Google Blocks My Blog And Warns Visitors?

Thanks for being patient with me. I haven’t posted in a while because of something that happened last week.

You see, my blog was hacked (not by a person but with malicious code that crept into my blog), and as a result I was blocked by Google. I’m sure you’ve heard about it, as people talked about the news.

How did it get blocked?

Whenever my site(s) came up in Google, there was a “this site may harm your computer” warning. And when people clicked on my link, it led them to a Google error page preventing people from accessing my site.

Apparently, Google checks its indexed pages against a database of “known offenders” (at StopBadware.org, which is similar to many IP blacklists for spam), and turned all my listings on Google to unreachable.

So my site wasn’t banned. But the worst part was, Google not only blocked my site but also displayed a dire warning that my site was malicious! (You can only imagine what kind of damage this can cause to someone’s reputation.)

But that’s not all…

To fix this, I had to jump through several hoops. Of course, the first of which was to remove the hacked or “malicious” code.

But this wasn’t an easy task.

The problem was, since I used a plugin called “Bad Behavior” with my WordPress blog, the plugin, which identified it on IP blacklists as well, prevented me from accessing my own site — including my admin control panel!

So, not only could I not make the changes I had to make to get reinstated, but I also couldn’t disable the Bad Behavior plugin to allow myself access to my own admin panel.

It’s all straightened out now, thank goodness! But it took me and my staff several days, and a lot of back and forth with the powers that be, to get unlisted from IP blacklists and such.

(Thanks for waiting for me.)

Here’s how I resolved it.

First of all, I had to disable the plugins using phpMyAdmin, which gave me direct access to my database. Then, I had to manually upload via FTP the files that were “cleaned” of the malicious code.

After that, I had to upgrade my blog to the latest version of WordPress (i.e., version 2.3.1), and update and reactivate all my plugins, too. (I also had to re-customize a lot of the code that was tailored for my blog.)

Next, I had to submit a manual review request to StopBadware.org. Problem is, it doesn’t block entire domains like Google does. I had to manually submit a review request for each and every page that was blacklisted!

(Since the code appeared on my sidebar, well, you can do the math.)

Then, I went to Google’s Webmaster Tools.

Webmaster Tools is a fantastic service, which allows you to manually submit sitemaps to be crawled. What’s neat, though, is the fact that this service comes with tutorials, and, of course, displays any warnings about your site.

In fact, there’s a feature that allows webmasters to request manual reviews by Google. In my case, I used it to ask Google to verify that my site was clean, to unblock it from its search engine results, and to remove the warnings.

In about 48 hours, everything went back to normal. Whew!
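A cleanup like the one described above depends on finding every injected snippet before requesting a review. The following Python script is an added example, not code from the original post: it scans theme files for hidden iframes, obfuscated `document.write` calls, PHP `eval` of decoded strings and scripts loaded from hosts outside an allowlist, and flags group- or world-writable files. The patterns, the `ads.example.com` allowlist and the sample theme files are constructed assumptions.

```python
import re
import stat
import tempfile
from pathlib import Path

# Heuristics chosen for this example; a starting point, not a full signature set.
PATTERNS = {
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*?(?:\b(?:width|height)\s*=\s*[\"']?[01][\"'\s>]"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "document-write-obfuscated": re.compile(
        r"document\.write\s*\(\s*(?:unescape\s*\(|[\"']\s*<iframe)", re.I),
    "php-eval-decode": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
EXTENSIONS = {".php", ".js", ".html", ".htm"}


def scan_text(text, allowed_hosts):
    """Return (line_number, rule) findings for one file's text.

    Matching is per line, so a tag split across lines is not detected."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, rule))
        for host in SCRIPT_SRC.findall(line):
            if host.lower() not in allowed_hosts:
                findings.append((number, "external-script:" + host.lower()))
    return findings


def loosely_writable(path):
    """True if group or others may write to the file (mode bits 0o022)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_tree(root, allowed_hosts=frozenset()):
    """Scan web files under root; return {relative_path: [findings]}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"),
                         allowed_hosts)
        if loosely_writable(path):
            hits.append((0, "group-or-world-writable"))  # line 0 = whole file
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def build_sample_theme():
    """Create a constructed theme directory to scan (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="theme-scan-"))
    files = {
        "sidebar.php": (0o666,
            '<div id="sidebar">\n'
            '<script src="http://ads.example.com/show.js"></script>\n'
            '<iframe src="http://injected.example.net/f.php" width="0" height="0"></iframe>\n'
            '<script src="http://unknown.example.org/x.js"></script>\n'
            '</div>\n'),
        "header.php": (0o644,
            '<html><head><title>Blog</title>\n'
            "<script>document.write(unescape('%3Cb%3Ehi%3C/b%3E'));</script>\n"
            '</head>\n'),
        "functions.php": (0o644,
            "<?php\n// constructed sample\neval(base64_decode('ZWNobyAxOw=='));\n"),
        "footer.php": (0o644,
            '<div id="footer"><iframe src="/widget.html" width="300" height="100">'
            '</iframe></div>\n'),
    }
    for name, (mode, body) in files.items():
        (root / name).write_text(body, encoding="utf-8")
        (root / name).chmod(mode)  # set explicitly so the umask does not matter
    return root


if __name__ == "__main__":
    for name, hits in scan_tree(build_sample_theme(), {"ads.example.com"}).items():
        print(name, hits)
```

A finding is a prompt for manual review, not proof of compromise: legitimate ad or analytics code will also show up as an external script until its host is added to the allowlist.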

Now, some people have told me there’s quite some controversy about this, including talk on a blog by Google’s own Matt Cutts, where a lot of people are complaining of false positives.

Personally, I think this is a great feature because I hate visiting blackhat sites that cause havoc on my computer. Problem is, it’s still relatively new (about a year now).

Perhaps my site was a false positive, too. I don’t know. Your guess is as good as mine.

But here’s what seems weird in all this…

The code that had any semblance of being malicious (according to some examples on Matt Cutts’s blog) was JavaScript code for displaying ads with links.

(I wasn’t selling links. The links were from a non-PPC ad network, which I’m told did not violate Google’s guidelines.)

What I’m not sure about is, was the code itself the culprit or frowned upon by Google? Or was the code used to hack the blog and ended up being truly malicious after all?

I’ll probably never know.

But since the code was from an ad vendor, which displayed paid links on my blog, the question is, was the violation based on the presumption that I was selling links?

Here’s why I ask myself this question.

When I checked with StopBadware.org, the blacklist site against which Google made its determination, the manual review process asked that you enter a statement, which said something to the effect of…

“I have removed the code, and links to other sites, that violate StopBadware’s guidelines. I believe that my site no longer hosts malware or links to sites that violate these guidelines.”

What caught me by surprise was the statement, “links to other sites.”

What surprised me even more was that I received a warning about my site being blocked, directly from Google, only 24 hours later. Funny though, because once I could access my site, and while I was still being blocked by Google, my blog was still displaying Google AdSense ads.

(Again, I don’t know. Perhaps my friend blog expert Andy Beard may have some clues or something to say about this.)

For now, here’s my suggestion to you…

If you’re running any older versions of WordPress, upgrade to 2.3.1 as soon as possible. Second, if you’re going to use JavaScript in your blog, try to make it pull from an external file — like a .js file — instead of actual script code.

And don’t use Bad Behavior. Stick with Akismet or SpamKarma plugins. According to my host engineer, the Bad Behavior script is still very buggy.

To be candid, this disappointed me, because I loved Bad Behavior. It stopped spam and hack attempts from bots. And I had virtually no comment spam or spammers trying to register as blog users.

But apparently, the script has its flaws, too.

Finally, do have a Google Webmaster Tools account to submit your sitemaps. Sure, you don’t really need it. But it’s good to have, even if it’s just to know when errors are preventing the Googlebot from crawling your site.

Above all, don’t be shy to ask for a manual review when you need to.

By the way, a HUGE “thank you!” to all the people who notified me about this, helped me with screenshots and such, and gave me some of the pointers and steps I listed above. You know who you are. ;)

Category: Opinions / Personal / Websites
This post was written on Monday, December 10th, 2007.

  • Wow! What a hassle. As I was reading your tales of IT issues I was hoping you were going to provide a fix. So, when I saw your "how we fixed it", I was happy. I have a few blogs that have not been updated...

    I guess I need to fix these ASAP.

    Thanks for sharing!

    Greg
  • Michel

    Thanks for taking the time to write such a candid, informative post about this issue. I appreciate your doing this. It's a service to the blogging community.
  • Clint Dixon
    Actually the organic side of Google and the Adsense side are two entities... using two different bots... and two different algorithms... to determine issues in regards to your website.
  • Michel,

    Not sure if it just happened again to you or there is some code left over but when I went to the main page of your blog after reading your email Norton came up with a malicious code warning for your site.

    I don't think it's a false positive. I had a problem with one of my blogs too. After being hacked not once but twice. Knock on wood!!! All is good now.

    It was a scary few days while my listings were coming up with 404's and hacked pages.

    I ended up having to start from scratch and leave out a bunch of plugins that "could" be causing problems. I think they got to me through an upload folder for Podpress and then installed code in places we could not find. The only way we were able to get rid of it was to reinstall WordPress from scratch and upload a new template. Database was still intact but everything else had to be redone.

    Hope you get it all worked out. It still looks like you have a problem. I really wish people had better things to do with their time.

    GOOD LUCK!!!!!
  • @Liquid:

    The site is fine. Google is serving it without problems. However, some anti-virus may have not updated its IP lists (some pages are still "pending review" on StopBadware.org, even though Google checked everything and cleared it).

    When I got the news, all I was told was, I was in violation, and that I had to go through the guidelines to ensure my site was compliant, and ask for a review... and wait. Which I did.

    I was subsequently approved by Google, but I'm still "pending review" on StopBadware for some pages. So I don't know where the problem is. Even StopBadware has a section that says "here's why your site is listed," followed by a blank space in my case.

    So, no one knows why the site was in violation?

    A headscratcher, for sure.

    Also, according to StopBadware, their database is not only created from their own sources and from complaints, but also partnered with Google and can add IP's in it based on what Google says.

    Problem is, while Google may have cleared my site, my IP may still be on some lists, from which some anti-virus or anti-malware software pulls its data, which need to be updated, or has yet to be updated.

    I'm waiting... hoping... crossing fingers...
  • Bob Marconi
    Hi,

    This link in your post - "Google's Webmaster Tools" - appears to just take you back to your blog and not to a Google site.
  • @Bob:

    Thanks! It's fixed now. (I forgot the http at the beginning!)
  • Hi

    Unfortunately, you are not the only one who gets "hijacked".

    Last February, 2007, I had my website Http://A1gardening-landscapingsupplies.com
    also on red alert by Google. I also discovered it was a javascript installing iframes. My website was under a different name, and when I asked Steve from DataWebPro what he thought had happened and how I should deal with the problem he said: "one of two things. Your password is not good enough -- too easy to break. And second, your main website on the site was open game because you have no page made up for it." When anyone typed in my main website's url, they got information normally provided by the server when one has a domain name ready to go but no pages uploaded to it."

    He suggested I change my gardening-landscaping domain name, scrap the one I had, and reupload the website information from my computer's stored backup information, which I did. I also emailed StopBadware.org and finally I was on track again.

    We are not the only ones. See the different posts at this blog which I found last March. It explains clearly what the hijackers are doing
    http://www.ethanzuckerman.com/blog/2007/03/21/h...

    The guys at PLR Pro also had their blogger hijacked in the spring.

    Hope this helps a bit and makes us all realize that we must constantly be on the alert and that a password made of numbers and letters in a way difficult to decipher is one way to keep the hijackers away.

    Marcelle
  • I had the exact same happen to me with Bad Behavior, only ...
    I was lucky enough to detect the problem ten minutes after using my blog. Had to go back to change something and couldn't log in. I used FTP to delete the plugin. No harm done (I think).

    From this experience I also learned to upgrade the plugins that I use. It shows in the Plugin tab whenever a new release is issued and then I install immediately.

    What a lesson! Not good for the heart. :-)
  • Michel,

    Good to hear all is well again.

    Just as a quick side note, there is a plug in from Wordpress that you can have installed that will streamline the version updating process to literally seconds.

    This security stuff is so hard to keep up on. :(

    Joseph Ratliff
    Author of The Profitable Business Edge 2
  • Michel - I wonder if your ad script was simply linking to a page that violated Stopbadware and it extended to your site? If it was something like Text Link Ads or the like - then you really have little control over what sites end up paying to be linked to your site, that could have been the problem?

    Jeff
  • Hi Michel,

    Boy, don't you just LOVE technology... as long as it's not messing up!! :-)

    Don't know whether this is related to your earlier problems or not...

    But when I try to access your site, my virus program (Avast!) gives me this error message:

    File name: somesite/iframe/good.php [Packman][Embedded#7e79][UPX]
    Malware name: Win32:Tiny-LU [Trj]
    Malware type: Trojan Horse
    VPS version: 071210-0, 10/12/2007

    Just thought I'd give you a heads-up, in case anyone else has trouble with this as well.

    Cheers,
    Tom
  • @Jeff:

    That's probably part of the problem. I removed all JavaScript from ad vendors because Google and StopBadware didn't indicate what the problem was. So I'm not taking any chances and removed everything.
  • @Tom:

    Clean your cache. That solved the problem for Norton users, apparently. If you've visited this site in the past, it will pull from your cache and show you the old infected version instead.
  • Any thought to setting up a test blog so you might isolate the source of this problem and come to a positive conclusion?

    The thing I found troublesome is your uncertainty about whether the javascript code for displaying ads with links was, itself, the culprit, or whether the code was "frowned upon by Google" ("frowned" to the effect of blowing your site out of the water in a most unsanctimonious way!).

    Being a natural cynic, I wonder if you considered this twist on the third possibility you put forward: whether Google, in an effort to protect their advertising franchise, used the code to hack your blog (either using internal agents or through third parties).

    It seems if Google frowns upon sites combining AdSense with scripted ads such as you were using, they ought to be VERY UPFRONT AND TRANSPARENT about this ... because if they're not, then the door opens to speculations such as I made in the preceding paragraph and the onus of proof is laid at their doorstep.
  • Trevor C. McDonald
    Hi Micheal
    Shock horror from Google doing that to your site. I'm the guy that mentioned the Genesis 2 men's birth control manual a while back. Everyone is having their say in educating me, likes of Yanik Silver, Dan Kennedy, Derek Gehl, Eben Pagan. I didn't think you would care too much at the time, but when your wife had the cancer scare, I knew you would be a good person to help with it. I'm not tackling it right away, I've got a few other projects to get through first, but it's next on the list after the market crash management system I'm working on, but the contraceptive pill is a class A carcinogen, a cancer-causing substance. Cory Rudl even wanted to know my secret but I wouldn't tell him, can't let the cat out of the bag before its time, and it will need customised for respectable sex education. You're a good writer, I remember when you wrote about your dog and the refrigerator, I loved it. In the meantime I've been chipping away at other things to help it be more valuable, namely a 500+ file of hints and things guys ought to know to go with it, that way we'll get everyone in on it. This is just to let you know I'm still working on it. Regards Trev.
  • Ali
    Dear Michel,

    I do believe in what situation you were passing. As I also passed the same with my one religious site. Even after removing all unnecessary codes and sticking to Google's standard, my site is still showing the harmful message. While the site is absolutely CLEAN.

    Anyway, Sorry to say But I have to tell you. Your Site is still showing me a Small Trojan alert from my Anti-Spyware the moment I come to your site. If possible, I request you to re-check again. Because, we want to be on there regularly.

    Ali.
  • Ryan
    When I came to your site this morning 5:30 a.m FreeAv gave me the 3 following warnings. It appears to me you still have a problem.

    Virus or unwanted program 'HTML/Psyme.Gen [HTML/Psyme.Gen]'
    detected in file

    Virus or unwanted program 'TR/Crypt.ULPM.Gen [TR/Crypt.ULPM.Gen]'
    detected in file

    Virus or unwanted program 'TR/Crypt.ULPM.Gen [TR/Crypt.ULPM.Gen]'
    detected in file
  • Hi Michel

    I am in the middle of moving house and 'net connection is proving to be a problem, even though the local telephone control box is actually on the corner of my land.

    I am having to briefly use my wife's machine from work

    Certainly from here it looks like you have at least the home page fixed. Clicking through from a SERP doesn't come up with a warning.

    The easiest way to deal with a rogue plugin is via ftp, just renaming a folder.
    The thing I don't like about Bad Behaviour is you never know who you blocked.

    The move to 2.3.1 isn't as friendly as many people with quite new blogs assume. I had lots of problems importing tags due to lack of memory on my existing server, so I had to move servers to get my tags imported correctly.

    I am still not 100% settled after a few weeks of 2.3.1 and haven't had time to update my own plugins.

    You had a huge advantage in sorting this out, as you have technical knowledge and a team to fall back on.

    Some of these stopbadware type lists are a real pain. I can remember a while back Dane Morgan discovered that MyBlogLog had been added to one list because of the way it tracked visitors.
  • Hey~ What an absolute NIGHTMARE! Glad that the problem was finally resolved and Thanks for passing on how you fixed it. You never know when something like this can happen to anyone of us. Keep the great information coming!
  • Thank you for this post. It's very interesting!
  • Shirley Burling
    Very interesting post! I agree that google makes us jump through hoops. Have you ever considered using Artemis Pro to help with site promotion?

    Good job you got it sorted eventually! Great blog.
  • Hello Michel,
    I am a regular reader of your blog, and last time, December 12, 2007, 2 am GMT, when I opened the main page of your blog, from the browser tab of my feed reader, the Avira Antivir anti virus software which I use, came up with a malicious code warning for your site.

    Please take care, since I'm not the only one who got this warning.

    Cheers,
    Emeric
  • Michaell Fortin is a genius when it comes to copyrighting. I enjoy all of his work and learn so much from what he does. I am fairly new in the internet game and look forward modeling Michaels' expertise and wisdom throughout my journey. Thanks again Michael.
    Erick
    Dallas Tx
  • Dear Mr. Fortin,

    It's actually Google, not StopBadware, that flagged your site. Google independently checks the web for badware and badware-linking code, and places warnings in its own search results. StopBadware comes in simply to help site owners who want to remove the warnings in learning about badware and getting the warnings removed.

    Many sites that are the subject of Google's warnings have been the victims of a malicious hacking attack, often taking advantage of security holes at the server level or in web software. Another common reason for otherwise innocent sites to be flagged by Google is if badware is being distributed through third party provided content such as ads provided by an ad network.

    For any of your readers who may find themselves in a similar situation in the future, I want to offer a few pointers:

    * There's actually no need to submit multiple review requests for pages on the same domain if the entire domain itself has been flagged. The only exception to this is for sites with lots of subdomains, where it's possible Google might choose to lift the flag on some subdomains but keep the flag on others (such as for sites where each subdomain is managed by a different person).

    * You can submit a review to StopBadware, to Google directly through Webmaster Tools, or both. Regardless of where your review starts, the first step is a rescan by Google. There's more info about the review process in our FAQ.

    * Google's malware flags aren't based on presumptions about selling links or any violations of other aspects of Google's guidelines for webmasters. The malware flags are for sites that are distributing badware, whether it be directly, via a cross-site exploit, via a compromised ad, or via substantial links to other sites that distribute badware.

    * StopBadware has more information on a page for owners of sites with Google warnings . We also have a page of Security Tips for website owners , and an email discussion group where many webmasters have also found help from our community .

    Thanks for helping spread information to your fellow webmasters. It's great to see a site owner explaining what happened to his readers and helping everyone get better educated.

    Erica
    StopBadware staff
  • @Erica:

    Thank you so much for dropping by and explaining this. It's very helpful indeed.

    When I blogged about this, please note that I looked at it from my very limited perspective. What didn't help was the fact that there were no indications as to why it was blocked.

    In fact, when I checked Google and StopBadware, it not only gave no reason, but there were blank spaces where presumably reasons were supposed to be. As if they didn't know, either.

    (Lucky for me, some of my clients emailed me their reports from their client-side anti-malware software, which helped me to pinpoint the problems.)

    Sure, you provide a laundry list of things to do. (Which is helpful.) But being forced to go through the entire list without knowing what to look for is like shooting blanks in the dark, and is nonetheless quite labor-intense.

    (And to be notified only 24 hours later was also distressing.)

    So, I was left guessing, scratching my head trying to make sense of it. My blog post was my attempt to both explain the situation (because of the harm this caused to my reputation), as well as trying to shed light on such a confusing issue.

    Nevertheless, I sincerely do appreciate your feedback, and thank you for making the web safer for us.

    I personally CAN'T stand sites that wreak havoc on my browser or computer. Your service is a much needed one and I love it -- even though I believe it still needs to be a little better and more user-friendly for us victims.

    Anyway, thanks again.
  • Terry Barker
    Thanks for letting me know, I'll have to upgrade my site now! Can't sleep until it's done! I read the blog at jamesbrausch.com on a regular basis, I'm surprised he didn't mention it.

    I think i'll add your blog to my favorites! It's fantastic.
  • @Terry:

    I just finished cleaning up this site -- and 7 other blogs (they were all 2.2), which were ALL infected, believe it or not. What a pain! But it's all done now.

    Indeed, I recommend that you upgrade to 2.3.1 ASAP.
  • Hi Michel,

    Thanks for the advice and I am glad that you got it all sorted quickly.

    I have really gleaned a lot from your blog and greatly admire your expertise.

    Merry Christmas,
    Doug B.
  • Hi Michel,

    You might still have some issue on your site! When I Stumbled upon this page, my Zone Alarm popped up with a warning of this trojan trying to load from your site:

    Virus Name: Trojan-Downloader.JS.Psyme.me

    Better have your IT guys check your code.

    Cheers

    Richelo
  • Yup, it crept back in. I removed it, and took an extra step... I CHMOD'd my themes folder to 755 (not writeable). I know it's a pain because now I can't modify theme files from within the control panel, but it's the only way I can stop this code from coming back.

    It should be safe and secure, now.
  • Al
    Thanks! It's fixed now. (I forgot the http at the beginning!)
  • Dear Michel,
    Just a few words:
    Statue of Liberty
    Balzac
    Benjamin Franklin at Paris
    Freedom of speech
    USA

    Cheers,
    Emeric
  • I have a new personal development company launching in the next couple weeks. My first approach is via email due to my ebooks I have written along with some audio books. I would love to surround myself with someone as successful as yourself on a regular basis. You can definitely help me with my sales letter and marketing tools. Please let me know how I can pursue that successfully!
    Thanks look forward hearing from you.
    Erick
  • I'm sorry I didn't see this post before. (I might have, had there been a backlink in it somewhere!)

    I can tell you with certainty that whatever problem you may have had with Bad Behavior, it has absolutely nothing to do with malicious software warnings from Google and StopBadware.org.

    And the problem you did have with Bad Behavior was fixed within a couple of hours, since it caught me as well as, oh, thousands of other people, many of whom filled my inbox to overflowing.

    That said, I have no idea why your web hosting provider would complain about Bad Behavior; its resource usage ranges between minimal and zero, and it's no more buggy than anything else out there. In all the cases I've seen where it performs poorly, it's been the fault of the web hosting provider not having tuned their servers properly, oversubscribed their servers beyond the breaking point, or just not knowing what they're doing generally. I can't say which of the above might apply to your host.

    I do see, though, that you're running Bad Behavior again. I hope that it's performing well for you, and if not, feel free to let me know.