Google Blocks My Blog And Warns Visitors?
Thanks for being patient with me. I haven’t posted in a while because of something that happened last week.
You see, my blog was hacked (not by a person but with malicious code that creeped into my blog), and as a result I was blocked by Google. I’m sure you’ve heard about it, as people talked about the news.
How did it get blocked?
Whenever my site(s) came up in Google, there was a “this site may harm your computer” warning. And when people clicked on my link, it lead them to a Google error page preventing people from accessing my site.
Apparently, Google checks its indexed pages against a database of “known offenders” (at StopBadware.org, which is similar to many IP blacklists for spam), and turned all my listings on Google to unreachable.
So my site wasn’t banned. But the worse part was, Google not only blocked my site but also displayed a dire warning that my site was malicious! (You can only imagine what kind of damage this can cause to someone’s reputation.)
But that’s not all…
To fix this, I had to jump through several hoops. Of course, the first of which was to remove the hacked or “malicious” code.
But this wasn’t an easy task.
The problem was, since I used a plugin called “Bad Behavior” with my WordPress blog, the plugin, which identified it on IP blacklists as well, prevented me from accessing my own site — including my admin control panel!
So, not only I couldn’t make the changes I had to make to get reinstated, but also I couldn’t disable the bad behavior plugin to allow myself access to my own admin panel.
It’s all straightened out now, thank goodness! But it took me and my staff several days, and a lot of back and forth with the powers that be, to get unlisted from IP blacklists and such.
(Thanks for waiting for me.)
Here’s how I resolved it.
First of all, I had to disable the plugins using phpMyAdmin, which gave me direct access to my database. Then, I had to manually upload via FTP the files that were “cleaned” of the malicious code.
After that, I had to upgrade my blog to the latest version of WordPress (i.e., version 2.3.1), and update and reactivate all my plugins, too. (I also had to re-customize a lot of the code that was tailored for my blog.)
Next, I had to submit a manual review request to StopBadware.org. Problem is, it doesn’t block entire domains like Google does. I had to manually submit a review request for each and every page that was blacklisted!
(Since the code appeared on my sidebar, well, you can do the math.)
Then, I went to Google’s Webmaster Tools.
Webmaster Tools is a fantastic service, which allows you to manually submit sitemaps to be crawled. What’s neat, though, is the fact that this service comes with tutorials, and, of course, displays any warnings about your site.
In fact, there’s a feature that allows webmasters to request manual reviews by Google. In my case, I used it to ask Google to verify that my site was clean, to unblock it from its search engine results, and to remove the warnings.
In about 48 hours, everything went back to normal. Whew!
Now, some people have told me there’s quite some controversy about this, including talk on a blog by Google’s own Matt Cutts, where a lot of people are complaining of false positives.
Personally, I think this is a great feature because I hate visiting blackhat sites that cause havoc on my computer. Problem is, it’s still relatively new (about a year now).
Perhaps my site was a false positive, too. I don’t know. Your guess is as good as mine.
But here’s what seems weird in all this…
The code that had any semblance of being malicious (according to some examples on Matt Cutt’s blog) was javascript code for displaying ads with links.
(I wasn’t selling links. The links were from a non-PPC ad network, which I’m told did not violate Google’s guidelines.)
What I’m not sure about is, was the code itself the culprit or frowned upon by Google? Or was the code used to hack the blog and ended up being truly malicious after all?
I’ll probably never know.
But since the code was from an ad vendor, which displayed paid links on my blog, the question is, was the violation based on the presumption that I was selling links?
Here’s why I ask myself this question.
When I checked with StopBadware.org, the blacklist site against which Google made its determination, the manual review process asked that you enter a statement, which said something to the effect of…
“I have removed the code, and links to other sites, that violate StopBadware’s guidelines. I believe that my site no longer hosts malware or links to sites that violate these guidelines.”
What caught me by surprise was the statement, “links to other sites.”
What surprised me even more was that I received a warning about my site being blocked, directly from Google, only 24 hours later. Funny though, because once I could access my site, and while I was still being blocked by Google, my blog was still displaying Google AdSense ads.
