Back to Blog
seodomainsdnstechnical-seonegative-seo

Redirect Domains SEO Risk: How My Old Domains Leaked Toxic Links (Simply Explained)

A plain-language guide to redirect domains seo risk. No jargon, no tech speak, just what it means for your business.

By Mike Hodgen

Want the full technical deep dive? Read the detailed version

A normal marketing move that became a security hole

I run a fashion brand in San Diego. Handmade goods, the kind of business where the brand name is the whole asset.

Like every brand owner, I bought up a bunch of extra versions of my domain name over the years. The .net version. The .store version. The common typo someone might land on. The ones a competitor might grab if I didn't.

This is normal. You protect your name. And the standard move is to point all those extra domains at your main store. Type in the .net version, you land on the real site. Clean and tidy.

It feels completely harmless. Everyone does it. I did it years ago without a second thought.

Then I got hit with a link attack, and those harmless redirects turned into an open back door.

What I didn't know about those redirects

When you point one domain at another, you're not just forwarding visitors. You're also forwarding reputation.

Think of it like a forwarded phone line. If someone calls the old number, the call rings through to the new one. Good calls and bad calls. The line doesn't judge.

Google works the same way with links. Links pointing at your website tell Google whether your site is trustworthy. Good links help you rank. Spammy, junk links hurt you.

So when an attacker started aiming a flood of toxic junk links at one of my forgotten extra domains, all that poison flowed straight through to my homepage. My most valuable page. The one that ranks for my brand and makes the most money.

Let that sink in. The page worth the most to my business was inheriting the most damage, through a domain I'd forgotten I even owned.

The only reason I caught it is that I already had an AI system watching my link reputation in real time during the attack. A digital security guard that never sleeps. Without it, I'd have had no idea the poison was even coming in.

Hunting down the leaks

Once I knew the redirects were the problem, I had to find every single one.

My domains were scattered across three different companies where I'd bought them over the years. Different accounts, different eras, different setups I barely remembered.

The first batch was fine. Those domains were set up as true dead ends. Type them in, you hit a wall, nothing forwards through. Past me had done something right, probably by accident.

The second batch is where it fell apart. Four of my domains were quietly forwarding to my homepage, and I never set them up that way on purpose. The company's default settings did it for me, years ago, without telling me.

Four open pipes I didn't know existed, all pointed at my money page.

Here's the kicker. When I tried to shut them off, the system claimed there was nothing to shut off. The dashboard said one thing, the live behavior said another. I had to go in by hand, domain by domain, and verify each one was actually closed.

The lesson burned in deep: you cannot assume "I set it up right once" stays true. Settings drift. Companies change their defaults under you. The setup you made in 2019 is not the setup running today, and nobody sends you a memo.

My new rule: every extra domain is a wall, not a door

I didn't just want to fix four domains. I wanted to make this whole problem impossible going forward.

So I made a simple rule. Only my main store is allowed to be a real destination. Every other domain I own is now a hard dead end. Type it in, you hit a wall. Nothing forwards through. Good or bad.

Now, the obvious question: doesn't that throw away the typo traffic I was trying to catch?

A little, yes. But let's be honest about what that's worth. The handful of people who manually type a .xyz version of my brand is tiny. Protecting my most valuable page from inherited poison is enormous. Not a close call.

Why this matters for any business

Here's the part that should bother you. This attack is cheap and easy.

A competitor doesn't need your passwords. They don't need access to your website or your server. They just need to find which of your domains are still forwarding to your homepage. That information is public. Anyone can look it up.

Then they blast garbage links at whichever of your domains still forward. Your homepage inherits all of it. And you did the hard part for them years ago when you set up the redirect.

The reason this hole existed is the same reason most security holes exist. The setup happened years ago, under assumptions nobody wrote down, and nobody ever checked it again. The decision was reasonable at the time. It just quietly became a liability.

The 20-minute check you can run today

You don't need me for this part. Here's the exact process.

First, list every domain you've ever bought. Not the ones you remember. All of them. Check old email for renewal receipts. Check every account you've ever logged into. The domain you forgot is the one that gets you.

Second, for each domain, check what it actually does right now. Free redirect-checker tools online will tell you. You're looking for any extra domain that still forwards to your main site.

Third, for every one that does, switch it to a dead end. Then double-check it actually changed. This is where most people quit too early. They hit save, see a confirmation, and walk away. But those dashboards lie. I learned that the hard way. Verify it for real.

Most hidden risks aren't bugs. They're forgotten decisions.

This is the real pattern I find when I audit a business. Not exotic hacks. Just stale settings and forgotten choices that quietly turned into liabilities.

The redirect that made sense in 2019. The integration nobody owns anymore. The access nobody ever revoked. They sit there behaving exactly as designed, until an attack comes along and finds them.

I catch these because I'm building and re-checking these systems every week, in my own brand and for clients. When you're this hands-on, you develop a nose for the decision that made sense once and never got a second look.

If you inherited a setup you've never re-examined, that's exactly the kind of thing worth having me look at. I'll tell you what's actually live versus what you think is live. Those are usually two very different things.

Want to explore what AI could do for your business?

Book a free 30-minute strategy call. No pitch deck, no sales team, just a real conversation about your operations and where AI fits.

Book a Discovery Call

Get AI insights for business leaders

Practical AI strategy from someone who built the systems — not just studied them. No spam, no fluff.

Ready to automate your growth?

Book a free 30-minute strategy call with Hodgen.AI.

Book a Strategy Call