Another week, another batch of search engine optimisation news from digital denizen Tom Williams. This week, he covers security flaws in the popular WordPress SEO plugin Yoast, Google’s new ‘Blocked Resources’ report in Webmaster Tools, and a whole lot more…
A crippling security bug has been uncovered in the popular Yoast Wordpress plugin, according to The Hacker News (THN).
Wordpress SEO by Yoast is one of the most popular plugins for Wordpress users, with more than 14 million downloads registered on its website. This means potentially millions of sites are now at risk, with hackers able to breach the plugin and access confidential data.
The flaw is an ‘SQL injection’ vulnerability, reports THN. To quote its report:
SQL injection (SQLi) vulnerabilities are ranked as critical […] because it could cause a database breach and lead to confidential information leakage. Basically in SQLi attack[s], an attacker inserts a malformed SQL query into an application via client-side input.
Despite the potential for misuse, the vulnerability has already been patched in the latest version of the Yoast plugin (1.7.4).
Our director of web development, Alan Rowe, was impressed with the speed at which the exploit was blocked:
It shows how great the open source community is, and how important this particular plugin is, because within a very short space of time, Yoast had patched the issue and released an update.
What’s more, those of us on pro-active Wordpress hosting packages like WP Engine were sent an email telling us to update the plugin, or have it automatically updated within seven days.
However, “all versions prior to 22.214.171.124 […] are vulnerable”, says THN. So if you’re still running an old version, it’s imperative that you update it as soon as possible.
The new feature, announced on Wednesday, displays issues found in a handy graph, as well as providing drop-down lists of sites hosting the resources, and the pages using them, so problems can be easily resolved and tracked.
Google says the report currently only shows issues caused by resources hosted on sites that “you might have influence over”, and will not show hosts accessed by many different sites, such as analytics services.
It also recommends prioritising resources that “make the most important visual difference when blocked”.
The new report is accompanied by a revamped Fetch and Render tool.
The tool, which shows how Googlebot ‘sees’ a site when crawling the web, now also displays a side-by-side comparison with your site as a human user sees it.
Google says around 0.5% of security certificates on the web are broken, and is considering labelling these sites in search results.
According to Search Engine Land (SEL), Google’s Gary Illyes said he was working on an “internal experiment” to flag the offending sites and warn searchers that it may not actually be secure.
Illyes also said he was “not sure” whether the experiment would be carried over to live search results.
The news comes after Google’s decision, back in August, to reward secure HTTPS sites with a ranking boost (albeit a “very lightweight” one). SEL reports that this ranking boost may be increased for secure login pages, as a means to combat ‘phishing’ attempts.
And last month, Google began testing ‘slow’ labels in mobile search, for sites whose sluggish speed could affect user experience.
Gary Illyes has clearly been thinking long and hard about the ‘HTTPS issue’. Shortly after he spoke of his planned “internal experiment” to flag broken security certificates, he posted a Google+ update with some firm advice for webmasters.
He wrote: “Here’s something for y’all web wranglers: please tell search engines about your HTTPS URLs!”
According to Illyes, a “small-scale analysis” showed that a staggering 80% of HTTPS URLs that are eligible for indexing are not showing in Google search results.
This is simply because webmasters are failing to tell Google they exist.
Illyes highlights site owners who “use the HTTP variant in their sitemap files, [and] in the rel-canonical and rel-alternate-hreflang elements” as offenders.
He signs off with another stern suggestion: “If your site supports HTTPS, please do tell us: use HTTPS URLs everywhere so search engines can see them!”
Google is giving up inches of valuable search real estate to place a banner ad urging Firefox users to switch their default search engine, reports SEL.
Back in November, Mozilla announced that its Firefox browser would no longer default to Google Search in the US – and instead struck a deal with Yahoo!, making it the default search choice for thousands of users.
As a result, Yahoo!’s search market share jumped from 8.6% in November to 10.9% in January, according to StatCounter estimates reported by SEL.
It’s likely that this move from Google is an attempt to claw back some of this lost user base.
If you’ve been following these SEO news updates, you might remember that, just last month, Google began testing multi-coloured line separators between results in mobile search.
Now, according to SEL, this very sweet little feature is now in the process of rolling out for everyone, based on the fact that reporter Barry Schwartz can now replicate it on his own mobile devices.
However, I am still unable to see the colourful separators. So either I’m being left out of the fun, for some reason, or the feature has yet to reach Google UK.
The line separators appear in the colours of Google’s logo – blue, red, yellow/orange and green.
Read last week’s SEO news roundup: What We Know About Google’s Mobile Usability Ranking Factor