(Again, I don’t know. Perhaps my friend blog expert Andy Beard may have some clues or something to say about this.)
For now, here’s my suggestion to you…
If you’re running any older versions of WordPress, upgrade to 2.3.1 as soon as possible. Second, if you’re going to use javascript in your blog, try to make it pull from an external file — like a .js file — instead of actual script code.
And don’t use Bad Behavior. Stick with Akismet or SpamKarma plugins. According to my host engineer, the Bad Behavior script is still very buggy.
To be candid, this disappointed me, because I loved Bad Behavior. It stopped spam and hack attempts from bots. And I virtually had any comment spam or spammers trying to register as blog users.
But apparently, the script has its flaws, too.
Finally, do have a Google Webmaster Tools account to submit your sitemaps. Sure, you don’t really need it. But it’s good to have, even if it’s just to know when errors are preventing the Googlebot from crawling your site.
Above all, don’t be shy to ask for a manual review when you need to.
By the way, a HUGE “thank you!” to all the people who notified me about this, helped me with screenshots and such, and given me some of the pointers and steps I listed above. You know who you are. 
About the Author
Michel Fortin is a direct response copywriter, author, speaker, consultant, and CEO of The Success Doctor, Inc. Visit his blog and signup free to get tested conversion strategies and response-boosting tips by email, along with blog updates, news, and more! Go now to http://www.michelfortin.com.
Last 5 Posts by Michel Fortin
- Are You a Lazy or Me-Too Marketer?
- What is Most Important in Copywriting?
- Not-So-Shocking Responses to Shocking Report
- Are You Committing These Sins?
- After 9 Months, It’s Finally Born!
Share This Post
Share this post with a friend by clicking "share this" below. You may freely reprint or redistribute this article, provided the content and links are left intact, and the "about the author" section is included. Get notified of new posts by RSS or email, below.
Email Updates
|
Turn Words Into Cash
|
Million-dollar influence and persuasion tactics so potent, if they were any more powerful the government would be forced to classify them as 'mind control'! Other Related Posts
Readers Also Viewed
Warning: Invalid argument supplied for foreach() in /usr/www/users/successd/~blog/wp-content/plugins/wheredidtheygov1.php on line 98
Posted by Michel Fortin on December 10th, 2007. Filed in News, Opinions, Personal. Tagged as akismet, bad behavior, blacklist, direct, google, hack, malware, matt cutts, script, sitemap, traffic, warning, wordpress. Follow responses through the RSS feed.
Leave a response, or trackback from your own site.
From Greg “the blog dude”
Wow! What a hassle. As I was ready your tells of IT issues I was hoping you were going to provide a fix. So, when I saw you “how we fixed it”, I was happy. I have a few blogs that have not been updated…
I guess I need to fix these ASAP.
Thanks for sharing!
Greg
Author's Website December 10th, 2007
From Ray Edwards
Michel
Thanks for taking the time to write such a candid, informative post about this issue. I appreciate your doing this. It’s service to the bogging community.
Author's Website December 10th, 2007
From Clint Dixon
Actually the organic side of Google and the Adsense side are two entities… using two different bots… and two different algorithms… to determine issues in regards to your website.
Author's Website December 10th, 2007
From Liquid Vitamins
Michel,
Not sure if it just happened again to you or there is some code left over but when I went to the main page of your blog after reading your email Norton came up with a malicous code warning for your site.
I don’t think it’s a false positive. I had a problem with one of my Blogs too. After being hacked not once but twice. Knock on wood!!! All is good now .
It was a scarey few days while my lisings we coming up with 404’s and hacked pages.
I ended up having to start from scratch and leave out a bunch of plugins that “Could” be causing problems. I think they got to me though an upload folder for Podpress and then installed code in places we could not find. The only way we were able to get rid of it was reinstall wordpress from scratch and upload a new template. Database was still intact but everything else had to be redone.
Hope you get it all worked out. It still looks like you have a problem. I really wish people had better things to do with their time.
