(Cross-posted from the Google Security Blog.)
Every week, over 10 million users encounter harmful websites that deliver malware and scams. Many of these sites are compromised personal blogs or small business pages that have fallen victim due to a weak password or outdated software. Safe Browsing and Google Search protect visitors from dangerous content by displaying browser warnings and labeling search results with 'this site may harm your computer'. While this helps keep users safe in the moment, the compromised site remains a problem that needs to be fixed.
Unfortunately, many webmasters for compromised sites are unaware anything is amiss. Worse yet, even when they learn of an incident, they may lack the security expertise to take action and address the root cause of compromise. Quoting one webmaster from a survey we conducted, “our daily and weekly backups were both infected” and even after seeking the help of a specialist, after “lots of wasted hours/days” the webmaster abandoned all attempts to restore the site and instead refocused his efforts on “rebuilding the site from scratch”.
In order to find the best way to help webmasters clean-up from compromise, we recently teamed up with the University of California, Berkeley to explore how to quickly contact webmasters and expedite recovery while minimizing the distress involved. We’ve summarized our key lessons below. The full study, which you can read here, was recently presented at the International World Wide Web Conference.
When Google works directly with webmasters during critical moments like security breaches, we can help 75% of webmasters re-secure their content. The whole process takes a median of 3 days. This is a better experience for webmasters and their audience.
How many sites get compromised?
Over the last year Google detected nearly 800,000 compromised websites—roughly 16,500 new sites every week from around the globe. Visitors to these sites are exposed to low-quality scam content and malware via drive-by downloads. While browser and search warnings help protect visitors from harm, these warnings can at times feel punitive to webmasters who learn only after-the-fact that their site was compromised. To balance the safety of our users with the experience of webmasters, we set out to find the best approach to help webmasters recover from security breaches and ultimately reconnect websites with their audience.
Finding the most effective ways to aid webmaster
- Getting in touch with webmasters: One of the hardest steps on the road to recovery is first getting in contact with webmasters. We tried three notification channels: email, browser warnings, and search warnings. For webmasters who proactively registered their site with Search Console, we found that email communication led to 75% of webmasters re-securing their pages. When we didn’t know a webmaster’s email address, browser warnings and search warnings helped 54% and 43% of sites clean up respectively.
- Providing tips on cleaning up harmful content: Attackers rely on hidden files, easy-to-miss redirects, and remote inclusions to serve scams and malware. This makes clean-up increasingly tricky. When we emailed webmasters, we included tips and samples of exactly which pages contained harmful content. This, combined with expedited notification, helped webmasters clean up 62% faster compared to no tips—usually within 3 days.
- Making sure sites stay clean: Once a site is no longer serving harmful content, it’s important to make sure attackers don’t reassert control. We monitored recently cleaned websites and found 12% were compromised again in 30 days. This illustrates the challenge involved in identifying the root cause of a breach versus dealing with the side-effects.
Posted by Kurt Thomas and Yuan Niu, Spam & Abuse Research
(Cross-posted from the Google Security Blog.)
In November, we announced that Safe Browsing would protect you from social engineering attacks - deceptive tactics that try to trick you into doing something dangerous, like installing unwanted software or revealing your personal information (for example, passwords, phone numbers, or credit cards). You may have encountered social engineering in a deceptive download button, or an image ad that falsely claims your system is out of date. Today, we’re expanding Safe Browsing protection to protect you from such deceptive embedded content, like social engineering ads.
Consistent with the social engineering policy we announced in November, embedded content (like ads) on a web page will be considered social engineering when they either:
- Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself.
- Try to trick you into doing something you’d only do for a trusted entity — like sharing a password or calling tech support.
Posted by Lucas Ballard, Safe Browsing Team
If you've already made your site mobile-friendly, you will not be impacted by this update. If you need support with your mobile-friendly site, we recommend checking out the Mobile-Friendly Test and the Webmaster Mobile Guide, both of which provide guidance on how to improve your mobile site. And remember, the intent of the search query is still a very strong signal — so even if a page with high quality content is not mobile-friendly, it could still rank well if it has great, relevant content.
If you have any questions, please go to the Webmaster help forum.
