Three Files Google Reads Before You Do

The developer sent the final invoice on a Friday. The site went live that afternoon. By Monday the owner had shared the URL with every contact in her phone. By the following Monday, not one of those visits had registered in Google Search. The site existed. It was live. It was invisible.

The file is called robots.txt. It sits at the root of every website. Its job is to give instructions to automated crawlers — the bots that read your site and decide whether it belongs in search results. Google reads it before it reads anything else. The file is plain text. It is not encrypted. It is not hidden. Anyone can read it by typing your domain name followed by /robots.txt directly into a browser. Most business owners have never done this. Most never think to.

The file this developer left behind contained one line that should not have been there. Disallow: /. Two words and a slash. That is the entire catastrophe. That one line tells every crawler on the internet — Google, Bing, every one of them — that no page on the site is permitted to be indexed. It is a complete lockout. The developer had used it during the build phase to keep the unfinished site out of search results. A standard practice. The problem is that nobody removed it before launch. The site went live with the front door welded shut.

The owner did not find out for six weeks. She found out because she hired a different developer to figure out why the site had no traffic. He typed /robots.txt into the browser. He read two words. He deleted the line. The site began appearing in search results within days.

That is what the file costs when it is wrong. Six weeks. Whatever revenue walks past a business that cannot be found. The fix takes thirty seconds.

Before moving on, do this: open a browser, type your domain name followed by /robots.txt, and read what is there. If you see Disallow: / standing alone, that is the problem. Fix it today.

The Digital Lore prompt packs on Etsy include a site audit sequence that surfaces this exact robots.txt failure inside the first ten minutes of use. Real store owners who ran it found the Disallow: / line in sites that had been live for over a year. The problem is common. The fix is fast. The audit makes it findable.

A woman walked into her accountant's office with a printout. It was a screenshot of her own business website, taken from a customer's phone. Across the top of the browser, in gray text, were two words: Not Secure. She had built the site herself. She had paid for hosting. She had done everything she thought was required. She had no idea her site was broadcasting a warning to every visitor before they read a single word.

The padlock is not decoration. That small icon in the address bar is a browser's way of telling a visitor that the connection between them and the website is encrypted. Data moving back and forth cannot be intercepted. The technical name for this is HTTPS. The S stands for secure. When the certificate is missing or expired, the padlock disappears. The browser replaces it with a warning. The warning is the first thing the visitor sees. Most of them leave.

The certificate that creates the padlock is called an SSL certificate. For years, the going rate was around one hundred dollars per year. Hosting companies sold them as add-ons. Many still do. The myth that you have to pay for this is one of the most expensive myths in small business. The certificate is free. The organization that issues it is called Let's Encrypt. It is a nonprofit. It exists specifically to make encrypted connections the default for the entire web. Every major hosting provider supports it. Most have a one-click install in their dashboard.

What Let's Encrypt does not do automatically is force the redirect. This is the part people miss. Installing the certificate is step one. Step two is telling the server to redirect every HTTP request to HTTPS. If you skip step two, some visitors will arrive at the secure version of your site and some will arrive at the insecure version. Google sees them as two different sites. That split hurts rankings. It also means some visitors still get the Not Secure warning even after you paid attention to this.

The redirect is a server configuration. If you are on a shared hosting platform like Bluehost or SiteGround, there is typically a toggle in the dashboard that forces it. If you are on WordPress, a plugin called Really Simple SSL handles both the redirect and several related settings in under two minutes.

Before moving on, do this: visit your site and look at the browser address bar. If you see a padlock, check that the URL begins with https and not http. If you see Not Secure, go to your hosting dashboard and install the free Let's Encrypt certificate today.

The AIXStudio ebook pipeline runs on a WordPress installation behind a forced HTTPS redirect configured the same day as launch. No certificate was purchased. Let's Encrypt handled it. The Not Secure warning never appeared. That is what the fix looks like in practice.

He bought a new domain on a Tuesday. He pointed it at his hosting account. He checked it an hour later and the site did not load. He checked again the next morning. Nothing. By Thursday it was working. He spent three days convinced something was broken, refreshing a browser, unable to tell whether the problem was real or fixed.

Nothing was broken. The domain was propagating. He just did not know that word existed.

When a domain is registered or updated, the new address information has to spread across a global network of servers called the Domain Name System. DNS is the internet's address book. When you type a business name into a browser, DNS is what translates that name into the actual numeric address of the server where the site lives. That translation does not happen instantly. It spreads from server to server across the network. The full spread typically takes twenty-four to forty-eight hours. During that window, some people can reach your site and some cannot, depending on which DNS server their internet provider uses.

The specific records inside DNS that most small business owners will actually touch are the A-record and the CNAME. The A-record maps a domain name directly to an IP address. If someone types yourcompany.com into a browser, the A-record tells the internet which server to send them to. The CNAME is an alias. It maps one name to another name. If you want www.yourcompany.com to go to the same place as yourcompany.com, you set a CNAME. Both records live inside the DNS settings of wherever your domain is registered. That might be GoDaddy. It might be Namecheap. It might be the same company that hosts the site, or a completely different company. The confusion about which dashboard controls which setting is where most people waste an afternoon.

The math is simple. Two records. One points at the server. One connects the www. Both need to be correct. When they are wrong, the site does not load and the owner has no obvious way to know why. When they are right, the propagation window closes and the site appears everywhere, for everyone, without further intervention.

