DEV Community

Roy Morken
Roy Morken

Posted on • Originally published at ismycodesafe.com

What Happens If Your Website Is Not Secure? Google Penalties Explained

#webdev #seo #security #beginners

The 2014 HTTPS Ranking Signal 

    Google made it official in August 2014: [HTTPS is a ranking signal](https://developers.google.com/search/blog/2014/08/https-as-ranking-signal). Sites served over HTTPS get a ranking boost. At launch, they called it a "lightweight" signal affecting less than 1% of queries. That weight has increased steadily.




    With over 95% of Chrome traffic now using HTTPS, the remaining HTTP sites face growing competitive disadvantage. Two identical pages — one HTTPS, one HTTP — the HTTPS version ranks higher. The gap widens as more signals correlate with HTTPS adoption.


  ## Chrome's "Not Secure" Label


    Chrome 68 (July 2018) started marking all HTTP pages as "Not Secure" in the address bar. For users, this is a red flag — especially on pages with forms, login fields, or payment information.




    The behavioral impact is measurable. Users see "Not Secure," hesitate, and leave. Bounce rates increase. Time on site decreases. These engagement signals feed back into rankings. A site that users abandon quickly signals low quality to Google, regardless of the content.


  ## Safe Browsing Warnings


    [Google Safe Browsing](https://safebrowsing.google.com/) maintains lists of URLs associated with malware, phishing, and unwanted software. When a user navigates to a flagged URL, Chrome shows a full-page red warning: "Deceptive site ahead" or "The site ahead contains malware."




    This doesn't just reduce traffic — it kills it. Almost no one clicks through a red warning page. Search results for the affected site also show a "This site may be hacked" or "This site may harm your computer" warning, which has the same effect.




    Recovery requires cleaning the infection, fixing the vulnerability that allowed it, and submitting a review request through Search Console. The review process takes days to weeks.


  ## Search Console Security Issues


    Google Search Console has a dedicated "Security issues" section that flags problems it finds during crawling:




    - **Hacked content** — Spam or malicious content injected by an attacker
    - **Malware** — Pages that attempt to install malicious software
    - **Social engineering** — Phishing pages or deceptive download buttons
    - **Unwanted software** — Pages that promote software violating Google's guidelines




    When Google finds these issues, affected pages may be removed from search results entirely. The site owner receives notifications in Search Console and via registered email.


  ## What to Do About It


    - **Get HTTPS.** Use [Let's Encrypt](https://letsencrypt.org/) for free certificates. Most hosting providers offer one-click TLS setup.
    - **Set HSTS.** Ensure browsers always use HTTPS, even for first visits.
    - **Monitor Search Console.** Check the Security issues section weekly. Set up email alerts.
    - **Keep software updated.** Outdated CMS, plugins, and frameworks are how most sites get hacked.
    - **Scan regularly.** Run [ismycodesafe.com](/) after deployments to catch misconfigurations before Google does.
Enter fullscreen mode Exit fullscreen mode

This article was originally published on ismycodesafe.com.

Want to check your website's security? Run a free scan

Top comments (0)