Tuesday, September 18, 2007
Written by Nathan Johns, Search Quality Team
In recent months, there's been a noticeable increase in the number of compromised websites around the web. One explanation is that people are resorting to hacking sites in order to distribute malware or attempt to spam search results. Regardless of the reason, it's a great time for all of us to review helpful webmaster security tips.
: While we've collected tips and pointers below, and we encourage webmasters to "please try the following at home," this is by no means an exhaustive list for your website's security. We hope it's useful, but we recommend that you conduct more thorough research as well.
Check your server configuration.
Stay up-to-date with the latest software updates and patches.
A common pitfall for many webmasters is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Need some tips? Blogger Mark Blair has a few
, including making a list of all the software and plug-ins used for your website and keeping track of the version numbers and updates. He also suggests taking advantage of any feeds their websites may provide.
Regularly keep an eye on your log files.
Making this a habit has many great benefits, one of which is added security. You might be surprised with what you find.
Check your site for common vulnerabilities.
Avoid having directories with open permissions. This is almost like leaving the front door to your home wide open, with a door mat that reads "Come on in and help yourself!" Also check for any
(cross-site scripting) and
vulnerabilities. Finally, choose good passwords. The Gmail support center has some good
to follow, which can be helpful for choosing passwords in general.
Be wary of third-party content providers.
If you're considering installing an application provided by a third party, such as a widget, counter, ad network, or webstat service, be sure to exercise due diligence. While there are lots of great third-party content on the web, it's also possible for providers to use these applications to push exploits, such as dangerous scripts, towards your visitors. Make sure the application is created by a reputable source. Do they have a legitimate website with support and contact information? Have other webmasters used the service?
Try a Google site: search to see what's indexed.
This may seem a bit obvious, but it's commonly overlooked. It's always a good idea to do a quick check and make sure things look normal. If you're not already familiar with the site: search operator, it's a way for you to restrict your search to a specific site. For example, the search
will only return results from the Official Google Blog.
It includes all kinds of good stuff like a site status wizard and tools for managing how Googlebot crawls your site. Another nice feature is that if Google believes your site has been hacked to host malware, our
webmaster console will show more detailed information
, such as a sample of harmful URLs. Once you think the malware is removed, you then can request a reevaluation through Webmaster Tools.
SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's
Tips for Cleaning and Securing Your Website
Here's some great content about online security and safety with pointers to lots of useful resources. It's a good one to add to your Google Reader feeds. :)
Contact your hosting company for support.
Most hosting companies have helpful and responsive support groups. If you think something may be wrong, or you simply want to make sure you're in the know, visit their website or give 'em a call.
We hope you find these tips helpful. If you have some of your own tips you'd like to share, you can start a discussion in the
Google Webmaster Help
group. Practice safe webmastering!