Google began enforcing its new "back button hijacking" spam policy on June 15, 2026. Sites that prevent users from pressing the back button to return to Google Search are now at risk of manual spam actions and algorithmic ranking demotions. This is not an algorithm update — it's a spam policy with teeth, and enforcement is active right now.
What Changed
In April 2026, Google published a new spam policy specifically targeting back button hijacking. Enforcement started June 15, 2026.
What is back button hijacking? It's when a website interferes with a visitor's browser navigation so that pressing the browser back button doesn't take them back to where they came from. Instead, the user might be:
- Redirected to a page they never visited
- Shown an unsolicited ad or popup
- Caught in a navigation loop
- Blocked from leaving the site normally
This is classified under Google's "malicious practices" spam category — the same tier as cloaking, hidden text, and other serious violations.
Timeline:
- April 2026: Policy announced
- June 15, 2026: Enforcement begins — manual actions and algorithmic demotions can now be applied
- Sites had two months to remove offending code. That window has now closed.
Who is responsible: Google places the penalty on the website, not on the third-party vendor whose code caused the problem. If a widget on your page hijacks the back button, your site gets penalized — even if you didn't write the code.
Why It Matters for Your Rankings
Back button hijacking is one of the user experience signals Google has been watching for years. Trapping users on a page — or stopping them from returning to search results — is a trust signal violation. Google's enforcement now means:
- Sites with confirmed back button hijacking can receive manual spam actions, which remove pages or entire sites from search results
- Automated demotions can also be applied without manual review
- The penalty applies even if the hijacking comes from third-party code (ad networks, recommendation engines, affiliate scripts, popup tools)
Even if your intentions were innocent (a "don't leave yet!" popup from a marketing tool), the implementation may now trigger a penalty. This is especially urgent for sites running aggressive exit-intent popups or content discovery widgets.
Step-by-Step: What To Do About It
Step 1: Audit Your Site for Back Button Hijacking
Open your site in a browser and navigate to several pages. Then press the browser back button. Does it take you straight back to the previous page or Google? If it doesn't, or if you get a popup, redirect, or loop — you have a problem. Test landing pages, product pages, blog posts (especially those with affiliate links), and any page using exit-intent popups.
Step 2: Identify Third-Party Scripts That Modify Navigation
Check your Google Tag Manager, site source code, or JavaScript audit for any scripts that use:
history.pushState()orhistory.replaceState()to add fake navigation history entriesonbeforeunloadorwindow.onpopstateto intercept the back button- Exit-intent popup libraries that redirect rather than show an overlay
- Content recommendation widgets (e.g., Taboola, Outbrain, or similar) that push history states
Step 3: Remove or Reconfigure Offending Code
If a third-party tool is causing the problem: check if the tool has a compliant configuration option (a popup overlay that doesn't modify browser history), and if not, disable or remove the script entirely. If you use an ad network, contact their support to request a non-hijacking code variant.
Step 4: Check Google Search Console for Manual Actions
Log into Google Search Console → Security & Manual Actions → Manual Actions. If a manual action has already been applied, you'll see it listed. Address the issue, then submit a reconsideration request.
Step 5: Test Again After Fixing
After removing the offending code, test all pages again in multiple browsers and on mobile. Use browser developer tools to monitor history stack manipulation during page load.
Step 6: Monitor Rankings for 2–4 Weeks
If you had the issue and fixed it, monitor your organic traffic and rankings over the next 2–4 weeks. Recovery timelines from spam actions vary, but most sites see improvement within one to two crawl cycles after fixing and requesting reconsideration.
Common Mistakes to Avoid
- Assuming you're safe because you didn't write the code — Google holds the site owner responsible. Audit every third-party script.
- Confusing exit-intent overlays with back button hijacking — A popup overlay that appears when the mouse exits the viewport is generally fine, as long as the back button still works normally. A script that pushes a fake history entry to trigger the popup is hijacking.
- Ignoring mobile — Test on real mobile devices, not just desktop. Mobile back-button behavior can differ from desktop.
- Waiting for a penalty before acting — The enforcement window opened June 15. Act now before a manual review catches your site.
- Not requesting reconsideration after fixing — If you receive a manual action, you must submit a reconsideration request after fixing the issue. Rankings won't recover automatically.
Quick-Win Checklist
- Visit your top 10 landing pages and test the back button manually
- Check Google Tag Manager for any
history.pushStateorpopstatescripts - Review your exit-intent popup tool — does it modify browser history?
- Audit content recommendation widgets (Taboola, Outbrain, Disqus, etc.)
- Check Search Console → Manual Actions for any existing penalties
- Remove or reconfigure any non-compliant scripts
- Re-test all affected pages post-fix
- Submit a reconsideration request if a manual action was already applied
