Recently a newspaper contacted me. Their PageRank had dropped from 7 to 3, and they wanted to know why. They genuinely didn’t seem to know what the issue was, so I took some time to write them an in-depth reply. Part of the motivation for my blog is to provide information in more scalable ways, so I figured I’d strip any identifying information from my email and post it. Here’s what I wrote:
In particular, earlier this year on [website] we saw links labeled as sponsored that passed PageRank, such as a link like [example link]. That’s a clear violation of Google’s quality guidelines, and it’s the reason that [website]‘s PageRank as well as our trust in the website has declined.
In fact, we received an outside spam report about your site. The spam report passed on an email from a link seller offering to sell links on multiple pages on [website] based on their PageRank. Some pages mentioned in that email continue to have unusual links to this day. For example [example url] has a section labeled “PARTNER LINKS” which links to [linkbuyer].
So my advice would be to investigate how paid links that pass PageRank ended up on [website]: who put them there, are any still up, and to investigate whether someone at the [newspaper] received money to post paid links that pass PageRank without disclosing that payment, e.g. using ambiguous labeling such as “Partner links.” That’s definitely where I would dig.
After that investigation is complete and any paid links that pass PageRank are removed, the site’s webmaster can do a reconsideration request using Google’s free webmaster tools console at google.com/webmasters. I would include as much detail as you can about what you found out about the paid links. That will help us assess how things look going forward.
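One way to carry out the investigation described above is to audit the site’s own pages for links that sit under a label such as “PARTNER LINKS” or “Sponsored” yet still pass PageRank, i.e. lack a `rel="nofollow"` (or the later `rel="sponsored"`) disclosure. The script below is an added example, not Google’s tooling or anything from the email; the HTML it scans is constructed for the demonstration and the `linkbuyer.example` / `ads.example` hosts are placeholders.

```python
"""Flag links under a paid/sponsored label that are not marked nofollow or sponsored.

Added example (not Google's code). Input HTML below is constructed; hostnames are placeholders.
"""
from html.parser import HTMLParser
import re

# Labels that signal a paid placement. "Partner links" is the ambiguous wording from the email.
PAID_LABEL = re.compile(
    r"\b(partner links?|sponsored|sponsors?|paid links?|advertis(?:ing|ement|er)s?)\b", re.I)
HEADINGS = {"h1", "h2", "h3", "h4", "h5", "h6"}
DISCLOSURE_RELS = {"nofollow", "sponsored"}   # rel values that stop PageRank from passing


class PaidLinkAuditor(HTMLParser):
    """Tracks the most recent heading; links under a paid-looking heading, or whose
    own anchor text says 'sponsored' etc., are reported unless rel discloses them."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_paid_section = False
        self._heading = None   # list collecting heading text while inside <hN>
        self._anchor = None    # dict collecting the current <a> while inside it

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in HEADINGS:
            self._heading = []
        elif tag == "a" and attrs.get("href"):
            self._anchor = {"href": attrs["href"],
                            "rel": (attrs.get("rel") or "").lower(), "text": []}

    def handle_endtag(self, tag):
        if tag in HEADINGS and self._heading is not None:
            # A new section starts at every heading; it is "paid" only if the label says so.
            self.in_paid_section = bool(PAID_LABEL.search("".join(self._heading)))
            self._heading = None
        elif tag == "a" and self._anchor is not None:
            a = self._anchor
            text = " ".join("".join(a["text"]).split())
            disclosed = bool(DISCLOSURE_RELS & set(a["rel"].split()))
            labelled = self.in_paid_section or bool(PAID_LABEL.search(text))
            if labelled and not disclosed:
                self.findings.append({"href": a["href"], "text": text, "rel": a["rel"]})
            self._anchor = None

    def handle_data(self, data):
        if self._heading is not None:
            self._heading.append(data)
        if self._anchor is not None:
            self._anchor["text"].append(data)


def audit_paid_links(html: str):
    """Return the list of undisclosed paid-looking links found in the HTML."""
    p = PaidLinkAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one undisclosed partner link, one disclosed one, one sponsored anchor.
SAMPLE_PAGE = """
<h2>Latest news</h2>
<a href="https://example.org/story">Council approves budget</a>
<h3>PARTNER LINKS</h3>
<a href="https://linkbuyer.example/">Cheap widgets</a>
<a href="https://ok-partner.example/" rel="nofollow">Disclosed partner</a>
<h2>Sports</h2>
<a href="https://example.org/sports">Match report</a>
<a href="https://ads.example/">Sponsored: buy now</a>
"""

if __name__ == "__main__":
    for f in audit_paid_links(SAMPLE_PAGE):
        print(f"UNDISCLOSED PAID LINK -> {f['href']!r} text={f['text']!r} rel={f['rel']!r}")
```

Run it against saved copies of the pages named in a spam report; every hit is a link to take down or mark `rel="nofollow"` before filing the reconsideration request.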
That’s about it. This case was interesting because we also had an external spam report about the newspaper selling links.
Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. Here’s a simple video about how it works:
I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions–check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:
Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country? Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.
Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen? Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.
Myth #3: Don’t I have to fiddle with an extra PIN every time I log in? Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.
Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP? Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.
Myth #5: Okay, but what if I want to verify how secure Google Authenticator is? Reality: Google Authenticator is free, open-source, and based on open standards.
One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.
Please don’t wait to turn on 2-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?
Added August 26, 2012: Dropbox added support, so I included a link above.
One of the most tenacious blackhat webspam techniques we continue to see is hacked sites. I wanted to remind site owners that our free “Fetch as Google” tool can be a really helpful way to see whether you’ve successfully cleaned up a hacked site.
For example, recently a well-known musician’s website was hacked. The management firm for the musician wrote in to say that the site was clean now. Here’s the reply I sent back:
Unfortunately when our engineers checked this morning, the site was still hacked. I know the page looks clean to you, but when we send Googlebot to fetch www.[domain].com this morning, we see
<title>Generic synthroid bad you :: Canadian Pharmacy</title>
on the page. What the hackers are doing is sneaky but unfortunately pretty common. When you surf directly to the website, you see normal content. But when a search engine (or a visitor from a search engine) visits the website, they see hacked drug-related content. The reason that the hackers do it this way is so that the hacked content is harder to find/remove and so that hacked content stays up longer.
One important tool Google provides to help in assessing whether a site is cleaned up is our “Fetch as Googlebot” feature in our free webmaster console at http://google.com/webmasters/. That tool lets you actually send Googlebot to your website and see exactly what we see when we fetch the page. That tool would have let you know that the website was still hacked.
I hope that helps give an idea of where to go next.
Something I love about “Fetch as Googlebot” is that it’s self-service–you don’t even need to talk to anyone at Google to diagnose whether your hacked site looks clean.
Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites. The most common reaction we hear from webmasters is “The problem is with the Google search. There is nothing wrong with our website.” That’s a real quote from an email one site owner recently sent us. Sadly, it turns out that the site is almost always really hacked.
The single best piece of advice I can give to prevent website hacking is “keep your web server software up-to-date and fully patched.” That prevention is much better than the hassle of cleaning up a hack. Here’s an example email I just sent to a site owner with the identifying details removed:
Hi xxxxxxx, I’m the head of Google’s webspam team. Unfortunately, example.com really has been hacked by people trying to sell pills. I’m attaching an image to show the page that we’re seeing.
P.S. If you visit a page like http://www.example.com/deep-url-path/ and don’t see the pill links, that means the hackers are being extra-sneaky and only showing the spammy pill links to Google. We provide a free tool for that situation as well. It’s called “Fetch as Googlebot” and it lets you send Google to your website and will show you exactly what we see. I would recommend this blog post http://googlewebmastercentral.blogspot.com/2009/11/generic-cialis-on-my-website-i-think-my.html describing how to use that tool, because your situation looks quite similar.
Anyway, just a reminder for site owners to keep their web server software up-to-date, because hacked sites are a real pain. Most Google searchers and even website owners don’t think about hacked sites much, but on our side we have to spend a fair amount of effort writing classifiers to catch this illegal activity, helping the victims of hacked sites, adapting when the hackers change their techniques, etc.
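Both the musician’s-site email and the P.S. above describe the same cloaking pattern: the page served to a search engine (or to a visitor arriving from one) differs from the page served to someone browsing directly. A site owner can run a first-pass version of the “Fetch as Googlebot” check themselves by requesting the same URL three ways and comparing what comes back. The script below is an added example, not Google’s tool; the `fake_fetch` responses are constructed for the demonstration (the pharmacy title is the one quoted in the email), and the browser User-Agent string is a generic placeholder. A real fetch from your own machine only catches cloaking keyed on the User-Agent or Referer header; hackers who key on Google’s IP ranges will still look clean, which is why the real tool, which fetches from Google’s own crawlers, remains the authoritative check.

```python
"""Compare a page as seen by a direct visitor, by a Googlebot user-agent, and by a visitor
arriving from Google search, to spot hacked-site cloaking.

Added example (not Google's "Fetch as Googlebot"). fake_fetch responses are constructed.
"""
import re
import urllib.request
from html import unescape

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Generic-Browser/1.0"   # placeholder browser UA

# The three vantage points the emails describe.
VIEWS = {
    "direct":      {"User-Agent": BROWSER_UA},
    "googlebot":   {"User-Agent": GOOGLEBOT_UA},
    "from-search": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
}


def http_fetch(url: str, headers: dict, timeout: int = 10) -> str:
    """Real fetch with the given headers (only used when you run this against your own site)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def extract_title(html: str) -> str:
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return unescape(" ".join(m.group(1).split())) if m else ""


def count_links(html: str) -> int:
    return len(re.findall(r"<a\s[^>]*href=", html, re.I))


def compare_views(url: str, fetch=http_fetch, views=VIEWS) -> dict:
    """Fetch `url` once per view; any view whose title or link count differs from the
    direct view is reported as cloaked."""
    seen = {}
    for name, headers in views.items():
        html = fetch(url, headers)
        seen[name] = {"title": extract_title(html), "links": count_links(html)}
    base = seen["direct"]
    cloaked = {n: v for n, v in seen.items() if n != "direct" and v != base}
    return {"views": seen, "cloaked": cloaked, "suspicious": bool(cloaked)}


# --- constructed stand-in for a hacked site, so the example runs offline -------------------
CLEAN_HTML = ('<html><head><title>Band Name - Official Site</title></head>'
              '<body><a href="/tour">Tour</a><a href="/music">Music</a></body></html>')
HACKED_HTML = ('<html><head><title>Generic synthroid bad you :: Canadian Pharmacy</title></head>'
               '<body>' + ''.join(f'<a href="https://pills.example/{i}">buy</a>' for i in range(40))
               + '</body></html>')


def fake_fetch(url: str, headers: dict) -> str:
    """Serves spam to Googlebot UAs and to visitors referred from Google, clean HTML otherwise."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "Googlebot" in ua or "google." in ref:
        return HACKED_HTML
    return CLEAN_HTML


if __name__ == "__main__":
    report = compare_views("https://www.example.com/", fetch=fake_fetch)
    for name, v in report["views"].items():
        print(f"{name:12s} title={v['title']!r} links={v['links']}")
    print("cloaking suspected:", report["suspicious"], "in views", sorted(report["cloaked"]))
```

To check a real page, call `compare_views("https://www.yoursite.example/deep-url-path/")` with the default `http_fetch`; a differing title or a sudden jump in link count for the `googlebot` or `from-search` view means the cleanup is not finished, even though the page looks fine in your browser.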