What is Back Button Hijacking, and why should you care?

Back button hijacking is now a Google spam violation – check your site before June 15th

You know that thing where you’re on a website, you click the back button, and instead of going back to where you came from, you end up on some other page entirely? Or worse, you’re trapped on the same page no matter how many times you click? That’s back button hijacking. And as of June 15th, Google is classifying it as a spam violation.

The penalty if you’re caught: manual spam actions, automated ranking demotions, or both. For a site that depends on organic traffic, that’s not a minor inconvenience, it’s a fucking disaster.

The problem is – you might be doing this without knowing a single thing about it.

What is back button hijacking and does it affect your site?

When you click back in your browser, you expect to go back. Every person who has ever used the internet expects this. It’s been working this way since the mid-1990s.

Back button hijacking breaks that. It works by abusing something called the browser History API – a piece of web technology that lets sites interact with your browser’s navigation. Used properly, it’s a legitimate tool. Used badly, it lets a script silently manipulate your browser, so when you press back, you land somewhere unexpected. An ad. A pop-up. A “wait, don’t go!” overlay. Or just the same page again.

Some sites doing this are being deliberately manipulative. A lot of them aren’t. They just installed something that does it on their behalf. That pop-up that loads when someone presses back, to get people to sign up to your website? The annoying “you might want to read these articles as well” page you land on when clicking back on a news site? Back button hijacking. And it’s fucking annoying, right? Well, now it’s spam.

Why third-party scripts are the most common cause of back button hijacking

Of course, the scripts most commonly responsible for this aren’t called “back button hijacking scripts.” They have much friendlier names.

Exit-intent tools

These sit and wait for the moment you try to leave a page, then fire an overlay or redirect. Some of them intercept back button navigation specifically, because that’s one of the clearest signals that someone’s trying to leave your website, and of course keeping them on your site is the most important thing, right? WE CAN’T LET THEM LEAVE! 🫣

Ad monetisation plugins

Certain ad networks and monetisation scripts inject history states as part of how they serve ads. It’s not always the main feature – sometimes it’s buried in the code doing something else entirely.

Engagement and analytics tools

Scroll-depth trackers, session recording tools, and “reduce bounce rate” widgets sometimes manipulate browser history as a side effect of how they work. The tool promises to improve your engagement metrics. It doesn’t mention that it does it partly by making it harder to leave.

This is the same pattern I’ve written about before – a cottage industry of tools packages manipulative techniques alongside genuinely useful features, enough businesses install them that the behaviour becomes widespread, and then Google cracks down, and the penalty lands on your domain, not on the people who sold you the tool.

Google’s own guidance makes clear they’re holding site owners responsible even when the offending code comes from a third-party library. Ignorance is not a defence.

Why Google is only cracking down on back button hijacking now

Google has been asked about this before and said there was no penalty for it. That’s changed because they’ve seen a significant rise in the behaviour – which tells you something about how many monetisation and engagement scripts have quietly started doing it over the past couple of years.

The timing isn’t random. As AI overviews have eaten into organic traffic, publishers have scrambled for any tool that promises to keep visitors on their pages longer. Some of those tools deliver by improving content. Others deliver by making it harder to leave. Google tolerated it, the behaviour spread, and now here we are with eight weeks’ notice.

To be fair, two months is more warning than Google usually bothers with. That doesn’t make it less frustrating that sites are being handed a deadline for something Google waved through for years.

What Google’s back button hijacking penalty means for your search rankings

After June 15th, pages caught doing this face manual spam actions from Google’s webspam team, automated ranking demotions, or both. For a site that depends on organic traffic, the impact can be serious and – depending on whether it’s manual or algorithmic – not always immediately obvious what caused it.

If you receive a manual action, you can request a review through Google Search Console once you’ve fixed the problem. The algorithmic side is harder – there’s no review process, you just have to fix it and wait.

Either way, it’s considerably easier not to get fucked in the first place.

How to check your site for back button hijacking before the June 15th deadline

Start by checking your site yourself. Open it in a browser, navigate through a few pages, then click back. Does it behave the way you’d expect? If you end up somewhere strange, or find yourself clicking back multiple times to escape a page, then look into it.

Then talk to your developer and your SEO. Your developer can audit the third-party scripts running on your site – ad networks, consent tools, exit-intent plugins, anything that might be interacting with browser navigation. Your SEO should be across this already, but if they haven’t raised it, ask them directly.

If you’re on WordPress, look at your active plugins carefully. Anything promising to reduce bounce rate, recover abandoning visitors, or improve engagement metrics is worth scrutinising.

June 15th is close enough that this is worth doing now.

Not sure whether your site is doing any of this? Book a 1:1 call and I’ll take a look with you – we can go through your scripts, your plugins, and anything that might land you in trouble before June 15th.

---