Google Webmaster Central Blog - Official news on crawling and indexing sites for the Google index

Quick security checklist for webmasters

Tuesday, September 18, 2007 at 12:34 AM

Written by Nathan Johns, Search Quality Team

In recent months, there's been a noticeable increase in the number of compromised websites around the web. One explanation is that people are resorting to hacking sites in order to distribute malware or attempt to spam search results. Regardless of the reason, it's a great time for all of us to review helpful webmaster security tips.

Obligatory disclaimer: While we've collected tips and pointers below, and we encourage webmasters to "please try the following at home," this is by no means an exhaustive list for your website's security. We hope it's useful, but we recommend that you conduct more thorough research as well.

  • Check your server configuration.
Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server side includes, authentication and encryption.

  • Stay up-to-date with the latest software updates and patches.
A common pitfall for many webmasters is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Need some tips? Blogger Mark Blair has a few good ones, including making a list of all the software and plug-ins used for your website and keeping track of the version numbers and updates. He also suggests subscribing to any update feeds the software vendors' websites provide.

  • Regularly keep an eye on your log files.
Making this a habit has many great benefits, one of which is added security. You might be surprised with what you find.

  • Check your site for common vulnerabilities.
Avoid having directories with open permissions. This is almost like leaving the front door to your home wide open, with a door mat that reads "Come on in and help yourself!" Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities. Finally, choose good passwords. The Gmail support center has some good guidelines to follow, which can be helpful for choosing passwords in general.

  • Be wary of third-party content providers.
If you're considering installing an application provided by a third party, such as a widget, counter, ad network, or webstat service, be sure to exercise due diligence. While there is lots of great third-party content on the web, it's also possible for providers to use these applications to push exploits, such as dangerous scripts, towards your visitors. Make sure the application is created by a reputable source. Do they have a legitimate website with support and contact information? Have other webmasters used the service?

  • Try a Google site: search to see what's indexed.
This may seem a bit obvious, but it's commonly overlooked. It's always a good idea to do a sanity check and make sure things look normal. If you're not already familiar with the site: search operator, it's a way for you to restrict your search to a specific site. For example, the search site:googleblog.blogspot.com will only return results from the Official Google Blog.

  • Sign up for Google Webmaster Tools.
They're free, and include all kinds of good stuff like a site status wizard and tools for managing how Googlebot crawls your site. Another nice feature is that if Google believes your site has been hacked to host malware, our webmaster console will show more detailed information, such as a sample of harmful URLs. Once you think the malware is removed, you then can request a reevaluation through Webmaster Tools.

  • Use secure protocols.
SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's Tips for Cleaning and Securing Your Website.

Here's some great content about online security and safety with pointers to lots of useful resources. It's a good one to add to your Google Reader feeds. :)

  • Contact your hosting company for support.
Most hosting companies have helpful and responsive support groups. If you think something may be wrong, or you simply want to make sure you're in the know, visit their website or give 'em a call.
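For the "open permissions" item in the checklist above, an added example that is not part of the original post: a POSIX shell audit that lists world-writable files and directories under a web root and removes the others-write bit. It assumes a Unix host and builds its own throwaway directory tree for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find "open", i.e. world-writable,
# files and directories under a web root and tighten them. Assumes a Unix host.

# List every directory and file that any local user may write to (mode o+w,
# e.g. 777 directories or 666 files), labelled by type.
audit_perms() {
    find "$1" -type d -perm -0002 | sed 's|^|world-writable dir:  |'
    find "$1" -type f -perm -0002 | sed 's|^|world-writable file: |'
}

# Number of world-writable entries; a cron job can alert when this is non-zero.
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 | wc -l | tr -d ' '
}

# Remediation: drop the "others may write" bit. Content the web server itself
# must write (uploads, caches) should be owned by the server's user and kept
# at 755/644 rather than opened to every account on the host.
fix_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} +
}

# Demonstration on a constructed throwaway tree (no real site is touched).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/uploads" "$demo_root/css"
chmod 777 "$demo_root/uploads"; chmod 755 "$demo_root/css"
touch "$demo_root/data.txt" "$demo_root/config.php"
chmod 666 "$demo_root/data.txt"; chmod 644 "$demo_root/config.php"
echo "before fix:"; audit_perms "$demo_root"
fix_world_writable "$demo_root"
echo "after fix: $(count_world_writable "$demo_root") world-writable entries"
rm -rf "$demo_root"
```

Point `audit_perms` at your real document root first and review the list before running `fix_world_writable`, since a script that legitimately writes to a directory will need that directory owned by the server user instead.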
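For the log-file item in the checklist above, an added example that is not part of the original post: two POSIX shell helpers that scan an Apache or nginx combined-format access log for well-known probe signatures and tally error responses per client address. The log lines are constructed for the demonstration and use documentation IP addresses.

```shell
#!/bin/sh
# Added example (not from the original post): review a web server access log
# (Apache/nginx "combined" format) for the kinds of requests a probed site shows.

# Print requests carrying well-known probe signatures: SQL keywords in
# parameters, script tags (XSS probes), path traversal and attempts to
# fetch system files through the web server. Reads log lines on stdin.
flag_suspicious_requests() {
    grep -E -i \
        -e 'union([[:space:]]|%20|\+)+select' \
        -e '(<|%3c)script' \
        -e '(\.\./|%2e%2e%2f)' \
        -e '/etc/passwd'
}

# Count 4xx/5xx responses per client address, busiest first. One client
# collecting many errors in a short time is usually a scanner or brute-forcer.
error_counts_by_ip() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample log (documentation addresses, not real visitors).
SAMPLE_LOG='203.0.113.7 - - [18/Sep/2007:00:12:34 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2007:00:12:35 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Sep/2007:00:13:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [18/Sep/2007:00:13:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [18/Sep/2007:00:13:03 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 199 "-" "-"
192.0.2.44 - - [18/Sep/2007:00:14:10 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.16"
192.0.2.44 - - [18/Sep/2007:00:14:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/7.16"'

echo "== requests with probe signatures =="
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_requests
echo "== error responses per client =="
printf '%s\n' "$SAMPLE_LOG" | error_counts_by_ip
```

On a live host, feed the real log instead (`tail -n 10000 /var/log/apache2/access.log | flag_suspicious_requests`, path being an example); a hit is a prompt to check that the targeted script handles its input safely, not proof of compromise.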

We hope you find these tips helpful. If you have some of your own tips you'd like to share, feel free to leave a comment below or start a discussion in the Google Webmaster Help group. Practice safe webmastering!

11 comments:

AJ said...

Hi,

I agree with the previous users' comments to some extent.

I think there are a number of issues here and Google needs to differentiate between them and how they are dealt with. For example, I view that there are 3 levels of problem with Malware:

Level 1 - the site is known to deliver Malware as a course of Business - it is not recommended to go to this site.

Level 2 - The site has been attacked and Malware had been installed on the site - the webmasters have been informed but the site, when last checked on (date), was still infected on X% of its pages. It is suggested that going to this site could be a problem until it has been cleaned and secured.

Level 3 - This site has been attacked by advertising-delivered Malware - the webmaster and advertising network have been informed. Our tests showed that Y% of the site's pages have these adverts and we suggest you proceed with caution.

As has been suggested a malicious competitor could place hidden badware adverts on a site to reduce its usage or a corporate competitor could do it to reduce value prior to a takeover.

We are talking here about nasty people doing bad things BUT the current system has in its cross hairs the web site, and in the final case the web site has been attacked and the real culprit is the "advertising network".

Surely in the case of advertising-delivered Malware the information that needs to be provided is:

i) Location from where the bot that found the problem was located - we don't need the IP address, we need to know the COUNTRY and possibly STATE / CITY - this is because a large proportion of advertising is Geo Targeted.
ii) The advertising network that the offending banner was downloaded from.
iii) The name of the Malware and where it was being downloaded from, and the name of the URL with the problem.

With that a webmaster can approach the advertising networks they use and resolve the issue at source, thus saving not just their users BUT more IMPORTANTLY all the other 1,000s of sites that are probably being attacked at the same time but which Google just didn't see.

Closing traffic to a site on which less than 1% of the pages have bad adverts on them doesn't really help anyone; providing information to stop the advert being delivered on 1,000s or 10,000s of machines by the advertising networks would stop this quickly.

The recent incident with Right Media took 2 weeks to stop even though someone spotted it in a few days (and Google didn't penalise any of those sites).

If there was a community led effort to track these attacks back to the advertising networks then these things could be stopped much faster and without annoying professional webmasters whose goal is safe web surfing for all.

Currently Google's methodology seems to penalise sites that are being attacked and make it so hard to find out what is wrong that there is little chance of the information being passed back to the advertising networks and saving other sites from the same predicament.

Let's try to solve this problem by working together to stop the delivery of badware via advertising networks, by stopping it at source (the network), not at the poor unsuspecting sites that are just trying to make a living.

Adam Hewgill said...

Avoid having directories with open permissions.

Could you elaborate on this? I've never found any tutorial that can explain how to properly set up web site permissions. What does it mean to have open permissions? 777? Or is it something else?

webmaster said...

Hello,
777: all can read / write / execute the file.
755: owner can do all, group / others can read / execute.
644: owner can read / write, group / others can read only.

Common Chmod Settings
cgi scripts: 755
data files: 666
configuration files not updated by the script: 644
directories: 777
Hope This Helps
http://www.net-ebooks.com

dirq said...

Here's another really great developer security tip:

Subscribe to the United States Computer Emergency Readiness Team's (CERT) mailing list at http://www.us-cert.gov/

It will give you updates of vulnerabilities in software that are already out there being exploited. When I receive one of these I always stop what I'm doing to see if my company or clients are using any of the affected software versions - if so I update immediately.

Support said...

This post has been removed by a blog administrator.

fabryfa86 said...

I have an MSN Spaces blog and I'd like to use the "Google webmaster tool", but I can't verify my blog by uploading an HTML file or meta tag because that is not possible with MSN Spaces. Is there another way to verify that I'm the webmaster?
(e-mail: fabryfa86@hotmail.it)
Sorry for the English, but I'm Italian... Thanks, Goodbye

Susan Moskwa said...

fabryfa86, that's a great type of question for our Webmaster Help Group. We have a FAQ that answers just that question: http://groups.google.com/group/Google_Webmaster_Help/web/faqs-for-webmaster-tools-2 (scroll to the bottom).

Bradley said...

I am loving all your products - tonight, in particular, Google docs are perfect. It's helping me with a prepared speech where I need input from other collaborators.

My post is simply a thank you, Google, for being you. I couldn't seem to find anyplace else to write that comment. Hopefully, it's not inappropriate here.

Youth Change said...

I am probably going to be out of business by the time you read this. My site was hacked and there is no real way to access Google. I feel like David and Goliath only this time I am not betting on David. I was first victimized by a hacker and now I have no way to access Google that works. I know about webmaster tools, blocking content, robots file, etc. but none of those are stopping Google from finding 100 new bogus spam pages that the hacker continues to make look like they come from my site. The breach has been fixed but 100 new pages appear to come from my site. My traffic is down 99%. I used to just love Google in every regard. I love Checkout, iGoogle, search, you name it, but there may as well be a fortress around them. There is no way to get through to them. My business gets 99% of traffic through Google, and although they mean to do no evil, they ended up partnered with the hacker to put me out of business. Google needs an ombudsman to give victimized sites a place to turn before just dying. Even the FBI ic3.gov has been more responsive than Google at this point. My site helped teachers work with traumatized students, but all that will stop shortly because I have no way to get Google to understand that the hacked pages aren't mine. Please listen up Google: The time has come to become more human when crime has victimized innocent sites. The spiders don't understand hacks and neither do your clean-up tools. You need a last chance ombudsman for victimized sites. Want to see the extent of the damage? I am hoping to see the cache clear soon but if you get to it before it does, type in site:youthchg.com and most of the 1000 pages that appear to be part of http://www.youthchg.com, aren't. If you are someone that can suggest something I've overlooked to save my site, please reply. I'm desperate. Otherwise, Goodbye internet. After 11 years, it took a hacker just one week to take me out.

Susan Moskwa said...

Hi Youth Change--

I'm sorry to hear about your troubles. Fortunately or unfortunately, Google can only find and index pages that exist on your site. I say fortunately because that means that as soon as you've removed the hacker's work from your site, you should be able to remove all evidence of hacked pages from Google's index; but unfortunately because, if parts of your site are still hacked (or if hacked pages are still accessible on your site), Google may continue to find and index them.

If our crawlers are still finding hacked pages on your site, that probably means that there's still some hacked code on your site. It's possible for code to auto-generate hacky pages, so you need to be extra careful that you've cleaned out any unrecognized code as well as any unrecognized files. Once your site has been secured and *all* of the damage has been cleaned up, you can use tools like URL removal to remove hacked pages or page caches from Google's index.

If you're having trouble cleaning all the hacked pages and code out of your site, you should ask your hoster or webmaster for help. Googlers can help you to use Google tools and products, but we can't help you maintain or protect your server (beyond giving some general tips, as we do in this blog post).

Google Webmaster Central said...

Hi everyone,

Since several months have passed since we published this post, we're closing the comments to help us focus on the work ahead. If you still have a question or comment you'd like to discuss, feel free to visit and/or post your topic in our Webmaster Help Group.

Thanks and take care,
The Webmaster Central Team