GOOD LUCK!!!!!
Author's Website December 10th, 2007
From Michel Fortin
@Liquid:
The site is fine. Google is serving it without problems. However, some anti-virus may have not updated its IP lists (some pages are still “pending review” on StopBadware.org, even though Google checked everything and cleared it).
When I got the news, all I was told was, I was in violation, and that I had to go through the guidelines to ensure my site was compliant, and ask for a review… and wait. Which I did.
I was subsequently approved by Google, but I’m still “pending review” on StopBadware for some pages. So I don’t know where the problem is. Even StopBadware has a section that says “here’s why your site is listed,” followed by a blank space in my case.
So, no one knows why the site was in violation?
A headscratcher, for sure.
Also, according to StopBadware, their database is not only created from their own sources and from complaints, but also partnered with Google and can add IP’s in it based on what Google says.
Problem is, while Google may have cleared my site, my IP may still be on some lists, from which some anti-virus or anti-malware software pulls its data, which need to be updated, or has yet to be updated.
I’m waiting… hoping… crossing fingers…
Author's Website December 10th, 2007
From Bob Marconi
Hi,
This link in your post - “Google’s Webmaster Tools” - appears to just take you back to your blog and not to a Google site.
Author's Website December 10th, 2007
From Michel Fortin
@Bob:
Thanks! It’s fixed now. (I forgot the http at the beginning!)
Author's Website December 10th, 2007
From Marcelle Snyder
Hi
Unfortunately, you are not the only one who gets “hijacked”.
Last February, 2007, I had my website Http://A1gardening-landscapingsupplies.com
also on red alert by Google. I also discovered it was a javascript installing iframes. My website was under a different name, and when I asked Steve from DataWebPro what he thought had happened and how I should deal with the problem he said: “one of two things. Your password is not good enough — too easy to break. And second, your main website on the site was open game because you have no page made up for it.” When anyone typed in my main website’s url, they got information normally provided by the server when one has a domain name ready to go but no pages uploaded to it.”
He suggested I change my gardening-landscaping domain name, scrap the one I had, and reupload the website information from my computer’s stored backup information, which I did. I also emailed StopBadware.org and finally I was on track again.
We are not the only ones. See the different posts at this blog which I found last March. It explains clearly what the hijackers are doing
ethanzuckerman.com/blog/2007/03/21/hacked-websites-trojan-ho…
The guys at PLR Pro also had their blogger hijacked in the spring.
Hopes this helps a bit and makes us all realize that we must constantly be on the alert and that a password made of numbers and letters in a way difficult to decipher is one way to keep the hijackers away.
Marcelle
Author's Website December 10th, 2007
From Case Stevens
I had the exact same happen to me with Bad Behavior, only …
I was lucky enough to detect the problem ten minutes after using my blog. Had to go back to change something and couldn’t log in. I used FTP to delete the plugin. No harm done (I think).
From this experience I also learned to upgrade the plugins that I use. It shows in the Plugin tab whenever a new release is issued and then I install immediately.
What a lesson! Not good for the heart.
Author's Website December 10th, 2007
From Joseph Ratliff
Michel,
Good to hear all is well again.
Just as a quick side note, there is a plug in from Wordpress that you can have installed that will streamline the version updating process to literally seconds.
This security stuff is so hard to keep up on.
Joseph Ratliff
Author of The Profitable Business Edge 2
Author's Website December 10th, 2007
From Jeff
Michel - I wonder if your ad script was simply linking to a page that violated Stopbadware and it extended to your site? If it was something like Text Link Ads or the like - then you really have little control over what sites end up paying to be linked to your site, that could have been the problem?
Jeff
Author's Website December 10th, 2007
From Internet Dental Marketing
Hi Michel,
Boy, don’t you just LOVE technology… as long as it’s not messing up!!
Don’t know whether this is related to your earlier problems or not…
But when I try to access your site, my virus program (Avast!) gives me this error message:
File name: somesite/iframe/good.php \[Packman]\[Embedded#7e79]\[UPX]
Malware name: Win32:Tiny-LU [Trj]
Malware type: Trojan Horse
VPS version: 071210-0, 10/12/2007
Just thought I’d give you a heads-up, in case anyone else has trouble with this as well.
