Google "State of Website Security 2016"

     
12:54 pm on Mar 21, 2017 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25843
votes: 847


According to the latest stats from Google, there was an increase of 36% in hacked sites in 2016, compared to 2015.

There's an interesting stat in there which I find a frustration.
61% of webmasters who were hacked never received a notification from Google that their site was infected because their sites weren't verified in Search Console.

Google "State of Website Security 2016" [webmasters.googleblog.com]

Not everyone wants to verify in the GSC, and, surely, in that case that there's a figure of 61%, Google shouldn't be relying on that as a way to notify, imho. It's up to the webmasters to look after their sites, but they shouldn't have to have GSC, imho.

Anyhow, the article goes into some detail through its updated help documentation over what to do when a site is compromised.

Top ways websites get hacked by spammers [developers.google.com]

Glossary for Hacked Sites [developers.google.com]

FAQs for Hacked Sites [developers.google.com]

How do I know if my site is hacked? [developers.google.com]

The article goes on to explain about the gibberish hack, Japanese keywords hack, and the cloaked keywords hack, and what the objective is by the hackers.

There's also a useful hacked help guide [developers.google.com].
11:31 pm on Mar 21, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


Useful links, thanks engine.

>> Not everyone wants to verify in the GSC, and, surely, in that case that there's a figure of 61%, Google shouldn't be relying on that as a way to notify, imho. It's up to the webmasters to look after their sites, but they shouldn't have to have GSC, imho.

Don't most site owners just hire a developer to build the site and leave it at that? Surely most have no knowledge of GSC & if they do, may be timid about engaging with the various tools & settings. In fact, I would have thought the percentage of sites not GSC verified would be higher.

If most sites are now WordPress (latest stat) is there or should there be a mechanism inherent to WP that could notify of hacking?
3:35 pm on Mar 22, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 4, 2001
posts:2278
votes: 77


I actually think WordPress would not start notifications of hacks as it would publicly expose how vulnerable WP actually is.
10:04 am on Mar 23, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2003
posts:278
votes: 22


Depends what you call a "hacked site" though:

We've received notifications from Google of Malware on our site which is then labelled as compromised in the search results.

Both times it turned out to be a site that we linked to that had dropped and been re-registered and now contained Malware - it wasn't on our site at all.

We link out to thousands of sites - and according to Google we're now responsible for the content of all of them.

So I'm not sure if more sites are being hacked - or if Google's just changed its definition.
8:46 am on Mar 24, 2017 (gmt 0)

Senior Member from HK 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 14, 2002
posts:2301
votes: 19


7 Driver - Do you link out with a 301/302 redirector?
3:05 pm on Mar 24, 2017 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2003
posts:278
votes: 22


Yes - we link out via a click counter page on our own site, which does a 302 redirect to the target site.

Do you think Google might be getting confused as to whose site the malware is on?

Is there a better way to do this and still count the clicks?
4:08 pm on Mar 24, 2017 (gmt 0)

Full Member

joined:July 23, 2015
posts:254
votes: 76


>> Not everyone wants to verify in the GSC

@engine, it's not even that.

It's that a lot of sites are either not complete or dead. Websites are complex, especially for non-techies. Hey, websites are complex even for techies, look how very few really good designs+UI+functionality there are out there.

A lot of sites are either abandoned or the owner tried, saw no ROI and basically quit. Or never bothered to get through with the idea. Life happens too.

Considering the fact that Kaspersky reports hack attacks now in the Millions, I think from last year attacks went to a new level and are now several orders of magnitude larger. It is surprising that there's only 36% more hacked sites.
7:03 pm on Mar 24, 2017 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 3, 2001
posts:578
votes: 1


I am getting this same thing and just did a post on WebmasterWorld this very morning...and then was notified of this thread. I am getting malware warnings for linking with a counter redirect to another site. It goes to the other site right away so you would think Google could figure this out. And I have done it this way for years because I have links that are stored offline in a mobile app. This allows me to change the links from my control, rather than leave remote bad links out there for months possibly years if the person didn't update the offline data.

If they count my site as a problem and the actual site, I wonder if that suddenly counts as two sites. That would cause an increase in stats right there.
9:01 pm on Mar 24, 2017 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1206
votes: 339


So long as SEs continue to rank hacked - and openly malicious - sites for queries (adding some little blurb about hazard is umm cute) they are feeding the problem.

Instead any site found that is a hazard should be dropped from showing for anything...
* a huge shiny blinking note in WMT or equivalent
* same for a site: command result
* same for Chrome or other browser when domain/URL entered (sorta done now)
...but otherwise gone
and
all link values from said site should be zeroed immediately; if not negatively weighted.

There is value to hacking sites, there is value to malicious payloads on sites. And until the value is removed the problem will continue.

Hosts need to up their game as well. And be held accountable for permitting such sites to remain live, especially after being informed.

Unfortunately, currently there is no real downside to either hosting or returning such sites in search results. The problem has been shifted onto the shoulders of unwary consumers and often oblivious web sites. At some point the increasing number of corrupted systems and resulting actions will crash significant sections of society and regulators will find themselves, once again, playing catch up. While SEs and hosts play innocent victim and claim harm from forced responsibility.

Until then it's a case of harden/secure one's own harbours and expeditions onto the intertubes as best as practicable.

Let's be careful out there.
---Sergeant Phil Esterhaus, Hill Street Blues.
9:01 pm on Mar 27, 2017 (gmt 0)

Full Member

joined:July 23, 2015
posts:254
votes: 76


@iamlost, so you think that, along with a dread of their site being hacked and trying to figure it all out, you think that a hacked site owner should also enjoy a complete destruction of his business as her site is completely removed from G?

So you think webmaster should be punished twice somehow and completely put out of business?

What about "don't wish onto others..." ?
3:17 am on Mar 28, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9047
votes: 752


Since there is no reliable direct way to notify site owners their site is hacked, having it disappear from the serps would be the next best thing.... provided there is a provision for the site owner to see an alert in that regard. Otherwise the unwary will never know and the malicious won't care, meanwhile, the rest of us might end up with useless link outs that turn and bite us.

The world is not fair, never has been, but it can be made to work with heads and time and perhaps money thrown at it. Last thing needed, however, is government regulations. Beware:

"I'm from the government and I'm here to help you."
4:32 am on Mar 28, 2017 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1206
votes: 339



>> @iamlost, so you think that, along with a dread of their site being hacked and trying to figure it all out, you think that a hacked site owner should also enjoy a complete destruction of his business as her site is completely removed from G?

Google is already blacklisting almost 100,000 sites a week for malware and phishing. Granted not all those are hacked, many are purpose-built, regardless the numbers are huge. And does not include sites hacked for 'SEO' reasons.

Site owners 'enjoy a complete destruction of business' for a great many Google transgressions, i.e. Panda, Penguin, ubiquitous Fred, that are far less hazardous to searchers than many hacked sites maintaining SERP with a 'warning label' affixed.

I think that the problem is past widespread enough and well past hazardous enough that quarantine aka being dropped from search results (until well again) is a web public health necessity. And browsers should throw a warning page that blisters the eyeballs when a blacklisted site connection is attempted. The only thing greater online than the ignorance and incompetence of webdevs is that of the general browsing public.
4:51 am on Mar 28, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 891


>> browsers should throw a warning page that blisters the eyeballs when a blacklisted site connection is attempted

Chrome56 mobile & desktop certainly do.
 
