What happens when your carefully optimized website suddenly starts showing poor Core Web Vitals (CWV) scores, even though real users don’t seem to notice? Google experts say these attacks have little impact on rankings if real users aren’t affected—here’s why Recently, a post on Bluesky raised alarms about a novel type of negative SEO attack, dubbed “Core Web Vitals poisoning.” The discussion caught the attention of Google’s John Mueller and [Chrome Web Performance](https://www.stanventures.com/blog/google-pagespeed-insights/google-recommended-speed/) Developer Advocate Barry Pollard, giving the SEO community a rare peek into how unusual performance issues are investigated. Here is what we learned and why it might or might not affect your search rankings. ## What Is Core Web Vitals Poisoning? ![What Is Core Web Vitals Poisoning? ](https://cdn.bsky.app/img/feed_fullsize/plain/did:plc:fvgq6thprs2ajx5rq2ss6gdi/bafkreigglix7ggrikdbhfajrgfqieyalcoswpa3fjpqqr3y3d3wjny5lsm@jpeg) Someone on[Bluesky reported](https://bsky.app/profile/brendantully00.bsky.social/post/3lwbeyggp522j) seeing a strange pattern across multiple sites where intentional render delays were being injected. They wrote: “We’re seeing a weird type of negative SEO attack that looks like core web vitals performance poisoning… seeing it across multiple sites & source countries… this data is pulled by web-vitals.js.” > @johnmu.com @rviscomi.dev hey we're seeing a weird type of negative SEO attack that looks like core web vitals performance poisoning, seeing it on multiple sites where it seems like an intentional render delay is being injected, see attached screenshot.Seeing across multiple sites & source countries > — [Brendan Tully – WPSpeedFix (@brendantully00.bsky.social)](https://bsky.app/profile/did:plc:fvgq6thprs2ajx5rq2ss6gdi?ref_src=embed) [2025-08-13T08:13:53.146Z](https://bsky.app/profile/did:plc:fvgq6thprs2ajx5rq2ss6gdi/post/3lwbeyggp522j?ref_src=embed) Web-vitals.js is a lightweight JavaScript library developed by the Google Chrome Team. It allows webmasters and SEOs to measure Core Web Vitals on their own or client websites in a way consistent with PageSpeed Insights and Google Search Console. In simple terms: attackers try to slow your site’s ‘lab’ speed scores, not real visitor experience. So, if web-vitals.js is recording poor scores, it’s capturing actual performance hits on the server, not just synthetic metrics. But does that mean your rankings are at risk? Let’s explore. ## How Are Core Web Vitals Being Affected? The discussion highlighted several key points: - ### Cache-Bypass Denial-of-Service (DoS) Attack ![ LCP issue in website](https://cdn.bsky.app/img/feed_fullsize/plain/did:plc:fvgq6thprs2ajx5rq2ss6gdi/bafkreidgu6joze7t5ujpjydsjchdaw4wtt42h2o5yxkwr4cpdfjprx3fzy@jpeg) The sites in question were being hit with a cache-bypass DoS attack, which overwhelms the server by forcing it to generate pages directly rather than serving them from a CDN or local cache. This increases Time to First Byte (TTFB) and slows page rendering, negatively affecting metrics like Largest Contentful Paint (LCP), causing web-vitals.js to record degraded performance. - ### Multiple Countries, Forged Referrers The attack appeared to come from various locations and often included forged referrer headers, which makes it harder to track or mitigate. - ### No Impact on CrUX Data ![CrUX data ](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:ilj6i6evo5xxl5iixp2y76nt/bafkreicwhot6qnvytckgu7fdhhssij77qpgky2kxack344sydtzxpsq6eu@jpeg) CrUX (Chrome User Experience Report) data, which collects metrics from real users who have opted into reporting, did not reflect degraded performance. This suggests that typical visitors were likely served cached versions of pages via CDNs, avoiding the slowdown. ## Could This Really Affect Rankings? Let’s see… should website owners panic? According to John Mueller, the chances are slim. He commented: “I can’t imagine that this would cause issues, but maybe @tunetheweb.com has seen things like this or would be keen on taking a look.” Barry Pollard also noted that this could be a bug in web-vitals.js rather than an SEO attack, and he asked if the problem appeared in CrUX data, which it did not. The takeaway? While CWV