There is a free tool called DNSChecker.org. You type your domain into it and it shows you whether your DNS records have propagated across servers around the world. It does not fix anything. What it does is tell you whether you are waiting on a real problem or just waiting.

Before moving on, do this: go to DNSChecker.org and run your domain. Look at the A-record results. If every location shows the same IP address, propagation is complete. If results are mixed, you are still inside the window. Wait. Do not touch anything.

Every domain in the AIXStudio pipeline was verified through DNSChecker before any page was considered live. That practice alone prevented two launches from going out before propagation was complete. The LORE pipeline documents this as a pre-launch checkpoint. It takes four minutes.

The developer had done the work correctly. The SSL certificate was installed. The redirect from HTTP to HTTPS was forced. The robots.txt file had been cleaned. The DNS records were set. The site loaded fast. The padlock was there. By every visible measure, the job was done.

Six months later, the certificate expired. The padlock disappeared overnight. The Not Secure warning came back. The owner had no memory of the certificate, no calendar reminder, and no notification. She found out when a customer texted her a screenshot.

This is the assumption that kills the fix: that a one-time configuration holds forever. Most of it does. DNS records do not expire on their own. A clean robots.txt file stays clean unless someone edits it. But SSL certificates have expiration dates. Let's Encrypt certificates expire every ninety days by design. The renewal is automatic if the hosting environment is configured correctly. When it is not, the expiration is silent. The warning returns. And because the owner did not know the certificate existed in the first place, she has no mental model for what just happened.

The record shows a predictable pattern. A problem is found. It is fixed. The person who fixed it moves on. The owner assumes the fixed state is permanent. The underlying mechanism has its own schedule. The mechanism does not notify anyone.

Automation is the only answer that holds. Every major hosting platform that supports Let's Encrypt also supports auto-renewal. The setting is typically a checkbox. It is not enabled by default on every platform. Finding it and enabling it is a five-minute task that prevents the certificate from becoming an annual crisis.

The same logic applies to the robots.txt file. A site update, a platform migration, a new developer coming in — any of these events can reintroduce the Disallow: / line. The file should be checked after any significant change to the site. Not because it changes often. Because the one time it does and nobody catches it, the cost is measured in weeks.

Before moving on, do this: log into your hosting dashboard, find the SSL settings, and confirm that auto-renewal is enabled. If you cannot find the setting, open a support chat with your host and ask them directly. One question, five minutes, done.

The AIXStudio site audit checklist, embedded in the Digital Lore prompt packs on Etsy, includes a ninety-day SSL check and a post-update robots.txt verification as standing items. Both came directly from this failure pattern. The checklist exists because the failure is real and repeatable.

A competitor does not have to attack your site. He just has to let you leave the door open.

The three files are not separate problems. They are one system with three points of failure. The robots.txt file controls who reads the site. The SSL certificate controls whether visitors trust it. The DNS records control whether the site loads at all. Any one of them wrong and the damage is real. All three wrong and the business is effectively offline regardless of what the hosting dashboard says.

There is a specific order to read these files. Start with robots.txt because it is the fastest to check and the damage from a Disallow: / line is total. A site that cannot be indexed does not benefit from a padlock or correct DNS. Confirm the SSL certificate next. The browser tells you what you need to know before you open any dashboard. The padlock is there or it is not. Then verify DNS with DNSChecker.org if the site has been recently moved or updated. That is the full sweep. Three checks. Fifteen minutes. The kind of thing a developer would charge you a diagnostic fee to do.

The tell is always in the file itself. Not in the traffic numbers. Not in a monthly report from an SEO agency. The file is the primary source. The traffic number is a consequence. By the time the consequence is visible, the problem has already been running for weeks.

Small business owners are routinely handed websites they cannot read. The professional who built the site has no incentive to walk them through the back end. The owner accepts the login credentials and moves on. What gets left in that gap is a set of configurations that were right when the developer left and wrong three months later when something changed and nobody checked.

Reading these files is not a technical skill. It is a habit. The A-record either matches the server's IP address or it does not. The SSL certificate is either valid or expired. The robots.txt file either allows crawling or blocks it. Each file gives a clean answer. The machinery is not opaque. It is just unread.

Before moving on, do this: run all three checks right now. Type your domain plus /robots.txt. Look at the browser padlock. Run your domain through DNSChecker.org. Write down what you find. That document is your baseline. Every check after this one is a comparison.

The LORE pipeline that produces every AIXStudio ebook and Digital Lore prompt pack runs on a site that has been through this exact three-check sweep. The sweep caught a misconfigured CNAME during a domain migration that would have made the site unreachable on mobile networks. The sweep is documented. The catch was real.

You came in not knowing what robots.txt was. You are leaving with the specific line that breaks everything and the knowledge that it was probably placed there by someone who meant well and forgot to clean it up. That is earned ground.

The files are real. The damage is real. The fixes are free or close to it. Every tool named in this book — Let's Encrypt, DNSChecker.org, the hosting dashboard you already have access to — exists right now and costs nothing to use. The Digital Lore prompt packs on Etsy carry this audit sequence forward for owners who want to run it systematically. The AIXStudio ebook series keeps building the record from here.

Everything we have built from this process is at aixstudio.com. Come find what we built. Then build something of your own.

aixstudio.com

---