Google’s John Mueller answered a question in the SEO Office-hours hangout about whether a security vulnerability had any effect on SEO. He said technically it’s not an SEO issue. But that a vulnerability had the seeds of becoming an SEO issue in the future.
When Does Something Become an SEO Issue?
In a way this is a somewhat philosophical question. Someone I know who does a lot of site audits was surprised to hear that I included a security screening as part of all SEO audits.
The reason I did it is because a vulnerability can become an SEO problem if the site gets hacked and Google blocks it from the search engine results pages (SERPs).
In my opinion, just because the effect on SEO is in the future doesn’t mean that it’s not an SEO issue. Why wait for a vulnerability to become an SEO issue before addressing it to fix the SEO?
If it has the potential to become an SEO issue in the future, much like cloaking or paid links, then in my opinion it’s an SEO issue.
But that’s just my opinion.
Here is the question:
“After doing a Lighthouse report on our site we noticed a common JavaScript library we used was flagged as having two security vulnerabilities.
Do these vulnerabilities have any effect on SEO? Or would you say this is more just to let us know?”
A JavaScript library is a set of functionalities that are bundled together. JS libraries make it easier for plugin and theme developers to include certain functionalities without having to code them from scratch.
All they have to do is pull the library off the shelf (so to speak) and write the code that triggers the JS to make things happen.
Some older JS libraries contain vulnerabilities.
These JS Libraries generally sneak onto websites through a theme or a plugin. Fixing it can be as easy as updating the theme or plugin but sometimes that doesn’t fix it.
And it’s not always possible to update a JavaScript library because the old one might be responsible for a function in the theme that breaks when that specific library is missing.
In those situations fixing it requires replacing the theme or plugin with another one that is more responsible in their choice of JS library.
John Mueller answered:
“So Lighthouse is I think a tool within Chrome and also a standalone tool, I think. Not sure if it’s just in Chrome.
But it’s basically from the Chrome side.
It’s not by definition an SEO tool.
But it does have a lot of things that you can use for SEO.”
Mueller’s right that Lighthouse isn’t by definition an SEO tool. But it does have some light SEO functions and the performance audit itself is SEO related because performance in the form of Core Web Vitals is a ranking factor.
Mueller continued:
“And specifically, the security vulnerabilities are not something that we would flag as an SEO issue.
But if these are real vulnerabilities on scripts that you’re using …that means that your website ends up getting hacked, then the hacked state of your website, that would be a problem for SEO.
But just the possibility that it might be hacked, that’s not an issue with regards to SEO.So from that point of view, I would take this as something to double-check together with maybe developers or double-check if you can update those libraries.
But I wouldn’t see it as something that will change your rankings immediately.”
Vulnerability is Not Something to Change Rankings Immediately
John is correct, of course that a vulnerability is not something that will have an immediate SEO effect.
A vulnerability however, carries the potential of becoming an SEO problem and for that reason it may be prudent to regard site security as an SEO issue.
Citation
Vulnerabilities are Not an SEO Issue… Until You’re Hacked
Watch at the 37:27 Minute Mark