(Not just another Google Help rehash post)
Verifying a site in Google Search Console may seem like a pretty straightforward procedure that doesn’t require a dedicated post, but there are details you might want to be aware of if you aren’t yet. Also, considering some scams going around, it doesn’t hurt to know what to watch for so that you don’t become a victim yourself. I have tweeted that Sucuri post the other day mentioning it’s not quite factually correct – we’ll get back to it a bit later – but interestingly, this is not the only thing to keep an eye on.
To get some context, let’s summarise the essence of GWT / Search Console verification. Verifying your site via Google Search Console enables you as a site owner to get access to the reports and data Google provides for the site, including crawl stats, links, sitemap stats and errors, average ranking and CTR data from organic SERPs, etc. It is not enough to just create a Google Search Console account and add your site; you also have to prove your ownership to Google before it lets you in on all that info. As of today, verification is possible via one of the 5 ways:
There are pros and cons to every method, and not all of these methods may be suitable for every site. It’s enough to use just one – any one, and at least one but it can be more than one – and your site becomes verified. It’s important to stress that there can be multiple sites under one Search Console account (obviously, do not do it if you don’t want Google to make a connection between your different sites), as well as multiple owners of the same site. The verification is checked by Google every 30 days, or as soon as a new verification is added, so it’s important to keep your verification file/meta tag/TXT record at the registrar or connection to Analytics or Tag Manager intact once it’s created unless you want your ownership revoked.
Now, please note that site owners are not necessarily the same as Search Console users with access to the site data: users can be added by the owner with full or restricted permissions, and that is a separate process not connected to verifying the site ownership (which is where the Sucuri post is not quite factually correct):
You can delete users but you cannot delete owners unless the verification is revoked (by removing whatever was used for verification).
Obviously, having your Google verification file or meta tag on the site at all times makes it possible for anyone to copy it and do whatever they wish with it. Skewing your Search Console data is just the most obvious result of it.
Before anyone rushes to cloak their verification file (which could have been a viable solution for sites verified via an html file), I’d say we need to first get Google’s official stance on it, desirably from somebody who knows for sure what they are talking about, not any random Googler. There’s not much that I can think of right now that could be done to the meta tag to protect it.
Verification via the domain name registrar is probably the most obscure method not used by many site owners, and it would seem like a safer one. After all, to access the domain owner’s account at the registrar, you HAVE to be the domain owner (although domainers may tell you otherwise and quote some of the domain reappropriation scams going on). But of course not every domain owner even knows what a TXT record is or how to edit their DNS zone file at the registrar.
However, I had a chance to observe something else in the wild and that is quite interesting. Apparently, some registrars do not drop the DNS zone file records when a domain changes owners. More surprisingly, this applies not only to active, live domains but also to expired domains bought via the same registrar they were initially registered with. The most typical example: a domain registered via GoDaddy expires, goes into auctions, gets acquired by a new owner. If it was previously verified at the Search Console via the registrar, the new owner gets the old TXT record tying the domain to the old owner’s Search Console account.
This is probably not as bad as a complete stranger getting access to your Search Console data – but still not the way you want it to be ideally.
All that said, here are a few things you want to do to keep your domains safe:
- Check your site owners list and verification history regularly
- Check how your domain is verified: make sure you are aware of all the methods Search Console lists and that none of them surprises you
- Make sure your users have only the absolutely necessary level of permissions (not directly related to domain ownership hijacking but worth noting)
- When buying a previously owned domain (not necessarily from current owner but also an expired one e.g. via GoDaddy Auctions), check the TXT record in the DNS zone file
- When considering dropping a domain or selling a domain, clean up your TXT record if that’s how the site has been verified
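One way to do the TXT record check from the last two items, as an added example that is not part of the original post: it scans zone-file text exported from a registrar for `google-site-verification=` TXT records and separates the tokens you issued from any you did not. The sample zone, the token values and the function names are constructed for illustration.

```python
import re

# Constructed sample: zone-file lines as exported from a registrar's DNS panel.
SAMPLE_ZONE = '''\
; constructed example zone for example.com
@     3600 IN A     192.0.2.10
@     3600 IN TXT   "v=spf1 -all"
@     3600 IN TXT   "google-site-verification=OLD-OWNER-TOKEN-constructed"
@     3600 IN TXT   "Google-Site-Verification=" "MY-TOKEN-constructed"
www   3600 IN CNAME @
'''

PREFIX = "google-site-verification="
# name [ttl] [IN] TXT rdata
TXT_LINE = re.compile(r'^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*)$', re.IGNORECASE)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def verification_tokens(zone_text):
    """Return [(name, token)] for every Google verification TXT record."""
    found = []
    for line in zone_text.splitlines():
        if line.lstrip().startswith(";"):      # zone-file comment
            continue
        m = TXT_LINE.match(line)
        if not m:
            continue
        name, rdata = m.groups()
        # A TXT record may be split into several quoted strings; join them.
        chunks = QUOTED.findall(rdata)
        value = "".join(chunks) if chunks else rdata.strip()
        # Match the prefix case-insensitively so the audit does not miss a record.
        if value.lower().startswith(PREFIX):
            found.append((name, value[len(PREFIX):]))
    return found

def audit(zone_text, known_tokens):
    """Split found tokens into (expected, unexpected) against tokens you issued."""
    expected, unexpected = [], []
    for name, token in verification_tokens(zone_text):
        (expected if token in known_tokens else unexpected).append((name, token))
    return expected, unexpected

if __name__ == "__main__":
    ok, stale = audit(SAMPLE_ZONE, {"MY-TOKEN-constructed"})
    for name, token in stale:
        print(f"unexpected verification record at {name}: {token}")
```

Any token reported as unexpected corresponds to a Search Console owner you did not add, which is the inherited-record case described above.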
Stay safe!