Posted by Klemen Kloboves, Software Engineer
|Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
(Googlebot smartphone user-agent starting from April 18, 2016)
Today, we use the following smartphone user-agent for Googlebot:
|Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
(Current Googlebot smartphone user-agent)
We’re updating the user-agent string so that our renderer can better understand pages that use newer web technologies. Our renderer evolves over time and the user-agent string indicates that that it is becoming more similar to Chrome than Safari. To make sure your site can be viewed properly by a wide range of users and browsers, we recommend using feature detection and progressive enhancement.
Our evaluation suggests that this user-agent change should have no effect on 99% of sites. The most common reason a site might be affected is if it specifically looks for a particular Googlebot user-agent string. User-agent sniffing for Googlebot is not recommended and is considered to be a form of cloaking. Googlebot should be treated like any other browser.
If you believe your site may be affected by this update, we recommend checking your site with the Fetch and Render Tool in Search Console (which has been updated with the new user-agent string) or by changing the user-agent string in Developer Tools in your browser (for example, via Chrome Device Mode). If you have any questions, we’re always happy to answer them in our Webmaster help forums.
Posted by Katsuaki Ikegami, Software Engineer
As a form of online marketing, some companies today will send bloggers free products to review or give away in return for a mention in a blogpost. Whether you’re the company supplying the product or the blogger writing the post, below are a few best practices to ensure that this content is both useful to users and compliant with Google Webmaster Guidelines.
- Use the nofollow tag where appropriate
Links that pass PageRank in exchange for goods or services are against Google guidelines on link schemes. Companies sometimes urge bloggers to link back to:
- the company’s site
- the company’s social media accounts
- an online merchant’s page that sells the product
- a review service’s page featuring reviews of the product
- the company’s mobile app on an app store
Bloggers should use the nofollow tag on all such links because these links didn’t come about organically (i.e., the links wouldn’t exist if the company hadn’t offered to provide a free good or service in exchange for a link). Companies, or the marketing firms they’re working with, can do their part by reminding bloggers to use nofollow on these links.
- Disclose the relationship
Users want to know when they’re viewing sponsored content. Also, there are laws in some countries that make disclosure of sponsorship mandatory. A disclosure can appear anywhere in the post; however, the most useful placement is at the top in case users don’t read the entire post.
- Create compelling, unique content
The most successful blogs offer their visitors a compelling reason to come back. If you're a blogger you might try to become the go-to source of information in your topic area, cover a useful niche that few others are looking at, or provide exclusive content that only you can create due to your unique expertise or resources.
For more information, please drop by our Google Webmaster Central Help Forum.
Posted by the Google Webspam Team
Accelerated Mobile Pages (AMP) is a global, industry-wide initiative, with publishers large and small all focused on the same goal: a better, faster mobile web.
We’ve had a great response to our English language AMP office hours, but we know that English isn’t everyone’s native language.
For the next two weeks, we’re rolling out a new series of office hours in French, Italian, German, Spanish, Brazilian Portuguese, Russian, Japanese, and Indonesian and invite everyone to learn about AMP in their native language. Product Managers, Technical Managers, & Engineers at Google, will get to speak in their native tongue, and answer any questions you may have on AMP.
First we will reintroduce you to AMP and how it works, before diving into the technical specs and various components of AMP. You can add your questions via the Q and A app on the event pages below, and we will answer them during the office hours. You can also watch them on the News Lab YouTube page after the event.
Check out the lineup below and join the discussion.
