The awkward part is that you might be doing it without knowing. The offending code often lives in an ad tag, a plugin or a pop-up you never wrote yourself. So the sensible move is to check your own scripts now, before Google’s systems check them for you.
Here is what the policy means in practice. Google announced the change in April 2026 and gave roughly two months’ notice before enforcement. Back button hijacking is when a site interferes with normal browser navigation, so instead of returning to the previous page, users are pushed somewhere they never chose, shown unsolicited ads, or stuck in a loop. It usually works through the JavaScript History API, which is why a clean JavaScript SEO setup matters more than it used to.
Why this is an SEO problem now, not just a UX one
For years Google said this behaviour had no direct effect on rankings. That guidance has changed. Affected pages, or in serious cases a whole domain, can be demoted or dropped from search, and a manual action will show up in Search Console. Crucially, Google has said the responsibility sits with you even when the hijacking comes from a third-party library or ad platform. “I didn’t write it” is not a defence, which is a good reason to fold this into a technical SEO audit.
There was noticeable ranking volatility in the days after enforcement, with some site owners reporting drops of 25% to 50%. Treat those figures with care. They are self-reported by the worst-affected sites, Google has not confirmed a link, and the real average is unknown. The signal to take from it is simply that this is being enforced.
Where it usually hides
Most hijacking is accidental. It creeps in through the parts of your stack you bolt on and forget about, which is exactly where an ongoing technical SEO retainer earns its place.
| Common source | What can go wrong | How to check |
|---|---|---|
| Third-party ad and programmatic tags | Injected redirects or extra history entries | Watch the Network tab as you press back |
| Pop-up and exit-intent plugins | Overlays that re-trigger instead of closing | Close the pop-up, then press back |
| Single-page app routing, React, Vue or Angular | pushState creating navigation loops | Follow a full journey, then press back on mobile |
| Affiliate and content-recommendation widgets | Deceptive pages slipped into history | Compare browser history before and after the widget loads |
| Outdated or compromised theme files | Unexpected history.replaceState calls | Scan recent file changes against a clean staging copy |
Take a familiar case. A UK retailer adds a new exit-intent pop-up plugin before a seasonal sale, and it quietly rewrites the back button so shoppers cannot return to Google. For a store running £15,000 a month through organic search, a demotion at the wrong moment is a genuinely expensive accident. If you run on WordPress, this is worth folding into a WordPress SEO audit, since plugins and theme updates are common culprits.
How to check before Google does
Start with the simplest test. Open a few important pages from Google Search, follow a normal journey, then press back on both desktop and mobile. If you land somewhere you did not choose, you have found a problem. To trace the cause, open Chrome DevTools and watch the Network tab as you press back, the same habit you would use in a page speed audit to find render-blocking scripts.
Once you find the source, disable it in staging before deleting anything in production. Confirm the back button behaves, then, if you have a manual action, submit a reconsideration request. A structured pass using a full SEO audit checklist or a quick 60-minute audit will catch most of this in one sitting.
Where does this leave the bigger picture? Clean navigation is now part of the same job as everything else. Strong organic search services and steady work from technical SEO specialists keep these risks off your site, an SEO audit service gives you a documented baseline, and AI results optimisation benefits too, since the behavioural signals Google trusts feed its AI systems. If a demotion does hit, paid media management can hold visibility while you clean up.
Frequently asked questions
What is back button hijacking? It is when a site stops the back button returning you to the previous page, sending you elsewhere or trapping you on the site.
When did Google start enforcing this? Enforcement began on 15 June 2026, under the malicious practices section of Google’s spam policies.
Can a third-party script get my site penalised? Yes. Google says hijacking from ad platforms or libraries still counts, and the site owner is responsible for fixing it.
How do I check my own site? Open a page from Google, follow a normal journey, then press back on both desktop and mobile.
What happens if I get a manual action? Fix the cause, confirm the back button works, then submit a reconsideration request in Search Console.
Want a second pair of eyes on your scripts?
Most sites that hijack the back button never meant to, and the fix is usually quick once you find the source. If you would rather have a London-based digital agency audit your scripts, ads and pop-ups and hand your developers a clear list, book a free consultation and we will take a look.