Perishable Press

Hacked by Google?

The setup: I recently launched a new plugin that included a Demo page. To keep things flexible, I set up the Demo as a page on my experimental “Labs” WordPress installation, which is entirely nofollow, noindex and noarchive, meaning that Google can’t legitimately see what’s there.

The story:

So I launch my plugin and the traffic starts rolling in and some of it goes to the Demo page, as planned. Everything was going fine for a number of hours – people were checking out the Demo, submitting sample posts into the ether, and all was well. There were no tricks, no spam, no traps, no phishing, no nuthin’ – as with everything I do here at Perishable Press, the USP Demo is white-hat, squeaky clean, and safe for the masses.

And then suddenly, traffic to my Demo page completely stopped, and I get a message from a few users saying something like:

Dude your plugin demo is flagged as an attack site by Google – better check it out..

Seriously? After immediately scouring my site/server for signs of mischief, I found no signs of tampering and was left to wonder why on earth anyone would bother reporting my humble Demo page to the Web Cops (read: Google). The conspiracy theories began taking hold, but after further investigation and a little more analysis, I’m thinking that it wasn’t anyone reporting anything to Google – but rather, it was Google itself that pulled the plug on my new Demo page.

What to do if your page is flagged as an “attack site”

First, check your site with nanoscope for any wrongdoing, evil scripts, and other tampering. If you discover some plot, eliminate it. That’s always priority number one: keep your site secure. If you don’t find anything weird, and your site is clean, the next step is to figure out why Google flagged your page. There are basically two possibilities here:

  • Someone reports it as an attack site
  • Google discovers it and considers it an attack site

For my flagged Demo page, my current hypothesis goes like this:

  1. Google saw a bunch of traffic suddenly going to a relatively new page
  2. Google wanted to check it out, but the page was nofollowed & noindexed
  3. Google gets paranoid and kills the new page

Did the actual content of the page (a post-submission form) play a role in Google killing my Demo? Not if Google obeys the noindex/nofollow/noarchive protocol, which for my page told them explicitly to stay out (I do not want my test WordPress installation interfering with anything search-engine related). Even so, I’ve got a strong hunch that Google dropped by anyway to check it out. And after seeing the form, the noindex, and the surge of traffic, Google takes it upon itself to be the Online Po-Po and hacks my site. So not cool bro.

Why Google is wrong

I understand that keeping idiots away from badness is somebody’s job, but Google has no right to essentially hijack any page it wants with an ominous “this is an attack site, get me out of here” message. That’s my personal property you’re hacking, and Google has no right to interfere with anybody’s anything at all. But as a corpo mega-giant, they can pretty much do whatever they want, so if Google don’t like the way your site looks – or even if they just get an unhappy feeling about it – they can and will hack your site with their trauma-inducing anti-traffic propaganda.

And the scare messages weren’t just coming from the search-engine results, Google was intercepting and redirecting traffic right on my own website! For example, some user is reading about my new plugin and decides to click on the “Demo” link to experience the awesomeness. BUT NO, when the user clicks on my link on my site, Google intercepts and redirects a legitimate user going to a legitimate page on my own frapping website.

If this were done by anyone else it would be called a malicious attack, but Google obviously does not see it that way.

Google’s response time is a joke

Often, the difference between a deliberate attack and a simple accident is communication. If some cracker breaks in, plants payload, and then escapes in the middle of the night, he/she isn’t going to send you an email explaining what’s up. Instead, they’re going to keep it dark, take their time, and wait for the perfect time to exploit your site. That’s just nasty behavior, and you would expect “do no evil” Google to not act like a criminal by actually communicating its intentions & actions with all of us lowly subjects.

Unfortunately, Google SUCKS at timely communication. To illustrate, consider the following chain of events:

  1. February 17th, 2011 – launch plugin & Demo page
  2. February 17th, 2011 – Google hacks my site, shuts down Demo page
  3. February 17th, 2011 – multiple people report the Demo page as legit
  4. February 21st, 2011 – Google sends a generic, useless email telling me what the scare-page already told me
  5. March 1st, 2011 – over a week later and still no follow-up from Google

When your site gets hacked, it is critical to eliminate the risk and restore security as soon as possible. Every second counts, and any information you can get is going to help you diagnose and resolve the issue as expediently as possible. Anyone working online should understand this basic principle:

Time is of the essence.

So why did it take FOUR DAYS to hear anything back from those responsible for actually hacking my site? In this case, Google’s behavior is no different than that of an actual malicious attack. The minute I discovered that someone (Google) had attacked my Demo page, I kicked it into high gear, moving as swiftly as possible to diagnose and resolve the problem that Google started. Meanwhile what does Google do after hacking my website and accusing me of getting hacked? Nothing. They didn’t do a damn thing, even after multiple people reported that the Demo page was in fact legit. After a week and still no report, message, or nothing back from Google about the verifications.

Let’s review..

Let’s review the chain of events to make everything crystal clear:

  • Google “attacks” a legitimate website after suspecting it of wrongdoing
  • Google intercepts and redirects all traffic to an ominous “attack” page
  • Google scares off traffic, damages reputation of legitimate website
  • Site owner tries to accommodate and obey all of Google’s demands
  • Google ignores verification requests, does literally nothing
  • Google waits four days and then emails the same regurgitated information contained in their original “attack” message
  • A week later, still nothing from Google about any of this
  • Feeling frustrated and betrayed, site owner pens insightful rant

So what can I do? I’m just a small-timer with no real power. But I can write. I can share. I can post this information on the Web and tell you with all seriousness that Google is NOT your friend, and will attack your site if they feel like it.

The solution..

Simple: communication. How is it that the world’s largest harvester of data can’t/won’t send a simple email before they attack your website? If this sounds familiar, it’s because Google is the worst at communicating with their users. Think about it: how many web admins and bloggers bend over backwards trying to satisfy Google’s every command. Why can’t/won’t Google return the favor with a quick message before they destroy your site, reputation, and income? It would be so nice..

I remember feeling frustrated like this before, back when Microsoft was in power.

Jeff Starr
About the Author Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
48 responses
  1. Think it had to do w/ their new algorithm? They are ‘cracking’ down on stuff, and you were probably caught in a crossfire. #lame

    • Jeff Starr

      Perhaps the new algorithm had something to do with it, but when is it not involved somehow? My safest bet would be that Google’s flagging mechanisms for “suspected attack sites” is too sloppy, like an overprotective parent or something. I agree that it is #lame

      • I wonder what the false-positives vs actual threat ratio is. Would be interested in knowing whether your site was a rare 1% or if it’s more than that.

  2. I really hope this was a one time mistake by Google. Have you tried to contact them and asked for an explanation? (although you shouldn’t have to)

    • Jeff Starr

      Yes, I have tried contacting Google about this, but as mentioned below, no reply yet.

      It would be awesome to know why the page was flagged, but any sort of response from Google would be appreciated.

  3. John Rocheleau March 1, 2011 @ 11:52 am

    In the investment world, when a company’s stock is over-valued they soon experience a market correction. I think Google is losing integrity and overstepping its perceived power. Google may be big, but the market is bigger and always has the last say. I think Google may be due for a correction in the next year or two. I’ve shared this post to spread the word.

    • Jeff Starr

      I agree, and would further that the whole “rise-peak-fall” concept applies to just about everything. Google is a giant, but certainly no exception to this natural, inevitable cycle of life, business software, you-name-it. For anyone/thing, time at the top is finite, with decline easily predictable by a variety of unmistakable factors, such as the topic at hand. Thanks for sharing the post.

  4. David Lawlor March 1, 2011 @ 11:58 am

    Actually this is bad web mastering. Noindex/nofollow/noarchive does not stop googlebot from crawling; it just does exactly what those tags are meant to do:
    Not Index a page
    Not give link juice to outbound links
    Not to cache

    Using robots.txt to block those pages/directory stops googlebot from actually crawling the page.

    Do you use Google webmaster tools? They do put a message in there and I was notified that way when a client’s site was hacked. No one hacked your site, they simply protected their users from what they perceived as a threat. The only way people were intercepted from your own page is if they are using Chrome or the Google toolbar in either instance the user has accepted that Google can police their results.

    Google continually takes a we know better than everyone else stance and I deplore it but in this case you could have stopped the whole thing with a proper use of robots.txt

    Dave

    • Jeff Starr

      You’re missing the point..

      • You accuse Google of wrongdoing based on incorrect information but when you’re corrected that’s somehow not the point?

        What is the point then?

      • David Lawlor March 1, 2011 @ 12:34 pm

        Really cause if I am I’m trying to see where? Your post states that Google shouldn’t have done what they did because you used those tags. I corrected you that you used the incorrect method to get the results you desired.

        You asked for more communication from Google, I again pointed you to webmaster tools as they do communicate that warning through there (and I believe they send an email but I can’t remember).

        What point am I missing?

      • Jeff Starr

        Why did Google flag my site? They were not allowed access, so they could not see what was there. Why doesn’t Google ask me about the page before/after flagging it?

        I know they can do better than the “flag it and forget it” service I received.

  5. Did you start a post in the google support forums complaining about this issue?

  6. If you want to stop Google from seeing the content you should use robots.txt. Your hypothesis is wrong and you weren’t hacked by Google.

    Google can do what it wants with visitors to its own site. I suspect the users you claimed were hijacked by Google were actually using Chrome which is Google’s browser. Again, they have a right to notify users however they like. If the user doesn’t like it, they can use a different browser.

    While I understand your frustration, you were most certainly not hacked by Google and they didn’t behave inappropriately other than perhaps not reacting fast enough to your requests.

    • Jeff Starr

      The test site is nofollow, noindex, and noarchive. Google et al have no business there. And they have not responded at all to my requests, which seems inappropriate and irresponsible given their actions.

      • Again, you’re incorrect. Noindex means Google won’t index the page. Nofollow means Google won’t give credit to any site you link to from the page. Noarchive means your site won’t be archived by the likes of Archive.org etc.

        None of that prevents any bot from crawling your site. That’s what robots.txt is for. If you don’t want Google even on your site, block it via robots.txt.

        In essence your argument seems to amount to “I’m angry because I don’t understand how to block bots & then Google doesn’t respond fast enough.” The first part is your fault, the latter part I agree with you on.

      • Jeff Starr

        By nofollow, I refer to robots.txt, which is all disallow for everyone. Google should not have been there, and even if they were, there was no reason to flag my page. And even if there was a reason, Google has the tools to communicate when they make significant changes to stuff like site status and so on. They don’t.

        The issue is not about how to block Google, but rather Google’s aggressive, paranoid tactics coupled with their poor (at best) communication skills. I was going to call the post, “Flagged by Google”, but somehow that didn’t sound menacing enough, so I changed it last minute. Perhaps the confusion.

        Seriously though, Ben, it’s not a big deal. I get the how-to-control-robots thing, just check my archives ;) I’ve been doing this stuff for years, and this is just another post that will disappear into the river of posts behind it. I do not mean to offend.

        Regardless of opinion, I appreciate the discussion and value you as a person. I’d like to think that if we were just hanging out, maybe over a beer, this would quickly evolve into a fascinating and enlightening discussion. Perhaps someday ;)

      • Chris Countey March 7, 2011 @ 12:20 pm

        I believe the other users who have responded are correct. You need to stop Google at the server level. If they can get to the page, I think it’s already too late. You are correct though, the response time is a bit lengthy. But if you check out the Google Webmaster Help forums, you’ll see that they are very busy. Good luck though!

      • Jeff Starr

        This is a good idea for really sensitive projects, but if you think about it, there should have been no reason to keep Google out at all. I went with nofollow/noindex/noarchive for the site in general just because it’s a test site and doesn’t need to be in the search engines. That is, no reason to block any bots that want in, but keeping the site out of the Index seems like a good idea.
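The distinction argued over in comments 4 and 6 above (robots meta directives versus robots.txt), as an added example that is not part of the original post or any commenter's code. The URL, page markup and robots.txt bodies are constructed samples, and `audit` is a hypothetical helper name; note that robots.txt is only a request that well-behaved crawlers honor, not access control.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed samples (not taken from the site discussed on this page).
URL = "https://labs.example.com/demo/"
PAGE = """<html><head>
<meta name="robots" content="noindex, nofollow, noarchive">
<title>Plugin demo</title></head><body><form method="post"></form></body></html>"""
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"       # empty Disallow: crawl anything
ROBOTS_CLOSED = "User-agent: *\nDisallow: /\n"    # ask every crawler to stay out
ROBOTS_DEMO_ONLY = "User-agent: Googlebot\nDisallow: /demo/\n"


class MetaRobots(HTMLParser):
    """Collect directives from <meta name="robots"> / <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            for item in attr.get("content", "").split(","):
                if item.strip():
                    self.directives.add(item.strip().lower())


def audit(robots_txt, html, url, agent="Googlebot"):
    """Report what a robots.txt-honoring crawler may do with one page."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    may_fetch = rules.can_fetch(agent, url)

    meta = MetaRobots()
    meta.feed(html)
    return {
        # Crawling is governed by robots.txt alone; meta tags never block a fetch.
        "may_fetch": may_fetch,
        "meta": sorted(meta.directives),
        # A crawler that is kept out never downloads the page, so it cannot
        # read the meta directives either.
        "meta_seen_by_crawler": may_fetch and bool(meta.directives),
    }


if __name__ == "__main__":
    for label, robots in [("open", ROBOTS_OPEN), ("closed", ROBOTS_CLOSED),
                          ("demo-only", ROBOTS_DEMO_ONLY)]:
        print(label, audit(robots, PAGE, URL))
```

With the open robots.txt the page is fetchable despite its noindex/nofollow/noarchive tag; only the Disallow rules change `may_fetch`, and only for the user agents they name.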

  7. Paul te Kortschot March 1, 2011 @ 2:34 pm

    Is it possible that one gets a “this website has been flagged…” by direct visiting the website? So not by landing on the page via google’s search engine. In other words, does Google have the power to “capture” direct incoming links?

    With Regards,
    Paul

    • Paul te Kortschot March 1, 2011 @ 2:38 pm

      Btw scroll down on my site :) I just started to code my own theme, and you and Chris are very helpful. Love this site and css-tricks!!!

      • Jeff Starr

        Sweet! Thanks for including Perishable Press – that’s a great list to be on :)

        Cheers, and keep up the good work on your site!

    • Jeff Starr

      Google makes the call, and then browsers like Firefox and Chrome take Google’s word for it and display the ominous attack message. I’m pretty sure this is the default functionality of browsers that use Google’s block list.

      • Paul te Kortschot March 1, 2011 @ 11:45 pm

        This really is a troubling idea… In essence Google has no business flagging a site people direct link to. They are not paying for the website, the owner is. And in the country where I am from we have a great deal of freedom of speech and publicity. Google has no business overruling that no matter what the content is. If they want to flag it for users who visit the site by their tools…. that is their business.

        I guess for the greater good they handle this correctly, but the tiny group we participate in has questions about it.

  8. Man in the shadows March 1, 2011 @ 9:05 pm

    I agree with you and I too have criticized Google in the public of the internet. I never did get a response but I did get what appeared to be frozen pagerank and reduced traffic for what seemed like ages. Now I never report anything even when they tell me I should such as spam in their index. Big G has the power to flip you off like a light switch, so now I always save face and continue on quietly with my humble service to the internet.

    • Jeff Starr

      It will be interesting to see if they do the same to this site for “daring” to criticize. Honestly I don’t think they’re that petty, and also this site is so tiny why even bother with it? Either way, it will take a lot more than no more Google traffic to shut me up. Just like I did for years, I’ll keep posting even if nobody visits. I write primarily for myself. Having readers is a blessing, having Google traffic is a bonus, not required. I hear where you’re coming from, however, and think it’s sad that so many are so afraid of the “Big G”. Thanks for the feedback, Man in the shadows.

      • Chris Countey March 7, 2011 @ 12:24 pm

        There is another site that is wholly devoted to blasting Google every chance it gets. It’s actually well written, but a waste of time. Your site, however, has awesome content and I don’t believe you’ll become a target.

      • Jeff Starr

        Thanks, I hope that nobody thinks that now suddenly I’m all about trashing Google. This post is aimed (perhaps poorly) at expressing need for improvement in the communication department. Overall Google does an excellent job with too many projects and services to name. So no harm or offense intended to anyone, just trying to vent, inform, and encourage improvement.

  9. The bots that evaluate pages for SafeBrowsing are _supposed_ to ignore robot directives, otherwise the bad guys would just add a “noindex,nofollow,noarchive” to their scam pages to avoid having them flagged!

    Maybe some content was added to the demo page that made it look malicious? Heuristics are never perfect, if everything is in order this was probably a false positive.

    It still sucks that they haven’t replied. If you are registered as the owner in the Webmaster Tools, you should get a warning email. They also tell you the current status and provide a link to request re-evaluation. Some time ago I got hacked on a very old postnuke installation (that I had honestly completely forgotten), cleaned up the mess and got the site re-evaluated. I think the whole thing took less than two days.

    • Jeff Starr

      They did send a generic email notifying me that my page was flagged as an attack site. The problem is that it took 4 days for them to send it. And I’m still waiting to hear about the multiple verification requests. It’s been over a week now, and still nada.

      Good to know about the “SafeBrowsing” functionality – I wish I would’ve known that before Google flagged my site! ;)

  10. Rockford Remodeling March 2, 2011 @ 7:09 am

    Google messed up my local listing and ranking big time and had references from another site/location mixed in with mine. I can relate to the pains of trying to get it straightened out and the generic canned answers.

    My last report a problem was capital letters I AM THE VERIFIED SITE OWNER…then I proceeded with my distaste about where they’ve been ‘goofing’ me.

    I am not at all pleased with these shenanigans Goober (name intentionally spelled this way) is doing.

    -Shawn W.

    • Jeff Starr

      I feel your pain! Google seems to be getting to the point where it is “too big not to fail” but it will take years, I imagine, before they’re riding backseat with Microsoft and Co.

      I do give Google credit for when they get it right – and they do have so many awesome tools to help webmasters, but they need to try a little harder to keep the respect of their users. My opinion!

  11. @jeffS

    Dude, I might be talking out of my vuvuzela here, but would the presence of one or two major validation bloopers count toward penalizing that page?

    The Farmer Update is causing no end of stress for loads of sites right now, good’uns and bad’uns…

    • Jeff Starr

      Perhaps, but they’d have to be some freaking huge validation errors to justify penalizing a page.. it’s certainly a possibility, but I’m pretty sure Google doesn’t validate HTML/markup (or any kind of code).

      And by Farmer Update you refer to WP 3.1? Hehe..

      • I refer to G’s new algo. I notice a few SEO players are using this term.

        On reflection, I guess your site doesn’t fit the profile one iota. How the algo would sense malevolence on the part of your demo page is beyond me.

        Are you pulling the page?

      • Jeff Starr

        Ah, gotcha. Yep this site is squeaky clean, which furthers my point that Google is just a wee bit too paranoid and aggressive when it comes to whacking out websites. And getting a quick email with a little “why” would go a long way to helping webmasters clean up after them after they drive by and perforate your hard work.

        Yes, I pulled the page and replaced it with one on this WP install, which is open to poor old Googlebot so nobody gets any hurt feelings.

      • When it comes to a stand-up fight between eminent interwebtubes sorcerer and doodlebot, I know which side of the table my money goes.

        Know what I mean?

  12. I think it’s really a one-time mistake by Google
