> FREE_TOOL // WHITE_HAT_SECURITY

Alt Text Security Scanner

Alt text fields are an overlooked attack surface. Scan any webpage to detect hidden payloads, script injection, SQL injection, base64-encoded strings, and malicious content buried in image attributes — before someone else finds it first. Free, no account needed.

Public pages only. Scans static HTML — for JS-rendered pages or login-protected pages, use the bookmarklet below for a full in-browser scan.


// Free Browser Bookmarklet

Scan any page you're currently on — including login-protected pages, staging environments, and localhost — with one click. No URL required. The bookmarklet runs entirely in your browser.

🔍 AEOfix Alt Scanner ← Drag this to your bookmarks bar

How to Install

1. Show your bookmarks bar

Chrome: Ctrl+Shift+B (Windows) / Cmd+Shift+B (Mac)  ·  Firefox: View → Toolbars → Bookmarks Toolbar

2. Drag the button to your bookmarks bar

Click and hold the AEOfix Alt Scanner button above and drag it up to your bookmarks bar. Release to drop.

3. Navigate to any page and click the bookmark

Go to the page you want to audit. Click AEOfix Alt Scanner in your bookmarks bar. A panel appears overlaid on the page — images are highlighted by status.

4. Click again to dismiss

Click the × button in the panel or click the bookmark again to remove the overlay and outlines.

IMAGE OUTLINE COLORS
Green — Good alt text
Red — Missing alt attribute
Yellow — Empty / decorative
Orange — Suspicious / weak
Deep Red — Malicious detected
Can't drag? Install manually

Right-click your bookmarks bar → Add page → paste the code below as the URL:

// Why Alt Text Is an Attack Surface

Most people think alt text is just for screen readers. Attackers know better. Image alt attributes are rarely audited, never visible to casual visitors, and processed by crawlers, scrapers, search engines, and AI systems — making them a low-visibility channel for embedding malicious content.

This scanner detects what you can't see. It reads the raw HTML the same way a security auditor or malicious bot would — exposing anything that doesn't belong.

INJECTION ATTACKS

Script tags, event handlers, and javascript: URIs embedded in alt text can execute in vulnerable parsers, scrapers, and legacy CMS preview systems.

HIDDEN PAYLOADS

Base64 strings, hex-encoded data, and null-byte sequences can be used to exfiltrate data or smuggle content past content filters.

SEO POISONING

Keyword stuffing and URL injection in alt text manipulate search crawler behavior — a sign of compromised pages or malicious third-party scripts.

// Frequently Asked Questions

How can malicious content end up in alt text?
Several ways: a compromised CMS plugin that injects content into image metadata, a malicious third-party script that rewrites the DOM, a supply chain attack on an image optimization service, or a bad actor who gained write access to your site. Because alt text is invisible to visitors and rarely monitored, it's a low-risk, high-persistence hiding spot for attackers.
What does "malicious" mean in the scanner results?
The scanner flags alt text containing: script tags or javascript: URIs, inline HTML elements, event handler patterns (onerror=, onmouseover=), SQL injection strings, base64-encoded payloads (40+ chars), long hex strings, multiple URLs, and HTML-encoded control characters. Any of these in an alt attribute is abnormal and warrants investigation.
What does "suspicious" mean?
Suspicious alt text isn't necessarily malicious but indicates something worth reviewing: filenames used as descriptions (IMG_4532.jpg), generic placeholder labels, alt text over 150 characters, or comma-separated keyword lists (a classic SEO spam signal). These may indicate lazy CMS defaults, a compromised page, or a third-party script gone wrong.
Can script injection in alt text actually execute?
Not in a modern browser rendering the page normally — browsers don't execute alt text as code. However, it can execute in: XML parsers that process the raw attribute, RSS feed readers that render HTML, screen scraper tools, AI crawlers that pass content to downstream processors, and some legacy CMS preview systems. The risk is real for automated pipelines, not just human visitors.
Is empty alt text (alt="") a problem?
Not by itself — empty alt is correct for purely decorative images. But empty alt on a content image (product photo, team headshot, chart) is a red flag. It means the CMS stripped the value, a script cleared it, or someone intentionally removed it to hide a previously populated field. The scanner flags these as "decorative" so you can verify intent.
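A static-HTML version of the "malicious", "suspicious" and "decorative" checks described in the answers above, as an added example that is not the AEOfix scanner's own code: the regexes, thresholds and status names are assumptions derived from this page's descriptions, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Heuristics modelled on the page's "malicious"/"suspicious" descriptions; exact regexes and thresholds are assumptions.
MALICIOUS = {
    "html_element":   re.compile(r"<\s*/?[a-z][^>]*>", re.I),             # <script>, inline tags
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),                  # onerror=, onmouseover=
    "sql_injection":  re.compile(r"'\s*or\s+\S+\s*=|union\s+select|;\s*drop\s+table", re.I),
    "base64_blob":    re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),              # 40+ chars, per the FAQ
    "long_hex":       re.compile(r"\b(?:0x)?[0-9a-f]{32,}\b", re.I),
    "multiple_urls":  re.compile(r"https?://.*https?://", re.I | re.S),
    "control_char":   re.compile(r"[\x00-\x08\x0e-\x1f]"),   # the parser decodes &#x1f; to a raw byte
}
SUSPICIOUS = {
    "filename":       re.compile(r"^[\w-]+\.(?:jpe?g|png|gif|webp|svg)$", re.I),   # IMG_4532.jpg
    "placeholder":    re.compile(r"^(?:image|img|photo|picture|logo|banner|untitled)\s*\d*$", re.I),
    "over_150_chars": re.compile(r"^.{151,}$", re.S),
    "keyword_list":   re.compile(r"^(?:[^,]{1,30},){3,}[^,]{1,30}$"),        # classic SEO spam
}

def classify_alt(alt):
    """Return (status, reason) for one alt value; None means the attribute is absent."""
    if alt is None:
        return "missing", "no alt attribute"
    text = alt.strip()
    if not text:
        return "decorative", "empty alt; verify the image really is decorative"
    for status, rules in (("malicious", MALICIOUS), ("suspicious", SUSPICIOUS)):
        for reason, rx in rules.items():
            if rx.search(text):   # first matching rule wins, malicious rules checked first
                return status, reason
    return "good", "ok"

class AltScanner(HTMLParser):   # collects (src, status, reason) for every <img> in static HTML
    def __init__(self):
        super().__init__()
        self.results = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            alt = None if "alt" not in a else (a["alt"] or "")   # bare <img alt> parses as None
            self.results.append((a.get("src", ""), *classify_alt(alt)))

def scan_html(html):
    p = AltScanner()
    p.feed(html)
    return p.results

SAMPLE_HTML = ('<img src="hero.jpg" alt="Team photo at the 2023 company retreat"><img src="spacer.gif" alt="">'   # constructed sample, not a real site
               '<img src="logo.png"><img src="a.png" alt="IMG_4532.jpg"><img src="b.png" alt="&lt;b onerror=alert(1)&gt;">'
               '<img src="c.png" alt="cheap shoes, buy shoes, shoes online, best shoes">')
```

Because html.parser decodes entity references in attribute values, entity-encoded markup such as `&lt;b onerror=...&gt;` is classified on its decoded form, which is also what an RSS reader or scraper that renders the attribute would see.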
Can I scan pages behind a login?
No — the URL scanner fetches public pages only. Use the free bookmarklet for authenticated pages. It runs entirely inside your browser — the page HTML never leaves your machine.
Does the scanner store my data?
No. The scan fetches the target URL server-side, processes the HTML, and returns results directly to your browser. Nothing is stored or logged. The bookmarklet runs 100% client-side — no data is transmitted anywhere.
I found malicious alt text on my site. What now?
First: don't panic, but act fast. Check your CMS audit log for recent file changes. Scan your active plugins and third-party scripts against known CVE databases. Pull a clean backup and diff it against current files. Change all admin credentials. If you can't identify the source, a full malware scan and server audit is warranted. The alt text is the symptom — the injection point is the real problem.

Want a Full Site Security & Visibility Audit?

Alt text is one layer. A full AEOfix audit covers AI crawler access controls, schema integrity, robots.txt exposure, content structure vulnerabilities, and how AI engines are currently reading and representing your site.
