



On the Google Office Hours podcast, Google's Gary Illyes answered a question about the 404 Page Not Found error that coincided with the drop in rankings.

Fake external 404 error

There are likely many reasons for a 404 error created by a bot. One of the reasons for these error responses may come from automated scanners that look for files or folders typical of a particular vulnerable plugin or theme.

Checking the IP address and user agent of the bot causing the 404 server error response may also provide clues as to whether the 404 response is from an automated scanning bot. If the IP address shows that it's from his web host, or his IP address in Russia or China, it's probably a hacker. If your user agent is an older version of Chrome or Firefox, it could also be a hacker's bot. That's just one of many reasons.

Google answers your questions

The asker associated the ranking drop with the 404 Page Not Found server response.

The questions asked were:

“I'm getting a fake 404 URL coming to my website from an external source. Could this be related to the ranking drop? How can I fix it?”

Google's Gary Illyes replied:

“It's not reasonably possible that false 404s that Googlebot may have crawled are the cause of the ranking drop. It's normal to have any number of 404s on your site, and you don't need to fix them. No. However, if my analytics software shows that a large number of real users are also accessing these 404 URLs, I would personally try to convert them to relevant content instead, for example. Tell the user in some way, such as by displaying it.

Rankings drop and 404 page not found

Gary said 404s are normal and unlikely to cause a drop in search rankings. Yes, 404 errors are common. Generally there is no problem. In most cases, you do not need to modify anything.

404 generated by real users

In other cases, 404s are created by real people who followed a link from somewhere and received a “Page Not Found” response. This can be easily diagnosed by checking whether the URL your site visitor is trying to access closely resembles your actual URL. This indicates that someone misspelled the URL and the way to fix it is to create a redirect from the misspelled URL to the correct URL.

About drop-in ranking

Gary didn't mention it, but it's worth mentioning that there's a small chance that the bot discovered the vulnerability, and that the scanner that was scanning for the vulnerability before finally finding it. This means you may have received a 404.

One way to check that is to use the server app phpMyAdmin to view the database table in the users section and see if there are any unrecognized users.

Another option if your site is hosted on WordPress is to use a security plugin to scan your site to see if it uses vulnerable themes or plugins.

Jetpack Protect is a free vulnerability scanner created by the developers at Automattic. It does not fix vulnerabilities, but it does alert users if vulnerabilities related to plugins or themes are found. The paid premium version offers more protection.

Other reliable WordPress security plugins are Sucuri and Wordfence. Both have different features and are available in free and premium versions.

However, if this is not the case, the drop in ranking is purely coincidental and the real reason lies elsewhere.

Listen to the Q&A at around 12:27 on the Office Hours podcast.

Featured image by Shutterstock/Asier Romero