Cheers,
Tom
Author's Website December 10th, 2007
From Michel Fortin
@Jeff:
That’s probably part of the problem. I removed all javascript from ad vendors because Google and StopBaware didn’t indicate what was the problem. So I’m not taking any chances and removed everything.
Author's Website December 10th, 2007
From Michel Fortin
@Tom:
Clean your cache. That solved the problem for Norton users, apparently. If you’ve visited this site in the past, it will pull from your cache and showing you the old infected version instead.
Author's Website December 10th, 2007
From Platostotle, The Philosopher Bear
Any thought to setting up a test blog so you might isolate the source of this problem and come to a positive conclusion?
The thing I found troublesome is your uncertainty about whether the javascript code for displaying ads with links was, itself, the culprit, or whether the code was “frowned upon by Google” (”frowned” to the effect of blowing your site out of the water in a most unsanctimonious way!).
Being a natural cynic, I wonder if you considered this twist on the third possibility you put forward: whether Google, in an effort to protect their advertising franchise, used the code to hack your blog (either using internal agents or through third parties).
It seems if Google frowns upon sites combining AdSense with scripted ads such as you were using, they ought to be VERY UPFRONT AND TRANSPARENT about this … because if they’re not, then the door opens to speculations such as I made in the preceding paragraph and the onus of proof is laid at their doorstep.
Author's Website December 10th, 2007
From Trevor C. McDonald
Hi Micheal
Shock Horror form Google doing that to your site. Im the guy that mentioned the Genesis 2 mens birth control manual a while back, everyone is haveing their say in educating me, likes of Yanik Silver, Dan Kennedy, Derek Gehl, Eben pagan, I didnt think you would care to much at the time, but when your wife had the cancer scare, I knew you would be a good person to help with it, Im not tackling it right away, Ive got a few other projects to get through first, but its next on the list after the market crash management system Im working on, but the contraceptive pill is a class a carcegen, a cancer causing substance. Cory Rudl even wanted to know my secret but I wouldnt tell him, cant let the cat out of the bag before its time, and it will need customised for respectable sex education. you’re a good writer, I remeber when you wrote about your dog and the refrigerator , I loved it. In the mean time I’ve been chipping away at other things to help it be more valuable, namely a 500+ file of Hints and things guys out to know to go with it, that way well get every one in on it. This is just to let you know Im still working on it. Regards Trev.
Author's Website December 11th, 2007
From Ali
Dear Michel,
I do believe in what situation you were passing. As I also passed the same with my one religious site. Even after removing all nu-necessary codes and sticked to Google’s standard. My site is still showing Harmful mesg. While the site is absolutely CLEAN.
Anyway, Sorry to say But I have to tell you. Your Site is still showing me a Small Trojan alert from my Anti-Spyware the moment I come to your site. If possible, I request you to re-check again. Because, we want to be on there regularly.
Ali.
Author's Website December 11th, 2007
From Ryan
When I came to your site this morning 5:30 a.m FreeAv gave me the 3 following warnings. It appears to me you still have a problem.
Virus or unwanted program ‘HTML/Psyme.Gen [HTML/Psyme.Gen]‘
detected in file
Virus or unwanted program ‘TR/Crypt.ULPM.Gen [TR/Crypt.ULPM.Gen]‘
detected in file
Virus or unwanted program ‘TR/Crypt.ULPM.Gen [TR/Crypt.ULPM.Gen]‘
detected in file
Author's Website December 11th, 2007
From Andy Beard
Hi Michel
I am in the middle of moving house and ‘net connection is proving to be a problem, even though the local telephone control box is actually on the corner of my land.
I am having to briefly use my wife’s machine from work
Certainly from here it looks like you have at least the home page fixed. Clicking through from a SERP doesn’t come up with a warning.
The easiest way to deal with a rogue plugin is via ftp, just renaming a folder.
