Mogul Logo
  1. Home
  2. Latest.

Three focus areas shaping digital growth: AI Search, Security, & Google Ads

November 7, 2025

In the past few weeks, I’ve worked through several challenges with our clients, and they reveal three interconnected areas that will define your success (or failure) in the year ahead: optimising for AI-powered search, securing your infrastructure correctly, and adapting your Google Ads strategy to new realities.

Let me walk through each one, because getting any of these wrong carries real costs.

1. AI-powered search is no longer coming. It’s here.

When we talk about search optimisation these days, we’re not just talking about traditional Google Search rankings. The playing field has fundamentally shifted. Millions of people are now asking ChatGPT, Claude, Perplexity, and Google’s Gemini for travel recommendations, product research, and business advice. When someone uses an AI chatbot to research a Waiheke Island wine tour or hunting for specialist agricultural equipment, they’re not seeing a typical search results page. They’re receiving curated, conversational recommendations from an LLM. This changes everything about how you need to structure your content and your site.

What This Means Practically

We recently worked on a proposal for a boutique tour operator targeting high-end travellers. The traditional SEO advice would be to rank for “Waiheke wine tours” on Google. That’s still relevant, but it’s no longer the complete picture.

Modern search optimisation now requires:

  • Schema Markup and Structured Data: AI systems need to understand your offering with precision. We’re implementing LocalBusiness, Event, Tour, and FAQ schema markup so that when an LLM asks “What’s a good boutique wine tour on Waiheke?” your business is accurately represented in the model’s training and context windows.
  • Conversational Content: AI systems understand natural language patterns. Content written as “Premium small-group wine tours featuring local insider access” performs differently in AI discovery than traditional SEO copy. You’re writing not just for search algorithms, but for how humans ask questions to AI tools.
  • Information Architecture: How your site is structured matters. Clear hierarchies, proper heading structure, and logical content organisation help AI systems parse and understand your offerings more effectively.
  • Video and Rich Media: AI systems increasingly leverage multimedia content. Professional video footage, high-quality images with proper alt text, and structured video metadata all contribute to better representation in AI-powered discovery.

The bottom line: if your content isn’t optimised for how AI systems read and understand information, you’re invisible to a growing segment of search traffic.

Find out more about our AI Search Optimisation offerings

2. Security configuration isn’t set & forget.

This one comes from recent client work with Cloudflare, and it’s worth highlighting because we see the same mistakes repeatedly.

A client had implemented geofencing rules in their Cloudflare WAF (Web Application Firewall) to block access from specific countries. On the surface, this looked correct. But the site was still being accessed from blocked regions, and they couldn’t understand why. After investigation, the issue wasn’t the rule logic. It was the DNS configuration underneath.

The Problem: DNS proxying and security rules

Cloudflare’s security rules only work when your DNS records are properly proxied through Cloudflare’s network. If your DNS records are pointing directly to your origin server (not proxied), security rules are completely bypassed. Your firewall is enforcing rules on traffic that never reaches it. This is a fundamental misunderstanding we see often. Security tools are only effective when traffic flows through them.

The solution we implemented
  1. Proxy only the records you need: Rather than proxying all DNS records, we configured only the root and www records through Cloudflare. This routes all web traffic through their security infrastructure while leaving other services (email, etc.) unaffected.
  2. Use CNAME records instead of A records: In some cases, it seems direct A record pointing to your origin doesn’t allow Cloudflare’s systems to intercept and analyse traffic. Switching to CNAME records pointing to your hosting provider’s Cloudflare-compatible endpoint ensures all traffic flows through their security layer. We are still investigating what the underlying cause of this, but CNAMEs are a better option anyway, because they ensure the site will still resolve even if your web host changes your web server’s IP address.
  3. Don’t block legitimate bots: Many security configurations are too restrictive. We’ve seen sites blocking Google, Bing, and other search engine crawlers, which destroys SEO performance. Cloudflare’s “Known Bots” rule allows legitimate search and analytics crawlers while still blocking malicious traffic.
  4. Test your rules: Just because your setup looks correct doesn’t mean it’s working. If in doubt, enable Cloudflare’s “Under Attack Mode”. If you can still see the site after that, your Cloudflare proxy ain’t working.
Why this matters

A misconfigured security setup gives you false confidence whilst leaving vulnerabilities open. Worse, overly restrictive rules can damage your search visibility and analytics accuracy by blocking legitimate tools.

Find out more about our WordPress Security offerings

3. Google Ads strategy has shifted.

The paid search landscape has changed significantly. New bidding strategies, AI-driven optimisation, and performance metrics work differently than they did even six months ago.

We’ve just completed a Google Ads strategy session with a client managing multiple product campaigns.

Here’s where things are heading.

  • From “Maximise Conversions” to “Target CPA”: The older bidding strategy of simply maximising conversions often results in lower-quality leads at higher costs. Switching to Target Cost Per Acquisition (CPA) bidding gives you much better control over efficiency. One client saw their account optimisation score jump from 57.5% to 76% after this change alone.
  • AI Max Bidding: Google has released new AI-driven bidding strategies that adjust bids in real time based on conversion likelihood. These are still in learning phases (requiring 14 days of monitoring before tweaking), but early results show improved efficiency and better targeting.
  • Ad Strength Matters: More headlines, more descriptions, business logos, business names, and site links directly impact ad relevance and performance. We’re seeing 6+ site links becoming standard in high-performing accounts. This isn’t just about quantity. Specific, relevant extensions improve click-through rates and conversion quality.
  • Performance Max Has Limitations: Performance Max campaigns can be really amazing, but they can also cannibalise your brand search traffic (bidding against your own branded terms). For most clients, a dedicated, well-structured old-school search campaign targeting specific products with modest daily budgets (10 to 15 NZD) can outperform a broad Performance Max approach and save you from bidding on your own brand name.
  • Data Accuracy is Critical: Removing low-quality traffic sources reveals your true campaign performance. One client’s apparent decline in conversions was actually a positive development. Once we removed an underperforming external ad campaign (i.e. run by another agency who will rename nameless!), the underlying metrics improved significantly. Clicks increased 6.7%, conversions improved 10.9%, and cost per click fell 6%. Separate your campaigns and providers out so the metrics are cleaner and more actionable.

Find out more about our Google Ads offerings

How are these three areas interconnected?

Your Google Ads campaigns drive traffic to your site, which needs to be discoverable through both traditional search and AI-powered discovery, and all of it needs to flow through security infrastructure that’s properly configured and tested.

Missing any one of these creates friction:

  • Brilliant ads driving traffic to a site that’s invisible to AI search tools
  • Perfectly optimised content that’s inaccessible because security rules are misconfigured
  • Secure infrastructure with no traffic because your ads aren’t performing

The businesses pulling ahead are the ones treating digital as an integrated system, not separate components.

As we head into the final quarter of 2025, with Christmas looming, now is the time to audit all three areas. What’s your AI search optimisation strategy? Are your security rules actually protecting traffic? Is your Google Ads strategy built on current best practices or legacy approaches? These aren’t one-time fixes. They require ongoing attention and adaptation as the landscape continues to shift. But the investment pays off through improved visibility, better protection, and more efficient media spend.

By

Matthew Miller

Mogul Co-Founder & Director

More from Matthew

The 2025 Email Deliverability Audit: Are you still compliant?

Massive Formula 1 car crash. Move fast and break things?

The Digital Shift: How AI changes the rules of digital marketing (and what smart agencies are doing about it)

Surfer at night

The AI wave is here. Is your digital strategy built to surf, or sink?

Forget “How much do you charge for a website?” – ask the better question