0422 428 584
Google Business Profile suspension

Google Business Profile Link Rules: Important Changes

Google enforces new Business Profile link rules in 2026. Your links must point to your actual website, not social media or redirects. The fix in 5 steps.

Dorian Menard Updated 24 May 2026 10 min read
Graphic on Google Business Profile Link Rule Changes

Google just rolled out stricter enforcement for links on your Business Profile. If you’re still linking to social media pages where your website should be, or sending booking clicks to WhatsApp, you’re about to lose traffic.

Here’s what changed, why it matters, and how to fix it before Google strips your links entirely and worst, suspends your business profile.

The New Rules Enforced

Google’s not messing around anymore. They’ve introduced daily verification checks, at most, using their GoogleOther crawler to scan every link you’ve added to your Business Profile. Unlike regular web crawling, these verification bots completely ignore your robots.txt file.

The full policy is documented on Google’s Business links policies & guidelines page, which Google updated significantly in September 2025. The content roughly doubled, with new sections on dedicated landing pages, direct action completion, social media rules, and the formal “business links crawlability policy”. September 2025 is when the “we will pull your link if we can’t crawl it” enforcement became explicit policy rather than observed behaviour.

Think you can hide behind bot protection or rate limiting? Think again. Google’s official policy now states: “To enforce this policy, these business link verification crawlers don’t follow robots.txt rules.”

What does this mean practically? If your website blocks bots, uses aggressive CAPTCHA challenges, or returns anything other than a clean 200 status code to GoogleOther, your links can disappear overnight. No warnings. No appeals process. Just gone.

We’ve already seen Perth businesses lose their website links because their Cloudflare settings were too aggressive. One roofing contractor lost 40% of their Google-sourced leads when their booking link got pulled for redirecting to Facebook Messenger.

Your primary website field has one job: take potential customers to your actual business website. Not your Facebook page. Not a link shortener. Not your LinkedIn company profile.

Google’s guidelines are crystal clear now: “Do not provide phone numbers or URLs that redirect or ‘refer’ users to landing pages or phone numbers other than those of the actual business, including pages created on social media sites.”

Compliant examples:

  • https://searchscope.com.au/
  • https://yourrestaurant.com.au/location/perth/
  • https://lawfirm.com.au/contact/

Non-compliant examples (these get removed):

  • https://facebook.com/yourbusiness
  • https://bit.ly/book-appointment
  • https://linkedin.com/company/yourbusiness
  • Any URL that redirects through multiple hops

For multi-location businesses, each profile should link to its specific location page, not the corporate homepage. A Subway in Fremantle shouldn’t link to subway.com, it should link to the Fremantle location page or the main site if that’s the only option.

Here’s the kicker: Google checks these daily. If your hosting goes down, your SSL certificate expires, or your CDN starts blocking GoogleOther, your website link vanishes until you fix it and re-add it manually.

Action Links: Bookings and Orders Must Complete On-Page

This is where most businesses are getting caught. Your “Book Now” or “Order Online” links must let customers complete that exact action on the landing page. You can’t send them to your Instagram DMs or WhatsApp for “convenience.”

Google’s policy couldn’t be clearer: “Local business links must allow customers to complete the designated action. For example, an ‘order’ link must allow the customer to complete an order.”

What’s banned outright:

  • Social media sites (Facebook, Instagram, etc.)
  • Messaging links (WhatsApp, Messenger, etc.)
  • App store links
  • Link shorteners (bit.ly, tinyurl, etc.)

What works:

  • Direct Calendly booking pages
  • Square appointment booking
  • Your own online ordering system
  • Third-party booking platforms (if they complete the action)

Here’s a real example: A Perth café was using their “Order” link to send customers to their Instagram page with a “DM us your order” message. Google pulled the link within two weeks. They switched to their Square online ordering page and the link stuck.

The rules also limit you to one link per domain per transaction type, with a maximum of 20 links per transaction type. If you’re hitting these limits, you’ve probably got bigger organisational issues to sort out.

Crawlability: How to Test and What to Fix

Google’s GoogleOther crawler needs unrestricted access to verify your links. If your website security blocks it, uses rate limiting, or serves different content to bots, you’ll fail verification.

Check if GoogleOther can access your website:

curl -A "GoogleOther" -I https://yourdomain.com.au/

You want to see a 200 status code. Anything else (403 Forbidden, 404 Not Found, 500 Server Error) means trouble.

Check if your booking link works:

curl -A "GoogleOther" -I https://calendly.com/yourbusiness/booking

Same deal. Clean 200 response or fix it.

Common problems we’re fixing for clients

  • Cloudflare Bot Fight Mode blocking GoogleOther
  • Cloudflare’s “Block AI Bots” managed rule (separate, newer, much more common in 2025-2026)
  • WordPress security plugins treating GoogleOther as a threat
  • Managed WordPress hosts blocking bots at the platform infrastructure level
  • CDN configurations that rate-limit bot traffic
  • SSL issues that only affect certain user agents

Most of these fixes take 10 minutes if you know what you’re doing. The hard part is knowing they’re broken in the first place.

Cloudflare’s “Block AI Bots” rule (the silent killer in 2025-2026)

The single most common Cloudflare misconfiguration we now see breaking GBP link verification is not Bot Fight Mode, it is the newer “Block AI bots” managed rule.

Since July 2025, Cloudflare has enabled this rule by default on every new domain. Existing domains have been quietly opted-in during plan renewals. Cloudflare’s own docs list the exact bots blocked.

GoogleOther is explicitly on that block list. That means Cloudflare returns a 403 to Google’s Business Profile verification crawler before the request ever reaches your origin server, your robots.txt, or your WordPress install.