is a ranking factor, server-side performance hits from attacks like this are unlikely to influence search results if real users are not affected. Google prioritizes actual user experience over isolated performance anomalies. ## How Does a Cache-Bypass DoS Work? It is important to understand what’s happening behind the scenes. Normally, pages are served from a CDN cache, which reduces load on the origin server. In a cache-bypass DoS, attackers send numerous requests that skip the cache, forcing the server to generate fresh pages for each hit. This: - Increases TTFB - Degrades page rendering - Triggers poor Core Web Vitals in scripts measuring server performance But if users continue to get cached pages, CrUX and real-user experiences remain stable. ## Should Site Owners Worry About CWV Poisoning? For most websites, probably not. Key points: 1. **Server-Side Metrics vs Real User Experience**** ** CWV scores measured via scripts like web-vitals.js may drop but real user experience remains intact if CDNs or caching layers are in place. 2. **Impact on Rankings Is Minimal**** ** Google cares more about actual content relevance and usability than occasional performance anomalies. 3. **Mitigation Is Still Smart**** ** Even if rankings are not affected, a cache-bypass DoS attack can strain servers, increase hosting costs and slow down internal operations. ## How Can You Protect Your Site? At **Stan Ventures**, we advise proactive monitoring and mitigation strategies: 1. **Use a CDN with cache-busting protection**** ** Ensure that high-traffic pages are cached and served from multiple edge locations. 2. **Monitor for spikes in bypass traffic**** ** Watch for unusual spikes in requests, especially those bypassing caches or originating from unexpected regions. 3. **Rate-limit suspicious requests**** ** Configure web application firewalls or rate-limit rules to mitigate DoS-like attacks without blocking legitimate users. 4. **Compare web-vitals.js and CrUX regularly**** ** Use web-vitals.js or PageSpeed Insights to monitor CWV trends over time. Compare with CrUX data to detect anomalies caused by external attacks versus genuine performance issues. 5. **Strengthen Hosting Resources**** ** Ensure your servers can handle sudden bursts of traffic and have proper fallback mechanisms to avoid degradation. ## Key Takeaways - Core Web Vitals poisoning is an emerging type of negative SEO attack targeting server performance. - John Mueller confirms it is unlikely to affect rankings if real users experience normal page loads. - Cache-bypass DoS attacks are the primary culprit behind these metrics drops. - Mitigation strategies include CDN caching, server monitoring, rate-limiting, and technical audits. - Tools like web-vitals.js and CrUX data help distinguish real user experience from server-side anomalies. For webmasters and SEO professionals, this incident is a reminder:[technical performance](https://www.stanventures.com/blog/category/technical-seo/) can be impacted by external attacks but Google is sophisticated enough to prioritize actual user experience. Want to ensure your Core Web Vitals and site performance are secure from DoS and other attacks? Contact [Stan Ventures](https://www.stanventures.com/) for a free consultation and let our technical SEO experts keep your site healthy**.** ## FAQs **Should ordinary site owners worry?** Most site owners don’t need to panic. These attacks are rare and usually target higher-profile or high-traffic sites. As long as your real visitors are having a smooth experience, your SEO rankings are unlikely to suffer. **Can these attacks slow my site for real visitors?** Not usually. If your site uses a CDN (Content Delivery Network) and proper caching, most users will still receive fast, cached pages. The attack mainly affects test scripts and un-cached requests. **What should I do if I notice CWV score drops?** First, compare your results in PageSpeed Insights or web-vitals.js with data from CrUX in Google Search Console. If only lab or script-based tools show issues (but not real user data), monitor your server logs for suspicious activity. Strengthen your cache strategies, consider rate-limiting unusual requests, and, if necessary, consult with a technical SEO or security expert.