- Introduction to AMP - Mar. 7 @ 1700 CET with Cecile Pruvost, Industry Manager
- AMP Anatomy - Mar. 14 @ 1700 CET with Emeric Studer, Technology Manager
- Introduction to AMP - Mar. 8 @ 1500 CET with Luca Forlin Head of International Play Newsstand Partnerships
- AMP Anatomy - Mar. 15 @ 1500 CET with Flavio Palandri Antonelli, AMP Software Engineer
- Introduction to AMP - Mar. 9 @ 1700 CET with Nadine Gerspacher, Partner Development Manager
- AMP Anatomy - Mar. 18 @ 1600 CET with Paul Bakaus, Developer Advocate
- Introduction to AMP - Mar. 9 @ 1430 CET with Demian Renzulli, Technical Solutions Consultant
- AMP Anatomy - Mar. 16 @ 1430 CET with Julian Toledo, Developer Advocate
- Introduction to AMP - Mar. 10 @ 1430 BRT with Carol Soler, Strategic Partner Manager
- AMP Anatomy - Mar. 17 @ 1430 BRT with Breno Araújo, Technology Manager
- Introduction to AMP & AMP Anatomy - Mar. 10 @ 1500 MSK with Natasha Rostovtceva, Strategic Partner Manager & Boris Farber, Developer Advocate
- Introduction to AMP - Mar. 15 @ 1800 JST with Duncan Wright, Strategic Partner Manager
- Introduction to AMP - Mar. 10 @ 1400 WIB with Rica Handayani, Strategic Partner Manager
Posted by Tomo Taylor, AMP Community Manager
More and more sites are implementing Accelerated Mobile Pages (AMP) for news content, so we've decided to provide a preview of error reports in Search Console to help you get ready for the upcoming official AMP launch and get early feedback from you. You can find these reports under Search Appearance - Accelerated Mobile Pages. The goal here is to make it easier to spot issues in your AMP implementation across the whole website. In order to get started with AMP on Google Search, you'll need to create matching, valid AMP pages where relevant, ensure that they use the NewsArticle schema.org markup, and link them appropriately.
The AMP error report gives an overview of the overall situation on your site, and then lets you drill down to specific error types and URLs. This process helps you quickly find the most common issues, so that you can systematically address them in your site's AMP implementation (potentially just requiring tweaks in the templates or plugin used for these pages).
Curious about AMP and how it might fit in with your site? Here's a demo preview of AMP in search, more on how AMP works, and a guide to getting started with AMP. If you think AMP would be a good fit for your website, implementing it might ultimately be as easy as installing a plugin in your CMS, so check with your provider. AMP hasn't officially launched in Google Search, so there's still time to get set up -- feedback & patience will be appreciated by your CMS & plugin providers. Stay tuned for more updates on the AMP Project blog.
We're only getting started -- this is a first step at AMP error reporting. We'll be refining this report in the near future, and we'd love to get your feedback to help us. Let us know in the comments here how things work out for you.
Posted by John Mueller, Webmaster Trends Analyst, Google Zurich
We spent a lot of time making this site right for you. We took our own advice by analyzing visitor behavior and conducting user studies to organize the site into categories you’ll find most useful. Thanks to our awesome community and Top Contributors for the valuable feedback during the process!
|Our new Google Webmasters website|
The site contains support resources to help you fix issues with your website, SEO learning materials to create a high-quality site and improve search rankings, and connection opportunities to stay up-to-date with our team and webmaster community. It also contains new features such as:
- Webmaster troubleshooter: Need a step-by-step guide to move your site or understand a message in Search Console? The troubleshooter can help answer these and other common problems with your site in Google Search and Google Search Console.
- Popular resources: Looking for popular Google Webmasters YouTube videos, blog posts and forum threads? Here’s a curated list of our top resources – these may differ across languages.
- Events calendar: Want to meet someone from our team online for office hours or at a live event near you? We have office hours and events in multiple languages around the world.
Browse around and let us know in the comments below if you stumble onto something new!
As a natural continuation of this, today we'd like to announce that we're adjusting our indexing system to look for more HTTPS pages. Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page. When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL if:
- It doesn’t contain insecure dependencies.
- It isn’t blocked from crawling by robots.txt.
- It doesn’t redirect users to or through an insecure HTTP page.
- It doesn’t have a rel="canonical" link to the HTTP page.
- It doesn’t contain a noindex robots meta tag.
- It doesn’t have on-host outlinks to HTTP URLs.
- The sitemaps lists the HTTPS URL, or doesn’t list the HTTP version of the URL
- The server has a valid TLS certificate.
Although our systems prefer the HTTPS version by default, you can also make this clearer for other search engines by redirecting your HTTP site to your HTTPS version and by implementing the HSTS header on your server.
We’re excited about taking another step forward in making the web more secure. By showing users HTTPS pages in our search results, we’re hoping to decrease the risk for users to browse a website over an insecure connection and making themselves vulnerable to content injection attacks. As usual, if you have any questions or comments, please let us know in the comments section below or in our webmaster help forums.
Posted by Zineb Ait Bahajji, WTA, and the Google Security and Indexing teams