Your link gets pulled from your GBP within days. You have no way of seeing why from the server-side logs because the block fires at Cloudflare’s edge.

The fix: in your Cloudflare dashboard, go to Security > Bots > AI Crawl Control and confirm GoogleOther is set to Allow. While you are there, also confirm OAI-SearchBot, ChatGPT-User, ClaudeBot, Claude-Web and PerplexityBot are set to Allow if you care about AI-search visibility (Henry David Photography has a clean reference setup).

Managed WordPress hosts can block bots at the infrastructure level

A May 2026 Search Engine Land investigation by Will Scott (summarised here on Dev.to) exposed an issue that affects more sites than people realise.

Managed WordPress hosts (WP Engine specifically named) enforce platform-level rate limiting on certain high-impact bots that customers cannot selectively disable per bot.

The block fires below WordPress plugins, so Wordfence and Sucuri logs show nothing. It also fires below the customer’s own Cloudflare zone, so the dashboard shows zero security events. You only see HTTP 429s in deep server logs you do not normally have access to.

If you are on WP Engine (Kinsta has publicly stated they do not do this), you have to contact the hosting provider directly and ask whether GoogleOther is affected by their platform-level rate limiting.

Reference the Search Engine Land investigation. The support agent in Scott’s case eventually confirmed the platform-wide rule and that customer-facing rules do not override it. If they cannot exclude GoogleOther, that is the kind of thing that justifies a host migration for a business that depends on Maps visibility.

Why blocking GoogleOther by IP is worse than blocking it by user-agent

A practitioner case study from May 2025 documented an IT team that blocked GoogleOther via an Azure Front Door WAF rule after the crawler hit their translation database hard.

Within a week, Search Console started reporting a 40% spike in connectivity errors and failed search-index requests.

The reason: GoogleOther and the regular Googlebot share IP addresses. In the documented case, IP 66.249.70.66 was hit 123,384 times in a single week as GoogleOther and 10,000+ times in the same week as regular Googlebot. Block one by IP, you block the other.

The clean fix: never use firewall rules or IP blocks against GoogleOther. If you genuinely need to limit it (rare, and worth pushing back on if a developer suggests it), do it only by user-agent in robots.txt, knowing Google’s official policy is that the GBP link-verification crawler ignores robots.txt anyway.

The right answer in almost every case is to leave GoogleOther fully allowed.

Quick Fixes and Prioritised Checklist

  1. Go to your Business Profile manager
  2. Check your website URL points to your actual business site
  3. Test it loads cleanly with the curl command above
  4. If it redirects, make sure it’s a single hop to the right place
  1. Remove any links pointing to social media or messaging apps
  2. Make sure booking/ordering links complete the action on-page
  3. Test each one with GoogleOther user agent
  4. Delete any link shorteners
  1. Go to Edit profile → Contact → Social profiles
  2. Add your Facebook, Instagram, LinkedIn there
  3. Don’t put social URLs in website or action link fields

Priority 4: Fix crawlability issues

  1. Check your security settings aren’t blocking GoogleOther
  2. Disable aggressive bot protection on landing pages
  3. Make sure SSL certificates are valid and current

Most businesses need 2-3 of these fixes. The ones ignoring this will lose clicks when their links get pulled.

Common Pitfalls and Real-World Examples

The franchise trap: Chain businesses often link to corporate websites instead of location-specific pages. A Domino’s franchise linking to dominos.com.au instead of their local store page violates the dedicated landing page rule.

The social media shortcut: We’ve seen dozens of Perth businesses using their Facebook page as their website link because “everyone finds us there anyway.” Google doesn’t care about your social media strategy, they want customers to land on websites they can crawl and verify.

The WhatsApp booking system: Popular with tradies and service businesses, but completely against policy now. Your “Book Now” link can’t dump customers into WhatsApp to organise appointments. Build a proper booking system or use Calendly.

The link shortener habit: If you’re tracking clicks with bit.ly or similar services, stop. Google treats these as potentially deceptive and removes them during verification.

The SSL oversight: We found three businesses last month whose website links got removed because their SSL certificates expired. GoogleOther is stricter about security than regular browsers.

Need help? We audit and fix this fast

If you are unsure whether your Business Profile links comply with Google’s new rules, or you are already seeing links disappear, this is the exact kind of profile-health work we do day to day.

Our Business Profile audit covers:

  • Link compliance check and corrections
  • Crawlability testing with GoogleOther simulation
  • Social media links placed in the proper fields
  • Ongoing monitoring to catch issues before Google does

For context on the scale, we have audited and fixed hundreds of Australian Business Profiles since Google tightened its rules through 2025, including the 230 of 234 Australian reinstatement cases we have run since early 2025 (98% success rate, no result no fee). Most link-rule fixes restore the affected links within 24 to 72 hours of going live.

The businesses that fix this quickly will keep getting the Google Maps traffic everyone else is about to lose. The ones that ignore it will wonder where their leads went.

Do not let Google pull your links while you are figuring this out. Book a call or start the onboarding form and we will tell you what is broken and what to fix first. For broader Maps visibility work, our Google Maps SEO service covers the full picture.

GBP Insider Newsletter

Get ahead of Google instead of reacting to it.

Frontline updates from the Google Business Profile and AI search era — what changed this week, what to action, and what to ignore. Written by Dorian.

  • New GBP suspension patterns and how to dodge them
  • AI Overview / map-pack ranking shifts as they happen
  • Tactical playbooks before they leak into the SEO mainstream

1–2 emails max per quarter. Value-packed emails. No spam, unsubscribe in one click.

Your subscription could not be saved. Please try again.
You're in. Watch your inbox for the next GBP Insider.