The thing I don’t like about Bad Behaviour is you never know who you blocked.
The move to 2.3.1 isn’t as friendly as many people with quite new blogs assume. I had lots of problems importing tags due to lack of memory on my existing server, so I had to move servers to get my tags imported correctly.
I am still not 100% settled after a few weeks of 2.3.1 and haven’t had time to update my own plugins.
You had a huge advantage in sorting this out, as you have technical knowledge and a team to fall back on.
Some of these stopbadware type lists are a real pain. I can remember a while back Dane Morgan discovered that MyBlogLog had been added to one list because of the way it tracked visitors.
Author's Website December 11th, 2007
From charlie
Hey~ What an absolute NIGHTMARE! Glad that the problem was finally resolved and Thanks for passing on how you fixed it. You never know when something like this can happen to anyone of us. Keep the great information coming!
Author's Website December 11th, 2007
From Alexey Dvoryaninov
Thank you for this post. It’s very interesting!
Author's Website December 11th, 2007
From Shirley Burling
Very interesting post! I agree that google makes us jump through hoops. Have you ever considered using Artemis Pro to help with site promotion?
Good job you got it sorted eventually! Great blog.
Author's Website December 11th, 2007
From Kalmar Emeric
Hello Michel,
I am a regular reader of your blog, and last time, December 12, 2007, 2 am GMT, when I opened the main page of your blog, from the browser tab of my feed reader, the Avira Antivir anti virus software which I use, came up with a malicious code warning for your site.
Please take care, since I’m not the only one who got this warning.
Cheers,
Emeric
Author's Website December 11th, 2007
From Erick
Michaell Fortin is a genius when it comes to copyrighting. I enjoy all of his work and learn so much from what he does. I am fairly new in the internet game and look forward modeling Michaels’ expertise and wisdom throughout my journey. Thanks again Michael.
Erick
Dallas Tx
Author's Website December 12th, 2007
From Erica George
Dear Mr. Fortin,
It’s actually Google, not StopBadware, that flagged your site. Google independently checks the web for badware and badware-linking code, and places warnings in its own search results. StopBadware comes in simply to help site owners who want to remove the warnings in learning about badware and getting the warnings removed.
Many sites that are the subject of Google’s warnings have been the victims of a malicious hacking attack, often taking advantage of security holes at the server level or in web software. Another common reason for otherwise innocent sites to be flagged by Google is if badware is being distributed through third party provided content such as ads provided by an ad network.
For any of your readers who may find themselves in a similar situation in the future, I want to offer a few pointers:
* There’s actually no need to submit multiple review requests for pages on the same domain if the entire domain itself has been flagged. The only exception to this is for sites with lots of subdomains, where it’s possible Google might choose to lift the flag on some subdomains but keep the flag on others (such as for sites where each subdomain is managed by a different person).
* You can submit a review to StopBadware, to Google directly through Webmaster Tools, or both. Regardless of where your review starts, the first step is a rescan by Google. There’s more info about the review process in our FAQ.
* Google’s malware flags aren’t based on presumptions about selling links or any violations of other aspects of Google’s guidelines for webmasters. The malware flags are for sites that are distributing badware, whether it be directly, via a cross-site exploit, via a compromised ad, or via substantial links to other sites that distribute badware.
* StopBadware has more information on a page for owners of sites with Google warnings . We also have a page of Security Tips for website owners , and an email discussion group where many webmasters have also found help from our community .
Thanks for helping spread information to your fellow webmasters. It’s great to see a site owner explaining what happened to his readers and helping everyone get better educated.
Erica
StopBadware staff
Author's Website December 12th, 2007
From Michel Fortin
@Erica:
Thank you so much for dropping by and explaining this. It’s very helpful indeed.
When I blogged about this, please note that I looked at it from my very limited perspective. What didn’t help was the fact that there were no indications as to why it was blocked.
In fact, when I checked Google and StopBadware, it not only gave no reason, but there were blank spaces where presumably reasons were supposed to be. As if they didn’t know, either.
