Disa Johnson

SEO Security for Web Developers

We see security bulletins often enough in our line of work that, unfortunately, too many people tune out. Security sounds complicated. Security professionals sound alarmingly paranoid. And then it happens: a bulletin you notice is about software you use regularly. That should prompt you to update, and you need to stay wary about security. More sophisticated attacks are coming this year.

Spider image copyright holder: https://commons.wikimedia.org/wiki/User:Fir0002

Recent bulletins about vulnerabilities in Yoast (an SEO plugin for WordPress) prompted me to write this, but not until after I also fielded calls this morning from an industry friend about a machine that had apparently fallen victim to ransomware, and a communication through Facebook from an industry friend about private content being held for ransom. That's twice in one day from SEO professionals.

If you're in the SEO business, a Web Developer for SEO agencies or a Web Developer in any case, make wise technology choices with security in mind as well as marketing. You are often given power over technology choices for the clients you consult for on SEO. Be aware that WordPress is a prime target for hackers, and users of its language (PHP) are prime targets.

WordPress is the SEO CMS of choice. WordPress gets compromised in ways that are unique to SEO. A wonderful tool, it is fraught with peril when left in the wrong hands. Clients empowered by WordPress install shiny new things they see in its gallery. This can lead to adding malware, or just jumbling up spaghetti code for you to untangle when things start going awry. Reduce client user permissions from admin.

Free themes frequently encode links back to their author. It's perfectly reasonable to do so, though not professional. Don't always choose free. Some free theme code is written with links or malware encoded in Base64. That makes such tricks harder to find and fix. Plugins can have control over what's in your database. That could lead to a serious security compromise.
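One way to screen a theme for the Base64 trick described above, as an added example that is not code from the original article: a Python scanner that decodes quoted Base64 literals in PHP source and reports those hiding links or executable code. The function names, the suspicious-pattern list and the sample footer are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# Quoted string literals of 24+ Base64 characters (short ones are too noisy).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{24,}={0,2})\1""")
# Decoded content worth a human look: links, or code that runs more code.
SUSPICIOUS = re.compile(r"https?://|<a\s|<script|eval\s*\(|base64_decode", re.I)


def decode_literal(text):
    """Return the decoded text if `text` is valid Base64 of UTF-8 text, else None."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def scan_source(name, source):
    """Return (file, line number, decoded text) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in B64_LITERAL.finditer(line):
            decoded = decode_literal(match.group(2))
            if decoded and SUSPICIOUS.search(decoded):
                findings.append((name, lineno, decoded))
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under a theme or plugin directory."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        findings += scan_source(str(path), path.read_text(errors="replace"))
    return findings


# Constructed sample: a footer template hiding a credit link in Base64.
HIDDEN_LINK = '<a href="http://example.invalid/">Theme by Example</a>'
SAMPLE_FOOTER = (
    "<?php wp_footer(); ?>\n"
    "<?php $cache_key = 'd41d8cd98f00b204e9800998ecf8427e'; ?>\n"  # benign hash
    "<?php echo base64_decode('%s'); ?>\n"
) % base64.b64encode(HIDDEN_LINK.encode()).decode()

if __name__ == "__main__":
    for name, lineno, decoded in scan_source("footer.php", SAMPLE_FOOTER):
        print(f"{name}:{lineno}: {decoded}")
```

This only catches payloads stored as a single quoted literal; strings split across concatenations or wrapped in further encoding layers still need a manual read of the theme code.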

Update plugins regularly, and screen new plugins and themes installed by your clients to avoid publishing junk or malware. Make sure you are running the latest copy of WordPress with automated updates enabled. I was notified yesterday that all my installs were successfully updated, automagically. That's peace of mind. Understand copyright notices. Only use code which allows you to fully edit it.

On the other hand, if you're a Web Developer you have the luxury to choose another solution (unless you're dictated to). Why not choose from among all the fantastical new open-source frameworks? Less popular choices are attacked less often. That's a more secure choice than WordPress. It can also mean more handiwork, unless you lazily pick Squarespace or Grid.

It's smart to make one's own version of a CMS so that one can still create amazing websites and applications which go beyond what canned sites offer. It's preferable to choose the host. Things to consider: Does a client need to update content or to blog? Are we storing data such as credit card numbers? Can another developer easily modify or contribute to the codebase now, or in the future?

You need to choose a framework that is indexable. WordPress is the choice for the SEO community because it is indexable and client friendly. Those considerations limit your choice away from some of the fantastical new frameworks, even from ones by Google (Angular), which can require routing modifications to publish indexable references and HTML rendering.

If this stuff sounds too complicated, then stick with what you know. Just make sure that, if it's WordPress, you keep it up to date and secure it. If you have the wherewithal to figure out and deploy a new MVC framework that is indexable, then you still have a lot of neat tech to choose from. Be wary of security, and if you're starting with something less common, at least it means fewer attacks.

Latest update: The machine held for ransom is on its way back to safely rejoin the network, and the most sensitive content was successfully removed from where it was published and held for ransom, without paying any criminals. Who knows if that would have been successful? I've read that sometimes it is. It is wise to keep acting cautiously. Very glad it worked out. All in a day's work.