Hotlinking Images

Linking to a website that hosts a particular image will not help that webpage rank for the related keywords. Content delivery networks could soon get locked down.

In a recent Twitter conversation, John Mueller was asked whether a link to an image would pass any rank value to the page in which said image is embedded.

Responding, Mueller cast doubt on this theory and and said that, “links to an image aren’t links to the page (also, it’s hard to tell which page an image really belongs to, e.g links to logo).”

Businesses should always store their own copies of the images to prevent broken images appearing if the third party decides to change their asset structure. Developers, remember when leftpad was deleted from Node NPM?

Action Point

Review third party images that reside on your website. Third party logos should be stored locally and updated if the third party changes their branding. Create a calendar event to review every quarter.

The Trust Project

Over the past year Google has added a variety of labels to stories featured within Google News to help people discern the credibility of sources. These additions have included the Fact Check tag and supplementary information within Knowledge Panels, among others.

The Trust Project Logo

On 16 November Google announced that it was adding to these efforts by incorporating a further eight trust indicators to help people distinguish between quality journalism and promotional and or misinformation.

These indicators include:

  • Best Practices
  • Author Expertise
  • Type of Work
  • Citations and References
  • Methods
  • Locally Sourced
  • Diverse Voices
  • Actionable Feedback

While creating the labels, Google worked alongside over 75 news organisations including the BBC, The Washington Post, the New York Times, and Hearst Television.

Action Point

News publishers should embed markup from into the HTML code of their articles and on their website. Information such as Best Practices, Author Information, Citations & References, and Type of Work can all be parsed. This works like the ClaimReview schema used for fact-checking. Google claims it can present the information directly to the user in various products (exactly what is shown however, is to be confirmed).

Google still needs to understand the best way of displaying trust indicators next to articles. For those wanting to be on the cutting edge of news, they should implement the markup and wait to see which labeling system is therefore used. It is worth noting that cutting edge news may require additional changes as the system becomes more stable to the idea or topic.

Publisher Knowledge Panels

In a further move to help users understand news sources, Google has announced that knowledge panels will now indicate a publisher’s commonly covered topics, awards that it might have won, and claims that it has made which have been reviewed by third parties.

Image showing a "Publisher Knowledge Panel" for the Tennessean newspaper and the type of topics it usually talks about.

The Google help section for news publishers shows that the publisher may therefore be marked up when writing topics of interest. If a publisher is consistently providing information of interest, then the fact checking label could appear in their knowledge panel.

Action Point

This is more of an observation than an action at this point in time. Expect the knowledge panel to move other organic listings further down the search results page and monitor for rank changes.

Warning About Event Markup

A number of publishers have started abusing Event markup, which caused Google to make an announcement on its webmaster blog.

The Event markup allows businesses to gain extra real-estate under their listing in a nicely structured format. Voucher code websites that were using and abusing the markup can in the future expect punishments. Manual penalty actions will therefore be taken against websites that are misleading readers.

Action Point

Read the content guidelines for the Event markup. If your company should not be using Event markup, you must remove it as soon as possible. Otherwise, fact a potential manual rich markup penalty. If you are unsure if your business is on the fence, post a question in the Google Group and seek advice.

Warning About AMP Abuse

Accelerated Mobile Pages (AMP) were designed to show the same content through two different views; a fully fledged version (“desktop”) and thin and fast version with minimal dependencies. Some publishers are using the AMP version as a teaser page, rather than the full, thin and fast version. This allows them to rank in the AMP section and push organic traffic to their web pages.

People are abusing the purpose of AMP content in order to gain ranking benefits.

Google announced a crackdown on AMP abusers and the policy change will come into effect from 1 February 2018.

Webmasters using the teaser technique will receive a manual action message within their Google Search console, which will offer them the opportunity to make amends.

Before the fix takes place however, AMP pages that do not offer parity with their non-AMP page will not rank within the stories section of Google Search, as only AMP pages can show within the top stories carousel.

Google will also redirect searchers to the non-AMP page.

Action Point

If you are only showing snippets of information from a web page with a ‘read more’ link to the main body, change to show the entire main body in the AMP page.
It is possible that Google may subject the domain to an AMP manual penalty similar to the rich snippet penalty, whereby the domain is no longer trusted to provide AMP. The domain can be submitted for a reinclusion request through Google Search Console.

Chromium Drops Support for HTTP Public Key Pinning

Note: This is not directly technical SEO, but could cause loss of revenue if a website is blocked from users and search engines.

HTTP Public Key Pinning (HPKP) was originally a security measure designed by Google to help prevent a “man in the middle” attack over TLS (compromising HTTPS), as described in the RFC 7469 documentation.

Chris Palmer from the Chromium team stated that the support will be removed from Chrome 67, which is scheduled for stable release on May 29, 2018. We expect this to affect other Chromium based projects too.

Ivan Ristic posted concerns about HPKP in September 2016, titled Is HTTP Public Key Pinning Dead? He mentions that it’s easy for webmasters to brick (block) their websites quite easily, so their readers cannot access it. SmashingMagazine did a smashing job of bricking its own website for five days due to HPKP configuration.

Action Point

Before renewing your SSL certificates or migrating from HTTP to HTTPS, make sure HPKP is disabled or reduced to a very short time. Developers should look at using the Certificate Transparency header Expect-CT as an alternative. The draft documentation by E.Stark at Google is available on

Lens Your Look with Pinterest

Pinterest is a great search engine for those in the fashion, ecommerce and design space.