(Lucky for me, some of my clients emailed me their reports from their client-side anti-malware software, which helped me to pinpoint the problems.)
Sure, you provide a laundry list of things to do. (Which is helpful.) But being forced to go through the entire list without knowing what to look for is like shooting blanks in the dark, and is nonetheless quite labor-intense.
(And to be notified only 24 hours later was also distressing.)
So, I was left guessing, scratching my head trying to make sense of it. My blog post was my attempt to both explain the situation (because of the harm this caused to my reputation), as well as trying to shed light on such a confusing issue.
Nevertheless, I sincerely do appreciate your feedback, and thank you for making the web safer for us.
I personally CAN’T stand sites that wreak havoc on my browser or computer. Your service is a much needed one and I love it — even though I believe it still needs to be a little better and more user-friendly for us victims.
Anyway, thanks again.
Author's Website December 12th, 2007
From Terry Barker
Thanks for letting me know, i’ll have to upgrade my site now! Can’t sleep until it’s done! I read the blog at jamesbrausch.com on a regular basis, i’m suprised he didn’t mention it.
I think i’ll add your blog to my favorites! It’s fantastic.
Author's Website December 13th, 2007
From Michel Fortin
@Terry:
I just finished cleaning up this site — and 7 other blogs (they were all 2.2), which were ALL infected, believe it or not. What a pain! But it’s all done now.
Indeed, I recommend that you upgrade to 2.3.1 ASAP.
Author's Website December 13th, 2007
From Doug arger
Hi Michel,
Thanks for the advice and I am glad that you got it all sorted quickly.
I have really gleaned alot from your blog and greatly admire your
expertise.
Merry Christmas,
Doug B.
Author's Website December 14th, 2007
From Richelo Killian
Hi Michel,
You might still have some issue on your site! When I Stumbled upon this page, my Zone Alarm popped up with a warning of this trojan trying to load from your site:
Virus Name: Trojan-Downloader.JS.Psyme.me
Better have you IT guys check your code.
Cheers
Richelo
Author's Website December 14th, 2007
From Michel Fortin
Yup, it creeped back in. I removed it, and took an extra step… I CHMOD’d my themes folder to 755 (not writeable). I know it’s a pain because now I can’t modify theme files from within the control panel, but it’s the only way I can stop this code from coming back.
It should be safe and secure, now.
Author's Website December 14th, 2007
From Al
Thanks! It’s fixed now. (I forgot the http at the beginning!)
Author's Website December 25th, 2007
From Kalmar Emeric
Dear Michel,
Just a few words:
Statue of Liberty
Balzac
Benjamin Franklin at Paris
Freedom of speech
USA
Cheers,
Emeric
Author's Website December 26th, 2007
From Erick
I have a new personal development company lauching in the next couple weeks. My first approach is via email due to my ebooks I have written along with some audio books. I would love to surround myself with someone as successful as yourself on a regular basis. You can definatley help me with my sales letter and marketing tools. Please let me know how I can pursue that successfully!
Thanks look forward hearing from you.
Erick
Author's Website December 27th, 2007
From Michael Hampton
I’m sorry I didn’t see this post before. (I might have, had there been a backlink in it somewhere!)
I can tell you with certainty that whatever problem you may have had with Bad Behavior, it has absolutely nothing to do with malicious software warnings from Google and StopBadware.org.
And the problem you did have with Bad Behavior was fixed within a couple of hours, since it caught me as well as, oh, thousands of other people, many of whom filled my inbox to overflowing.
That said, I have no idea why your web hosting provider would complain about Bad Behavior; its resource usage ranges between minimal and zero, and it’s no more buggy than anything else out there. In all the cases I’ve seen where it performs poorly, it’s been the fault of the web hosting provider not having tuned their servers properly, oversubscribed their servers beyond the breaking point, or just not knowing what they’re doing generally. I can’t say which of the above might apply to your host.
I do see, though, that you’re running Bad Behavior again. I hope that it’s performing well for you, and if not, feel free to let me know.
Author's Website August 24th, 2008