Cloaking
Definition
Cloaking is a technique that intentionally serves different content to search engine crawlers and regular users. Google sees a page rich in E-E-A-T and keywords; actual users see spam, ads, or unrelated pages.
Google's Spam Policy defines cloaking as "showing users content that is different from what Google indexed, in order to provide relevant results to both users and Google," and explicitly prohibits it.
Summary
Self-check for cloaking: In GSC URL Inspection, capture "Page as Google saw it" and open the same URL in a normal browser to compare. If the two views differ, you have cloaking or cloaking-like behavior.
How Cloaking Works
Method 1: User-Agent-Based Branching
The server checks the User-Agent header of each HTTP request and returns an optimized page to Googlebot and a different page to normal browsers.
if "Googlebot" in request.headers.get("User-Agent", ""):
    return optimized_page()  # Page shown to Google
else:
    return spam_page()  # Page shown to users
Method 2: IP-Based Branching
Googlebot crawls from known IP ranges. The server returns a good page to requests from those ranges and a different page to everyone else.
Method 3: JavaScript-Based Cloaking
Googlebot may not execute some JavaScript, or may execute it with a delay. The page branches its content on whether JS runs: Googlebot gets server-side rendered, keyword-rich content, while users get ad pages or redirects.
Method 4: CSS/Style-Based Hiding
HTML contains keywords for Googlebot but CSS hides them from users.
.hidden-keywords {
    display: none; /* Hidden from users; bot reads HTML */
}
Why Google Punishes Cloaking Strictly
User Deception
Users trust search results and click on them. Cloaking creates a mismatch between the search result and the actual landing page, deceiving users.
Search Result Quality Degradation
When cloaked pages rank well, the information users need gets pushed down. This threatens trust in Google Search itself.
Malware and Spam Funnel Paths
In many real cloaking cases, users are funneled to malware downloads, phishing sites, or gambling/adult sites.
Cloaking vs. Legitimate User Customization
Cloaking (Prohibited)
- Intentionally different core content for bots and users
- Mismatch between ranking keywords and actual page topic
- High-quality content for bots, worthless content for users
Legitimate User Customization (Allowed)
- Content adjusted for user language, location, device
- Same content essence, different presentation
- Googlebot can see the same content core as users
Edge Cases
Paywall: Partial preview + full content after payment is allowed. Structured data must declare paywall status.
A/B testing: Allowed when temporary and limited in scope. Bots must always see real content.
Multilingual: Different URLs per language with hreflang, handled consistently for bots, is allowed.
Penalties for Cloaking
Immediate Manual Action
When Google discovers cloaking, it applies a manual action more quickly than for other violations. Cloaking is classified as "intentional fraud" and handled more strictly than other violations. See Google Manual Actions for details.
Sitewide Index Removal
Severe cloaking can remove the entire site from Google's index. Recovery is very difficult and time-consuming.
SpamBrain Auto-Detection
Google SpamBrain learns cloaking patterns and detects them automatically. Google regularly verifies sites through its own crawl infrastructure. See SpamBrain for details.
Cloaking Diagnosis Methods
Using GSC URL Inspection
- GSC → URL Inspection → enter URL
- Check "Rendered page" (screenshot of what Google saw)
- Open same URL in normal browser
- Compare the two views
If the essence of the content differs between the two views, cloaking is possible.
Site Audit Tools
- Chrome DevTools: Change User-Agent to Googlebot and compare responses
- Third-party "Fetch as Googlebot" tools: View page from Googlebot perspective
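The comparison above can be scripted once the two response bodies are saved (one fetched with the Googlebot User-Agent, one with a normal browser's). This is an added example, not part of the original page; the 0.5 overlap threshold, the finding names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Collect words outside script/style blocks, plus meta-refresh targets."""
    SKIP = {"script", "style", "noscript", "template"}
    def __init__(self):
        super().__init__()
        self.skip_depth, self.words, self.redirects = 0, set(), []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.SKIP:
            self.skip_depth += 1
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.redirects.append(attrs.get("content") or "")
    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1
    def handle_data(self, data):
        if not self.skip_depth:
            self.words.update(re.findall(r"[a-z0-9]+", data.lower()))

def parse(html):
    p = VisibleText()
    p.feed(html)
    p.close()
    return p

def compare(bot_html, user_html, threshold=0.5):
    """Return (Jaccard word overlap, findings) for the two response bodies."""
    bot, user = parse(bot_html), parse(user_html)
    union = bot.words | user.words
    overlap = len(bot.words & user.words) / len(union) if union else 1.0
    findings = []
    if overlap < threshold:  # assumed cut-off: same essence should overlap more
        findings.append("content-mismatch")
    if user.redirects and not bot.redirects:
        findings.append("user-only-redirect")
    return round(overlap, 2), findings

# Constructed sample bodies (not captured from any real site).
BODY = ("<h1>How to fix a flat bicycle tire</h1><p>Remove the wheel, lever "
        "off the tire and patch the inner tube.</p>")
BOT = "<title>Fix a flat bicycle tire</title>" + BODY
MOBILE = "<style>nav{color:red}</style><nav>Menu</nav>" + BOT + "<script>t()</script>"
SPAM = ('<title>Win big today</title><meta http-equiv="refresh" '
        'content="0;url=https://spam.example/"><p>Claim the bonus and play now.</p>')

if __name__ == "__main__":
    print(compare(BOT, SPAM), compare(BOT, MOBILE))
```

Switching the User-Agent only exposes User-Agent-based branching; IP-based branching (Method 2) shows up only in the GSC rendered view, which is fetched from Google's own infrastructure.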
Code Self-Audit
Review server code for User-Agent or IP-based branching. Sites where SEO agencies modified code in the past require mandatory review.
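One way to shortlist lines for that review, as an added example (not code from the original page): it flags conditionals that test a crawler name or the client IP. The rule names, the patterns and the sample files are assumptions, and every hit still needs a human read, because rate limiting and bot analytics use the same constructs legitimately.

```python
import re

# Heuristics for the branching the page says to look for (review aid only).
BRANCH = re.compile(r"\b(if|elif|unless|case|when|RewriteCond)\b", re.I)
RULES = {
    "crawler-branch": re.compile(r"googlebot|bingbot|crawler|spider", re.I),
    "ip-branch": re.compile(r"remote_addr|x-forwarded-for|client_ip", re.I),
}

def audit(files):
    """Return (path, line_number, rule) for each conditional that tests a
    crawler name or the client IP. `files` maps path -> source text."""
    findings = []
    for path, text in sorted(files.items()):
        for n, line in enumerate(text.splitlines(), 1):
            if not BRANCH.search(line):
                continue
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((path, n, rule))
    return findings

# Constructed sample tree; none of these files come from a real site.
SAMPLE = {
    "app/views.py": (
        'def page(request):\n'
        '    if "Googlebot" in request.headers.get("User-Agent", ""):\n'
        '        return optimized_page()\n'
        '    return spam_page()\n'
    ),
    "theme/functions.php": (
        "<?php\n"
        "if (preg_match('/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
        "    include 'seo.html';\n"
        "}\n"
    ),
    ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} Googlebot [NC]\n",
    "lib/geo.php": "<?php\nif (in_array($_SERVER['REMOTE_ADDR'], $ranges)) {\n",
    # Language customization: allowed, and not flagged.
    "app/lang.py": 'if request.headers.get("Accept-Language", "").startswith("de"):\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```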
Cloaking Remediation Steps
- Remove cloaking code immediately: Delete User-Agent and IP-based branching code
- Serve identical content to all users: Bot = same content as regular users
- Clear server cache: Ensure cached cloaking responses are gone
- Request URL recrawl in GSC: Request recrawl after fixes
- Submit manual action reconsideration: If manual action existed, request review in GSC
English-Language Market Considerations
Cloaking Patterns Found in the Market
- SEO agency injected code: Past cases of SEO agencies inserting cloaking code on client sites. Code audit needed during site migration or redesign.
- Hacked site cloaking: Gambling/adult sites hacking normal sites to insert cloaking code. Found in GSC Security Issues tab.
- Keyword cloaking: Ranking in Google for high-traffic keywords then funneling to unrelated pages.
Recommended Self-Checks
During site operation, check for cloaking if you see these signals:
- Clicks in GSC but no GA visits (users redirected)
- Abnormally high bounce rate on specific pages
- GSC URL Inspection view differs from actual browser view
FAQ
Q. Am I penalized if cloaking happened by accident?
A. Google cannot easily prove intent. Even technical errors serving different content to bots and users can trigger algorithmic penalties. Fix immediately upon discovery; if manual action occurred, explain it was unintentional in the reconsideration request.
Q. Is showing different content to logged-in vs logged-out users also cloaking?
A. No. Content differences by login state are allowed. However, Googlebot always crawls logged out, so the logged-out content is what gets indexed. If core content appears only after login, indexing problems occur.
Q. Is showing different pages to mobile users also cloaking?
A. If content essence is the same and only UI/layout differs, it is normal. Redirecting mobile devices to different URLs (m.example.com) or responsive layouts are allowed. Googlebot must be handled the same way.
Q. Are there cases of cloaked sites recovering?
A. Yes. Cases exist where cloaking code was fully removed, reconsideration submitted, and manual actions lifted. However, if cloaking persisted long term, recovery may take months, and in some cases domain trust is too low for recovery.
Q. Cloaking occurred due to hacking. What should I do?
A. Immediately: ① remove malicious code, ② patch security vulnerabilities, ③ change all passwords, ④ confirm the GSC security issue report, ⑤ submit a reconsideration request. Clearly stating victim status in the reconsideration request helps Google process it faster.
Sources
- Google Search Central (2024). Spam policies for Google web search — Cloaking. https://developers.google.com/search/docs/essentials/spam-policies#cloaking
- Google Search Central (2024). Hacked sites. https://developers.google.com/search/docs/monitor-debug/security/hacked
- Search Engine Journal (2024). What Is Cloaking in SEO? Definition, Examples & How to Avoid It.