On November 14 Pinterest introduced a new way to let users search for outfit ideas using clothes they already own.

Named “Lens Your Look”, the function allows people add a photo of an item from their wardrobe and into text search; enabling a blended search function using text and imagery to find complimentary shoppable garments.

Pinterest also announced a partnership with ShopStyle, enabling an increase of more than five million purchasable products across 25,000 brands.

It also stated that users can now download the Pinterest extension on Firefox, enabling users of the browser the ability to store ideas while also using images as the starting point of search.

Action Point

We expect that Pinterest may start partnering with other brands in the near future. It may be time to review your Pinterest rich snippets (Rich pins). Watch for spikes and deviations in traffic from Pinterest.

Pinterest Pincodes

Another form of QR codes have been introduced, called Pincodes by Pinterest. Instead of the square box, the app company has opted for a shiney, more colourful version.

Pincodes are Pinterests very own version of QR codes - here is an example.

It is only a matter of time before a developer creates a QR to Pincode converter.

Action Point

If you have brick and mortar stores, consider placing Pincodes around when they become available. The Pinterest API documentation does not show how to create the Pincodes (yet), so keep a watch for updates for Q1 of 2018.

Firefox Replaces Yahoo with Google

Towards the close of November, Mozilla Firefox unveiled Firefox Quantum, and at the same time switched its stock engine to Google from Yahoo.

Although Mozilla had a five year deal with Yahoo, starting in 2014, the developer announced that it was cutting short the deal in order to provide a better product to users.

Denelle Dixon, Mozilla’s chief business and legal officer, said: “We exercised our contractual right to terminate our agreement with Yahoo! based on a number of factors including doing what’s best for our brand, our effort to provide quality web search, and the broader content experience for our user.”

According to Recode, any company that acquires Yahoo still might have to pay annual payments of $375 million to Mozilla through to 2019 if it doesn’t want to work with the purchasing company.

Action Point

It’s worth bearing in mind that the Yahoo market is still small in comparison to Google, so we should not see any large movement in keyword research. No action required.

GhostWriter Attack – Using Amazon S3 to Steal Information

It has been discovered that silent Man-in-the-Middle attacks can be carried out on exposed Amazon S3 buckets, leaving both users and companies vulnerable to infiltration.

A hacker can use what’s known as a GhostWriter technique to scan the internet for exposed Amazon S3s, which are detectable if a server owner has forgotten to restrict access, or the bucket has been misconfigured.

This means that original files can be replaced with modified versions that can be used for exploitation to the extent that hackers can reconfigure the code within a bucket so that they receive a website’s ad revenue, or even intercept and redirect subscription payments.

Unfortunately the attack is hard to detect and the technique could allow a hacker to penetrate deep within an internal network, in the search for sensitive data. One exposed bucket is all it takes for infiltration.

Much-trusted cloud servers are prime targets for attacks and a Chinese cyber-espionage group was able to carry out an attack earlier in the year using a similar approach to an Amazon S3 bucket infiltration.

A recent scan of over 1,600 Amazon S3 buckets by Skyhigh Networks found that no less than 4% were vulnerable to Ghostwriter attacks, while in another scan, the company found that 7% of all Amazon S3 buckets are exposed to remote users.

Action Point

If your company is using third party data storage that has the ability to become exposed, review the policies of those storage facilities. Amazon has best practices for managing access to the S3 buckets. Security should be defensive by nature. Lock down permissions early on and enable access as required for use cases.

Protecting Sensitive Data from Search Engines

We published the article last week on how to detect and prevent your sensitive data from leaking to search engines and becoming indexed. Common documents including invoices, receipts, contracts, and employee/employer relationships are high among the items that could be being recorded.


Use timelock URLs to allow users to access specific resources for a period of time.

Do not use content management systems to:

1) Save your employee data.
2) Save your contracts for suppliers and customers.
3) Save accounting information – invoices, receipts, credit notes.
4) Save anything else that you do not want accessible online.

Disavow File

The topics and questions from PubCon November 2017 yielded some interesting discoveries and further questions. One of which involved the use of the disavow tool when there is no manual penalty. Creating a disavow file can be an extremely time consuming task, depending on the backlink profile of a domain. Gary Illyes stated that, “if you do not have a manual action then you do not need to submit a disavow.” I’m sure this will bring joy to many businesses who may have engaged in link building schemes in the past, which are now considered bad practice.

Action Point

John Mueller confirmed Gary’s assertion during the Webmaster Hangouts session. Google is after all pretty good at identifying links.

That said, if you want to be 100% sure that Google has ignored those bad backlinks, you should still submit a disavow for peace of mind. You must both submit a disavow file and file a reconsideration request for any manual penalty action taken against you.

Additional Reading

Breaking <head>, Quietly

Oliver Mason is known for his how can I break my website SEO experiments. If you are interested, it is advised that you do not try to replicate them on a production website. This month however, he wrote about an experiment in which he was breaking the <head> of a webpage. With browser rendering engines trying to fix common problems and closing tags, the content became part of the <head>.

You can read the full article for Breaking Head Quietly.

Service Workers

Caching is still one of the biggest problems in computer science and can cause havoc for data distribution. Cloudflare introduced it’s own service workers at the end of September. Dan Fabulich wrote about service workers breaking the browser’s refresh button.