

It’s a win-win: businesses are rewarded with traffic, searchers have their intent satisfied, and the world is made a little richer for the newfound knowledge it contains.

SEOs turn helpful standards into real websites

SEOs do many things to actively make the web a better place, tending to their own plot of the Google garden to make sure it flourishes.

Take, for example, the myriad standards and guidelines designed to make the web a more accessible place for users. The implementation of these standards—turning theoretical guidelines into real, concrete parts of the web—often happens because of the SEO team.

Technical SEOs play a big part in adhering to the Web Content Accessibility Guidelines, a set of principles designed to ensure online content is “perceivable, operable, understandable, and robust” for every user. Every SEO’s fixation with Core Web Vitals fuels a faster, more efficient web. Content teams translate Google’s helpful content guidelines into useful words and images on a page.

(Case in point: check out Aleyda Solis’ Content Helpfulness Analyzer.)

Screenshot: Aleyda Solis' helpful content GPT

There is a lot of overlap between “things that help users” and “things that improve search performance.” Even if the motive behind these changes is as simple as generating more traffic, a well-optimized website is, generally speaking, one that is also great for real human beings trying to engage with it.

SEOs pressure-test Google’s systems

The biggest criticism leveled at SEOs is that they break things. And they do! But that breakage acts as a type of pressure testing that strengthens the system as a whole.

Abuse of spintax and keyword stuffing forced Google to develop a better understanding of on-page content. Today, that loophole is closed, but more importantly, Google is much better at understanding the contents of a page and its relationship to a website as a whole.

Hacks like hiding keywords with white text on a white background (or moving them beyond the visible bounds of the screen) forced Google to expand its understanding of page styling and CSS, and how on-page information interacts with the environment that contains it.

Even today’s deluge of borderline-plagiarised AI content is not without benefit: it creates a very clear incentive for Google to get better at rewarding information gain and prioritizing publishers with solid EEAT credentials. These improvements will make tomorrow’s version of search much better.

This isn’t just Google fixing what SEOs broke: these changes usually leave lasting benefits that extend beyond any single spam tactic and make search better for all of its users.

Illustration: how fixing problems leads to smaller future problems and improved search experience

This is not to argue that blackhat SEO is desirable. It would be better to make these improvements without incurring pain along the way. But Search is huge and complicated, and Google has little incentive to spend money proactively fixing problems and loopholes.

If we can’t solve every issue before it causes pain, we should be grateful for a correction mechanism that prevents it—and more extreme abuse—from happening in the future. SEOs break the system, and in doing so, make future breakages a lot less severe.

SEOs are the internet’s quality assurance team

Some SEOs take advantage of the loopholes they discover—but many don’t. They choose to raise these issues in public spaces, encourage discussion, and seek out a fix, acting like a proxy quality assurance team.

At the small end of the spectrum, SEOs often flag bugs with Google systems, like a recent error in Search Console reporting flagged independently by three separate people, or Tom Anthony famously catching an oversight in Google’s Manual Actions database. While these types of problems don’t always impact the average user’s experience using Google, they help keep search systems working as intended.

At the other end of the scale, this feedback can extend as far as the overarching quality of the search experience, like AJ Kohn writing about Google’s propensity to reward big brands over small brands, or Lily Ray calling out an uptick in spam content in Google Discover.

SEOs are Google’s most passionate users. They interact with it at a scale far beyond the average user, and they can identify trends and changes at a macroscopic level. As a result, they are usually the first to discover problems—but also the people who hold Google to the highest standard. They are a crucial part of the feedback loop that fuels improvements.

SEOs act as a check-and-balance

Lastly, SEOs act as a check-and-balance, gathering firsthand evidence of how search systems operate, letting us differentiate between useful advice, snake oil, and Google’s PR bluster. 

Google shares lots of useful guidance, but it’s important to recognize the limits of their advice. They are a profit-seeking company, and Search requires opacity to work—if everyone understood how it worked, everyone would game it, and it would stop working. Mixed in with the good advice is a healthy portion of omission and misdirection.

Google Search plays a vital role in controlling the flow of the web’s information—it is simply too important for us to leave its mechanics, biases, and imperfections unexplored. We need people who can interrogate the systems just enough to separate fact from fiction and understand how the pieces fit together.

We need people like Mike King, and his insanely detailed write-up of SGE and RAG; Britney Muller and her demystification of LLMs; the late Bill Slawski’s unfaltering patent analysis; or our own Patrick Stox’s efforts in piecing together how search works.

Screenshot from Patrick Stox's presentation, How Search Works

Final thoughts

The web has problems. We can and should expect more from Google Search. But the problems we need to solve today are far less severe and painful than the problems that needed solving in the past; and the people who have the highest expectations, and will be most vocal in shaping that positive future, are—you guessed it—SEOs.

To SEOs: the cause of (and solution to) all of the web’s problems.


